FireEye Endpoint Security
FireEye Endpoint Security, sometimes called FireEye HX, begins with the knowledge of threats learned from Mandiant front line incident responders. This knowledge enables their team to develop responses targeted to the various Tactics, Techniques, and Procedures (TTPs) of the threats.
Chronicle Data Types
- FIREEYE_ALERT
Configuration - API Integration
API Key and Permissions
Cyderes requires the ability to use FireEye's HX API to obtain alerts on threats and then enrich those alerts with detailed endpoint data and telemetry. Before Cyderes can begin ingesting data from the FireEye Endpoint Security platform, you must ensure the Endpoint Security server is running FireEye software version 2.5 or higher, and an API user must be created on the Endpoint Security server.
To generate an API user and key, log in to the HX management console with an administrator account and then follow the steps under the section titled "Creating a user account using the appliance Web UI" in FireEye's HX documentation.
Once the account has been created, further information on API user access levels can be found here. We recommend the api_analyst access level for the Cyderes account, since it provides the user with full API access without granting any administrator access.
Configuration - Syslog Forwarder Integration
Permissions
This section is optional and applies to syslog forwarder ingestion only. You must set up an account following the same steps as in the API Key and Permissions section above, then follow the steps below to enable syslog forwarding for this product.
- Navigate back to Settings > Notifications > rsyslog
- Check the Event type check box
- Make sure the Rsyslog settings are:
  - Default format: JSON – Concise
  - Default delivery: Per event
  - Default send as: Alert
- Click Apply Settings
Gather Information
Provide the following information to Cyderes to complete implementation:
- The unique FQDN of the HX console
- Username
- Password