FireEye Certified CEF Configuration Guide
- Pavan Raja

- Apr 8, 2025
Summary:
The "Common Event Format Configuration Guide for FireEye Inc.'s FireEye Malware Protection System (MPS)" explains how to set up FireEye MPS to send notifications in CEF format via rsyslog for better interoperability with other systems. It covers the supported versions and functionality, and it explains how to configure FireEye appliances to transmit notifications through email, HTTP POST, SNMP, and rsyslog. The document also explains the structure of the events generated by FireEye MPS, providing sample events and detailed field mappings to ArcSight so that data from the appliance can be handled and analysed consistently when investigating stealthy malware attacks on browsers and operating systems.
Details:
The "Common Event Format Configuration Guide for FireEye Inc.'s FireEye Malware Protection System (MPS)" is a document designed to assist in configuring the FireEye MPS appliance for syslog event collection, specifically tailored for use with devices running version 5.0.0. It outlines the process of setting up FireEye MPS to send notifications via rsyslog in CEF format, which requires support from the trap-sink server.
The guide starts by detailing supported versions and functionalities, including the ability to handle various event formats such as Syslog and Common Event Format (CEF). It explains how to configure FireEye appliances to transmit notification messages through different consumer types like email, HTTP POST, SNMP, and rsyslog. Rsyslog supports CEF, XML, and CSV formats; however, configuring it for CEF is the focus here.
The document includes a section on events generated by FireEye MPS, listing several event classes such as Binary-analysis (BA), Web-infection (WI), Malware-callback (MC), Mw-analysis-done (MA), and Infection-match (IM). It provides examples of sample events formatted in CEF, illustrating the structure of information included.
The configuration involves setting up FireEye appliances to send rsyslog notifications in CEF format, with details on how rsyslog should support this format. This setup facilitates interoperability between systems that follow different event standards, ensuring consistent data handling and analysis across various platforms for enhanced detection capabilities against stealthy malware targeting client browsers and operating systems through techniques like obfuscation.
The sample section of the guide consists of two CEF (Common Event Format) events. Each is a log record describing a network event that involves a potential threat or suspicious activity. Here is a breakdown of the information contained in these two logs:
### Log 1:
**Event Type:** web-infection
**Source IP Address:** 3.0.0.0
**Source MAC Address:** 00:00:00:00:00:00
**Device Process:** InternetExplorer 6.0
**Time of Event:** May 05, 2010, 12:36:22
**Destination IP Address:** 64.22.138.10
**Destination Port:** 555
**Destination MAC Address:** 92:73:75:00:00:35
**Anomaly Tag (cs2):** anomaly-tag misc-anomaly
**SID (cn2):** 0
**Message Link (cs4):** https://172.16.127.7/event_stream/events?event_id=15
**File Type:** text/html
**Request:** vip2.51.la/go.asp?we=a-free-service-for-webmasters&svid=22&id=1153797&tpages=1&ttimes=1&tzone=-8&tcolor=24&ssize=800,600&referrer=http%3a//88.88
**Source Host (shost):** web155.discountasp.net
**Device (dvc):** 172.16.127.7
**External ID:** 3
### Log 2:
**Event Type:** binary-analysis
**Source IP Address:** 195.2.252.153
**Source MAC Address:** 00:0d:66:4d:fc:00
**Time of Event:** May 10, 2010, 11:09:31
**Destination IP Address:** 128.12.95.64
**Destination Port:** 0
**Destination MAC Address:** 00:18:74:1c:a1:80
**Anomaly Tag (cs2):** anomaly-tag misc-anomaly
**SID (cn2):** 33331724
**sname (cs1):** Trojan.Piptea.2
**Message Link (cs4):** https://172.16.127.7/event_stream/events?event_id=254
**Device Host (dvcHost):** mslms
**User-Agent Header:** Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)ver52
**Host Header:** ahohonline.com
**Request URI:** /ufwnltbz/evmhfzlfe.php?id=1812198572&p=1 HTTP/1.1
**Source Host (shost):** rescomp-09-149735.Stanford.EDU
**Device (dvc):** 172.16.127.7
**External ID:** 224
### Device Event Mapping:
The logs are mapped to ArcSight data fields where information from vendor-specific event definitions is sent through the ArcSight SmartConnector and then mapped to appropriate ArcSight data fields. The mappings between these fields and the supported vendor-specific event definitions are detailed in a table provided in the original text, which isn't available here for review.
These logs detail network interactions involving potential threats such as web infections or malicious software like Trojans, providing details about the source IP, destination IP, timestamps, device processes, and anomalies detected.
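To make the structure of the two events above concrete, here is an added example parser (not code from the guide, FireEye or ArcSight) that splits a CEF line into its seven header fields and its key=value extension, honours CEF escaping (`\|` in the header, `\=` and `\\` in values), and exposes the ArcSight custom fields (cs1, cs2, cn2, cs4) by their labels the way the SmartConnector mapping does. The two sample lines are constructed from the logs above; their signature IDs, severities and field order are assumptions, not values from the guide.

```python
import re

# Constructed sample events in the shape the guide describes (not copied from the guide):
# signature IDs, severities and key order are assumptions. '=' inside values is escaped as '\='.
SAMPLE_EVENTS = [
    r"CEF:0|FireEye|MPS|5.0.0|WI|web-infection|7|rt=May 05 2010 12:36:22 src=3.0.0.0 dst=64.22.138.10 "
    r"dpt=555 cs2Label=anomaly-tag cs2=misc-anomaly cn2Label=sid cn2=0 fileType=text/html "
    r"cs4Label=link cs4=https://172.16.127.7/event_stream/events?event_id\=15 shost=web155.discountasp.net "
    r"request=vip2.51.la/go.asp?we\=a-free-service-for-webmasters&svid\=22 dvc=172.16.127.7 externalId=3",
    r"CEF:0|FireEye|MPS|5.0.0|BA|binary-analysis|9|rt=May 10 2010 11:09:31 src=195.2.252.153 dst=128.12.95.64 "
    r"cs2Label=anomaly-tag cs2=misc-anomaly cn2Label=sid cn2=33331724 cs1Label=sname cs1=Trojan.Piptea.2 "
    r"cs4Label=link cs4=https://172.16.127.7/event_stream/events?event_id\=254 dvchost=mslms dhost=ahohonline.com "
    r"requestClientApplication=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)ver52 "
    r"request=/ufwnltbz/evmhfzlfe.php?id\=1812198572&p\=1 HTTP/1.1 shost=rescomp-09-149735.Stanford.EDU externalId=224",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_HDR = re.compile(r"((?:\\.|[^|\\])*)\|")          # one header field up to its unescaped '|'
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # key= at start or after whitespace; '\=' never matches

def _unescape(raw):
    r"""Undo CEF escaping (\= \\ \| \n \r) in a header field or extension value."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)

def parse_cef(line):
    """Parse one CEF line into a flat dict of the 7 header fields plus all extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts, pos = [], 4
    for _ in range(7):                              # header: exactly seven '|'-terminated fields
        m = _HDR.match(line, pos)
        if not m:
            raise ValueError("malformed CEF header")
        parts.append(_unescape(m.group(1)))
        pos = m.end()
    event = dict(zip(HEADER_FIELDS, parts))
    ext = line[pos:]                                # extension: values may contain spaces
    keys = list(_EXT_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):     # a value runs up to the next key= token
        end = nxt.start() if nxt else len(ext)
        event[m.group(1)] = _unescape(ext[m.end():end].strip())
    return event

def resolve_labels(event):
    """Expose ArcSight custom fields by their label: cs1Label=sname cs1=X also yields sname=X."""
    out = dict(event)
    for key, label in event.items():
        if key.endswith("Label") and key[:-5] in event:
            out[label] = event[key[:-5]]
    return out
```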
This document, labeled as containing confidential and proprietary information, provides a detailed mapping of fields from the FireEye MPS Connector to ArcSight for event interoperability. The table includes specific details about various components involved in an incident response scenario captured by FireEye MPS. Key elements mapped include IP addresses, host names, ports, MAC addresses, file types, malware descriptions, application names, geographical locations, and server information related to C&C (Command & Control) servers. This mapping is crucial for ensuring seamless data exchange between FireEye systems and ArcSight, enhancing incident detection, response, and analysis capabilities within a network security framework.