FireEye Events Dashboard

by Josef Weiss
July 23, 2014

This dashboard displays a summary status of FireEye events, presenting the collected event data in several ways (an alert indicator, a pie chart, trend graphs, and per-alert tables) so that an analyst has more than one path from a triggered alert to the details needed to respond to it.

Indicator components alert automatically on incoming events, such as infections, malware objects, and malware callbacks, from any FireEye appliance whose logs are aggregated by Tenable's Log Correlation Engine (LCE). Because the indicators update as events arrive, the analyst gains visibility into a threat as soon as LCE has received and normalized the event, rather than at the next scheduled review. The dashboard contains eight components: trend graphs of event indications and results, and tables of normalized events with their source and destination information.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard requirements are:

  • SecurityCenter 4.8.1
  • LCE 4.2.2

Components that are part of this collection include:

  • FireEye Alert Indicator - This indicator component highlights triggered events that have been forwarded to the Tenable LCE by a FireEye appliance. Incoming event data is matched to a Normalized Event Type, and the indicator turns red when a matching alert has been received within the last 72 hours.
  • FireEye Event Types - This pie chart presents a breakdown of triggered FireEye event types, relative to the overall total of currently existing FireEye events over the last 7 days.
  • FireEye Event Count - This component displays a 7-day trend of the total number of FireEye triggered events alongside the malware-specific events. This allows the analyst to spot spikes in FireEye alerts over the past week and to compare malware-specific events against the total event count.
  • FireEye Event Analysis - This component displays trend data for FireEye events over the last 72 hours, with the count of each event and the name of the triggered event. This is presented as a Normalized Event Summary on the FireEye event type.
  • FireEye Web Infection Alerts - This table presents the analyst with a detailed listing of FireEye Web Infection alerts from the last 7 days. Displayed within the table are the time the event occurred, event name, source IP address, destination IP address, destination port, the reporting sensor, and the event type category, which is the field this table filters on.
  • FireEye Domain Match Alerts - This table presents the analyst with a detailed listing of FireEye Domain Match alerts from the last 7 days. Displayed within the table are the time the event occurred, event name, source IP address, destination IP address, destination port, the reporting sensor, and the event type category, which is the field this table filters on.
  • FireEye Malware Callback Alerts - This table presents the analyst with a detailed listing of FireEye Malware Callback alerts from the last 7 days. Displayed within the table are the time the event occurred, event name, source IP address, destination IP address, destination port, the reporting sensor, and the event type category, which is the field this table filters on.
  • FireEye Malware Object Alerts - This table presents the analyst with a detailed listing of FireEye Malware Object alerts from the last 7 days. Displayed within the table are the time the event occurred, event name, source IP address, destination IP address, destination port, the reporting sensor, and the event type category, which is the field this table filters on.
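The windows and fields the components above describe (the 72-hour indicator, the 7-day type breakdown and count trend, and the per-type tables with source, destination, port and sensor) can be reproduced outside SecurityCenter to check what the dashboard should be showing for a given set of forwarded events. The following is an added example, not Tenable's LCE normalization or FireEye code. It assumes the appliance forwards syslog in CEF format with event names such as malware-object, malware-callback, web-infection and domain-match, that the event time is carried in the CEF rt= field as epoch milliseconds, and that the reporting sensor is in dvchost=; the sample lines, addresses and hostnames are constructed, and which names count as "malware events" for the count trend is an assumption.

```python
"""Filtering and summary logic behind the FireEye dashboard components, run
over constructed FireEye syslog lines in CEF format (added example; not the
page's or Tenable's own code; field and event names are assumptions)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 72-hour and 7-day windows are deterministic.
NOW = datetime(2014, 7, 23, 12, 0, tzinfo=timezone.utc)


def _ms(hours_ago):
    """Epoch milliseconds for a time hours_ago before NOW (CEF rt= convention)."""
    return str(int((NOW - timedelta(hours=hours_ago)).timestamp() * 1000))


# Constructed sample payloads. Assumption: FireEye emits CEF with these event
# names; the hosts and addresses are invented (RFC 5737 documentation ranges).
SAMPLE_LOGS = [
    f"CEF:0|FireEye|MPS|7.0.0|MC|malware-callback|9|rt={_ms(2)} src=10.1.1.20 dst=203.0.113.7 dpt=443 dvchost=fe-web-01",
    f"CEF:0|FireEye|MPS|7.0.0|WI|web-infection|7|rt={_ms(30)} src=10.1.1.21 dst=198.51.100.9 dpt=80 dvchost=fe-web-01",
    f"CEF:0|FireEye|MPS|7.0.0|MO|malware-object|8|rt={_ms(100)} src=10.1.1.22 dst=198.51.100.10 dpt=80 dvchost=fe-web-02",
    f"CEF:0|FireEye|MPS|7.0.0|DM|domain-match|4|rt={_ms(150)} src=10.1.1.23 dst=192.0.2.5 dpt=53 dvchost=fe-web-02",
    f"CEF:0|FireEye|MPS|7.0.0|MC|malware-callback|9|rt={_ms(200)} src=10.1.1.24 dst=203.0.113.8 dpt=8080 dvchost=fe-web-01",
]

# Extension is "key=value key=value ..."; a value runs until the next " key=".
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Assumption: these event names are what the count trend treats as malware events.
MALWARE_TYPES = {"malware-object", "malware-callback"}


def parse_cef(line):
    """Split a CEF line into its seven header fields plus the extension pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header fields are pipe-separated; a literal pipe in a field is escaped as \|
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    _, vendor, product, version, sig_id, name, severity, ext = parts
    event = {"vendor": vendor, "product": product, "version": version,
             "signature_id": sig_id, "name": name, "severity": int(severity)}
    event.update(dict(_EXT_RE.findall(ext)))
    event["time"] = datetime.fromtimestamp(int(event["rt"]) / 1000, tz=timezone.utc)
    return event


def events_since(events, hours, now=NOW):
    """Events whose timestamp falls within the last `hours` hours."""
    cutoff = now - timedelta(hours=hours)
    return [e for e in events if e["time"] >= cutoff]


def alert_indicator(events, now=NOW):
    """FireEye Alert Indicator: red if any FireEye event arrived in the last 72 hours."""
    return "red" if events_since(events, 72, now) else "clear"


def event_type_breakdown(events, now=NOW):
    """FireEye Event Types: count of each event name over the last 7 days."""
    return Counter(e["name"] for e in events_since(events, 7 * 24, now))


def event_count_trend(events, now=NOW):
    """FireEye Event Count: per-day (total, malware-only) counts for the last 7 days."""
    buckets = {}
    for e in events_since(events, 7 * 24, now):
        day = e["time"].date().isoformat()
        total, malware = buckets.get(day, (0, 0))
        buckets[day] = (total + 1, malware + (e["name"] in MALWARE_TYPES))
    return dict(sorted(buckets.items()))


def alert_table(events, event_type, now=NOW):
    """Per-type alert table: time, event, src, dst, dpt, sensor, type; last 7 days, newest first."""
    recent = sorted(events_since(events, 7 * 24, now), key=lambda e: e["time"], reverse=True)
    return [{"time": e["time"].isoformat(), "event": e["name"], "src": e.get("src"),
             "dst": e.get("dst"), "dpt": e.get("dpt"), "sensor": e.get("dvchost"),
             "type": event_type}
            for e in recent if e["name"] == event_type]


EVENTS = [parse_cef(line) for line in SAMPLE_LOGS]

if __name__ == "__main__":
    print("indicator:", alert_indicator(EVENTS))
    print("types (7d):", dict(event_type_breakdown(EVENTS)))
    print("trend (7d):", event_count_trend(EVENTS))
    for row in alert_table(EVENTS, "malware-callback"):
        print(row)
```

The fifth sample line is deliberately 200 hours old: it is older than 7 days, so it drops out of every component, while the 150-hour domain-match event is inside the 7-day tables and breakdown but outside the 72-hour indicator window. When reconciling the dashboard against raw appliance logs, those two boundaries are where counts usually disagree, so check them first.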