fireeye-fx-alerts
Fetch alerts from FireEye FX devices
fireeye-fx-alerts [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- duration=NUM{mon|w|d|h|m|s}
  - Scan only recent data. The time unit is one of s (second), m (minute), h (hour), d (day), w (week) or mon (month). For example, 10s means data from the last 10 seconds.
- from=yyyyMMddHHmmss
  - Start time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded.
- to=yyyyMMddHHmmss
  - End time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded. Defaults to tomorrow 00:00.
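The following is an added worked example, not code from the fireeye-fx-alerts command or its implementation. It resolves the duration=, from= and to= options into a concrete [start, end) time window following the rules above: zero-padding of a partial yyyyMMddHHmmss value, duration units including mon, and the tomorrow-00:00 default for to. Two points are assumptions not stated on the page: a duration is counted back from "now", and mon is applied as a calendar-month step (clamping the day of month) rather than a fixed 30 days; the function names are also this example's own.

```python
"""Resolve fireeye-fx-alerts time options into a [start, end) window.

Added example; not the command's own implementation.
Assumptions (not stated in the documentation):
  * duration is measured back from the caller-supplied "now"
  * mon steps back whole calendar months, clamping the day of month
  * duration is not combined with from/to (raises if it is)
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# "mon" is listed before "m" so that e.g. "3mon" is read as 3 months, not 3 minutes.
_DURATION_RE = re.compile(r"^(\d+)(mon|w|d|h|m|s)$")
_UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_options(query: str) -> Dict[str, str]:
    """Split 'fireeye-fx-alerts key=value ...' into an option dict."""
    tokens = query.split()
    if not tokens or tokens[0] != "fireeye-fx-alerts":
        raise ValueError("not a fireeye-fx-alerts command")
    opts: Dict[str, str] = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep or key not in ("duration", "from", "to"):
            raise ValueError(f"unknown option {tok!r}")
        opts[key] = val
    return opts


def parse_timestamp(value: str) -> datetime:
    """Parse yyyyMMddHHmmss; an omitted time part is zero-padded (20240101 -> 20240101000000)."""
    if not value.isdigit() or len(value) not in (8, 10, 12, 14):
        raise ValueError(f"expected yyyyMMdd[HH[mm[ss]]], got {value!r}")
    return datetime.strptime(value.ljust(14, "0"), "%Y%m%d%H%M%S")


def subtract_duration(now: datetime, spec: str) -> datetime:
    """Return now minus a NUM{mon|w|d|h|m|s} duration."""
    m = _DURATION_RE.match(spec)
    if not m:
        raise ValueError(f"bad duration {spec!r}; expected NUM{{mon|w|d|h|m|s}}")
    num, unit = int(m.group(1)), m.group(2)
    if unit == "mon":
        # Calendar-month step (assumption): clamp the day so 31 March - 1mon is 29 Feb, not invalid.
        total_months = now.year * 12 + (now.month - 1) - num
        year, month0 = divmod(total_months, 12)
        month = month0 + 1
        next_month_start = datetime(year + (month == 12), (month % 12) + 1, 1)
        last_day = (next_month_start - timedelta(days=1)).day
        return now.replace(year=year, month=month, day=min(now.day, last_day))
    return now - timedelta(seconds=num * _UNIT_SECONDS[unit])


def resolve_window(options: Dict[str, str], now: datetime) -> Tuple[Optional[datetime], datetime]:
    """Return (start, end). start is None when neither duration nor from is given."""
    if "duration" in options:
        if "from" in options or "to" in options:
            raise ValueError("duration cannot be combined with from/to (assumption)")
        return subtract_duration(now, options["duration"]), now
    start = parse_timestamp(options["from"]) if "from" in options else None
    # Documented default for to=: tomorrow 00:00.
    tomorrow = (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    end = parse_timestamp(options["to"]) if "to" in options else tomorrow
    if start is not None and start >= end:
        raise ValueError("from must be earlier than to")
    return start, end


if __name__ == "__main__":
    now = datetime(2024, 3, 31, 12, 0, 0)  # constructed reference time
    for q in ("fireeye-fx-alerts duration=10s",
              "fireeye-fx-alerts from=20240101",
              "fireeye-fx-alerts from=2024010112 to=20240102"):
        print(q, "->", resolve_window(parse_options(q), now))
```

The zero-padding rule means from=2024010112 covers from 12:00:00 on 1 January, so a query like from=20240101 to=20240102 returns alerts for 1 January only; include the time part explicitly if you want a window that does not end at midnight.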
Output Fields
Field | Type | Name | Description |
---|---|---|---|
_time | Date | Alert time | |
profile | String | Connect profile | Identifier of FireEye FX connect profile |
id | Integer | Alert ID | |
type | String | Type | e.g. Malware Object |
signature | String | Signature | e.g. Trojan.Win32.Tiggre.FEC3 |
file_type | String | File type | e.g. zip |
scan_name | String | Scan name | |
url | String | URL | |
status | String | Status | e.g. Success, Duplicate |
md5 | String | MD5 | |
sha256 | String | SHA256 | |
submitted_at | Date | Submitted time | |
started_at | Date | Started time | |
completed_at | Date | Completed time | |
parent | Bool | Parent or not | |
threat_info_badge | Bool | Threat info badge | |
malicious_alerts | Bool | Malicious alert | Analysis of digital signature, entropy, packer, API hooking, and so on |
os_change_graph | Bool | OS change graph | |
os_change_table | Bool | OS change table | |
pe_view | Bool | PE view | |
obj_hash | Bool | Object hash | Includes crc32, md5, sha1, sha256, ssdeep |
hex_view | Bool | Hex view | |
mitre_view | Bool | MITRE view | Includes MITRE ATT&CK TTP mappings |
download_path | String | Download path | XML report download path |
guid | String | Alert GUID | |