Connecting CM to Helix to Ingest FireEye Alerts

In this installment of the Tips and Insights series, Todd Bane demonstrates how to enable the on-prem CMS to send in alerts generated by your managed FireEye appliances into Helix.

Hi, my name is Todd Bane and I'm a Technical Initiatives Manager here at FireEye's Deployment and Integrations team. Today I would like to show you how to enable the on-prem CMS to send alerts generated by your managed FireEye appliances into Helix.

First we begin by logging into the CMS console command line. Next we issue an enable command and a configure terminal command to get to the configuration root menu. We begin by enabling the Helix mode for on-premises. We can verify that this configuration was successful by running a show Helix command and checking the output shown here on the screen: enabled is marked as yes and the mode is configured as on-premise. We will also want to verify the console URL output at the very end of the string for the ID.

This hex identifier should match the Helix instance ID that was sent with your welcome letter email.

Next we want to make sure that the receiver destination is configured correctly through your DTI configuration settings. This can be viewed through the show fenet DTI configuration command. At the bottom of your configuration output, under the Helix section, you should see an address marking the Helix instance identifier we just discussed, with the URL destination of the hex instance. If this information is inaccurate, it is recommended that you contact technical support in order to get this configuration output corrected.

You can also verify that the on-premise CM has been properly registered through a show fenotify integ helix output. The hostname in this output should accurately reflect the receiver destination shown above in the DTI settings. If this is not correct, again you will want to contact technical support in order to get this information corrected.

We can now verify that event data is being sent out of your CMS to the destination receiver displayed above through a tcpdump command. If your CMS is properly processing the alerts and attempting to send them to your Helix receiver, you should see output similar to what is shown on the screen above: traffic on port 443 to the host destination of the receiver address provided should be apparent in the tcpdump. And that's how you enable the on-prem. Stay tuned for more FireEye tips and insights.
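The video walks through four consistency checks: the hex ID at the end of the console URL matches the welcome-letter instance ID, the DTI Helix section carries that same ID, the fenotify hostname matches the DTI receiver destination, and tcpdump shows traffic to the receiver on port 443. The script below, an added example that is not part of the video or of any FireEye tooling, automates those checks over captured command output. The CMS output formats are not shown on the page, so the sample outputs here are constructed and their "Key: value" layout is an assumption; the tcpdump lines use tcpdump's standard text format. Adapt the regular expressions to the real output before using it against a CMS.

```python
import re

# Constructed sample output for this example. The real CMS command output
# layout is not shown on the page; the "Key: value" format is an assumption.
SHOW_HELIX_SAMPLE = """\
Helix configuration
  Enabled:     yes
  Mode:        on-premise
  Console URL: https://helix.example.invalid/console/0123456789abcdef
"""

DTI_SAMPLE = """\
DTI configuration
  Cloud intelligence: enabled
Helix
  Instance ID: 0123456789abcdef
  Receiver:    receiver.example.invalid
"""

FENOTIFY_SAMPLE = """\
Helix integration
  Hostname: receiver.example.invalid
  Port:     443
"""

# Constructed tcpdump lines: CMS at 10.0.0.5 talking to the receiver at 203.0.113.10.
TCPDUMP_SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 203.0.113.10.443 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [P.], seq 1:100, ack 1, win 502, length 99
"""


def parse_kv(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys; lines without a value are skipped."""
    result = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value:
            result[key] = value
    return result


# The instance ID is the hex segment at the very end of the console URL.
HEX_ID_RE = re.compile(r"/([0-9a-f]+)/?$", re.IGNORECASE)


def parse_show_helix(text):
    """Extract enabled flag, mode and the hex instance ID from show-helix style output."""
    kv = parse_kv(text)
    match = HEX_ID_RE.search(kv.get("console url", ""))
    return {
        "enabled": kv.get("enabled", "").lower() == "yes",
        "mode": kv.get("mode", ""),
        "instance_id": match.group(1).lower() if match else None,
    }


def check_registration(show_helix_out, dti_out, fenotify_out, expected_id):
    """Return a list of mismatches; an empty list means every check from the video passed."""
    problems = []
    helix = parse_show_helix(show_helix_out)
    dti = parse_kv(dti_out)
    fenotify = parse_kv(fenotify_out)
    expected_id = expected_id.lower()
    if not helix["enabled"]:
        problems.append("Helix mode is not enabled")
    if helix["mode"] != "on-premise":
        problems.append(f"unexpected Helix mode: {helix['mode']!r}")
    if helix["instance_id"] != expected_id:
        problems.append(f"console URL ID {helix['instance_id']} != welcome-letter ID {expected_id}")
    if dti.get("instance id", "").lower() != expected_id:
        problems.append("DTI Helix instance ID does not match welcome-letter ID")
    if fenotify.get("hostname", "").lower() != dti.get("receiver", "").lower():
        problems.append("fenotify hostname does not match DTI receiver destination")
    return problems


# tcpdump prints "IP <src>.<sport> > <dst>.<dport>:" for IPv4 TCP/UDP packets.
TCPDUMP_RE = re.compile(r"\bIP (\S+) > (\S+):")


def packets_to_receiver(tcpdump_out, receiver_ip, port=443):
    """Count packets in tcpdump text output whose destination is receiver_ip on the given port."""
    count = 0
    for line in tcpdump_out.splitlines():
        match = TCPDUMP_RE.search(line)
        if not match:
            continue
        dst_host, _, dst_port = match.group(2).rpartition(".")
        if dst_host == receiver_ip and dst_port == str(port):
            count += 1
    return count


if __name__ == "__main__":
    issues = check_registration(SHOW_HELIX_SAMPLE, DTI_SAMPLE, FENOTIFY_SAMPLE, "0123456789abcdef")
    print("registration checks:", "OK" if not issues else issues)
    print("packets to receiver:443 ->", packets_to_receiver(TCPDUMP_SAMPLE, "203.0.113.10"))
```

A zero packet count after the registration checks pass points at the network path (firewall or proxy between the CMS and the receiver) rather than the Helix configuration, which is the case the video tells you to raise with technical support.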
