Integrating FireEye
====================

This guide provides an overview of integration with FireEye. It includes the following information:

- `1. About This Guide`_
- `2. Deployment of Genian ZTNA using FireEye`_
- `3. Configuring FireEye for integration via SYSLOG`_
- `4. Apply Genian ZTNA Policy based on FireEye Data`_

**1. About this Guide**
------------------------

This guide describes how to integrate Genian |product_name| with FireEye. When FireEye detects a specific anomaly, it sends the detected anomaly information to Genian |product_name| through SYSLOG. Genian |product_name| can then prevent the anomaly from spreading by quarantining the affected target.

**2. Deployment of Genian ZTNA using FireEye**
--------------------------------------------------------------

.. image:: /images/Integration_FireEye.jpg
   :width: 600px

#. FireEye detects the threatening device.
#. FireEye sends the anomaly information to Genian |product_name| via SYSLOG.
#. Genian |product_name| quarantines the device to prevent it from compromising other assets on the network. Other automated responses may also be configured.

**3. Configuring FireEye for integration via SYSLOG**
------------------------------------------------------

**3.1 Configuration of Genian ZTNA**

For Genian |product_name| to receive and use the information from FireEye, the internal SYSLOG server must be configured to extract node information from the incoming log correctly. The ``Type`` and ``Type Value`` variables determine which information sources will be accepted and how they will be categorized. The ``IP Prefix`` and ``MAC Prefix``

#. Log in to Genian |product_name| with the administrator account.
#. Go to the **Preferences** tab on the top panel.
#. Go to **General** > **Log** on the left panel.
#. **Add** a Filter under **Server Rules** in the center panel.
#. Enter the following values:

   +--------------+--------------------------+
   | Name         | FireEye                  |
   +--------------+--------------------------+
   | Filter       | host                     |
   +--------------+--------------------------+
   | Filter Value | [IP address of FireEye]  |
   +--------------+--------------------------+
   | IP Prefix    | src=                     |
   +--------------+--------------------------+
   | MAC Prefix   | smac=                    |
   +--------------+--------------------------+

#. Click the **Add** button below, then the **Update** button.

**3.2 Configuration of FireEye**

FireEye appliances are very flexible regarding notification output and support the following formats:

- CEF
- LEEF
- CSV

This guide uses CEF. Complete the following steps to send data to Genian |product_name| using CEF:

#. Log in to the FireEye appliance with an administrator account.
#. Go to the **Settings** tab on the top panel.
#. Go to **Notifications** on the left panel.
#. Click **rsyslog** in the center panel.
#. Check the "Event type" check box.
#. Make sure the **Rsyslog settings** are:

   .. code-block:: text

      Default format: CEF
      Default delivery: Per event
      Default send as: Alert

#. Under **Add Rsyslog server**, enter the **Name** Genian |product_name|, then click the **Add Rsyslog Server** button.
#. Enter the IP address of Genian |product_name| in the IP Address field.
#. Click the **Update** button below.

**3.3 Verification**

#. Go to **Log** on the top panel of Genian |product_name|.
#. Messages from FireEye will appear. The Sensor column shows the IP of the FireEye system, and the Description column shows a FireEye signature.

**4. Apply Genian ZTNA Policy based on FireEye Data**
-------------------------------------------------------------------

Once Genian |product_name| is receiving SYSLOG data from FireEye, the device information contained in the logs can be used to automatically apply Tags to individual nodes. These tags can be used to group nodes for organizational or policy purposes.
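The Server Rule from 3.1 (``host`` filter, ``IP Prefix`` ``src=``, ``MAC Prefix`` ``smac=``) amounts to: accept syslog only from the FireEye address, then take the tokens that follow those prefixes as the node's IP and MAC, which is the device information the tagging above acts on. The following is an added example, not Genian or FireEye code, that models that extraction over constructed CEF lines; the FireEye address, the sample messages, the matching of ``host`` against the sender's IP, and the rejection of malformed values are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# The Server Rule from 3.1 as a dict; the FireEye address is a constructed placeholder.
RULE: Dict[str, str] = {
    "name": "FireEye",
    "filter": "host",
    "filter_value": "192.0.2.10",   # [IP address of FireEye], constructed
    "ip_prefix": "src=",
    "mac_prefix": "smac=",
}

# Constructed (sender_ip, message) pairs in the CEF shape of FireEye rsyslog
# notifications; every host, address and signature here is made up.
SAMPLE_LOGS: List[Tuple[str, str]] = [
    ("192.0.2.10", "CEF:0|FireEye|NX|1.0|MO|malware-object|8|src=10.10.20.55 "
                   "smac=00:11:22:33:44:55 dst=203.0.113.7 cs1=Trojan.Generic"),
    ("192.0.2.99", "CEF:0|Vendor|Prod|1|1|other|3|src=10.10.20.56 smac=aa:bb:cc:dd:ee:ff"),
    ("192.0.2.10", "CEF:0|FireEye|NX|1.0|IPS|ips-event|5|src=10.10.20.57 dst=198.51.100.3"),
    ("192.0.2.10", "CEF:0|FireEye|NX|1.0|MO|malware-object|8|src=not-an-ip smac=zz"),
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def field_after(prefix: str, message: str) -> Optional[str]:
    """Token following `prefix` when the prefix starts a field (after a space or '|')."""
    m = re.search(r"(?<![^\s|])" + re.escape(prefix) + r"(\S+)", message)
    return m.group(1) if m else None


def apply_rule(rule: Dict[str, str], sender: str, message: str) -> Optional[Dict[str, Optional[str]]]:
    """Model the Server Rule: host filter first, then IP/MAC prefix extraction."""
    if rule["filter"] == "host" and sender != rule["filter_value"]:
        return None                              # not from the FireEye appliance: ignored
    ip = field_after(rule["ip_prefix"], message)
    mac = field_after(rule["mac_prefix"], message)
    try:
        ip = str(ipaddress.ip_address(ip))       # raises on a missing or junk src= value
    except ValueError:
        return None                              # nothing to tag without a valid IP
    mac = mac.lower() if mac else None
    if mac is not None and not MAC_RE.match(mac):
        mac = None                               # keep the IP, discard a malformed MAC
    return {"rule": rule["name"], "ip": ip, "mac": mac}


def nodes_from_logs(rule: Dict[str, str], entries: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Node identifiers that would be tagged, in log order."""
    return [n for n in (apply_rule(rule, s, m) for s, m in entries) if n]
```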
To apply policy through log tagging, see :doc:`/logs/tagging-assets`.