Logo
Sign in
  1. Logpoint Service Desk
  2. Products Hub
  3. Marketplace

Fireeye.png

FireEye

The FireEye application normalizes FireEye events and enables you to analyze the data using pre-set dashboard views. You can further customize the dashboard and searches to perform in-depth analysis.

Release Details
Version:5.0.2
Release Date: November 14, 2024
Supported On: Logpoint v6.7.0 or later
Prerequisite: Universal REST API Fetcher v2.1.1
SHA 256: 61402a474cf60331ce311f2f95c06b12c180e98d3f281c755835b141302948ab
Documentation: FireEye Guide
Download

Package Details

 

 

 

 

 

 

 

 

 

 

Bug Fix

Description

 Issue ID Reference ID

After upgrading FireEye, FireEyeCEFCompiledNormalizer failed to normalize logs.

 PLUG-13084 85285

Change in the Previous Version

FireEye v5.0.1

General Description

The FireEye application normalizes FireEye events and enables you to analyze the data using pre-set dashboard views. You can further customize the dashboard and searches to perform in-depth analysis.

Release Details

Fields

Details

Name

FireEye

Version

5.0.1

Supported On

LogPoint v6.7.0 and later

Release Date

2020-05-14
Document Date

2020-05-14
Download

FireEye_5.0.1.pak
SHA256

4a8f75d9758992e58970e53f3c15b42e262b6dac2d1b0d3fdd3f7aa27405a5fb


Package Details

The application consists of the following components:

  1. Dashboard Packages
    • LP_FireEye eMPS 
    • LP_FireEye Web 
  2. Normalization Package
    • LP_FireEye Web 
  3. Label Package 
    • LP_FireEye
  4. Search Template
    • LP_FireEye 
  5. Compiled Normalizer
    • FireEyeCEFCompiledNormalizer

Enhancement

A minor update has been done in the application’s normalizer for better signature handling.

Installation 

Follow these steps to install the FireEye v5.0.1 application:

  1. Download the FireEye package from the Download section above.
  2. Add FireEye as the required device in LogPoint.
  3. Create a collection policy with the Syslog collector and appropriate processing policy. 
  4. Assign the policy to the device.
  5. Add the dashboard.

Screenshot

fireeye1.png

Supported Devices

The supported devices of FireEye with LogPoint in this configuration are:

  • FireEye
  • FireEye CEF
  • FireEye CMS CEF
  • FireEye Web

Log Format

 FireEye Web

Log Sample

<164>fenotify-1237443.alert: CSV:0:FireEye:Web MPS:6.1.0.70271:MC:malware-callback,osinfo=Dummy,sev=alert,malware_type=Dummy,alertid=1237443,app=Dummy,spt=3860,locations=Dummy,smac=00:00:00:00:00:0x,header=,cnchost=1.1.1.1,alertType=malware-callback,shost=Dummy,dst=2.2.2.2,original_name=Dummy,application=Dummy,sid=11111288,malware-note=Dummy,objurl=Dummy,mwurl=Dummy,profile=Dummy,dmac=00:00:00:00:00:xx,product=Web MPS,sname=Infection,fileHash=Dummy,dvchost=host1,occurred=2014-10-09T21:52:27Z,release=6.1.0.70271,link=https://1.1.1.1/event_stream/events_for_bot?ev_id=1237443&lms_iden=xx:xx:xx:xx:xx:xx,cncport=80,src=1.1.1.1,dpt=80,anomaly=Dummy,dvc=1.1.1.3,channel=GET /?32992f=3316015 HTTP/1.0::~~User-Agent: xxxx v 5.02c::~~Accept: */*::~~Host: xxxxxxxxx777.info::~~Connection: Keep-Alive::~~::~~,action=notified,os=,stype=bot-command,

FireEye CEF

Expected Log Format

FireEye: CEF

Log Sample

<164>fenotify-1237443.alert: CSV:0:FireEye:Web MPS:6.1.0.70271:MC:malware-callback,osinfo=Dummy,sev=crit,malware_type=Dummy,alertid=1237443,app=Dummy,spt=3860,locations=Dummy,smac=00:00:00:00:00:xx,header=,cnchost=3.3.3.3,alertType=malware-callback,shost=Dummy,dst=4.4.4.4,original_name=Dummy,application=Dummy,sid=11111288,malware-note=Dummy,objurl=Dummy,mwurl=Dummy,profile=Dummy,dmac=00:00:00:00:00:11,product=Web MPS,sname=Trojan.xxxxxx,fileHash=Dummy,dvchost=fireeye2,occurred=2014-10-09T21:52:27Z,release=6.1.0.70271,link=https://1.1.1.1/event_stream/events_for_bot?ev_id=1237443&lms_iden=xx:xx:xx:xx:xx:xx,cncport=80,src=1.1.1.2,dpt=80,anomaly=Dummy,dvc=1.1.1.3,channel=GET /?32992f=3316015 HTTP/1.0::~~User-Agent: xxxx v 5.02c::~~Accept: */*::~~Host: xxxxxxxxxxxxx.info::~~Connection: Keep-Alive::~~::~~,action=notified,os=,stype=bot-command,

To export data to LogPoint, use Syslog collector on port 514 on the LogPoint server.

