FireEye Alerts

Overview

This article explains how to ingest your on-prem FireEye NG Alerts to Hunters. These logs hold alerts from the FireEye NX and FireEye EX solutions.

For more information about how the logs are collected and their schema, see here for a general overview, and for the specific schemas see FireEye NX and FireEye EX.


Hunters' Ingestion

For Hunters to integrate with your on-prem FireEye Alerts, the logs should be collected to a Storage Service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters. Each alert type (EX and NX) should be written to its own, separate prefix.

Expected Logs Format

In each log file, events should be separated by a newline, with each event written as a single JSON object on its own line.

FireEye NX Example:

{"msg":"normal","version":"9.0.3.936727","product":"CMS","alert":{"name":"ips-event","uuid":"abcdefgh-ijkl-1234-5678-123412341234","occurred":"2020-02-01T12:12:11Z","class":"IPS","action":"notified","dst":{"ip":"10.1.1.28","port":80,"mac":"00:aa:bb:cc:dd:ee"},"id":11111,"severity":"crit","ack":"no","version":"9.0.2.929543","product":"Web MPS","explanation":{"ips-detected":{"match-count":1,"cve-id":"CVE-2015-1234","sig-revision":"11","action-taken":"N/A","attack-mode":"server","sig-name":"SQL Injection","sig-id":"12341234","mvx-status":"N/A"}},"appliance-id":"00:11:22:33:44:55","sensor":"sensor.sensor.com","alert-url":"https://myserver.com/notification_url/ips_events?ev_id=11111","src":{"ip":"10.1.1.29","port":12345,"mac":"00:11:bb:33:dd:55"},"vlan":"90","interface":{"interface":"pepe","mode":"tap","label":"lbl"}},"appliance":"myserver.servers.example","appliance-id":"00:88:88:22:11:33"}

FireEye EX Example:

{"product":"CMS","appliance-id":"00:11:22:33:44:55","appliance":"temp.com","alert":{"src":{"url":"temp.com","domain":"temp.com","smtp-mail-from":"example@example.com"},"product":"Email MPS","name":"malware-object","dst":{"smtp-cc":"cc@example.com","smtp-to":"to@example.com"},"ack":"no","severity":"majr","explanation":{"malware-detected":{"malware":{"domain":"example.com","submitted-at":"2020-01-09T11:00:12Z","name":"EXAMPLE","downloaded-at":"2020-01-07T11:11:11Z","md5sum":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","executed-at":"2020-01-07T11:10:12Z","sha256":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","type":"url","stype":"12"}},"protocol":"","analysis":"none"},"alert-url":"https://feyeserver/emps/eanalysis?e_id=12341235&type=url","appliance-id":"00:01:02:03:04:05","root-infection":"12341234","occurred":"2020-01-07T11:12:13Z","action":"notified","version":"9.0.3.936727","smtp-message":{"protocol":"8","smtp-header":"<HEADER>","queue-id":"ABCDEF1235","last-malware":"MALWARE_EXAMPLE","date":"Thu, 12 Jul 2020 11:05:12 +0000","id":"EXAMPLE.OUTLOOK.COM","subject":"RE: EXAMPLE EMAIL"},"interface":{"interface":"temp","mode":"drop"},"sensor-ip":"10.0.0.1","attack-time":"2020-01-07T01:02:03Z","sc-version":"1234.323","sensor":"example.example","id":"12341245","uuid":"aaaaaa-bbbb-cccc-dddd-eeeeeeeeeee"},"version":"9.0.3.936727","msg":"normal"}
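As an added example (not part of this article or of the Hunters or FireEye products), the following Python reads a file in the newline-delimited format described above, rejects lines that are not a single JSON alert object, and decides which prefix (NX or EX) an event belongs to from the inner alert's product field, which is "Web MPS" in the NX example and "Email MPS" in the EX example. The prefix names and the shortened sample alerts are assumptions constructed for illustration.

```python
import json

# Prefix names are an assumption for illustration; the real ones are agreed with Hunters.
PREFIX_BY_PRODUCT = {"Web MPS": "fireeye/nx/", "Email MPS": "fireeye/ex/"}

def parse_ndjson(text: str) -> list[dict]:
    """Parse newline-delimited JSON: one complete FireEye alert object per non-empty line."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not a single JSON object ({exc.msg})") from exc
        if not isinstance(obj, dict) or not isinstance(obj.get("alert"), dict):
            raise ValueError(f"line {lineno}: missing top-level 'alert' object")
        events.append(obj)
    return events

def route_prefix(event: dict) -> str:
    """Choose the storage prefix from alert.product (NX reports 'Web MPS', EX 'Email MPS')."""
    product = event["alert"].get("product", "")
    if product not in PREFIX_BY_PRODUCT:
        raise ValueError(f"unknown alert product {product!r}")
    return PREFIX_BY_PRODUCT[product]

def summarize(event: dict) -> dict[str, str]:
    """Flatten the fields an analyst triages first; the detail differs per alert type."""
    alert = event["alert"]
    expl = alert.get("explanation", {})
    if "ips-detected" in expl:        # NX: IPS signature match
        detail = expl["ips-detected"].get("sig-name", "")
    elif "malware-detected" in expl:  # EX: malware object or URL
        detail = expl["malware-detected"].get("malware", {}).get("name", "")
    else:
        detail = ""
    return {"uuid": alert.get("uuid", ""), "name": alert.get("name", ""),
            "severity": alert.get("severity", ""), "occurred": alert.get("occurred", ""),
            "detail": detail, "prefix": route_prefix(event)}

# Constructed sample: two shortened alerts in the page's format, one NX then one EX.
SAMPLE = (
    '{"msg":"normal","product":"CMS","alert":{"name":"ips-event","uuid":"u-1","occurred":"2020-02-01T12:12:11Z",'
    '"severity":"crit","product":"Web MPS","explanation":{"ips-detected":{"sig-name":"SQL Injection"}}}}\n'
    '{"product":"CMS","alert":{"name":"malware-object","uuid":"u-2","occurred":"2020-01-07T11:12:13Z",'
    '"severity":"majr","product":"Email MPS","explanation":{"malware-detected":{"malware":{"name":"EXAMPLE"}}}}}\n'
)

def process(text: str = SAMPLE) -> list[dict[str, str]]:
    return [summarize(e) for e in parse_ndjson(text)]
```

Note that the routing key is the inner `alert.product`, not the top-level `product`, which is "CMS" for both alert types.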