Overview

This article explains how to ingest alerts from your on-premises FireEye EX appliance into Hunters.

Hunters Ingestion

For Hunters to integrate with your on-premises FireEye EX, the alert logs must be collected into a storage service shared with Hunters (e.g. an S3 bucket or an Azure Blob Storage container).

Expected Format

Each log file must be newline-delimited JSON: one complete event per line, with each event encoded as a single JSON object and events separated by a newline character.

Example:

{"product":"CMS","appliance-id":"00:11:22:33:44:55","appliance":"temp.com","alert":{"src":{"url":"temp.com","domain":"temp.com","smtp-mail-from":"example@example.com"},"product":"Email MPS","name":"malware-object","dst":{"smtp-cc":"cc@example.com","smtp-to":"to@example.com"},"ack":"no","severity":"majr","explanation":{"malware-detected":{"malware":{"domain":"example.com","submitted-at":"2020-01-09T11:00:12Z","name":"EXAMPLE","downloaded-at":"2020-01-07T11:11:11Z","md5sum":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","executed-at":"2020-01-07T11:10:12Z","sha256":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","type":"url","stype":"12"}},"protocol":"","analysis":"none"},"alert-url":"https://feyeserver/emps/eanalysis?e_id=12341235&type=url","appliance-id":"00:01:02:03:04:05","root-infection":"12341234","occurred":"2020-01-07T11:12:13Z","action":"notified","version":"9.0.3.936727","smtp-message":{"protocol":"8","smtp-header":"<HEADER>","queue-id":"ABCDEF1235","last-malware":"MALWARE_EXAMPLE","date":"Thu, 12 Jul 2020 11:05:12 +0000","id":"EXAMPLE.OUTLOOK.COM","subject":"RE: EXAMPLE EMAIL"},"interface":{"interface":"temp","mode":"drop"},"sensor-ip":"10.0.0.1","attack-time":"2020-01-07T01:02:03Z","sc-version":"1234.323","sensor":"example.example","id":"12341245","uuid":"aaaaaa-bbbb-cccc-dddd-eeeeeeeeeee"},"version":"9.0.3.936727","msg":"normal"}
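To check that an export file really follows this layout before it lands in the shared bucket, the following Python script is an added example for this page (it is not Hunters' or FireEye's own code). It walks a file line by line, rejects any line that is not a complete JSON alert record, and pulls out the fields an analyst triages first. The field names are taken from the sample alert above; the sample lines, placeholder values and helper names (`parse_alert_line`, `parse_alert_file`, `ExAlert`) are constructed for this example.

```python
"""Validate a FireEye EX alert export in newline-delimited JSON form.

Added example for this page, not Hunters' or FireEye's own code. Field
names follow the sample alert on the page; the one-object-per-line layout
follows the "Expected Format" section. The sample lines and placeholder
values below are constructed here and are not real alert data.
"""
import json
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple


@dataclass
class ExAlert:
    """The handful of fields most triage workflows look at first."""
    alert_id: str
    name: str
    severity: str
    occurred: str
    mail_from: Optional[str]
    mail_to: Optional[str]
    sha256: Optional[str]
    sensor: Optional[str]


def _nested(obj: Any, *keys: str) -> Any:
    """Descend through nested dicts; None if any step is missing or not a dict."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def parse_alert_line(line: str) -> ExAlert:
    """Parse one line of the export.

    Raises ValueError if the line is not a single JSON object carrying the
    'alert' sub-object and the identifying fields the ingestion relies on.
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc.msg}") from exc
    if not isinstance(event, dict):
        raise ValueError("line is not a JSON object")
    alert = event.get("alert")
    if not isinstance(alert, dict):
        raise ValueError("missing 'alert' object")
    for key in ("id", "name", "severity", "occurred"):
        if key not in alert:
            raise ValueError(f"alert missing '{key}'")
    return ExAlert(
        alert_id=str(alert["id"]),
        name=alert["name"],
        severity=alert["severity"],
        occurred=alert["occurred"],
        mail_from=_nested(alert, "src", "smtp-mail-from"),
        mail_to=_nested(alert, "dst", "smtp-to"),
        sha256=_nested(alert, "explanation", "malware-detected", "malware", "sha256"),
        sensor=alert.get("sensor"),
    )


def parse_alert_file(text: str) -> Tuple[List[ExAlert], List[Tuple[int, str]]]:
    """Split the file on newlines (the delimiter the format mandates).

    Blank lines are skipped. Any other line that fails to parse is reported
    with its 1-based line number instead of aborting, so one bad line does
    not hide the rest of the file.
    """
    alerts: List[ExAlert] = []
    errors: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            alerts.append(parse_alert_line(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return alerts, errors


PLACEHOLDER_SHA256 = "a" * 64  # constructed placeholder, not a real hash

# Constructed sample export: one good record, one blank line, one record that
# was pretty-printed across two lines (which breaks the one-per-line rule),
# and one JSON object that is not an alert at all.
SAMPLE_EXPORT = "\n".join([
    '{"product":"CMS","appliance":"temp.com","alert":{"src":{"smtp-mail-from":"example@example.com"},'
    '"product":"Email MPS","name":"malware-object","dst":{"smtp-to":"to@example.com"},'
    '"severity":"majr","explanation":{"malware-detected":{"malware":{"name":"EXAMPLE",'
    '"sha256":"' + PLACEHOLDER_SHA256 + '"}}},"occurred":"2020-01-07T11:12:13Z",'
    '"sensor":"example.example","id":"12341245"},"msg":"normal"}',
    "",
    '{"product":"CMS",',
    ' "alert":{"id":"1","name":"malware-object","severity":"minr","occurred":"2020-01-07T12:00:00Z"}}',
    '{"msg":"heartbeat"}',
])

if __name__ == "__main__":
    parsed, problems = parse_alert_file(SAMPLE_EXPORT)
    for a in parsed:
        print(f"{a.occurred} {a.severity:5} {a.name} from={a.mail_from} to={a.mail_to}")
    for lineno, why in problems:
        print(f"line {lineno}: {why}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; a pretty-printed export shows up immediately as a run of "not valid JSON" errors on consecutive lines, which is the most common way a file fails the one-event-per-line requirement.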