FireEye Events Report

by Josef Weiss
August 5, 2014

Displaying a summary of FireEye events is easier than ever. This report provides an overview of collected events using SecurityCenter Continuous View. The events collected from FireEye provide the analyst with many different methods to quickly respond to triggered alerts. This report is meant to enhance the FireEye Events Dashboard collection.

FireEye device alerts, such as infections, malware objects, malware callbacks, and more are aggregated and correlated by Tenable’s Log Correlation Engine (LCE). The importance of near-instant visibility is apparent as threats are pinpointed rapidly. The report contains chapters that provide a visual trend of event indications and results via trend graphs and tables containing normalized events, and actual raw log data.

SecurityCenter Continuous View (SC CV) provides a fully integrated view into the events collected from FireEye. Through advanced threat detections, SC CV can enhance the capabilities of threat mitigation through preventative alerts. LCE correlates data from FireEye and other resources to provide accurate alerting and enhanced vulnerability detection.

The report is available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The report can be easily located in the SecurityCenter Feed by selecting category: Threat Detection & Vulnerability Assessments, and then selecting tags Event, or FireEye. The report requirements are:

  • SecurityCenter 4.8.1
  • LCE 4.2.2
  • FireEye Appliance as log source

The reports data is displayed in three chapters covering 'Event Trends', 'Alerts', and 'Raw Event Details'

Event Trends

This chapter provides a 7-date trend of malware events and normalized event summary of the events collected during the same time period. The trend analysis allows the analyst to view spikes in FireEye alerts over the past week, and to correlate malware specific events against a total event count. The normalized trend data table displays trend data of FireEye events, the associated counts of events, and the name of the triggered events over the last 7 days.

Alerts

This chapter contains tables to present the analyst with a detailed listing of the last 7 days of FireEye Web Infection alerts, Domain Match Alerts, Malware Callback Alerts, and Malware Object Alerts. Displayed within the table is the time the event occurred, event name, source IP address, destination IP address, destination port, the reporting sensor, and the event type category, filtered on this particular FireEye alert. The reporting period is 7 days.

Raw Event Details

The chapter provides more complete details on every event by displaying the raw data of each log alert as it was sent to the Log Correlation Engine. In addition to the exact log data, the time stamp that the alert was received, the event type, and the sensor that reported the event is also presented to the analyst.