Release Details

Fields

Details

Name

FireEye

Version

3.3.0

Supported On

LogPoint v6.0.0 to v6.6.6

Release Date

2020-05-14
Document Date

2020-05-14
Download

FireEye_3.3.0.pak 
SHA256

 638c97f91f8e574583e77ddac1d6635a37243fdedb5a047e830b9625d9aeea84


Package Details

The application consists of the following components:

  1. Dashboard Packages
    • LP_FireEye eMPS 
    • LP_FireEye Web 
  2. Normalization Package
    • LP_FireEye Web 
  3. Label Package 
    • LP_FireEye
  4. Search Template
    • LP_FireEye 
  5. Compiled Normalizer
    • FireEyeCEFCompiledNormalizer

Enhancement

A minor update has been done in the application’s normalizer for better signature handling.

Installation 

Follow these steps to install the FireEye v3.3.0 application:

  1. Download the FireEye package from the Download section above.
  2. Add FireEye as the required device in LogPoint.
  3. Create a collection policy with the Syslog collector and appropriate processing policy. 
  4. Assign the policy to the device.
  5. Add the dashboard.

Screenshot

fireeye.png

Supported Devices

The supported devices of FireEye with LogPoint in this configuration are:

  • FireEye
  • FireEye CEF
  • FireEye CMS CEF
  • FireEye Web

Log Format

 FireEye Web

Log Sample

<164>fenotify-1237443.alert: CSV:0:FireEye:Web MPS:6.1.0.70271:MC:malware-callback,osinfo=Dummy,sev=alert,malware_type=Dummy,alertid=1237443,app=Dummy,spt=3860,locations=Dummy,smac=00:00:00:00:00:0x,header=,cnchost=1.1.1.1,alertType=malware-callback,shost=Dummy,dst=2.2.2.2,original_name=Dummy,application=Dummy,sid=11111288,malware-note=Dummy,objurl=Dummy,mwurl=Dummy,profile=Dummy,dmac=00:00:00:00:00:xx,product=Web MPS,sname=Infection,fileHash=Dummy,dvchost=host1,occurred=2014-10-09T21:52:27Z,release=6.1.0.70271,link=https://1.1.1.1/event_stream/events_for_bot?ev_id=1237443&lms_iden=xx:xx:xx:xx:xx:xx,cncport=80,src=1.1.1.1,dpt=80,anomaly=Dummy,dvc=1.1.1.3,channel=GET /?32992f=3316015 HTTP/1.0::~~User-Agent: xxxx v 5.02c::~~Accept: */*::~~Host: xxxxxxxxx777.info::~~Connection: Keep-Alive::~~::~~,action=notified,os=,stype=bot-command,

FireEye CEF

Expected Log Format

FireEye: CEF

Log Sample

<164>fenotify-1237443.alert: CSV:0:FireEye:Web MPS:6.1.0.70271:MC:malware-callback,osinfo=Dummy,sev=crit,malware_type=Dummy,alertid=1237443,app=Dummy,spt=3860,locations=Dummy,smac=00:00:00:00:00:xx,header=,cnchost=3.3.3.3,alertType=malware-callback,shost=Dummy,dst=4.4.4.4,original_name=Dummy,application=Dummy,sid=11111288,malware-note=Dummy,objurl=Dummy,mwurl=Dummy,profile=Dummy,dmac=00:00:00:00:00:11,product=Web MPS,sname=Trojan.xxxxxx,fileHash=Dummy,dvchost=fireeye2,occurred=2014-10-09T21:52:27Z,release=6.1.0.70271,link=https://1.1.1.1/event_stream/events_for_bot?ev_id=1237443&lms_iden=xx:xx:xx:xx:xx:xx,cncport=80,src=1.1.1.2,dpt=80,anomaly=Dummy,dvc=1.1.1.3,channel=GET /?32992f=3316015 HTTP/1.0::~~User-Agent: xxxx v 5.02c::~~Accept: */*::~~Host: xxxxxxxxxxxxx.info::~~Connection: Keep-Alive::~~::~~,action=notified,os=,stype=bot-command,

To export data to LogPoint, use Syslog collector on port 514 on the LogPoint server.

 

 

 

Support

If you have any questions or require assistance, create a support ticket.

  • Fireeye.zip (1 MB)

Comments

Article is closed for comments.

Follow

Related articles

  • Trellix
  • Support Overview
  • Fail2ban
  • First Class
  • Varonis
Privacy policy    EULA    Terms of service   
Copyright © , Logpoint. All rights reserved.