About Notifications
Notifications are triggered when the appliance detects a malicious event on your network.
Notification Delivery Services
FireEye appliances send alert notifications to the following services:
- Email (SMTP) Server—Notifications are sent to an SMTP server that then forwards the notifications to one or more addresses using Simple Mail Transfer Protocol (SMTP).
- Remote System Log Servers (Rsyslog)—Notifications are sent to one or more remote syslog servers.
- Network Monitoring (SNMP) Server—Notifications are sent to one or more Simple Network Management Protocol (SNMP) servers.
- Web (HTTP)—Notifications are posted to one or more Web servers.
Notification Delivery Frequency
You can specify the delivery frequency both globally and for individual recipients. When you set a delivery frequency for an individual recipient, it overrides the global delivery frequency setting.
Note: FireEye recommends per event notifications for all persons monitoring event alerts. This ensures that these persons receive the alerts as soon as they occur.
The following delivery frequencies can be set:
- Per Event—(Recommended) Send a notification each time an event of this type occurs.
- 1 Min per Source—Send a notification every minute for each entity that was the source of the event.
- 5 Mins per Source—Send a notification every 5 minutes for each entity that was the source of the event.
- Hourly per Source—Send an hourly notification for each entity that was the source of the event.
- Daily per Source—Send a daily notification for each entity that was the source of the event.
- Daily Digest—Send one daily notification summarizing the specified events detected in the past 24 hours, in the selected format and level of detail (default is Concise).
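The per-source frequencies above fold every event from one source within a window into a single notification, which is why a burst from one host can reach a recipient as one message. The following added example (written for this page, not FireEye's own code) models each delivery frequency over a constructed alert stream so you can see how many notifications each setting produces. The event tuples, source addresses and alert names are constructed; the bucketing rule (one notification per source per fixed window, one per day for the digest) is an assumption about how the appliance aggregates, not a documented algorithm.

```python
"""Model of notification delivery frequencies (added example, not FireEye code)."""
from datetime import datetime, timedelta

# Window length for each delivery frequency; None means one notification per event.
WINDOWS = {
    "per_event": None,
    "1min_per_source": timedelta(minutes=1),
    "5min_per_source": timedelta(minutes=5),
    "hourly_per_source": timedelta(hours=1),
    "daily_per_source": timedelta(days=1),
    "daily_digest": timedelta(days=1),
}

_EPOCH = datetime(1970, 1, 1)


def _bucket(ts, window):
    """Start of the fixed-length window that contains `ts` (assumed bucketing rule)."""
    n = (ts - _EPOCH) // window
    return _EPOCH + n * window


def deliver(events, frequency):
    """Return the notifications that would be sent for `events` under `frequency`.

    events: iterable of (timestamp, source, alert_name) tuples in time order.
    Each notification is a dict with the window start, the source (None for the
    digest, which spans all sources) and the alert names folded into it.
    """
    window = WINDOWS[frequency]
    if window is None:  # Per Event: nothing is folded together
        return [{"window": ts, "source": src, "alerts": [name]} for ts, src, name in events]
    folded = {}  # (window start, source) -> alert names; dict keeps insertion order
    for ts, src, name in events:
        key = (_bucket(ts, window), None if frequency == "daily_digest" else src)
        folded.setdefault(key, []).append(name)
    return [{"window": w, "source": s, "alerts": names} for (w, s), names in folded.items()]


def suppressed(events, frequency):
    """How many events would NOT get their own notification under `frequency`."""
    events = list(events)
    return len(events) - len(deliver(events, frequency))


# Constructed sample stream: two sources, one of them bursting for several minutes.
T0 = datetime(2024, 1, 1, 9, 0, 0)
EVENTS = [
    (T0, "10.0.0.5", "malware-object"),
    (T0 + timedelta(seconds=20), "10.0.0.5", "malware-callback"),
    (T0 + timedelta(seconds=50), "10.0.0.9", "web-infection"),
    (T0 + timedelta(minutes=1, seconds=10), "10.0.0.5", "malware-callback"),
    (T0 + timedelta(minutes=7), "10.0.0.5", "malware-object"),
    (T0 + timedelta(hours=2), "10.0.0.9", "web-infection"),
]

if __name__ == "__main__":
    for freq in WINDOWS:
        print(f"{freq:18s} notifications={len(deliver(EVENTS, freq))} "
              f"folded_events={suppressed(EVENTS, freq)}")
```

Running the block shows six notifications for Per Event against one for the daily digest. The callback and the object alert from 10.0.0.5 land in the same hourly message, so anyone triaging from an hourly or daily feed should open the folded alert list rather than reading the notification subject alone.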
Notification Format
Notifications can be sent in the following formats. XML, JSON, and text are available for every delivery service; CEF, LEEF, and CSV are available only for the Rsyslog service:
- XML
- JSON
- Text
- CEF (Rsyslog service only)
- LEEF (Rsyslog service only)
- CSV (Rsyslog service only)
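A syslog collector that receives CEF-formatted notifications has to split the record correctly before any detection rule can use it: the seven header fields are separated by `|`, a literal `|` or `\` inside a header field is escaped with a backslash, and extension values may contain spaces while `=` inside a value is escaped as `\=`. The parser below is an added example written for this page, not FireEye's or ArcSight's code; the sample line is constructed, with a placeholder vendor and product name and ordinary CEF extension keys, and does not claim to show the exact fields an appliance emits.

```python
"""Parser for CEF records delivered over syslog (added example, not FireEye code)."""
import re

# A key is a run of key characters followed by '=' and preceded by whitespace or
# start of string. Keys never contain '\', so an escaped '\=' inside a value cannot
# be mistaken for a new key.
_KEY = re.compile(r"(?<![^\s])([A-Za-z0-9_.\-]+)=")


def _split_header(s):
    """Split the text after 'CEF:' into the 7 header fields plus the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):  # '\|' or '\\' inside a header field
            cur.append(s[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if len(fields) == 6:  # severity was the last field and no extension followed
        fields.append("".join(cur))
        cur = []
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, s[i:]


def _unescape(value):
    """Undo CEF extension escaping: '\\=', '\\\\', '\\n', '\\r'."""
    return re.sub(r"\\([\\=nr|])",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Parse 'key=value key=value ...' where values may contain spaces."""
    matches = list(_KEY.finditer(ext))
    parsed = {}
    for k, m in enumerate(matches):
        end = matches[k + 1].start() if k + 1 < len(matches) else len(ext)
        parsed[m.group(1)] = _unescape(ext[m.end():end].strip())
    return parsed


def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line")
    header, ext = _split_header(line[idx + 4:])
    version, vendor, product, dev_version, sig_id, name, severity = header
    return {
        "syslog_prefix": line[:idx].rstrip(),
        "cef_version": version,
        "vendor": vendor,
        "product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": severity,
        "ext": _parse_extension(ext),
    }


# Constructed sample: placeholder vendor/product, an escaped '|' in the name field
# and escaped '=' characters inside two extension values.
SAMPLE = (
    "<13>Jan  1 09:00:00 sensor01 CEF:0|ExampleVendor|ExampleSensor|1.0|malware-callback|"
    "Callback to C2 \\| blocked|8|src=10.0.0.5 dst=203.0.113.7 spt=49152 dpt=443 "
    "request=https://203.0.113.7/gate.php?id\\=abc cs1Label=sandbox cs1=queued "
    "msg=first\\=second"
)

if __name__ == "__main__":
    rec = parse_cef(SAMPLE)
    print(rec["name"], rec["severity"], rec["ext"]["src"], "->", rec["ext"]["dst"])
```

Two checks worth keeping in a real collector: refuse records whose header does not yield seven fields (a naive `split("|")` silently shifts every later field when a name contains an escaped pipe), and treat an unescaped `=` inside a value as a malformed record rather than guessing, since it will otherwise be read as a new key.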
Further, you can determine the level of information provided in each JSON, XML, or text formatted alert:
- Normal—This format contains detailed information and abstracts, such as alert type, ID, source IP, malware name, hostname, and alert URL, without redundant information.
- Concise—This format contains basic information, such as alert type, ID, source IP, malware name, hostname, and alert URL.
- Extended—This format contains detailed information and abstracts, including data-theft information (if any) and static-analysis details. This format provides all details about files and objects modified during analysis.