
How to – Configure FireEye Network Security and Forensics (NX) to forward logs to EventTracker
EventTracker v9.x and later
Publication Date: April 30, 2020

Integrate FireEye

Abstract
This guide provides instructions to retrieve FireEye Network Security and Forensics (NX) events by syslog. Once EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor FireEye Network Security and Forensics (NX).

Scope
The configurations detailed in this guide are consistent with EventTracker version 9.x or above and FireEye Network Security and Forensics (NX).

Audience
Administrators who are assigned the task of monitoring FireEye Network Security and Forensics (NX) events using EventTracker.

The information contained in this document represents the current view of Netsurion on the issues discussed as of the date of publication. Because Netsurion must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is provided.

Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Netsurion, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.
© 2020 Netsurion. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents
1. Overview
2. Prerequisites
3. Integrating FireEye NX with EventTracker
3.1 Configuring Syslog Forwarding

1. Overview
FireEye Network Security and Forensics (NX) is a network threat protection solution. It helps organizations minimize the risk of costly breaches by detecting and stopping advanced, targeted and other evasive attacks hiding in Internet traffic.

EventTracker, when integrated with FireEye NX, collects logs from FireEye NX and creates detailed reports, alerts, dashboards and saved searches, so that users can view the critical and important information on a single platform.

Reports contain a detailed overview of events such as a malware object, indicating the presence of a file attachment with a malicious executable payload, or a web infection, indicating an outbound connection, initiated by a web browser, to a website that was determined to be malicious.

Alerts are raised as soon as any critical event is triggered by FireEye NX, so users receive real-time notifications of events such as a suspicious file hash detection or a suspicious web URL detection.

Dashboards display a graphical overview of all the malware detected by FireEye NX, command and control server connections, etc. These views include fields such as the suspicious source IP address, source port, destination IP address, destination port, anomaly type and malware name.

2. Prerequisites
- The syslog port on the EventTracker VCP (virtual collection point) must be open.
- Port 514 must be allowed through any firewall between FireEye NX and EventTracker (if applicable).

3. Integrating FireEye NX with EventTracker
FireEye NX can be integrated with EventTracker using syslog forwarding.

3.1 Configuring Syslog Forwarding
Follow the steps below to configure syslog forwarding.

1. Log in to the FireEye NX Web UI with an admin account.
2. Navigate to Settings > Notifications.
3. Click rsyslog and check the "Event type" check box.
4. Make sure the Rsyslog settings are:

   Default format: CEF
   Default delivery: Per event
   Default send as: Alert

Figure 1

5. Next to the "Add Rsyslog Server" button, type "EventTracker" as the server name, then click the "Add Rsyslog Server" button.
6. Enter the EventTracker server IP address in the "IP Address" field (the public IP, if EventTracker is hosted in the cloud).
7. Check the Enabled check box.
8. Select Per Event in the "Delivery" drop-down list.
9. Select All Events in the "Notifications" drop-down list.
10. Select CEF in the "Format" drop-down list.
11. Select UDP in the "Protocol" drop-down list (the default port is 514).
12. Click Update, then click the "Test-Fire" button to send test events to the EventTracker server. Syslog over UDP is neither encrypted nor acknowledged, so confirm on the EventTracker side that the Test-Fire events actually arrive and are parsed before relying on the feed.

Figure 2
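To show what the CEF/UDP feed configured in steps 10 and 11 looks like on the receiving side, here is an added example (not Netsurion's or FireEye's code) that parses CEF-formatted syslog lines, tolerates a datagram truncated in transit, and picks out events at or above a severity threshold. The sample lines are constructed for illustration: the vendor and product strings, event names, signature IDs and extension keys (src, dst, spt, dpt, request, fileHash, cs1) are assumptions and may not match what a real NX appliance emits. The receive_loop function binds an assumed unprivileged port 5514, since 514 requires root.

```python
"""Parse CEF syslog events as FireEye NX forwards them over UDP/514
(steps 10-11 above) and pick out the ones worth alerting on.

Added example for this guide, not Netsurion's or FireEye's code. The
sample lines are constructed: vendor/product strings, event names,
signature IDs and extension keys are assumptions and may differ from
what a real NX appliance emits.
"""
import re
import socket
from typing import Dict, List, Optional, Tuple

# CEF header: CEF:Version|Vendor|Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

SAMPLE_LINES = [  # constructed, not captured from an appliance
    "<14>Apr 30 2020 10:15:01 nx-appliance CEF:0|FireEye|NX|9.0|MO|malware-object|10|"
    "src=10.1.2.3 spt=51234 dst=203.0.113.45 dpt=80 fileHash=deadbeef0001 "
    "cs1Label=anomaly cs1=malware-object request=http://203.0.113.45/invoice.exe",
    # escaped '|' inside a header field and escaped '=' inside a value
    "<14>Apr 30 2020 10:16:42 nx-appliance CEF:0|FireEye|NX|9.0|WI|web-infection (drive\\|by)|8|"
    "src=10.1.2.9 spt=40022 dst=198.51.100.7 dpt=443 "
    "request=https://198.51.100.7/login?id\\=7 cs1Label=anomaly cs1=web-infection",
    # datagram cut short in transit: UDP delivers without acknowledgement
    "<14>Apr 30 2020 10:17:00 nx-appliance CEF:0|FireEye|NX|9.0|WI|web-inf",
]

_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # an unescaped key= starts a pair


def _split_header(cef: str) -> Tuple[List[str], str]:
    """Split the 7 '|'-separated header fields, honouring backslash escapes."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # '\|' or '\\' -> literal char
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, cef[i:]                          # remainder is the extension


def _parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v two' into a dict; each value runs up to the next key."""
    out: Dict[str, str] = {}
    hits = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        value = ext[m.end():end]
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\").strip()
    return out


def parse_cef(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line; return None if there is no CEF payload or it is truncated."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    fields, ext = _split_header(line[idx + len("CEF:"):])
    if len(fields) != 7:
        return None                                 # header incomplete, drop it
    event = dict(zip(HEADER_FIELDS, fields))
    event.update(_parse_extension(ext))
    return event


def triage(lines: List[str], min_severity: int = 7) -> List[Tuple[str, str, str, str]]:
    """Return (name, src, dst, indicator) for parseable events at or above min_severity."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if ev is None or not ev["severity"].isdigit():
            continue
        if int(ev["severity"]) >= min_severity:
            indicator = ev.get("request") or ev.get("fileHash") or ""
            hits.append((ev["name"], ev.get("src", "?"), ev.get("dst", "?"), indicator))
    return hits


def receive_loop(host: str = "0.0.0.0", port: int = 5514) -> None:
    """Bare UDP receiver to confirm Test-Fire events arrive (514 needs root; 5514 is assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            ev = parse_cef(data.decode("utf-8", errors="replace"))
            print(peer, ev["name"] if ev else "unparsed or truncated datagram")


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit)
```

Running the module parses the three constructed lines and reports the two complete events; the truncated third line is dropped rather than producing a half-filled event, which is the behaviour to expect from an unacknowledged UDP feed. Pointing receive_loop at the port used in step 11 (or a forwarded unprivileged port) gives a quick way to see whether Test-Fire events reach the collector at all.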
