This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA® enVision Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
NathanFurze1
Beginner
Beginner
‎2011-08-17 06:57 AM

FireEye Malware Protection System

FireEye Malware Protection System (MPS) network security appliances prevent signature-evading Modern Malware from successfully gaining a foothold in the network and exfiltrating sensitive organizational data. FireEye MPS appliances operate in-line, using fast-path blocking to stop known inbound attacks and malware callbacks coupled with dynamic, real-time Malware-VMâ„¢ and Malware-Callbackâ„¢ analysis filters to accurately detect zero-hour attacks and halt their spread and negate their ability to steal data resources.

 

 

Release Date

What’s New In This Release

06/18/2011

Initial support for FireEye MPS

08/16/2011

Domain Matching messages added to the XML

06/28/2011

Add support for FireEye v6.1 events and modified to support Content 2.0 format

Note: Content 2.0 features substantial improvements to the parsing of event data into the various tables that are used for queries and reports. Content 2.0 is the future direction for all event sources within the supported library. For rules and reports, note the following:

-For factory reports, as existing event sources are converted to Content 2.0, their device-specific reports are updated to work with the new content. In some cases, class-specific reports have replaced device-specific reports.

-Factory correlated rules have been modified to take advantage of the improved tables, variables and parsing.

-Custom rules, that involve event sources updated to work with Content 2.0, need to be rewritten.

-Custom reports may not produce the same results as previously. For guidance on updating custom reports, see the RSA enVision Content Inspection Tool document and the online Help topics that describe the Content 2.0 tables

FireEye.zip
0 Likes
Reply
31 Replies
RSAAdmin
Beginner
Beginner
‎2012-01-24 01:17 PM

I have now configured the device file with RSA and it is recognized appropriately. What is the log format, that the FireEye should be sending to Envision? CEF, LEEF, XML, CSV? I'm currently sending data to Envision in CSV format, but it doesn't seem to be recognized correctly or stored in the appropriate location within the DB. Thoughts/Suggestions?
0 Likes
Reply
NathanFurze1
Beginner
Beginner
In response to RSAAdmin
‎2012-01-24 01:48 PM

The FireEye XML is written against events in the CEF format. Nathan
0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2012-01-30 02:06 PM

A question about reporting: Does the event source update create any ad hoc reports specific to FireEye? If so, where are they located. If it doesn't, what tables/fields are being populated when an event is received? I need to know these in order to create my own reports. Thanks. - Craig.
0 Likes
Reply
NathanFurze1
Beginner
Beginner
In response to RSAAdmin
‎2012-01-30 04:50 PM

There is no OOTB content for the FireEye XML but the data parses to the IPS Intrusion Table and if you download the .zip and look at the XML you can see the fields that are parsed for each message type. Nathan
0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2012-05-14 11:24 AM

Here is an updated XML to support FireEye MPS 6.1.

Please note, this event source does break most previous 6.0 compatibility.

It may not work for all events yet - I just don't have enough data to make it work, but if someone provides me with sufficient logs I'll be happy to update.
14 KB
0 Likes
Reply
NathanFurze1
Beginner
Beginner
‎2012-06-28 10:37 AM

Updated XML to v6.1 and converted to Content 2.0.

 

Note: Content 2.0 features substantial improvements to the parsing of event data into the various tables that are used for queries and reports. Content 2.0 is the future direction for all event sources within the supported library. For rules and reports, note the following:

-For factory reports, as existing event sources are converted to Content 2.0, their device-specific reports are updated to work with the new content. In some cases, class-specific reports have replaced device-specific reports.

-Factory correlated rules have been modified to take advantage of the improved tables, variables and parsing.

-Custom rules, that involve event sources updated to work with Content 2.0, need to be rewritten.

-Custom reports may not produce the same results as previously. For guidance on updating custom reports, see the RSA enVision Content Inspection Tool document and the online Help topics that describe the Content 2.0 tables



Nathan
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to NathanFurze1
‎2012-06-28 02:50 PM

Not to sound ungrateful, but this event source still does not correctly parse many of the new event formats generated by the FireEye Web MPS appliance in version 6.1. Direct message me for details and log sources. Attached is a more up to date FireEye source that will correctly parse all of the event types and examples I have been able to sample so far. Another major issue with the FireEye configuration in general is that there is a length limitation on the SNMP traps, so events with long URLs in them will be cut off and sent to a new line, making them useless for analysis in enVision. Not sure if there is a way around this yet or not.
FireEyeAppliancePE.zip
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-07-10 02:31 PM

I have tried the new xml files for fire-eye 6.1 and I still can not get the logs to parse.
Any ideas???
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-07-10 02:33 PM

Which package did you use and what messages aren't parsing?
0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.