Threat Response - Integration with FireEye EX

This document covers all aspects of Threat Response integration with FireEye EX Series appliances.

Configuring a FireEye EX Series Event Source

The steps below detail the process for creating a FireEye EX Series event source in Threat Response. Once configured, FireEye will begin sending malware events to Threat Response to generate incidents in the Threat Response platform.

Create an Event Source in Threat Response

You must first create an event source in Threat Response to receive alerts from FireEye.

  1. Log in to Threat Response
  2. Navigate to the Sources page
  3. Click the blue Add (+) button next to Sources to bring up the New Source panel
  4. Set the following fields:
    • Type: FireEye EX Series
    • Name: <event_source_name>
    • Description: <description>
    • Link Events: <checked>
  5. Save changes.

Note

You will need the POST URL for this event source when configuring FireEye. To copy the POST URL, click the Show POST URL link in the event source details.

Configure FireEye to Send Alerts to Threat Response

Next, you will need to configure FireEye to forward alerts to Threat Response.

  1. Login to FireEye and navigate to Settings > Notifications.
  2. Click the http link at the top of the Notification Settings table.
  3. Create a new HTTP Server Listing called “Threat Response”.
  4. Configure the new server listing with the following settings:
    • Enabled: True
    • Server URL: <threat_response_post_url>
    • Auth: <blank>
    • Username: <blank>
    • Password: <blank>
    • Notification: All Events
    • Delivery: Per event
    • Account: <blank>
    • SSL Enable: True
    • SSL Verify: False
    • Default Provider: Generic
    • Message Format: JSON Extended
  5. Click Update to save the new HTTP Server Listing.

image

With the new HTTP Server Listing in place, FireEye will now forward all malware alerts to Threat Response for review.

Testing Connectivity Between FireEye and Threat Response

You can run a simple test to confirm that FireEye is able to communicate with Threat Response.

  1. Login to FireEye and navigate to Settings > Notifications.
  2. Click the http link at the top of the Notification Settings table.
  3. Below the HTTP Server Listing table is a Test-Fire option:
    • Select the event type to send (any event type will work)
    • Click the Test-Fire button

small

Within a few moments, the test event should appear in Threat Response as a new incident.