FireEye

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data type | Table name        | Log format | Collection method
FireEye NX Alerts   | fireeye_nx_alerts | NDJSON     | S3
FireEye EX Alerts   | fireeye_ex_alerts | NDJSON     | S3

The original table also carries four capability columns (3rd party detection, Hunters detection, IOC search, Search); NX alerts are marked ✅ in one of them and EX alerts in two.


Overview

FireEye, now Trellix, specializes in advanced threat intelligence, detection, and response solutions. It offers a range of cybersecurity products and services that help organizations protect against sophisticated threats, detect breaches, and respond to security incidents.

Supported data types

FireEye NX Alerts

Table name: fireeye_nx_alerts

FireEye NX alerts are generated by the FireEye NX platform, a network security appliance that identifies and blocks advanced threats, malware, and zero-day attacks. Each alert describes a detected threat in detail: its severity and class, the source and destination hosts, the signature or malware that matched, and the action the appliance took. Security teams rely on them to respond quickly to potential incidents and keep the network from being compromised.

FireEye EX Alerts

Table name: fireeye_ex_alerts

FireEye EX alerts are notifications generated by the FireEye Email Security (EX) platform, which identifies and stops email-based threats. These alerts describe potential security incidents involving phishing, malicious attachments, and other malicious email activity, and are the starting point for timely response and remediation against email-borne threats and breaches.

Send data to Hunters

Hunters supports the integration of FireEye logs using an intermediary S3 bucket.

To send data to Hunters:

  1. Contact FireEye support to learn how to route your FireEye alert logs to an S3 bucket.

  2. Once the export is running and the logs are landing in S3, follow the S3 self-service ingestion steps in the Hunters platform to connect the bucket.

Expected format

In each log file, events are separated by a newline and every event is one complete JSON object on its own line (NDJSON). Pretty-printed, multi-line objects and JSON arrays do not match this format. The line below is one NDJSON event, a FireEye NX IPS alert in the CMS "normal" JSON envelope.

{"msg":"normal","version":"9.0.3.936727","product":"CMS","alert":{"name":"ips-event","uuid":"abcdefgh-ijkl-1234-5678-123412341234","occurred":"2020-02-01T12:12:11Z","class":"IPS","action":"notified","dst":{"ip":"10.1.1.28","port":80,"mac":"00:aa:bb:cc:dd:ee"},"id":11111,"severity":"crit","ack":"no","version":"9.0.2.929543","product":"Web MPS","explanation":{"ips-detected":{"match-count":1,"cve-id":"CVE-2015-1234","sig-revision":"11","action-taken":"N/A","attack-mode":"server","sig-name":"SQL Injection","sig-id":"12341234","mvx-status":"N/A"}},"appliance-id":"00:11:22:33:44:55","sensor":"sensor.sensor.com","alert-url":"https://myserver.com/notification_url/ips_events?ev_id=11111","src":{"ip":"10.1.1.29","port":12345,"mac":"00:11:bb:33:dd:55"},"vlan":"90","interface":{"interface":"pepe","mode":"tap","label":"lbl"}},"appliance":"myserver.servers.example","appliance-id":"00:88:88:22:11:33"}
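A pre-flight check for an export before it is dropped in the S3 bucket, written as an added example for this page (it is not Hunters or FireEye code): it parses NDJSON line by line, reports lines that are not a FireEye alert envelope, flattens the fields an analyst searches on, and re-serializes to compact NDJSON. The first sample line is the alert shown above; the second alert (a "malware-detected" explanation) and the truncated line are constructed, and the shape of the malware explanation and the `normalize_export` handling of pretty-printed or array exports are assumptions, not something the page states. Function names are hypothetical.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample export: line 1 is the alert from the page, line 2 is blank,
# line 3 is a constructed malware alert (assumed explanation shape), line 4 is cut off.
SAMPLE_EXPORT = "\n".join([
    '{"msg":"normal","version":"9.0.3.936727","product":"CMS","alert":{"name":"ips-event",'
    '"uuid":"abcdefgh-ijkl-1234-5678-123412341234","occurred":"2020-02-01T12:12:11Z","class":"IPS",'
    '"action":"notified","dst":{"ip":"10.1.1.28","port":80,"mac":"00:aa:bb:cc:dd:ee"},"id":11111,'
    '"severity":"crit","ack":"no","version":"9.0.2.929543","product":"Web MPS","explanation":'
    '{"ips-detected":{"match-count":1,"cve-id":"CVE-2015-1234","sig-revision":"11","action-taken":"N/A",'
    '"attack-mode":"server","sig-name":"SQL Injection","sig-id":"12341234","mvx-status":"N/A"}},'
    '"appliance-id":"00:11:22:33:44:55","sensor":"sensor.sensor.com",'
    '"alert-url":"https://myserver.com/notification_url/ips_events?ev_id=11111",'
    '"src":{"ip":"10.1.1.29","port":12345,"mac":"00:11:bb:33:dd:55"},"vlan":"90",'
    '"interface":{"interface":"pepe","mode":"tap","label":"lbl"}},"appliance":"myserver.servers.example",'
    '"appliance-id":"00:88:88:22:11:33"}',
    "",
    '{"msg":"normal","product":"CMS","alert":{"name":"malware-object","uuid":"11111111-2222-3333-4444-555555555555",'
    '"occurred":"2020-02-01T12:20:00Z","action":"blocked","severity":"majr","src":{"ip":"10.1.1.40"},'
    '"dst":{"ip":"203.0.113.10"},"explanation":{"malware-detected":{"malware":[{"name":"Trojan.Generic",'
    '"md5sum":"d41d8cd98f00b204e9800998ecf8427e"}]}},"sensor":"sensor.sensor.com"}}',
    '{"msg":"normal","product":"CMS","alert":{"name":"ips-event","uuid":"trunc',
])

Record = Dict[str, Any]
Error = Tuple[int, str]  # (1-based line number, reason); line 0 = whole-document parse


def is_alert_envelope(obj: Any) -> bool:
    """True when obj looks like the CMS envelope: an object whose "alert" value is an object."""
    return isinstance(obj, dict) and isinstance(obj.get("alert"), dict)


def parse_ndjson(text: str) -> Tuple[List[Record], List[Error]]:
    """Parse one JSON object per line; blank lines are skipped, bad lines are reported, not dropped silently."""
    records: List[Record] = []
    errors: List[Error] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, f"invalid JSON: {exc.msg}"))
            continue
        if not is_alert_envelope(obj):
            errors.append((lineno, 'not a FireEye alert envelope (missing "alert" object)'))
            continue
        records.append(obj)
    return records, errors


def normalize_export(text: str) -> Tuple[List[Record], List[Error]]:
    """Accept NDJSON, a single pretty-printed object, or a JSON array (the last two are assumed
    export shapes, not documented on the page) and return alert envelopes plus errors."""
    try:
        whole = json.loads(text)
    except json.JSONDecodeError:
        return parse_ndjson(text)  # multi-line NDJSON fails as one document: fall back to per-line parsing
    candidates = whole if isinstance(whole, list) else [whole]
    records = [c for c in candidates if is_alert_envelope(c)]
    errors = [(0, "element is not a FireEye alert envelope") for c in candidates if not is_alert_envelope(c)]
    return records, errors


def summarize_alert(record: Record) -> Dict[str, Any]:
    """Flatten the fields worth pivoting on; every lookup tolerates a missing sub-object."""
    alert = record["alert"]
    expl = alert.get("explanation") or {}
    ips = expl.get("ips-detected") or {}
    malware = (expl.get("malware-detected") or {}).get("malware") or []
    return {
        "uuid": alert.get("uuid"),
        "occurred": alert.get("occurred"),
        "name": alert.get("name"),
        "severity": alert.get("severity"),
        "action": alert.get("action"),
        "src_ip": (alert.get("src") or {}).get("ip"),
        "dst_ip": (alert.get("dst") or {}).get("ip"),
        "sensor": alert.get("sensor"),
        "sig_name": ips.get("sig-name"),
        "cve_id": ips.get("cve-id"),
        "malware_names": [m.get("name") for m in malware if isinstance(m, dict)],
    }


def to_ndjson(records: List[Record]) -> str:
    """Serialize as compact NDJSON: one object per line, newline-terminated, no embedded newlines."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)


if __name__ == "__main__":
    recs, errs = normalize_export(SAMPLE_EXPORT)
    for lineno, reason in errs:
        print(f"line {lineno}: {reason}")
    for r in recs:
        print(summarize_alert(r))
```

Treat any reported error as a reason to stop and inspect the export rather than upload it: a truncated line usually means the writer was cut off mid-flush, so the lines after it may be missing too.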