In this installment of the Tips and Insights series, Adam Goff explains TAP Sender and Comm Broker on the FireEye Network Security appliance. Comm Broker and TAP Sender, also known as the Evidence Collector, are valuable tools for collecting events in your environment and getting them to FireEye Helix.
Hi, I’m Adam Goff. I’m a Support Engineer here at FireEye. Today we are going to be talking about TAP Sender and Comm Broker on the FireEye Network Security appliance. Comm Broker and TAP Sender, also known as the Evidence Collector, are valuable tools for collecting events in your environment and getting them to Helix. TAP Sender, also known as Evidence Collector, forwards metadata from traffic processed by your FireEye Network Security appliance to Helix. Once enabled, the TAP Sender is configured to send metadata to Helix.
Each Evidence Collector can generate up to 1,000-plus events per second, depending on the amount of monitored network bandwidth and whether any filters are enabled on the Evidence Collector. We can use filters to select which metadata to collect with the Evidence Collector.
Comm Broker can be configured to receive events from third-party log sources and forward them to Helix. The Comm Broker supports JSON and Syslog formatted logs and the UDP, TCP, and TLS connection protocols.
First we will navigate on the appliance to the Settings, Certificates and Keys tab.
Then we will go to our Helix, open the operational dashboard, download the certificate, and copy the Helix instance ID.
Once the certificate is downloaded we will have these three files, and we will add them to the certificate section of the appliance.
So choose the PEM and then choose the private key, which is bootstrap. Give it a name.
We’ll call the cert name the same name as the instance, just for ease of identification.
Our new cert has been uploaded, and now we can go to the Evidence Collector and start configuring the Evidence Collector and TAP Sender. So the first thing we will do is put in the name of the Helix instance. Then we will pick the certificate and we will update. This makes it so either the TAP Sender or the Comm Broker can get events to Helix. And you can have one or the other active at a time.
Next we will add, we’ll say, UDP, which is on port 514 for Syslog, and then we will do the same thing for JSON, putting it on port 515. They now show up here. You can have a total of six of these programmed at a given time. And so we have the option for TCP, UDP and TLS/SSL. If you decide to use TLS/SSL it will require you to upload another certificate and the root CA for that certificate, and that certificate will have to be trusted by whatever third-party endpoints are sending logs using TLS to this Comm Broker. And so you would just select them out of the list and update them if you are going to use that SSL/TLS protocol. Once we are done configuring, we come down to the bottom and we can toggle them on and off.
With the TAP Sender Evidence Collector we also have the ability to send to a third-party SIEM. We can do so through a Splunk integration or by just TCP or UDP. Put in the hostname. Put in the port and the authorization token required.
And then we would update it, and then we turn on L7 metadata. This would be used when you have an onsite SIEM and Helix. And so you would enable it here, and you would enable TAP Sender out here if you were sending to both. Now we see how to configure the Comm Broker and TAP Sender feature. Tips and Insights.
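To check that the two Comm Broker listeners configured above actually receive what a third-party source sends, here is an added example (not FireEye code, and not from the video) that builds a Syslog line and a JSON event and sends them over UDP, TCP, or TLS; the broker hostname, the ports 514/515, and the CA file path are assumptions, and the TLS branch trusts only the CA you uploaded for the broker certificate.

```python
import json
import socket
import ssl
from datetime import datetime, timezone

# Constructed values matching the walkthrough: hostname is a placeholder.
COMM_BROKER_HOST = "commbroker.example.internal"
SYSLOG_UDP_PORT = 514   # Syslog listener configured in the video
JSON_UDP_PORT = 515     # JSON listener configured in the video

def syslog_message(hostname, app, msg, facility=1, severity=6):
    """RFC 3164-style line: <PRI>Mmm dd HH:MM:SS host app: msg (PRI = facility*8 + severity)."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {app}: {msg}"

def json_event(hostname, app, fields):
    """One compact JSON object per datagram/line, the shape a JSON listener expects."""
    event = {"timestamp": datetime.now(timezone.utc).isoformat(),
             "hostname": hostname, "app": app}
    event.update(fields)
    return json.dumps(event, separators=(",", ":"))

def send_event(payload, host, port, proto="udp", cafile=None):
    """Deliver one event; stream protocols get newline framing, UDP sends one datagram."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload.encode(), (host, port))
        return
    sock = socket.create_connection((host, port), timeout=5)
    if proto == "tls":
        # Assumed path to the root CA uploaded for the broker's TLS listener;
        # hostname and chain verification stay on (create_default_context defaults).
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall((payload + "\n").encode())

def udp_roundtrip(payload):
    """Loopback self-check: what send_event emits over UDP arrives unchanged."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        port = listener.getsockname()[1]
        send_event(payload, "127.0.0.1", port, proto="udp")
        data, _ = listener.recvfrom(65535)
    return data.decode()

if __name__ == "__main__":
    print(udp_roundtrip(syslog_message("fw01", "vpn", "user login", 4, 5)))
    print(udp_roundtrip(json_event("fw01", "vpn", {"user": "alice", "result": "ok"})))
```

Point the host at the real broker (and use proto="tls" with the uploaded CA) once the loopback check passes; the Syslog timestamp uses a zero-padded day, which most collectors accept but which differs from strict RFC 3164 space padding.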