Correlation between FireEye and Symantec Endpoint Protection
Good afternoon everyone.
I'm trying to set up a correlation of events between FireEye (MPS f) and Symantec SEP (Symantec Endpoint Protection 12.1.3001.165). I would like to try to correlate the "Callbacks" generated by FireEye with the Symantec Anti-Virus status.
Has anyone gone through this problem? Any ideas?
Thank you.
This is an interesting question because I am struggling with it as well. The FireEye CEF docs promise that the malware hash is parsed into the FileHash field, but it is not.
This would be my primary suspect to use for cross-device mapping with CEF.
Will need to have a look if the raw event contains MD5 info and, if yes, try to get the parsing fixed.
Otherwise I need to find other fields to use.
Have you found a solution in the meantime?
Currently heading for a correlation between FireEye MO and SEP Virus Found.
The hash is present for MO.
A bit of substring stuff, then I guess filenames could also be a chance for a join event.
Anyone else correlating FireEye with other stuff?
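As an added example that is not part of the thread, the following Python script shows the join discussed above: parse CEF lines from both products, pair FireEye MO events with SEP "Virus Found" events on the file hash, and fall back to filename plus host when the FireEye event carries no hash (the parsing gap the reply describes). `fileHash`, `fname`, `dhost` and `rt` are standard CEF extension keys; whether the FireEye and SEP connectors populate them exactly as shown is an assumption, and every sample event is constructed (the hash used is the well-known EICAR test-file MD5, not an indicator from either product).

```python
"""Added example: correlate FireEye and SEP CEF events on fileHash,
with a filename+host fallback. Sample events are constructed; real
connector output may use different keys, which is an assumption here."""
import re
from collections import defaultdict

CEF_HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity"]
# An extension key is a run of word characters directly followed by '=',
# at the start of the extension or after whitespace. Values that themselves
# contain " key=" would confuse this (a limitation of CEF, not handled here).
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def parse_cef(line: str) -> dict:
    """Parse one CEF line into a dict of the 7 header fields + extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    body = line[4:]
    # Header pipes may be escaped as '\|'; split only on unescaped ones and
    # leave any pipes inside the extension untouched.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    ext = parts[7]
    keys = list(EXT_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[m.group(1)] = ext[start:end].strip()
    return event


def basename(path: str) -> str:
    """Last path component for Windows or POSIX style paths."""
    return re.split(r"[\\/]", path)[-1] if path else ""


def correlate(fireeye_events, sep_events, window_ms=3_600_000):
    """Pair FireEye events with SEP events.

    Primary key: fileHash (compared case-insensitively). Fallback when the
    FireEye event has no hash: filename + destination host. Only pairs whose
    receipt times (rt, epoch ms) lie within window_ms are kept.
    Returns a list of (fireeye_event, sep_event, reason) tuples."""
    by_hash = defaultdict(list)
    by_name_host = defaultdict(list)
    for s in sep_events:
        h = s.get("fileHash", "").lower()
        if h:
            by_hash[h].append(s)
        key = (basename(s.get("fname", "")).lower(), s.get("dhost", "").lower())
        if all(key):
            by_name_host[key].append(s)

    def in_window(a, b):
        try:
            return abs(int(a["rt"]) - int(b["rt"])) <= window_ms
        except (KeyError, ValueError):
            return False  # no usable timestamps: do not guess a match

    matches = []
    for f in fireeye_events:
        h = f.get("fileHash", "").lower()
        candidates = [(s, "fileHash") for s in by_hash.get(h, [])] if h else []
        if not candidates:
            key = (basename(f.get("fname", "")).lower(), f.get("dhost", "").lower())
            candidates = [(s, "fname+dhost") for s in by_name_host.get(key, [])]
        for s, reason in candidates:
            if in_window(f, s):
                matches.append((f, s, reason))
    return matches


# Constructed sample events (hash = EICAR test-file MD5, hosts/IPs invented).
SAMPLE_FIREEYE = [
    "CEF:0|FireEye|MPS|7.1.0|MO|malware-object|8|rt=1400000000000 dhost=ws-0042 dst=10.1.2.3 fileHash=44d88612fea8a8f36de82e1278abb02f fname=invoice.exe",
    # MO event where the hash was not parsed into fileHash, as the thread describes
    "CEF:0|FireEye|MPS|7.1.0|MO|malware-object|8|rt=1400001000000 dhost=ws-0077 dst=10.1.2.9 fname=setup_update.exe",
]
SAMPLE_SEP = [
    "CEF:0|Symantec|Endpoint Protection|12.1.3001.165|Virus Found|Risk Found|7|rt=1400000600000 dhost=WS-0042 fname=C:\\Users\\bob\\Downloads\\invoice.exe fileHash=44D88612FEA8A8F36DE82E1278ABB02F",
    "CEF:0|Symantec|Endpoint Protection|12.1.3001.165|Virus Found|Risk Found|7|rt=1400001300000 dhost=ws-0077 fname=C:\\Temp\\setup_update.exe",
    # Same filename on an unrelated host, days later: must not be joined
    "CEF:0|Symantec|Endpoint Protection|12.1.3001.165|Virus Found|Risk Found|7|rt=1400900000000 dhost=ws-0099 fname=C:\\Temp\\setup_update.exe",
]


def run_sample():
    """Parse the constructed events and return the correlated pairs."""
    fe = [parse_cef(line) for line in SAMPLE_FIREEYE]
    sep = [parse_cef(line) for line in SAMPLE_SEP]
    return correlate(fe, sep)


if __name__ == "__main__":
    for f, s, why in run_sample():
        print(f"{f['dhost']}: FireEye {f['signature_id']} <-> SEP {s['signature_id']} via {why}")
```

The hash join is the reliable one; the filename+host fallback is deliberately restricted by a time window so that a common filename seen on other machines does not produce false pairs. If the FireEye connector starts filling `fileHash`, the fallback simply stops being used.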