Integrating FireEye

This guide provides an overview of the Genian ZTNA integration with FireEye. It contains the following sections:

1. About this Guide

The guide describes how to integrate Genian ZTNA and FireEye.

When FireEye detects an anomaly, it sends the detection information to Genian ZTNA via syslog. Genian ZTNA can then quarantine the affected node to prevent the anomaly from spreading to the rest of the network.

2. Deployment of Genian ZTNA using FireEye

../_images/Integration_FireEye.jpg
  1. FireEye detects a threat on a device.
  2. FireEye sends the anomaly information to Genian ZTNA via syslog.
  3. Genian ZTNA quarantines the device to prevent it from compromising other assets on the network. Other automated responses may also be configured.

3. Configuring FireEye for integration via SYSLOG

3.1 Configuration of Genian ZTNA

For Genian ZTNA to receive and use the information from FireEye, its internal syslog server must be configured to extract node information from the incoming log. The Filter and Filter Value fields determine which log sources will be accepted and how they are categorized. The IP Prefix and MAC Prefix

  1. Log in to Genian ZTNA with the administrator account.
  2. Go to the Preferences tab on the top panel.
  3. Go to General > Log on the left panel.
  4. Under Server Rules in the center pane, click Add Filter.
  5. Enter the following values:

     Name:         FireEye
     Filter:       host
     Filter Value: [IP address of FireEye]
     IP Prefix:    src=
     MAC Prefix:   smac=

  6. Click the Add button below, then click Update.

3.2 Configuration of FireEye

FireEye appliances are flexible about notification output and support the following formats:

  • CEF
  • LEEF
  • CSV

This guide uses CEF. Complete the following steps to send data to Genian ZTNA using CEF:

  1. Log in to the FireEye appliance with an administrator account.

  2. Go to the Settings tab on the top panel.

  3. Go to Notifications on the left panel.

  4. Click Rsyslog in the center pane.

  5. Check the check box for each event type that should be forwarded.

  6. Make sure the Rsyslog settings are as follows:

     Default format:   CEF
     Default delivery: Per event
     Default send as:  Alert

  7. Under Add Rsyslog Server, enter the name Genian ZTNA and click the Add Rsyslog Server button.

  8. Enter the IP address of Genian ZTNA in the IP Address field.

  9. Click the Update button below.

3.3 Verification

  1. Go to the Log tab on the top panel of Genian ZTNA.
  2. Messages from FireEye will be listed. The Sensor column shows the IP address of the FireEye appliance, and the Description column shows the FireEye signature.
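The following Python script is an added example and is not Genians' or FireEye's code. It simulates the Server Rule configured in section 3.1 (Filter host, IP Prefix src=, MAC Prefix smac=) against a few constructed FireEye-style CEF syslog lines and reports the Sensor and Description values that section 3.3 says appear in the Log view. The FireEye address 10.10.0.5, the CEF field set in the sample lines, and the way Genian ZTNA internally matches a prefix (here: the token following the prefix, up to the next whitespace, at a token boundary) are assumptions made for the example; check them against a real alert in your own Log view.

```python
"""Simulate the Genian ZTNA syslog Server Rule from this guide.

Added example, not product code. The sample lines below are constructed and
only loosely modelled on CEF-over-syslog output; the src= and smac= keys are
the ones the guide's rule depends on.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed FireEye appliance address (the rule's Filter Value).
FIREEYE_IP = "10.10.0.5"

# Constructed sample syslog lines (BSD syslog header + CEF payload).
SAMPLE_SYSLOG = [
    # 1) from FireEye, both src= and smac= present -> node fully identified
    "<134>Mar 12 10:15:02 10.10.0.5 fenotify-1001.alert: "
    "CEF:0|FireEye|MPS|7.0|MO|malware-object|7|"
    "rt=Mar 12 2024 10:15:01 UTC src=192.168.20.17 smac=00:11:22:33:44:55 "
    "dst=203.0.113.9 cs1Label=sname cs1=Trojan.Generic act=notified",
    # 2) from FireEye, no smac= -> IP only, MAC must come from elsewhere
    "<134>Mar 12 10:15:09 10.10.0.5 fenotify-1002.alert: "
    "CEF:0|FireEye|MPS|7.0|IM|infection-match|8|"
    "src=192.168.20.44 dst=198.51.100.77 cs1Label=sname cs1=Backdoor.Beacon act=notified",
    # 3) from another host -> rejected by the 'host' filter, never parsed
    "<134>Mar 12 10:15:12 10.10.0.99 sshd[2211]: "
    "Accepted publickey for admin from 192.168.1.5",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


@dataclass(frozen=True)
class ServerRule:
    """The five fields entered in Preferences > General > Log > Server Rules."""
    name: str
    filter_field: str   # "host" in this guide
    filter_value: str   # IP address of the FireEye appliance
    ip_prefix: str      # "src="
    mac_prefix: str     # "smac="


@dataclass(frozen=True)
class NodeEvent:
    sensor: str            # syslog host, shown in the Sensor column
    description: str       # CEF signature name, shown in the Description column
    severity: int          # CEF severity 0-10
    ip: Optional[str]      # value after IP Prefix, or None
    mac: Optional[str]     # value after MAC Prefix, or None


GENIAN_RULE = ServerRule("FireEye", "host", FIREEYE_IP, "src=", "smac=")


def extract_after_prefix(msg: str, prefix: str) -> Optional[str]:
    """Value following `prefix`, up to the next whitespace.

    Anchored at a token boundary so a prefix such as 'mac=' does not match
    inside 'smac='. CEF values containing spaces would be cut short, which is
    acceptable for the IP and MAC fields this rule is meant to read.
    """
    m = re.search(r"(?:^|\s)" + re.escape(prefix) + r"(\S+)", msg)
    return m.group(1) if m else None


def apply_rule(line: str, rule: ServerRule) -> Optional[NodeEvent]:
    """Apply the Server Rule to one syslog line; None means 'not accepted'."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    header_fields = {"host": m.group("host")}
    # Filter step: only lines whose selected field equals Filter Value pass.
    if header_fields.get(rule.filter_field) != rule.filter_value:
        return None
    msg = m.group("msg")
    start = msg.find("CEF:")
    if start < 0:
        return None  # accepted source, but nothing to tag a node with
    # CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    parts = re.split(r"(?<!\\)\|", msg[start:], maxsplit=7)
    if len(parts) < 8:
        return None
    name, severity, extension = parts[5], parts[6], parts[7]
    return NodeEvent(
        sensor=m.group("host"),
        description=name,
        severity=int(severity) if severity.isdigit() else 0,
        ip=extract_after_prefix(extension, rule.ip_prefix),
        mac=extract_after_prefix(extension, rule.mac_prefix),
    )


def process(lines: List[str], rule: ServerRule) -> List[NodeEvent]:
    """Events that would reach the Log view under `rule`."""
    return [ev for ev in (apply_rule(l, rule) for l in lines) if ev is not None]


if __name__ == "__main__":
    for ev in process(SAMPLE_SYSLOG, GENIAN_RULE):
        print(f"sensor={ev.sensor} desc={ev.description} sev={ev.severity} "
              f"ip={ev.ip} mac={ev.mac}")
```

Two things worth checking against a real alert before enabling quarantine on this rule: that src= in the event types you forward identifies the endpoint you actually want isolated rather than a server it talked to, and whether the events carry smac= at all, since without it Genian ZTNA only has the IP to map to a node.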

4. Apply Genian ZTNA Policy based on FireEye Data

Once Genian ZTNA is receiving SYSLOG data from FireEye, the device information contained in the log files can be used to automatically apply Tags to individual nodes. These tags can be used to group nodes for organizational, or policy purposes.

To apply policy through log tagging, see: Tagging Assets Using Event