
FireEye Network Security

Deployment Guide
Date Published: 8/11/2021
Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any
third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their
respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any
medium, without the prior written authorization of Securonix.

However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and
reference.

Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional
warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without
the written permission of Securonix.

Copyright © 2021 Securonix. All rights reserved.

Contact Information

Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649

SNYPR Deployment Guide 2


Table of Contents

Introduction 4
About FireEye NX 4
Supported Collection Method 4
Format 4
Functionality 4
FireEye NX Configuration 4
Configuration in SNYPR 6
Verify the Job 10


Introduction
This Deployment Guide provides information on how to configure FireEye Network
Security (NX Series) to send security logs to SNYPR.

About FireEye NX
FireEye NX is an effective cyber threat protection solution that helps organizations
minimize the risk of costly.

Supported Collection Method
The collection method is syslog.

Format
The format is CEF.

Functionality
In SNYPR, resource groups (datasources) are categorized by functionality. The
functionality determines what content is available when you import the datasource.
For more information about Device Categorization, see the Data Dictionary.

The functionality of FireEye NX is Antivirus / Malware / EDR.

FireEye NX Configuration
Before you configure the log collection, you must have the IP address of the Remote
Ingester Node (RIN). To enable FireEye NX to communicate with RIN, configure your
FireEye NX appliance to forward syslog events.


Complete the following steps to configure FireEye NX to export events to SNYPR.

1. Log in to the FireEye NX Web user interface (UI) with an admin account.
2. Navigate to Settings > Notifications.
3. Click rsyslog, and then select the Event type check box.
4. Ensure the following settings are configured:

- Default format: CEF
- Default delivery: Per event
- Default send as: Alert

5. Type "RIN Server", and then click Add Rsyslog Server.


6. Enter the RIN server IP address in the IP Address field. Enter the public IP if the RIN is hosted in the cloud.
7. Select the Enabled check box.
8. Select Per Event in the Delivery list.
9. Select All Events from the Notifications list.
10. Select CEF from the Format list.
11. Select UDP from the Protocol list. The default port is 514.

12. Click Update, and then click Test-Fire to send the test events to RIN server.


13. Use the following command to verify that the RIN is receiving logs:

tcpdump -i eth0 port 514 -v -A
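The tcpdump command above only shows that datagrams arrive on port 514. The following added example (written for this guide, not Securonix or FireEye code) goes one step further: it parses the CEF-over-syslog payload the RIN receives after Test-Fire, rejects datagrams that are not well-formed CEF, and keeps only events from the appliance address, which is what the host("...") syslog filter configured later in SNYPR does. The syslog prefix layout (RFC 3164 style), the sender addresses and every field name in the sample datagrams are constructed assumptions for illustration, not a documented FireEye NX event layout.

```python
"""Added example, not Securonix or FireEye code: receive/parse CEF-over-syslog
datagrams on UDP/514 and apply a sender (host) filter, to confirm what the RIN
sees before the SNYPR import job is run. Samples below are constructed."""
import re
import socket
from dataclasses import dataclass, field

# RFC 3164-style prefix: <PRI>Mmm dd hh:mm:ss hostname, then the CEF body.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<body>CEF:.*)$", re.S)
# An extension key is preceded by start-of-string or whitespace, never by a backslash.
KEY_RE = re.compile(r"(?<![\\\S])([A-Za-z0-9_.]+)=")
EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


@dataclass
class CefEvent:
    sender: str            # IP the datagram came from (what the host() filter sees)
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


def split_cef_header(body: str):
    """Return the seven CEF header fields and the raw extension string.
    A '|' escaped as '\\|' is literal and does not end a field."""
    fields, cur, i = [], "", 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur += body[i + 1]          # unescape \| and \\ inside header fields
            i += 2
            continue
        if ch == "|":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|'-delimited fields")
    return fields, body[i:]


def parse_extension(ext: str) -> dict:
    """Parse 'key=value key2=value2'; values may contain spaces and escaped '='."""
    out, keys = {}, list(KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\([\\=nr])", lambda e: EXT_ESCAPES[e.group(1)], raw)
    return out


def parse_datagram(sender: str, payload: bytes) -> CefEvent:
    """Turn one UDP payload into a CefEvent; raise ValueError if it is not CEF."""
    m = SYSLOG_RE.match(payload.decode("utf-8", "replace").rstrip("\n"))
    if not m:
        raise ValueError("not a syslog line carrying a CEF body")
    hdr, ext = split_cef_header(m.group("body"))
    if hdr[0] != "CEF:0":
        raise ValueError(f"unexpected CEF version field {hdr[0]!r}")
    return CefEvent(sender, *hdr, parse_extension(ext))


def keep(event: CefEvent, allowed_host: str) -> bool:
    """Same effect as the SNYPR syslog filter {host("<ip>");}: keep one sender only."""
    return event.sender == allowed_host


def listen(allowed_host: str, port: int = 514):
    """Live receiver (binding port 514 needs privileges); parses and filters as above."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        payload, (addr, _) = sock.recvfrom(65535)
        try:
            ev = parse_datagram(addr, payload)
        except ValueError as exc:
            print(f"DROP {addr}: {exc}")
            continue
        if keep(ev, allowed_host):
            print(ev.signature_id, ev.name, ev.severity, ev.extension.get("src"))


# Constructed datagrams: sender addresses, signature IDs and extension keys are
# assumptions for illustration, not FireEye NX output.
SAMPLES = [
    ("10.0.0.1", b"<134>Aug 11 10:15:02 fireeye-nx CEF:0|FireEye|NX|9.0|MO|malware-object|8|"
                 b"rt=Aug 11 2021 10:15:01 src=192.0.2.25 dst=198.51.100.7 "
                 b"fname=invoice\\=final.pdf cs1Label=sname cs1=Trojan.Generic\n"),
    ("10.0.0.9", b"<134>Aug 11 10:15:03 other-box CEF:0|Acme|FW|1.0|100|allow|1|src=10.1.1.1\n"),
    ("10.0.0.1", b"<134>Aug 11 10:15:04 fireeye-nx not cef at all\n"),
]


def process(samples=SAMPLES, allowed_host: str = "10.0.0.1"):
    """Return the events that parse and pass the host filter, plus a drop count."""
    kept, dropped = [], 0
    for sender, payload in samples:
        try:
            ev = parse_datagram(sender, payload)
        except ValueError:
            dropped += 1
            continue
        if keep(ev, allowed_host):
            kept.append(ev)
        else:
            dropped += 1
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = process()
    for ev in kept:
        print(ev.vendor, ev.product, ev.signature_id, ev.extension)
    print(f"kept={len(kept)} dropped={dropped}")
```

Running the file offline processes the three constructed datagrams: the FireEye-style event is kept, the event from a different sender is dropped by the host filter, and the non-CEF line is rejected by the parser. Replace the offline run with listen("10.0.0.1") to watch real traffic on the RIN; if the parser rejects everything, check the Default format (CEF) and Protocol (UDP) settings on the appliance before continuing with the SNYPR configuration.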

Configuration in SNYPR
To configure FireEye NX in SNYPR, complete the following steps:

1. Log in to SNYPR.
2. Navigate to Menu > Add Data > Activity.
3. Click + > Add Data for Existing Device Type.
4. Click the Vendor drop-down and select the following information:
l Vendors: FireEye
l Device Type: FireEye Network Security
l Collection Method: CEF[SYSLOG]

5. Choose an ingester from the drop-down list.


6. Click + to add a filter.


7. Add the following syslog filter in the Filter expression box: {host("10.0.0.1");};

Note: The IP address is the address of the source host initiating the traffic.

8. Click Add.

9. Complete the following information in the Device Information section:

a. Datasource Name: Fireeye NX
b. Specify timezone for activity logs: Click the drop-down and select a timezone for the logs.

10. Click Get Preview on the top right of the screen to view the data.

11. Click Save & Next until you reach step 4: Identity Attribution.
12. Click + > Add New Correlation Rule.

13. Enter a descriptive name for the correlation rule.


14. Provide the following parameters to create a correlation rule:

l User Attribute
l Operation
l Parameter
l Condition
l Separator

Example: User Attribute: firstname | Operation: None | Condition: And | Separator: . (period) + User Attribute: lastname | Operation: None | Condition: And. This correlation rule will correlate users to activity accounts with the format: firstname.lastname.


15. Scroll to the bottom of the screen and click Save.


16. Click Save & Next.
17. Select Do you want to run job Once? in the Job Scheduling Information section.

18. Click Save & Run.

You will automatically be directed to the Job Monitor screen.

Verify the Job

Upon a successful import, the event data will be available for searching in Spotter. To
search events in Spotter, complete the following steps:


1. Navigate to Menu > Security Center > Spotter.
2. Verify that the datasource you ingested is listed under the Available Datasources section.
