Overview

This article explains how to ingest alerts from your on-premises FireEye NX appliance into Hunters.

Hunters Ingestion

For Hunters to integrate with your on-premises FireEye NX, the alert logs must be collected into a storage service (for example an S3 bucket or an Azure Blob Storage container) that is shared with Hunters.

Expected Format

Each log file must be newline-delimited JSON: one complete JSON object per event, one event per line, with events separated by a newline character. Do not pretty-print an event across several lines, because each line is read as a separate event.

Example:

{"msg":"normal","version":"9.0.3.936727","product":"CMS","alert":{"name":"ips-event","uuid":"abcdefgh-ijkl-1234-5678-123412341234","occurred":"2020-02-01T12:12:11Z","class":"IPS","action":"notified","dst":{"ip":"10.1.1.28","port":80,"mac":"00:aa:bb:cc:dd:ee"},"id":11111,"severity":"crit","ack":"no","version":"9.0.2.929543","product":"Web MPS","explanation":{"ips-detected":{"match-count":1,"cve-id":"CVE-2015-1234","sig-revision":"11","action-taken":"N/A","attack-mode":"server","sig-name":"SQL Injection","sig-id":"12341234","mvx-status":"N/A"}},"appliance-id":"00:11:22:33:44:55","sensor":"sensor.sensor.com","alert-url":"https://myserver.com/notification_url/ips_events?ev_id=11111","src":{"ip":"10.1.1.29","port":12345,"mac":"00:11:bb:33:dd:55"},"vlan":"90","interface":{"interface":"pepe","mode":"tap","label":"lbl"}},"appliance":"myserver.servers.example","appliance-id":"00:88:88:22:11:33"}
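To check an export against this format before uploading it to the shared storage, the following added Python script (not part of Hunters' documentation or tooling) walks a file line by line, reports every line that is not a single JSON object, and checks for the `alert` keys that the example above shows. The list of required keys, the second event and the malformed lines in the embedded sample are constructed for illustration; Hunters' actual ingestion schema is not described on this page.

```python
"""Validate a FireEye NX alert export (newline-delimited JSON) before sharing it.

Added example, not Hunters' own tooling. Each line must be one complete JSON
object; lines that are blank, that do not parse on their own (e.g. a
pretty-printed object spread over several lines), or that lack the alert
fields shown on the page are reported with their line number.
"""
import json
import sys
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Assumption: keys taken from the page's example event; Hunters' real schema
# requirements are not stated on the page.
REQUIRED_ALERT_KEYS = ("name", "uuid", "occurred", "severity")

# The example event from the page, on one line.
PAGE_EXAMPLE = '{"msg":"normal","version":"9.0.3.936727","product":"CMS","alert":{"name":"ips-event","uuid":"abcdefgh-ijkl-1234-5678-123412341234","occurred":"2020-02-01T12:12:11Z","class":"IPS","action":"notified","dst":{"ip":"10.1.1.28","port":80,"mac":"00:aa:bb:cc:dd:ee"},"id":11111,"severity":"crit","ack":"no","version":"9.0.2.929543","product":"Web MPS","explanation":{"ips-detected":{"match-count":1,"cve-id":"CVE-2015-1234","sig-revision":"11","action-taken":"N/A","attack-mode":"server","sig-name":"SQL Injection","sig-id":"12341234","mvx-status":"N/A"}},"appliance-id":"00:11:22:33:44:55","sensor":"sensor.sensor.com","alert-url":"https://myserver.com/notification_url/ips_events?ev_id=11111","src":{"ip":"10.1.1.29","port":12345,"mac":"00:11:bb:33:dd:55"},"vlan":"90","interface":{"interface":"pepe","mode":"tap","label":"lbl"}},"appliance":"myserver.servers.example","appliance-id":"00:88:88:22:11:33"}'

# Constructed sample file: the page's event, a second constructed event, then
# several lines that violate the format (blank line, pretty-printed object,
# non-object value, event missing 'occurred').
SAMPLE_NDJSON = "\n".join([
    PAGE_EXAMPLE,
    '{"msg":"normal","product":"CMS","alert":{"name":"malware-object",'
    '"uuid":"00000000-0000-4000-8000-000000000002","occurred":"2020-02-01T12:15:00Z",'
    '"severity":"majr","src":{"ip":"10.1.1.40"},"dst":{"ip":"203.0.113.5"}}}',
    "",
    "{",
    '  "alert": {"name": "ips-event"}',
    "}",
    '["not", "an", "object"]',
    '{"alert":{"name":"x","uuid":"u","severity":"crit","src":{"ip":"10.0.0.1"},"dst":{"ip":"10.0.0.2"}}}',
]) + "\n"


@dataclass
class Report:
    valid: int = 0
    problems: List[Tuple[int, str]] = field(default_factory=list)  # (line number, reason)


def check_event(obj) -> Optional[str]:
    """Return a reason string if obj is not a usable NX alert, else None."""
    if not isinstance(obj, dict):
        return "top-level value is not a JSON object"
    alert = obj.get("alert")
    if not isinstance(alert, dict):
        return "missing 'alert' object"
    missing = [k for k in REQUIRED_ALERT_KEYS if k not in alert]
    if missing:
        return "alert missing keys: " + ", ".join(missing)
    try:  # the page's example uses 'YYYY-MM-DDTHH:MM:SSZ'
        datetime.strptime(alert["occurred"], "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        return "alert.occurred is not a UTC timestamp: %r" % (alert["occurred"],)
    for side in ("src", "dst"):
        if not isinstance(alert.get(side), dict) or "ip" not in alert[side]:
            return "alert.%s.ip missing" % side
    return None


def validate_ndjson(text: str) -> Report:
    """Check every line of an NDJSON export; one JSON object per line is required."""
    report = Report()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            report.problems.append((line_no, "blank line (no event)"))
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError as exc:
            # A pretty-printed object fails here on every one of its lines.
            report.problems.append((line_no, "line is not a complete JSON value: " + exc.msg))
            continue
        reason = check_event(obj)
        if reason:
            report.problems.append((line_no, reason))
        else:
            report.valid += 1
    return report


if __name__ == "__main__":
    # Usage: python validate_nx_export.py <file.json>; with no file, the sample is used.
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NDJSON
    result = validate_ndjson(data)
    print("valid events:", result.valid)
    for line_no, reason in result.problems:
        print("line %d: %s" % (line_no, reason))
```

Run it against each file before it is copied to the shared bucket or container; a file whose report lists any problem lines will not ingest cleanly line by line.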