Alerting

Automating queries based on FireEye "malware-object detected"

Thuan
Explorer

We currently have fireeye allerts coming in as log events that will be indexed. Some that are labeled as "malware-object detected" are currently manually processed by our analysts. They collect various fields (source/destnation IPs, time stamp, etc.), and build a query based on other logs (proxy, dns, exchange, etc.) as a way to build a "context" of the possible infection.
The idea is to automate this query search process every time a "malware-obeject detected" log is received and indexed.
May I get some pointers from you on how to proceed in terms of techniques and documentation?
Thank you.

Tags (2)
0 Karma

satishsdange
Builder

There is a cool app for FireEye devices https://splunkbase.splunk.com/app/1845/. This might address your problem.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!