FireEye Threat Solutions

EventLog Analyzer can process log data from FireEye and present the data in the form of graphical reports. For the solution to start collecting log data from FireEye, it has to be added as a threat source.

Steps to add a FireEye threat source:

To add a FireEye device as a threat source, the syslog service has to be configured on the FireEye device.

  1. Log in to the FireEye device as an administrator.
    • Navigate to Settings > Notifications, select rsyslog and the Event type.
  2. Click Add Rsyslog Server.
  3. In the dialog box that opens, enter the EventLog Analyzer server IP address in the given field. Choose UDP as the protocol and the format as CEF (default).
  4. Click Save.

Once the device is added in EventLog Analyzer, it should then be listed as a threat source. This can be done in a few simple steps.

  1. In the EventLog Analyzer console, navigate to Settings > Log Source Configurations > Applications > Security Applications > Add Security Applications.
  2. Select Add-on type as FireEye.
  3. Expand the list by clicking the "+" icon to add a new device.
  4. Choose from the drop-down menu to add Configured devices, Workgroup devices, domain devices, etc.
  5. To add new devices manually, click on Configure Manually and enter Log Source > Select and click on Add.

Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed in the form of reports.
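To show what parsing the fields of a CEF log involves, and to check that a line sent by the device is well-formed CEF, the following added example (not EventLog Analyzer's or FireEye's own code) splits a CEF syslog line into its header and extension fields. The sample line, its vendor and product names, and the function names are constructed for illustration.

```python
import re

# CEF header: seven pipe-delimited fields after "CEF:", followed by the extension.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)(\w+)=")  # extension key at start or after whitespace

# Constructed sample line (not real device output).
SAMPLE = (r"<164>Jan  1 00:00:00 sensor01 CEF:0|ExampleVendor|ExampleAppliance|1.0"
          r"|100|example \| alert|7|src=192.0.2.10 dst=198.51.100.20 "
          r"msg=key\=value seen in request")

def _split_header(body, count):
    """Split off `count` header fields, honouring the \\| and \\\\ escapes."""
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < count:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "\\|":
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return parts, body[i:]

def _unescape(value):
    """Undo extension escapes: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Return a dict of CEF header fields plus an 'extension' dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker: check the format selected on the sender")
    header, ext = _split_header(line[start + 4:], len(HEADER_FIELDS))
    if len(header) != len(HEADER_FIELDS):
        raise ValueError("incomplete CEF header")
    event = dict(zip(HEADER_FIELDS, header))
    keys = list(_KEY.finditer(ext))
    event["extension"] = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end(): nxt.start() if nxt else len(ext)].strip()
        event["extension"][m.group(1)] = _unescape(raw)
    return event

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

UDP syslog offers no delivery guarantee, so a line with an incomplete header is rejected rather than returned with partial fields.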

The reports provide information on:

EventLog Analyzer also provides reports that give information on the top:

Copyright © 2020, ZOHO Corp. All Rights Reserved.