
edr.fireeye.alerts

The tag edr.fireeye.alerts identifies log events generated by FireEye Security Solutions.

Sending methods

This technology uses a single tag to support all of the log events generated by FireEye Security Solutions. The tag is simply edr.fireeye.alerts and the associated events are saved in Devo in a table of the same name. For more information, read more about Devo tags.

To set up the sending of FireEye events to your Devo domain:

  1. Set up the Devo relay rule that applies the tag to the FireEye events.
  2. Configure event sending from FireEye to the Devo relay.

Other sending methods

Instead of the Devo relay, you may opt to use tools like NXLog, Fluentd, or Logstash to collect the alert events, apply the Devo tag, and forward them securely to your Devo cloud. Learn more in Other data collection methods.

Here we explain how to send events using the Devo relay.

Step 1: Set up the Devo relay rule

You'll set up a rule on the relay that will apply the correct tag before forwarding the events to Devo in syslog format.

For complete instructions, see the vendor documentation online.

Create a simple rule on your Devo Relay that applies the edr.fireeye.alerts tag to all events arriving on a specified port. In the example below, we use port 13007, but you can use any port that you can dedicate to these events (no other relay rule or service should listen on it). Note the port you choose: you will configure FireEye to send to it in Step 2.

  • Source Port → 13007
  • Target Tag → edr.fireeye.alerts
  • Check the Stop processing and Sent without syslog tag checkboxes.

Step 2: Configure event sending in FireEye

In FireEye, enable the rsyslog notification event type and set it to send event data in JSON - Concise format. Then add your Devo Relay as an rsyslog server, using the relay's IP address, and set the destination port from the CLI to the port on which you created the relay rule in Step 1.

  1. Go to Settings - Notifications.
  2. Check the rsyslog Event Type checkbox in the Notification Settings grid.
  3. Click the rsyslog column heading to open the Rsyslog Settings.
  4. Specify the following, then click Apply Settings.

    • Default format → JSON - Concise
    • Default delivery → Per event
    • Default send as → Alert
  5. In the Rsyslog Server Listing section, click Add Rsyslog Server, then specify the following:

    • Enabled → Yes
    • IP Address → <DevoRelayIP>
    • Delivery → Default
    • Notification → All Events
    • Format → Default
    • Send as → Default
    • Account → N/A
    • Protocol → TCP
  6. Click Update to save the new Rsyslog server.

  7. To assign the port on the relay to which you are sending events, go to the CLI and enter the following command. The port must be the same one you used as Source Port in the relay rule in Step 1:

    logging <devo_relay_ip_address> port <relay_port>

    For example, with the relay rule on port 13007 as in Step 1:

    logging 111.23.4.56 port 13007

At this point, the events should be getting sent to the Devo relay where the correct tag is applied before being securely forwarded to your Devo domain. To verify, search the edr.fireeye.alerts table in Devo. If nothing arrives, confirm that the FireEye appliance can reach the relay on the chosen TCP port and that the port in the logging command matches the Source Port of the relay rule.
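The following is an added example, not Devo or FireEye code. It shows, for the Other sending methods path (a custom collector instead of the Devo relay), what the relay rule above does for you: take the JSON - Concise line that FireEye's rsyslog notification emits, wrap it in the syslog envelope Devo expects with the edr.fireeye.alerts tag, and push it over TCP. The envelope format `<PRI>Mon DD HH:MM:SS host tag: message`, the hostname `fireeye-appliance`, the function names and the sample alert line are all assumptions made for the example; the sample is constructed and does not reflect FireEye's real JSON schema.

```python
"""Apply the Devo tag to FireEye rsyslog alert lines and forward them over TCP.

Added example, not Devo or FireEye code. It does what the Devo relay rule
does (tag events arriving from FireEye), for use in a custom collector.
"""
import json
import re
import socket
import threading
from datetime import datetime, timezone
from typing import List, Optional

DEVO_TAG = "edr.fireeye.alerts"
# <PRI> is facility*8 + severity; 14 = user.info, used when the source has none.
DEFAULT_PRI = 14

# Optional RFC 3164-style prefix rsyslog may put before the JSON body:
# "<PRI>Mon DD HH:MM:SS host program: {...}". Only the JSON is needed.
_PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample line (assumed shape; not FireEye's real schema).
SAMPLE_RAW = ('<134>Jan 15 10:22:33 fireeye-nx alerts: '
              '{"alert":{"id":"1","severity":"majr"}}')


def extract_json_payload(raw_line: str) -> dict:
    """Return the JSON object carried in a raw line, ignoring any syslog header.
    Raises ValueError if the line carries no parseable JSON object."""
    start = raw_line.find("{")
    if start < 0:
        raise ValueError("no JSON object in line")
    obj = json.loads(raw_line[start:].strip())  # JSONDecodeError is a ValueError
    if not isinstance(obj, dict):
        raise ValueError("JSON payload is not an object")
    return obj


def build_devo_line(payload: dict, tag: str = DEVO_TAG,
                    hostname: str = "fireeye-appliance", pri: int = DEFAULT_PRI,
                    ts: Optional[datetime] = None) -> str:
    """Wrap payload in the assumed Devo envelope "<PRI>TIMESTAMP HOST TAG: MESSAGE".
    Re-serialising the JSON guarantees one event per line (no embedded newlines)."""
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.strftime("%b %d %H:%M:%S")
    message = json.dumps(payload, separators=(",", ":"))
    return f"<{pri}>{stamp} {hostname} {tag}: {message}"


def retag_line(raw_line: str, tag: str = DEVO_TAG,
               ts: Optional[datetime] = None) -> str:
    """Re-emit a raw FireEye rsyslog line tagged for Devo, keeping its <PRI> if present."""
    m = _PRI_RE.match(raw_line)
    pri = int(m.group(1)) if m else DEFAULT_PRI
    return build_devo_line(extract_json_payload(raw_line), tag=tag, pri=pri, ts=ts)


def send_lines(host: str, port: int, lines: List[str], timeout: float = 5.0) -> int:
    """Send newline-terminated lines over one TCP connection; return bytes sent."""
    data = "".join(line.rstrip("\n") + "\n" for line in lines).encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
    return len(data)


def loopback_check(lines: List[str]) -> bytes:
    """Self-test: listen on an ephemeral loopback port, push lines through
    send_lines(), and return exactly what the receiving side saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    got = bytearray()

    def sink():
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                got.extend(chunk)

    t = threading.Thread(target=sink, daemon=True)
    t.start()
    send_lines("127.0.0.1", port, lines)
    t.join(5)
    srv.close()
    return bytes(got)


if __name__ == "__main__":
    fixed = datetime(2024, 1, 15, 10, 22, 33, tzinfo=timezone.utc)
    print(retag_line(SAMPLE_RAW, ts=fixed))
    print(loopback_check([retag_line(SAMPLE_RAW)]).decode())
```

In production the destination would be your Devo endpoint rather than a loopback listener, and the connection should be TLS-wrapped (as the relay does) rather than plain TCP; the point here is the tagging step and the one-event-per-line framing the relay rule relies on.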