fireeye-ex-alerts
Fetch alerts from FireEye EX devices
fireeye-ex-alerts [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- duration=NUM{mon|w|d|h|m|s}
  - Limit the query to logs within a time range measured back from the current time. The unit can be s (seconds), m (minutes), h (hours), d (days) or mon (months). For example, 10s means the range from 10 seconds ago up to the current time.
- from=yyyyMMddHHmmss
  - Start time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded.
- to=yyyyMMddHHmmss
  - End time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded. Defaults to tomorrow 00:00.
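The time-range rules above (duration units, zero-padding of a partial timestamp, and the tomorrow-00:00 default for `to=`) are easy to get subtly wrong when scripting around this command. The following is an added example, not code from the command or its vendor, that implements those rules in Python so a query window can be checked before it is sent. It assumes a week is 7 days and a month is 30 days, and that `duration=` takes precedence over `from=`/`to=` when both are given; neither is stated on the page.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Seconds per unit for duration=NUM{mon|w|d|h|m|s}. The units come from the
# page; treating a week as 7 days and a month as 30 days is an assumption of
# this example, not documented behaviour of the command.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400,
                 "w": 7 * 86400, "mon": 30 * 86400}
# "mon" is listed before "m" so that "3mon" is not read as "3m" plus junk.
_DURATION_RE = re.compile(r"^(\d+)(mon|w|d|h|m|s)$")


def parse_duration(value: str) -> timedelta:
    """Parse e.g. '10s' or '2mon' into a timedelta; reject anything else."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])


def parse_timestamp(value: str) -> datetime:
    """Parse yyyyMMddHHmmss; an omitted time part is right-padded with zeros,
    so '20210816' becomes 2021-08-16 00:00:00 and '2021081612' 12:00:00."""
    if not value.isdigit() or not 8 <= len(value) <= 14:
        raise ValueError(f"bad timestamp: {value!r}")
    return datetime.strptime(value.ljust(14, "0"), "%Y%m%d%H%M%S")


def tomorrow_midnight(now: datetime) -> datetime:
    """Default upper bound of the range: tomorrow 00:00, as the page states."""
    return (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


def resolve_range(options: Dict[str, str],
                  now: Optional[datetime] = None) -> Tuple[Optional[datetime], datetime]:
    """Turn duration=/from=/to= options into a concrete (start, end) window.

    duration= is a window ending at the current time. Giving it precedence
    over from=/to= when both are present is an assumption of this example.
    Without from= the lower bound is left open (None)."""
    now = now or datetime.now()
    if "duration" in options:
        return now - parse_duration(options["duration"]), now
    start = parse_timestamp(options["from"]) if "from" in options else None
    end = parse_timestamp(options["to"]) if "to" in options else tomorrow_midnight(now)
    if start is not None and start > end:
        raise ValueError(f"from={options['from']} is after to={end:%Y%m%d%H%M%S}")
    return start, end


if __name__ == "__main__":
    fixed_now = parse_timestamp("20210816103000")  # constructed "current time"
    for opts in ({"duration": "10s"}, {"from": "20210816"},
                 {"from": "20210801", "to": "2021081612"}):
        print(opts, "->", resolve_range(opts, now=fixed_now))
```

Passing `now` explicitly keeps the function deterministic for testing; in practice call `resolve_range(opts)` and it uses the wall clock.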
Output Fields
Field | Type | Name | Description |
---|---|---|---|
_time | Date | Time | |
profile | String | Connect profile | Identifier of FireEye EX connect profile |
id | Integer | ID | |
inf_id | Integer | Infection ID | |
type | String | Type | e.g. Malware Object |
signature | String | Signature | e.g. InfoStealer.MSIL.AGENTTESLA.MVX |
file_type | String | File type | e.g. rar, url, email |
file_name | String | File name | e.g. INV-KAX 210816001.arj |
severity | Integer | Severity | |
mail_from | String | Sender address | |
mail_to | String | Recipient address | |
url | String | URL | |
email_status | String | Email status | e.g. Quarantined, Missed |
md5 | String | MD5 | |
sha256 | String | SHA256 | |
download_path | String | Download path | |
campaign_id | Integer | Campaign ID | |
campaign_name | String | Campaign name | |
campaign_size | Integer | Campaign size | |
campaign_status | Integer | Campaign status | |
url_click_blocked_badge | Bool | URL click blocked badge | |
url_click_missed_badge | Bool | URL click missed badge | |
threat_info_badge | Bool | Threat info badge | |
https_alert_badge | Bool | HTTPS alert badge | |
erspan_badge | Bool | ERSPAN badge | |
icap_badge | Bool | ICAP badge | |
retroactive_badge | Bool | Retroactive badge | |
vxlan_badge | Bool | VXLAN badge | |
sv_correlated_badge | Bool | SV correlated badge | |
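Of the fields above, `email_status` is the one that drives response: a `Quarantined` alert was contained by the appliance, while a `Missed` alert means the message reached the recipient and needs follow-up. The following added example, not part of the original page or the vendor's code, groups `Missed` alerts by `campaign_id` and collects the recipients and hashes a responder would act on. The records are constructed samples using the field names from the table; the hash values are placeholders.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample alerts using the command's output field names. Values
# are invented for illustration; the sha256 entries are placeholders.
SAMPLE_ALERTS = [
    {"id": 1, "type": "Malware Object", "signature": "InfoStealer.MSIL.AGENTTESLA.MVX",
     "file_name": "INV-KAX 210816001.arj", "email_status": "Quarantined",
     "mail_to": "a@example.com", "campaign_id": 7, "severity": 8,
     "sha256": "<placeholder-hash-1>"},
    {"id": 2, "type": "Malware Object", "signature": "InfoStealer.MSIL.AGENTTESLA.MVX",
     "file_name": "INV-KAX 210816002.arj", "email_status": "Missed",
     "mail_to": "b@example.com", "campaign_id": 7, "severity": 8,
     "sha256": "<placeholder-hash-1>"},
    {"id": 3, "type": "Malware Object", "signature": "Trojan.Generic",
     "file_name": "report.rar", "email_status": "Missed",
     "mail_to": "c@example.com", "campaign_id": 9, "severity": 5,
     "sha256": "<placeholder-hash-2>"},
]


def missed_by_campaign(alerts: Iterable[dict]) -> Dict[int, List[dict]]:
    """Keep only alerts whose mail was delivered (email_status == 'Missed')
    and group them by campaign_id so one campaign is handled as one case."""
    groups: Dict[int, List[dict]] = defaultdict(list)
    for alert in alerts:
        if alert.get("email_status") == "Missed":
            groups[alert.get("campaign_id")].append(alert)
    return dict(groups)


def followup_summary(alerts: Iterable[dict]) -> Dict[int, dict]:
    """Per campaign: recipients to contact, hashes to search for in mail and
    endpoint logs, and the highest severity seen in the group."""
    summary = {}
    for campaign_id, group in missed_by_campaign(alerts).items():
        summary[campaign_id] = {
            "recipients": sorted({a["mail_to"] for a in group}),
            "hashes": sorted({a["sha256"] for a in group if a.get("sha256")}),
            "max_severity": max(a["severity"] for a in group),
        }
    return summary


if __name__ == "__main__":
    for cid, info in followup_summary(SAMPLE_ALERTS).items():
        print(f"campaign {cid}: {info}")
```

Alert 1 is dropped because it was quarantined; alerts 2 and 3 are reported under campaigns 7 and 9 respectively, so the same sample (alert 1 and 2 share a hash) still yields one recipient and one hash for campaign 7.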