This repository has been archived by the owner on Aug 31, 2018. It is now read-only.

Email Setup

robfry edited this page Nov 10, 2014 · 5 revisions


Setting up email to process alerts can be an easy way to get data without much difficulty, especially when a vendor doesn't have an API. FireEye currently doesn't have an API, so you're left with either syslog, direct HTTP post, or email. Below you'll find the configuration for parsing MPS/MAS alerts received via email.

IMAP

Below are the settings needed to configure IMAP to receive FireEye alerts. The assumption here is that you've already configured the configs_email table, which provides the ability to send and receive email.

  1. Edit the configs_detectors table in the FIDO database.
  2. If not already present, add an entry and enter 'email' for detectortype.
  3. For the detector column enter 'mps' or 'mas', and enter 'FireEye' for the vendor column.
  4. The folder column should name the folder where FireEye alerts are located. For instance, at Netflix FireEye-generated alerts are put in a 'FireEye' folder. We like to keep the root folder empty and put specific alerts in specific folders for parsing.
  5. The folder_test value is similar to #4, except that it is a folder where test alerts can be gathered. The use of a test folder is two-fold. First, it allows testing of new code on old alerts or custom alerts without affecting production. It also allows running FIDO in test mode to parse test alerts. At Netflix we use the folder name 'FireEye Test' to store test alerts.
  6. Set the emailfrom column to the value you entered on your FireEye appliances as the sent-from address for alert email. By specifying both a folder and an email from, FIDO will only parse alerts coming from FireEye and not emails which might accidentally make it into this folder.
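The following is an added example, not FIDO's own code, showing how the configs_detectors entry described above maps onto the two checks the steps rely on: choosing the production or test folder, and only handing messages from the configured sender to the parser. The column names (detectortype, detector, vendor, folder, folder_test, emailfrom) come from the steps above; the sender address, the sample messages and the helper names are constructed for this example. Note that the From header is not authenticated, so the sender filter keeps misfiled mail out of the parser but does not prove a message came from the appliance.

```python
"""Added example (not FIDO's own code): folder selection and sender filtering
for an email detector entry like the one described in the steps above.

Assumptions: the emailfrom address and the sample messages below are
constructed; the function names are hypothetical.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# One configs_detectors entry as a plain dict. Values follow the steps above;
# the emailfrom address is a constructed placeholder.
DETECTOR_CONFIG = {
    "detectortype": "email",
    "detector": "mps",
    "vendor": "FireEye",
    "folder": "FireEye",
    "folder_test": "FireEye Test",
    "emailfrom": "mps-alerts@fireeye.example.invalid",
}


def select_folder(config, test_mode):
    """Pick the mailbox to read: folder_test when FIDO runs in test mode,
    otherwise the production folder."""
    return config["folder_test"] if test_mode else config["folder"]


def imap_search_criteria(config):
    """Build the IMAP SEARCH criterion that restricts a fetch to the configured
    sender; with imaplib it would be passed as conn.search(None, criterion).
    Backslash-escaping any double quote keeps the quoted string well-formed."""
    sender = config["emailfrom"].replace('"', '\\"')
    return f'FROM "{sender}"'


def is_from_configured_sender(msg, config):
    """True when the address part of the From header equals emailfrom.
    The comparison is case-insensitive on the whole address. From is an
    unauthenticated header: this keeps stray mail out of the parser, it is
    not proof that the appliance sent the message."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower() == config["emailfrom"].lower()


def filter_alerts(raw_messages, config):
    """Parse raw RFC 822 text and return only the messages that should be
    handed to the FireEye alert parser."""
    parsed = [message_from_string(raw) for raw in raw_messages]
    return [m for m in parsed if is_from_configured_sender(m, config)]


# Constructed sample messages, as they might sit in the 'FireEye' folder.
SAMPLE_MESSAGES = [
    "From: FireEye MPS <mps-alerts@fireeye.example.invalid>\n"
    "Subject: Malware Callback detected\n\n"
    "alert body\n",
    "From: Someone Else <colleague@example.invalid>\n"
    "Subject: FW: FireEye question\n\n"
    "misfiled message that should not reach the parser\n",
    "From: MPS-ALERTS@FireEye.example.invalid\n"
    "Subject: Web Infection detected\n\n"
    "alert body\n",
]

if __name__ == "__main__":
    print("reading folder:", select_folder(DETECTOR_CONFIG, test_mode=False))
    print("IMAP criterion:", imap_search_criteria(DETECTOR_CONFIG))
    for m in filter_alerts(SAMPLE_MESSAGES, DETECTOR_CONFIG):
        print("parse:", m["Subject"])
```

Running the block reads the 'FireEye' folder, builds the criterion `FROM "mps-alerts@fireeye.example.invalid"`, and passes two of the three sample messages to the parser; the colleague's forwarded message is dropped even though it sits in the same folder.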

Outlook

At one time we used Outlook to receive alerts using a locally installed version of Outlook. This seemed dirty, and thankfully we migrated away from Exchange to Gmail. I did, however, leave the code in place, and it should still be possible to pull email in this way. This is not something I'm willing to put a lot of effort into, though, as I'd prefer to work on API, SQL and log/syslog. If you feel there is still value in it, please feel free to tweak and update it.

Exchange

At one time I was also looking at making a direct connection to Exchange instead of having to use Outlook. While scoping this out it appeared possible, but since we were moving away from Exchange I dropped it. As with Outlook, if you find value in it, please feel free to update and share.
