
edr.fireeye

Introduction

The tag edr.fireeye.alerts identifies log events generated by FireEye Security Solutions.

Sending methods

This technology uses a single tag for all of the log events generated by FireEye Security Solutions. The tag is edr.fireeye.alerts, and the associated events are stored in Devo in a table of the same name. For more information, see Devo tags.

To set up the sending of FireEye events to your Devo domain:

  1. Set up the Devo relay rule that applies the tag to the FireEye events.

  2. Configure event sending from FireEye to the Devo relay.

Other sending methods

Instead of the Devo relay, you may opt to use tools like NXLog, Fluentd, or Logstash to collect the alert events, apply the Devo tag, and forward them securely to your Devo cloud. Learn more in Other data collection methods.

Here we explain how to send events using the Devo relay.

Step 1: Set up the Devo relay rule

You'll set up a rule on the relay that will apply the correct tag before forwarding the events to Devo in syslog format.

For complete instructions, see the vendor documentation online.

Create a simple rule on your Devo relay that applies the edr.fireeye.alerts tag to all events arriving on a port dedicated to these events. In the example below, port 13007 is used, but any port that you can reserve for FireEye events will do; the same port is entered in FireEye in Step 2.

  • Source port → 13007 (or the port you dedicated to FireEye events)

  • Target tag → edr.fireeye.alerts

  • Check the Stop processing and Sent without syslog tag checkboxes. FireEye's rsyslog notifications do not carry a Devo tag, so Sent without syslog tag makes the relay insert the target tag; Stop processing prevents any later rule from re-tagging these events.

Step 2: Configure event sending in FireEye

In the FireEye appliance, create a notification of type rsyslog that sends the event data in JSON Concise format. Then add your Devo relay as an rsyslog server, specifying the relay's IP address and the port on which you set up the relay rule in Step 1. Make sure the appliance can reach the relay on that port.

At this point, events are sent to the Devo relay, where the tag is applied before they are securely forwarded to your Devo domain. To confirm, query the edr.fireeye.alerts table in Devo and check that new events appear.

Table structure

These are the fields displayed in this table:

edr.fireeye.alerts

Field | Type | Field transformation | Source field name | Extra fields
eventdate | timestamp |  |  | 
appliance | str |  |  | 
appliance_id | str |  |  | 
msg | str |  |  | 
product | str |  |  | 
version | str |  |  | 
alert_id | str |  |  | 
alert_name | str |  |  | 
alert_occurred | str |  |  | 
alert_severity | str |  |  | 
alert_src_url | str |  |  | 
alert_src_repository | str |  |  | 
alert_uuid | str |  |  | 
alert_ack | str |  |  | 
alert_action | str |  |  | 
alert_url | str |  |  | 
alert_explanation_analysis | str |  |  | 
alert_explanation_anomaly | str |  |  | 
alert_explanation_malware | str |  |  | 
alert_explanation_malware_detected_malware_sha256 | str | peek(alert_explanation_malware, re("\"sha256\":\"(.*?)\""), 1) | alert_explanation_malware | 
alert_explanation_os_changes_action_fopen_ext | str |  |  | 
alert_explanation_os_changes_action_fopen_mode | str |  |  | 
alert_explanation_os_changes_action_fopen_name | str |  |  | 
alert_explanation_os_changes_action_fopen_tstamp | str |  |  | 
alert_explanation_os_changes_analysis_ftype | str |  |  | 
alert_explanation_os_changes_analysis_mode | str |  |  | 
alert_explanation_os_changes_analysis_product | str |  |  | 
alert_explanation_os_changes_analysis_version | str |  |  | 
alert_explanation_os_changes_app_name | str |  |  | 
alert_explanation_os_changes_doc_summary | str |  |  | 
alert_explanation_os_changes_end_of_report | str |  |  | 
alert_explanation_os_changes_file | str |  |  | 
alert_explanation_os_changes_id | str |  |  | 
alert_explanation_os_changes_malicious_alert_app_name | str |  |  | 
alert_explanation_os_changes_malicious_alert_display_msg | str |  |  | 
alert_explanation_os_changes_network | str |  |  | 
alert_explanation_os_changes_network_ipaddress | str | peek(alert_explanation_os_changes_network, re("\"ipaddress\":\"(.*?)\""), 1) | alert_explanation_os_changes_network | 
alert_explanation_os_changes_os_os_arch | str |  |  | 
alert_explanation_os_changes_os_os_name | str |  |  | 
alert_explanation_os_changes_os_os_sp | str |  |  | 
alert_explanation_os_changes_os_os_version | str |  |  | 
alert_explanation_os_changes_os_monitor_build | str |  |  | 
alert_explanation_os_changes_os_monitor_date | str |  |  | 
alert_explanation_os_changes_os_monitor_time | str |  |  | 
alert_explanation_os_changes_os_monitor_version | str |  |  | 
alert_explanation_os_changes_uac_mode | str |  |  | 
alert_explanation_os_changes_uac_status | str |  |  | 
alert_explanation_os_changes_uac_timestamp | str |  |  | 
alert_explanation_os_changes_uac_value | str |  |  | 
alert_explanation_os_changes_apicall | str |  |  | 
alert_explanation_os_changes_high_cpu | str |  |  | 
alert_explanation_os_changes_process | str |  |  | 
alert_explanation_os_changes_version | str |  |  | 
alert_explanation_protocol | str |  |  | 
hostchain | str |  |  | 
tag | str |  |  | 
rawMessage | str |  |  | 
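As an added example (not code from Devo or FireEye), the following Python walks a constructed JSON Concise alert through Step 1 and Step 2 above and then maps it onto the columns of this table, applying the two peek() transformations the table lists. The sample alert, the hostname fireeye-nx01, port 13007 as the relay port, the fenotify program field, the key nesting under alert.explanation and the shape of the Devo syslog line the relay emits are all assumptions.

```python
"""Added example (not Devo or FireEye code): a constructed FireEye JSON
Concise alert sent as rsyslog, tagged by the Step 1 relay rule, then
flattened into edr.fireeye.alerts columns with the table's peek() rules.
Alert content, hostname, port, key nesting and framing are assumptions."""
import json
import re
from datetime import datetime

RELAY_PORT = 13007               # port used in the Step 1 example
DEVO_TAG = "edr.fireeye.alerts"

# Constructed sample alert; nesting assumed to mirror the column names
# (alert.explanation.malware-detected.malware[].sha256, os-changes.network).
SAMPLE_ALERT = {
    "product": "Web MPS", "version": "9.0.0", "appliance": "fireeye-nx01",
    "appliance-id": "ABC123", "msg": "concise",
    "alert": {
        "id": 1001, "uuid": "4f9d7a1e-0000-4000-8000-000000000001",
        "name": "malware-object", "severity": "majr",
        "occurred": "2024-05-01 10:15:30 +0000", "ack": "no",
        "action": "notified", "alert-url": "https://fireeye-nx01/alerts/1001",
        "src": {"url": "http://example.invalid/payload.exe", "repository": ""},
        "explanation": {
            "protocol": "http",
            "malware-detected": {"malware": [
                {"sha256": "a" * 64, "name": "Trojan.Generic.A"},
                {"sha256": "b" * 64, "name": "Trojan.Generic.B"}]},
            "os-changes": {"network": {"ipaddress": "203.0.113.10",
                                       "mode": "connect"}},
        },
    },
}

def fireeye_rsyslog_line(alert: dict, ts: datetime) -> str:
    """Line as the FireEye rsyslog notification sends it to the relay port:
    RFC 3164 framing, an assumed program field, the JSON payload, no Devo tag."""
    return (f"<14>{ts.strftime('%b %d %H:%M:%S')} {alert['appliance']} "
            f"fenotify: {json.dumps(alert, separators=(',', ':'))}")

def apply_relay_rule(line: str, port: int) -> str:
    """Emulates the Step 1 rule: an event on the dedicated port gets the
    target tag inserted in place of the source program field ('Sent without
    syslog tag'). Output shape <pri>timestamp host tag: msg is assumed."""
    if port != RELAY_PORT:
        raise ValueError(f"no relay rule for port {port}")
    m = re.match(r"^(<\d+>\w{3} \d\d \d\d:\d\d:\d\d \S+) \S+: (.*)$", line, re.S)
    if not m:
        raise ValueError("unexpected syslog framing")
    return f"{m.group(1)} {DEVO_TAG}: {m.group(2)}"

def peek(value: str, pattern: str, group: int = 1):
    """Emulates Devo's peek(str, re(...), n): capture group n of the FIRST
    match, or None when the pattern does not match."""
    m = re.search(pattern, value)
    return m.group(group) if m else None

def flatten_alert(tagged_line: str) -> dict:
    """Maps a tagged line onto the table's columns (values as str)."""
    header, payload = tagged_line.split(": ", 1)   # first ': ' ends the tag
    raw = json.loads(payload)
    a = raw["alert"]
    exp = a.get("explanation", {})
    dump = lambda o: json.dumps(o, separators=(",", ":"))
    cols = {
        "tag": header.split()[-1], "rawMessage": payload,
        "appliance": raw.get("appliance"), "appliance_id": raw.get("appliance-id"),
        "msg": raw.get("msg"), "product": raw.get("product"),
        "version": raw.get("version"), "alert_id": a.get("id"),
        "alert_name": a.get("name"), "alert_occurred": a.get("occurred"),
        "alert_severity": a.get("severity"), "alert_uuid": a.get("uuid"),
        "alert_src_url": a.get("src", {}).get("url"),
        "alert_src_repository": a.get("src", {}).get("repository"),
        "alert_ack": a.get("ack"), "alert_action": a.get("action"),
        "alert_url": a.get("alert-url"),
        "alert_explanation_protocol": exp.get("protocol"),
        "alert_explanation_malware": dump(exp.get("malware-detected", {})),
        "alert_explanation_os_changes_network":
            dump(exp.get("os-changes", {}).get("network", {})),
    }
    cols = {k: (None if v is None else str(v)) for k, v in cols.items()}
    # The two transformations listed in the table, run over the JSON strings.
    cols["alert_explanation_malware_detected_malware_sha256"] = peek(
        cols["alert_explanation_malware"], r'"sha256":"(.*?)"')
    cols["alert_explanation_os_changes_network_ipaddress"] = peek(
        cols["alert_explanation_os_changes_network"], r'"ipaddress":"(.*?)"')
    return cols

def all_sha256(malware_json: str) -> list:
    """Every sha256 in malware-detected; peek() above keeps only the first."""
    return re.findall(r'"sha256":"(.*?)"', malware_json)

def demo() -> dict:
    """Runs the full path: FireEye -> relay rule -> table columns."""
    sent = fireeye_rsyslog_line(SAMPLE_ALERT, datetime(2024, 5, 1, 10, 15, 30))
    forwarded = apply_relay_rule(sent, RELAY_PORT)
    return {"sent": sent, "forwarded": forwarded, "columns": flatten_alert(forwarded)}

if __name__ == "__main__":
    print(json.dumps(demo()["columns"], indent=2))
```

Note what the peek() transformation does and does not give you: it returns the first match only, so an alert whose malware-detected object lists several files lands one sha256 in alert_explanation_malware_detected_malware_sha256, and the remaining hashes are only reachable by parsing alert_explanation_malware or rawMessage in your own query. The same applies to alert_explanation_os_changes_network_ipaddress when an alert records more than one connection.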