
Fireeye Endpoint Security

About

FireEye XDR uncovers threats by correlating incident data and applying frontline intelligence and analytics. It simplifies threat detection, investigation, and incident response by highlighting what is critical and raising analyst proficiency.

Product Details

Vendor URL: Fireeye Endpoint Security

Product Type: Endpoint Detection and Response

Product Tier: Tier I

Integration Method: Custom

Integration URL: Fireeye Endpoint Security - Cyderes Documentation

Log Guide: N/A

Parser Details

Log Format: JSON

Expected Normalization Rate: 95%

Data Label: FIREEYE_ALERT

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
| --- | --- |
| agent_info.domain | principal.administrative_domain |
| agent_info.hostname | principal.hostname |
| agent_info.hostname | security_result.about.hostname |
| agent_info.os.product_name | principal.platform_version |
| agent_info.primary_ip_address | principal.ip |
| agent_info.primary_ip_address | security_result.about.ip |
| agent_info.url | target.url |
| alert.action | security_result.action |
| alert.alert-url | metadata.url_back_to_product |
| alert.attack-time | metadata.event_timestamp |
| alert.dst.ip | target.ip |
| alert.dst.port | target.port |
| alert.dst.smtp-to | network.email.to |
| alert.explanation.cnc-services.cnc-service.channel | network.http.method |
| alert.explanation.cnc-services.cnc-service.channel | network.http.user_agent |
| alert.explanation.cnc-services.cnc-service.channel | network.session_id |
| alert.explanation.cnc-services.cnc-service.host | target.hostname |
| alert.explanation.cnc-services.cnc-service.url | target.url |
| alert.explanation.malware-detected.malware.0.url | target.url |
| alert.explanation.malware-detected.malware.name | security_result.rule_name |
| alert.explanation.malware-detected.malware.sha256 | security_result.about.file.sha256 |
| alert.explanation.malware-detected.malware.stype | security_result.rule_id |
| alert.explanation.malware-detected.malware.type | security_result.rule_type |
| alert.explanation.malware-detected.malware.url | security_result.about.file.full_path |
| alert.name | metadata.product_event_type |
| alert.name | security_result.summary |
| alert.occurred | metadata.event_timestamp |
| alert.sc-version | security_result.rule_version |
| alert.sensor-ip | observer.ip |
| alert.severity | security_result.severity |
| alert.severity | security_result.severity_details |
| alert.smtp-message.subject | network.email.subject |
| alert.src.host | principal.hostname |
| alert.src.host | src.hostname |
| alert.src.ip | principal.ip |
| alert.src.ip | src.ip |
| alert.src.port | principal.port |
| alert.src.port | src.port |
| alert.src.smtp-mail-from | network.email.from |
| alert.uuid | metadata.product_log_id |
| appliance | observer.hostname |
| appliance-id | observer.mac |
| appliance.id | observer.hostname |
| confidence | security_result.confidence |
| desc | security_result.summary |
| event_type | metadata.product_event_type |
| event_values.fileWriteEvent/fullPath | target.process.file.full_path |
| event_values.fileWriteEvent/parentPid | target.process.parent_pid |
| event_values.fileWriteEvent/pid | target.process.pid |
| event_values.fileWriteEvent/size | target.process.file.size |
| event_values.fileWriteEvent/username | principal.user.userid |
| event_values.processEvent/processPath | target.process.file.full_path |
| event_values.scanned-object.file-event.sub-type | metadata.product_event_type |
| event_values.scanned-object.registry.key | target.registry.registry_key |
| event_values.scanned-object.registry.value | target.registry.registry_value_data |
| event_values.scanned-object.scanned-object-type | target.resource.resource_subtype |
| indicator.display_name | security_result.summary |
| indicator.url | security_result.about.url |
| infection_name | security_result.threat_name |
| infection_type | security_result.priority |
| infection_type | security_result.summary |
| path | target.process.file.full_path |
| product | observer.application |
| reported_at | metadata.event_timestamp |
| resolution | security_result.action_details |
| source | security_result.description |
| source | security_result.summary |
| url | security_result.about.url |
| version | metadata.product_version |

Product Event Types

| event_type, source, subtype | UDM Event Type | alerting |
| --- | --- | --- |
| alert.smtp-message.smtp-header | EMAIL_TRANSACTION | |
| AV | SCAN_HOST | |
| FILE_OPERATION_CLOSED | FILE_UNCATEGORIZED | |
| FILE_OPERATION_OPENED | FILE_OPEN | |
| fileWriteEvent | PROCESS_UNCATEGORIZED | |
| processEvent | PROCESS_UNCATEGORIZED | |
| PROCGUARD | PROCESS_UNCATEGORIZED | |
| all other events | GENERIC_EVENT, NETWORK_CONNECTION | |
| all events | | TRUE |

Log Sample

{"is_false_positive":false,"event_id":null,"event_values":{"scanned-object":{"scanned-object-type":"file-event","file-event":{"file-path":"C:\\Users\\johndoe\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\QGQ0JQ4F\\start-use-shared-lib.c99a284abf6f1c08b04c[1].js","actor-process":{"path":"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe","user":{"username":"johndoe","domain":"domain1"},"pid":"21524"},"sub-type":"FILE_OPERATION_OPENED"}},"detections":{"detection":[{"engine":{"engine-type":"av","engine-version":"11.0.1.19","content-version":"7.91303"},"infected-object":{"object-type":"file","file-object":{"system-file":"false","access-time":"2022-03-02T20:17:30.105Z","inner-file-path":"(INFECTED_JS)","packed":"false","hidden":"false","read-only":"false","temporary":"false","size-in-bytes":"734776","file-path":"C:\\Users\\johndoe\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\QGQ0JQ4F\\start-use-shared-lib.c99a284abf6f1c08b04c[1].js","original-file-name":"","md5sum":"8443590f7ec6039ebc5c7e2b03db2cc5","sha1sum":"d2304e47adb30181fe2c8ad857cf1be14728ad94","creation-time":"2022-03-02T20:17:30.105Z","container":"true","sha256sum":"a7a146048ff57df7f32d09bbaeb30ff3cdb84b3280dab5111d7520c4022b6778","modification-time":"2022-03-02T20:17:30.203Z"}},"infection":{"confidence-level":"high","infection-type":"malware","infection-name":"JS:Trojan.JS.Agent.RX"},"action":{"requested-action":"clean","applied-action":"quarantine","result":"success","error":"0","reboot-required":"false","actioned-object":{"object-type":"file","file-object":{"temporary":"false","sha256sum":"a7a146048ff57df7f32d09bbaeb30ff3cdb84b3280dab5111d7520c4022b6778","size-in-bytes":"734776","inner-file-path":"(INFECTED_JS)","container":"true","hidden":"false","read-only":"false","md5sum":"8443590f7ec6039ebc5c7e2b03db2cc5","sha1sum":"d2304e47adb30181fe2c8ad857cf1be14728ad94","modification-time":"2022-03-02T20:17:30.203Z","file-path":"C:\\Users\\johndoe\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\QGQ0JQ4F\\start-use-shared-lib.c99a284abf6f1c08b04c[1].js","original-file-name":"","creation-time":"2022-03-02T20:17:30.105Z","access-time":"2022-03-02T20:17:30.105Z","packed":"false","system-file":"false"}}}}]},"scan-statistics":{"total-scan-time-in-ms":"503"},"system-data":{"xmlns":"website.domain2.com","xsi:schemaLocation":"website.domain2.com AM-alert.xsd","correlation-id":"sa9q23ka-asdl2011","timestamp":"2022-03-02T20:17:32.064Z","product-version":"33.45.0","whitelist-schema-version":"1.0.0","whitelist-content-version":"1.38.9","xmlns:xsi":"website.domain3.com","alert-version":"3","engine-version":"11.0.1.19","content-version":"7.91303","mg-engine-version":"33.46.0.13237","mg-content-version":"31"},"os-details":{"$":{"os-language":"en-US","name":"windows","version":"10.0.17134","patch":"0","os-arch":"64-bit"}},"scan-type":"oas"},"agent_info":{"hostname":"Hostname1","timezone":"Eastern Standard Time","primary_ip_address":"10.0.0.15","last_exploit_block_timestamp":null,"containment_state":"normal","domain":"domain1","last_alert":{"_id":103495,"url":"website.domain1.com"},"last_alert_timestamp":"2022-03-02T20:17:32.24+00:00","last_audit_timestamp":"2022-03-02T20:11:41.990Z","initial_agent_checkin":"2021-07-19T18:45:12.007Z","agent_version":"33.46.0","containment_missing_software":false,"ad_domain_comps":"","reported_clone":false,"_id":"asdl16707l4llas","stats":{"acqs":0,"malware_cleaned_count":0,"alerting_conditions":0,"exploit_alerts":0,"generic_alerts":0,"false_positive_alerts_by_source":{},"malware_quarantined_count":2,"alerts":2,"exploit_blocks":0,"malware_alerts":2,"false_positive_alerts":0,"malware_false_positive_alerts":0},"last_poll_timestamp":"2022-03-02T20:11:36.000Z","last_poll_ip":"198.177.6.251","primary_mac":"98-2c-bc-01-67-c4","containment_queued":false,"last_exploit_block":null,"excluded_from_containment":false,"ad_org_units":"","ad_common_names":"","url":"website.domain4.com","gmt_offset_seconds":-18000,"sysinfo":{"url":"website.domain4.com"},"os":{"product_name":"Windows 10 Enterprise","patch_level":null,"bitness":"64-bit","platform":"win","kernel_version":null}},"matched_source_alerts":[],"source":"MAL","decorators":[],"indicator":null,"multi_indicators":[],"agent":{"_id":"asdl16707l4llas","url":"website.domain4.com","containment_state":"normal"},"event_at":"2022-03-02T20:17:32.064Z","matched_at":"2022-03-02T20:17:32.064Z","reported_at":"2022-03-02T20:17:32.240Z","md5values":["8443590f7ec6039ebc5c7e2b03db2cc5"],"event_type":null,"appliance":{"_id":"Hostname2"},"_id":103495,"resolution":"QUARANTINED","decorator_statuses":[],"url":"website.domain1.com","condition":null,"subtype":"AV"}

Sample Parsing

metadata.event_timestamp = "2022-03-02T20:17:32Z"
metadata.event_type = "FILE_OPEN"
metadata.vendor_name = "FireEye"
metadata.product_name = "Alert"
metadata.ingested_timestamp = "2022-03-02T20:23:35.434254Z"
principal.hostname = "Hostname1"
principal.ip = "10.0.0.15"
principal.administrative_domain = "domain1"
principal.platform_version = "Windows 10 Enterprise"
principal.asset.ip = "10.0.0.15"
target.file.full_path = "C:\\Users\\johndoe\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\QGQ0JQ4F\\start-use-shared-lib.c99a284abf6f1c08b04c[1].js"
observer.hostname = "Hostname2"
security_result.about.hostname = "Hostname1"
security_result.about.ip = "10.0.0.15"
security_result.about.url = "website.domain1.com"
security_result.threat_name = "JS:Trojan.JS.Agent.RX"
security_result.summary = "malware"
security_result.description = "MAL"
security_result.severity = "LOW"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.priority = "HIGH_PRIORITY"
security_result.action_details = "QUARANTINED"
security_result.alert_state = "ALERTING"
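The field mapping and Product Event Types table above, run end to end as an added reference normalizer. This is example code written for this page, not the Cyderes or Chronicle parser, and it works on an abridged copy of the log sample rather than the full record. A few choices are inferred from the Sample Parsing block rather than stated on the page and are marked as assumptions in the code: the sample carries both file-event sub-type FILE_OPERATION_OPENED and subtype AV yet normalizes to FILE_OPEN, so the sub-type is checked before subtype; "all other events" are split into NETWORK_CONNECTION when alert.dst.ip is present and GENERIC_EVENT otherwise; severity defaults to LOW when alert.severity is absent; confidence-level "high" becomes HIGH_CONFIDENCE and infection-type "malware" becomes HIGH_PRIORITY. The infection_name, infection_type and confidence rows of the table are read from detections[0].infection, where they sit in the raw JSON. Null and empty values are dropped, which is why a field such as event_type: null produces no UDM field and why the expected normalization rate is below 100%.

```python
"""Reference normalizer for FIREEYE_ALERT JSON (added example, not the Cyderes/Chronicle parser)."""
import json
from typing import Any, Dict, Optional

# Abridged copy of the page's log sample: only the keys the mapping reads.
SAMPLE_EVENT: Dict[str, Any] = {
    "event_values": {
        "scanned-object": {
            "scanned-object-type": "file-event",
            "file-event": {
                "file-path": "C:\\Users\\johndoe\\AppData\\Local\\Packages\\windows_ie_ac_001"
                             "\\AC\\INetCache\\QGQ0JQ4F\\start-use-shared-lib.c99a284abf6f1c08b04c[1].js",
                "sub-type": "FILE_OPERATION_OPENED",
            },
        },
        "detections": {"detection": [{"infection": {
            "confidence-level": "high", "infection-type": "malware",
            "infection-name": "JS:Trojan.JS.Agent.RX"}}]},
    },
    "agent_info": {"hostname": "Hostname1", "primary_ip_address": "10.0.0.15",
                   "domain": "domain1", "os": {"product_name": "Windows 10 Enterprise"}},
    "source": "MAL", "reported_at": "2022-03-02T20:17:32.240Z", "event_type": None,
    "appliance": {"_id": "Hostname2"}, "resolution": "QUARANTINED",
    "url": "website.domain1.com", "subtype": "AV",
}
SAMPLE_LOG = json.dumps(SAMPLE_EVENT)  # the single-line JSON form the feed delivers


def get_path(obj: Any, path: str) -> Optional[Any]:
    """Walk a dotted path; numeric segments index lists (e.g. malware.0.url)."""
    cur = obj
    for seg in path.split("."):
        if isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
            cur = cur[int(seg)]
        elif isinstance(cur, dict):
            cur = cur.get(seg)
        else:
            return None
    return cur


# Product Event Types table: product value -> UDM event type.
SUBTYPE_TO_UDM = {
    "FILE_OPERATION_OPENED": "FILE_OPEN", "FILE_OPERATION_CLOSED": "FILE_UNCATEGORIZED",
    "AV": "SCAN_HOST", "PROCGUARD": "PROCESS_UNCATEGORIZED",
}
# Order of precedence is an assumption: the sample has sub-type FILE_OPERATION_OPENED
# and subtype AV but normalizes to FILE_OPEN, so the file-event sub-type wins.
EVENT_TYPE_KEYS = ("event_values.scanned-object.file-event.sub-type",
                   "subtype", "source", "event_type")


def udm_event_type(event: Dict[str, Any]) -> str:
    if get_path(event, "alert.smtp-message.smtp-header") is not None:
        return "EMAIL_TRANSACTION"
    # HX audit events arrive flattened as "fileWriteEvent/pid", "processEvent/processPath", ...
    if any(k.split("/")[0] in ("fileWriteEvent", "processEvent")
           for k in (event.get("event_values") or {})):
        return "PROCESS_UNCATEGORIZED"
    for key in EVENT_TYPE_KEYS:
        value = get_path(event, key)
        if isinstance(value, str) and value in SUBTYPE_TO_UDM:
            return SUBTYPE_TO_UDM[value]
    # Assumption: "all other events" split on whether a destination address exists.
    return "NETWORK_CONNECTION" if get_path(event, "alert.dst.ip") else "GENERIC_EVENT"


DETECTION = "event_values.detections.detection.0.infection."
# Rows of the UDM field table that this sample exercises.
FIELD_MAP = [
    ("agent_info.hostname", "principal.hostname"),
    ("agent_info.hostname", "security_result.about.hostname"),
    ("agent_info.primary_ip_address", "principal.ip"),
    ("agent_info.primary_ip_address", "principal.asset.ip"),
    ("agent_info.primary_ip_address", "security_result.about.ip"),
    ("agent_info.domain", "principal.administrative_domain"),
    ("agent_info.os.product_name", "principal.platform_version"),
    ("event_values.scanned-object.file-event.sub-type", "metadata.product_event_type"),
    ("event_values.scanned-object.file-event.file-path", "target.file.full_path"),
    ("appliance._id", "observer.hostname"),
    ("url", "security_result.about.url"),
    (DETECTION + "infection-name", "security_result.threat_name"),
    (DETECTION + "infection-type", "security_result.summary"),
    ("source", "security_result.description"),
    ("resolution", "security_result.action_details"),
    ("alert.severity", "security_result.severity"),
]
CONFIDENCE = {"low": "LOW_CONFIDENCE", "medium": "MEDIUM_CONFIDENCE", "high": "HIGH_CONFIDENCE"}
PRIORITY = {"malware": "HIGH_PRIORITY"}  # infection_type -> priority; assumption from the sample


def normalize(event: Dict[str, Any]) -> Dict[str, Any]:
    """Flattened UDM record for one FIREEYE_ALERT event."""
    ts = get_path(event, "reported_at") or ""
    udm: Dict[str, Any] = {
        "metadata.vendor_name": "FireEye",
        "metadata.product_name": "Alert",
        "metadata.event_type": udm_event_type(event),
        "metadata.event_timestamp": ts.split(".")[0] + "Z" if "." in ts else ts,
        "security_result.alert_state": "ALERTING",  # table: all events alert
    }
    for src, dst in FIELD_MAP:
        value = get_path(event, src)
        if value not in (None, ""):  # nulls/empties never become UDM fields
            udm[dst] = value
    conf = get_path(event, DETECTION + "confidence-level")
    if isinstance(conf, str) and conf.lower() in CONFIDENCE:
        udm["security_result.confidence"] = CONFIDENCE[conf.lower()]
    prio = PRIORITY.get(str(get_path(event, DETECTION + "infection-type")).lower())
    if prio:
        udm["security_result.priority"] = prio
    udm.setdefault("security_result.severity", "LOW")  # assumption: sample shows LOW with no alert.severity
    return udm


def normalize_line(raw: str) -> Dict[str, Any]:
    return normalize(json.loads(raw))


if __name__ == "__main__":
    for k, v in normalize_line(SAMPLE_LOG).items():
        print(f"{k} = {v!r}")
```

Running the script prints the same field/value pairs as the Sample Parsing block (metadata.ingested_timestamp excepted, since that is stamped at ingestion). Feeding it an event with the fields an HX process or SMTP alert carries exercises the other rows of the event-type table; if you add rows to FIELD_MAP, keep the empty-value check, otherwise a null source field would overwrite a value set by an earlier row for the same UDM field.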

Parser Alerting

Alerting criteria are listed in the Product Event Types table above: every event from this source is treated as alerting, so security_result.alert_state is set to ALERTING on all parsed events.

Rules

Coming soon