edr.fireeye
Introduction
The tag edr.fireeye.alerts identifies log events generated by FireEye Security Solutions.
Sending methods
This technology uses a single tag to support all of the log events generated by FireEye Security Solutions. The tag is simply edr.fireeye.alerts, and the associated events are saved in Devo in a table of the same name. For more information, read more about Devo tags.
To set up the sending of FireEye events to your Devo domain:
Set up the Devo relay rule that applies the tag to the FireEye events.
Configure event sending from FireEye to the Devo relay.
Other sending methods
Instead of the Devo relay, you may opt to use tools like NXlog, Fluentd, or Logstash to collect the alert events, apply the Devo tag, and forward them securely to your Devo cloud. Learn more in Other data collection methods.
Here we explain how to send events using the Devo relay.
Step 1: Set up the Devo relay rule
You'll set up a rule on the relay that will apply the correct tag before forwarding the events to Devo in syslog format.
For complete instructions, see the vendor documentation online.
Create a simple rule on your Devo Relay that applies the edr.fireeye.alerts tag to all events arriving on a specified port. In the example below, we use port 13007, but you can use any port that you can dedicate to these events.
Source port → As required
Target tag → edr.fireeye.alerts
Check the Stop processing and Sent without syslog tag checkboxes.
Step 2: Configure event sending in FireEye
In FireEye, set up a notification of the rsyslog event type that sends the event data in JSON - Concise format. Then add your Devo Relay as an Rsyslog Server, indicating the relay's IP address and the port on which you set up the relay rule in Step 1.
At this point, the events should be arriving at the Devo relay, where the correct tag is applied before they are securely forwarded to your Devo domain.
Table structure
These are the fields displayed in this table:
edr.fireeye.alerts
Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | | | |
appliance | | | |
appliance_id | | | |
msg | | | |
product | | | |
version | | | |
alert_id | | | |
alert_name | | | |
alert_occurred | | | |
alert_severity | | | |
alert_src_url | | | |
alert_src_repository | | | |
alert_uuid | | | |
alert_ack | | | |
alert_action | | | |
alert_url | | | |
alert_explanation_analysis | | | |
alert_explanation_anomaly | | | |
alert_explanation_malware | | | |
alert_explanation_malware_detected_malware_sha256 | | `peek(alert_explanation_malware, re("\"sha256\":\"(.*?)\""), 1)` | alert_explanation_malware |
alert_explanation_os_changes_action_fopen_ext | | | |
alert_explanation_os_changes_action_fopen_mode | | | |
alert_explanation_os_changes_action_fopen_name | | | |
alert_explanation_os_changes_action_fopen_tstamp | | | |
alert_explanation_os_changes_analysis_ftype | | | |
alert_explanation_os_changes_analysis_mode | | | |
alert_explanation_os_changes_analysis_product | | | |
alert_explanation_os_changes_analysis_version | | | |
alert_explanation_os_changes_app_name | | | |
alert_explanation_os_changes_doc_summary | | | |
alert_explanation_os_changes_end_of_report | | | |
alert_explanation_os_changes_file | | | |
alert_explanation_os_changes_id | | | |
alert_explanation_os_changes_malicious_alert_app_name | | | |
alert_explanation_os_changes_malicious_alert_display_msg | | | |
alert_explanation_os_changes_network | | | |
alert_explanation_os_changes_network_ipaddress | | `peek(alert_explanation_os_changes_network, re("\"ipaddress\":\"(.*?)\""), 1)` | alert_explanation_os_changes_network |
alert_explanation_os_changes_os_os_arch | | | |
alert_explanation_os_changes_os_os_name | | | |
alert_explanation_os_changes_os_os_sp | | | |
alert_explanation_os_changes_os_os_version | | | |
alert_explanation_os_changes_os_monitor_build | | | |
alert_explanation_os_changes_os_monitor_date | | | |
alert_explanation_os_changes_os_monitor_time | | | |
alert_explanation_os_changes_os_monitor_version | | | |
alert_explanation_os_changes_uac_mode | | | |
alert_explanation_os_changes_uac_status | | | |
alert_explanation_os_changes_uac_timestamp | | | |
alert_explanation_os_changes_uac_value | | | |
alert_explanation_os_changes_apicall | | | |
alert_explanation_os_changes_high_cpu | | | |
alert_explanation_os_changes_process | | | |
alert_explanation_os_changes_version | | | |
alert_explanation_protocol | | | |
hostchain | | | | ✓
tag | | | | ✓
rawMessage | | | |
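The two derived fields in the table are produced with `peek(field, re("..."), 1)`, i.e. the first capture group of the first regex match over the raw JSON string. The Python below is an added example, not Devo or FireEye code: it reproduces that extraction on a constructed alert, shows that `peek` only ever yields the first sha256 when an alert lists several samples, and that the regex returns nothing if the JSON is pretty-printed with a space after the colon. The nested key layout (`malware-detected`, `network`) of the sample is an assumption made for the example.

```python
import json
import re

# Constructed sample of the two source fields as they would be stored in the
# edr.fireeye.alerts table (compact JSON - Concise style). Invented test data;
# the nested key names are assumptions, not documented FireEye output.
SAMPLE_ALERT = {
    "alert_explanation_malware": json.dumps(
        {"malware-detected": {"malware": [
            {"name": "EXAMPLE.Dropper", "sha256": "a" * 64, "md5": "b" * 32},
            {"name": "EXAMPLE.Payload", "sha256": "c" * 64},
        ]}},
        separators=(",", ":")),
    "alert_explanation_os_changes_network": json.dumps(
        {"network": [
            {"mode": "connect", "ipaddress": "203.0.113.10", "port": 443},
            {"mode": "dns", "hostname": "example.invalid"},
        ]},
        separators=(",", ":")),
}


def peek(value: str, pattern: str, group: int = 1):
    """Mirror Devo's peek(): first capture group of the first match, else None."""
    m = re.search(pattern, value)
    return m.group(group) if m else None


def derive_extra_fields(alert: dict) -> dict:
    """Apply the two transformations listed in the table to one alert row."""
    return {
        "alert_explanation_malware_detected_malware_sha256": peek(
            alert.get("alert_explanation_malware", ""), r'"sha256":"(.*?)"'),
        "alert_explanation_os_changes_network_ipaddress": peek(
            alert.get("alert_explanation_os_changes_network", ""),
            r'"ipaddress":"(.*?)"'),
    }


def all_sha256_via_json(raw: str) -> list:
    """Cross-check for analysts: parse the JSON properly and return every
    sha256, so a multi-sample alert is not silently reduced to its first hash."""
    doc = json.loads(raw)
    return [m["sha256"] for m in doc["malware-detected"]["malware"] if "sha256" in m]
```

If a FireEye appliance emits pretty-printed JSON, the regex in the table will not match, so verify on a real event that the derived columns are populated rather than null.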