FireEye NX Deployment Guide - Securonix


FireEye Network Security Deployment Guide
Date Published: 8/11/2021

Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix. The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix. However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

Copyright 2021 Securonix. All rights reserved.

Contact Information

Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649

SNYPR Deployment Guide 2

Table of Contents

Introduction 4
About FireEye NX 4
Supported Collection Method 4
Format 4
Functionality 4
FireEye NX Configuration 4
Configuration in SNYPR 6
Verify the Job 10

Introduction

This Deployment Guide provides information on how to configure FireEye Network Security (NX Series) to send security logs to SNYPR.

About FireEye NX

FireEye NX is an effective cyber threat protection solution that helps organizations minimize the risk of costly.

Supported Collection Method

The collection method is syslog.

Format

The format is CEF.

Functionality

In SNYPR, resource groups (datasources) are categorized by functionality. The functionality determines what content is available when you import the datasource. For more information about Device Categorization, see the Data Dictionary.

The functionality of FireEye NX is Antivirus / Malware / EDR.

FireEye NX Configuration

Before you configure the log collection, you must have the IP address of the Remote Ingester Node (RIN). To enable FireEye NX to communicate with the RIN, configure your FireEye NX appliance to forward syslog events.

Complete the following steps to configure FireEye NX to export events to SNYPR.

1. Log in to the FireEye NX Web user interface (UI) with an admin account.
2. Navigate to Settings > Notifications.
3. Click rsyslog, and then select the Event type check box.
4. Ensure the following settings are configured:
   - Default format: CEF
   - Default delivery: Per event
   - Default send as: Alert
5. Type "RIN Server", and then click Add Rsyslog Server.
6. Enter the RIN server IP address in the IP Address field. Enter the public IP if the RIN is hosted in the cloud.
7. Select the Enabled check box.
8. Select Per Event in the Delivery list.
9. Select All Events from the Notifications list.
10. Select CEF from the Format list.
11. Select UDP from the Protocol list. The default port is 514.
12. Click Update, and then click Test-Fire to send the test events to the RIN server.

13. Use the following command to verify that the RIN is receiving logs:

   tcpdump -i eth0 port 514 -v -A

Configuration in SNYPR

To configure FireEye NX in SNYPR, complete the following steps:

1. Log in to SNYPR.
2. Navigate to Menu > Add Data > Activity.
3. Click Add Data for Existing Device Type.
4. Click the Vendor drop-down and select the following information:
   - Vendors: FireEye
   - Device Type: FireEye Network Security
   - Collection Method: CEF[SYSLOG]
5. Choose an ingester from the drop-down list.

6. Click to add a filter.

7. Add the following syslog filter in the Filter expression box:

   {host("10.0.0.1");};

   Note: The IP address is the address of the source host initiating the traffic.
8. Click Add.
9. Complete the following information in the Device Information section:
   a. Datasource Name: Fireeye NX
   b. Specify timezone for activity logs: Click the drop-down and select a timezone for the logs.
10. Click Get Preview on the top right of the screen to view the data.
11. Click Save & Next until you reach step 4: Identity Attribution.
12. Click Add New Correlation Rule.
13. Enter a descriptive name for the correlation rule.

14. Provide the following parameters to create a correlation rule. User example:
   - User Attribute: firstname, Operation: None, Condition: And
   - Separator: . (period)
   - User Attribute: lastname, Operation: None, Condition: And
   This correlation rule will correlate users to activity accounts with the format: firstname.lastname.

15. Scroll to the bottom of the screen and click Save.
16. Click Save & Next.
17. Select Do you want to run job Once? in the Job Scheduling Information section.
18. Click Save & Run. You will automatically be directed to the Job Monitor screen.

Verify the Job

Upon a successful import, the event data will be available for searching in Spotter. To search events in Spotter, complete the following steps:

1. Navigate to Menu > Security Center > Spotter.
2. Verify that the datasource you ingested is listed under the Available Datasources section.
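As an added example that is not part of the Securonix guide, the following Python models the ingestion path configured above offline: it applies the host filter from step 7 of the SNYPR configuration, parses a CEF event of the kind FireEye NX forwards over syslog (UDP/514), and attributes the logged account to a user with the firstname.lastname correlation rule from step 14. The sample syslog line, its CEF field values and the identity records are constructed for illustration and do not come from a real appliance or SNYPR instance.

```python
import re
# Constructed sample of a CEF alert as FireEye NX would forward it over syslog (UDP/514)
# to the RIN; header and extension values are illustrative, not a real capture.
SAMPLE_SYSLOG = (
    "<134>Aug 11 12:00:00 10.0.0.1 fenotify-1001.alert: "
    "CEF:0|FireEye|NX|9.0|MO|malware-object|9|"
    "rt=Aug 11 2021 12:00:00 UTC src=10.20.30.40 dst=198.51.100.7 "
    "suser=jane.doe fname=invoice.pdf cs1Label=sname cs1=Trojan.Generic"
)
# Constructed identity records standing in for SNYPR's imported users (Operation: None in
# the rule means no transformation, so firstname.lastname must equal the logged account).
USERS = [{"firstname": "jane", "lastname": "doe", "employeeid": "E100"},
         {"firstname": "john", "lastname": "roe", "employeeid": "E101"}]
HEADER_NAMES = ("cef", "vendor", "product", "version", "signature", "name", "severity")
SYSLOG_RE = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\S+) (?P<msg>CEF:.*)$")
EXT_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")

def split_cef_header(msg):
    """Split the seven pipe-delimited CEF header fields; a backslash escapes a literal pipe."""
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg):
            cur.append(msg[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, msg[i:]  # header fields, remaining extension text

def parse_extension(ext):
    """Parse CEF 'key=value' extension pairs; values may contain spaces and escaped '='."""
    keys, out = list(EXT_KEY_RE.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return out

def process(line, filter_host="10.0.0.1"):
    """Apply the {host("10.0.0.1");} filter, parse CEF, correlate suser via firstname.lastname."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("host") != filter_host:
        return None  # not from the configured source host: dropped by the syslog filter
    header, ext = split_cef_header(m.group("msg"))
    event = dict(zip(HEADER_NAMES, header))
    event.update(parse_extension(ext))
    by_account = {f"{u['firstname']}.{u['lastname']}": u for u in USERS}
    event["employeeid"] = by_account.get(event.get("suser"), {}).get("employeeid")
    return event
```

An event whose syslog source host is not 10.0.0.1 is returned as None, mirroring a filter mismatch, and an account with no firstname.lastname match keeps the event but leaves employeeid unset, which is what an unattributed activity account looks like after the job runs.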

Aug 11, 2021