FireEye NX

FireEye NX Network Security helps you detect and block attacks from the web. It protects the entire spectrum of attacks from relatively unsophisticated drive-by malware to highly targeted zero-day exploits. Its capabilities provide an extremely low false positive rate by leveraging the FireEye Multi-Vector Virtual Execution (MVX) engine to confirm when malware calls out to C&C servers.

Before You Begin

FireEye supports syslogs in LEEF or CEF format. Because the InsightIDR parser expects CEF, you must configure FireEye to send data in the correct format.

  1. Log onto the FireEye NX Web.
  2. Go to Settings > Notifications.
  3. Check off rsyslog to enable a Syslog notification configuration.
  4. Enter a name to label your FireEye connection to the InsightIDR Collector in the Name field.
  5. Click the Add Rsyslog Server button.
  6. Enter the InsightIDR Collector IP address in the "IP Address" field.
  7. Check off the Enabled check box.
  8. Select Per Event in the "Delivery" drop-down list.
  9. Select All Events from the "Notifications" drop-down list.
  10. Select CEF as the "Format" drop-down list. Other formats are not supported.
  11. Leave the "Account" field empty.
  12. Select UDP from the "Protocol" drop-down list.
  13. Click the Update button.

Ensure that you send syslog to the collector on a unique UDP or TCP port (above 1024). FireEye NX uses port 514 by default. This should be changed from the command line interface.

Do Not Use Port 514

InsightIDR recommends that you do not use port 514 whenever possible. Use this port only for network systems that cannot be configured to use any other port but port 514.

You can read more information about FireEye NX and Splunk here: https://www.fireeye.com/content/dam/fireeye-www/global/en/partners/pdfs/fireeye-splunk-intro-to-integration.pdf.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Advanced Malware icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Select your collection method.
    • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  8. Click Save.

Confirm the Integration

Test that the FireEye NX Notifications page does not get sent to the InsightIDR Collector. To accomplish this, trigger a real alert or use the deployment checks.

Confirm Alerts within InsightIDR

After you triggered the alert, you should see new incidents in the InsightIDR dashboard.

Once they appear, you can click the Incident to drill down into the event to display the User Context and Asset names.

Click the **Advanced Malware Alert ** link to see more specific details about the alert, such as the occurrences for this alert.

Troubleshooting

Not Seeing FireEye NX Data

Data from this event source should be in the Collector log at C:\Program Files\Rapid7\logs\collector.log in the(Undefined variable: Variables.Project) cloud.

If you do not see this data:

  1. Click the stop button in the FireEye NX appliance.
  1. Create a "Generic Syslog" listener on the same port. This is found under the Rapid7 category in FireEye NX.
  1. In InsightIDR, add a new Generic Syslog event source from the "Raw Data" category.
  2. Use the same port and protocol information from the FireEye NX configuration.
  3. Click Save.