This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
afernandes
Cadet 1st Class
Cadet 1st Class
‎2014-08-07 18:54
655 views

Correlation between FireEye and Symantec Endpoint Protection

Good afternoon everyone.

I'm trying to mount a correlating events between FireEye (MPS f) and Symantec SEP (Symantec Endpoint Protection 12.1.3001.165). I would try to correlate the "Callbacks" generated by FireEye with Symantec Anti Virus status.

Someone went through this problem? Any idea?

I thank you.

Labels (2)
Labels
0 Likes
Reply
Report Inappropriate Content
4 Replies
mmuessig
Absent Member.
Absent Member.
‎2014-11-10 11:33

Hi Alex,

this is interesting question because i am struggeling with it as well. FireEye CEF docs promise, that malware hash is parsed into FileHash field but it is not.

This would be my primary suspect to use for cross-device mapping with CEF.

Will need to have a look, if the raw event containts MD5 info and if yes, try to get parsing fixed.

Otherwise need to find other fields to use.

Have you found a solution in the meanwhile?

Markus

0 Likes
Reply
Report Inappropriate Content
mmuessig
Absent Member.
Absent Member.
‎2014-11-18 20:21

Currently heading for Correlation between FireEye MO and SEP Virus Found.

Hash is present for MO.

A bit of substring stuff, then i guess, filenames could also be a chance for join event.

anyone else correlating FireEye with other stuff?

Markus

0 Likes
Reply
Report Inappropriate Content
mmuessig
Absent Member.
Absent Member.
‎2014-12-08 18:41

using hashes does not really work. SEP uses SHA-256 per default and FireEye MD5. So filenames may be an Option?

0 Likes
Reply
Report Inappropriate Content
mmuessig
Absent Member.
Absent Member.
‎2014-12-08 18:44

what do you plan to use as mapping field? MC and AV seems complicated as MC does not contain something an AV alert usually reports.

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.