About the connector
The FireEye® CM series is a group of management platforms that consolidates the administration, reporting and data sharing of the FireEye products in an easy-to-deploy, network-based platform.
This document provides information about the Infocyte connector, which facilitates automated interactions, with your FireEye CMS server using FortiSOAR™ playbooks. Add the FireEye CMS connector, as a step in FortiSOAR™ playbooks and perform automated operations such as adding or deleting a custom field in FireEye CMS, or retrieve information of all existing alerts from FireEye CMS.
Version information
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-fireeye-cms
For the detailed procedure to install a connector, click here
Prerequisites to configuring the connector
- You must have the FQDN or IP address of the FireEye CMS server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, select the FireEye CMS connector row, and in the Configure tab enter the required configuration details.
| Parameter |
Description |
| Hostname |
FQDN or IP address of FireEye CMS server to which you will connect and perform the automated operations. |
| Username |
Username to access the FireEye CMS server to which you will connect and perform the automated operations. |
| Password |
Password to access the FireEye CMS server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Add Custom Feed |
Adds a custom IOC feed in the FireEye CMS server based on the feed name, feed type, feed action, and other input parameters you have specified. |
add_feed
Containment |
| Get Custom Feeds |
Retrieves a list of all custom feeds available on the FireEye CMS server. |
list_feeds
Investigation |
| Delete Custom Feeds |
Deletes a specific feed from the FireEye CMS server based on the feed name you have specified. |
delete_feeds
Remediation |
| Get Configurations |
Retrieves a list of all guest image profiles and applications details that are available from the FireEye CMS server. |
get_config
Miscellaneous |
| Get Open Alerts |
Retrieves information of all existing alerts or specific alerts based on alert ID, URL of the alert, and other input parameters you have specified from FireEye CMS. |
get_alerts
Investigation |
| Get Events |
Retrieves IPS event data from FireEye NX, which is managed by FireEye CMS, based on the time range and event type you have specified. |
get_ips_events
Investigation |
operation: Add Custom Feed
Input parameters
| Parameter |
Description |
| Feed Name |
Name of the new custom feed that you want to add in the FireEye CMS server. |
| Feed Type |
Type of the custom feed that you want to add in the FireEye CMS server.
You can choose from the following feed types: IP, URL, Domain, or Hash. |
| Feed Action |
Type of notification that should be generated if a feed matching with the custom feed is found on the FireEye CMS server. |
| Feed Source |
Source of custom feed that you want to add in the FireEye CMS server. |
| IOC Feed Data |
List of IP addresses, URLs, domain names, or hash values (based on the Feed Type you have chosen) that you want to add to the custom feed in the FireEye CMS server.
Note: You can specify multiple items in this field in the .csv or list format. |
| Overwrite Existing Feed |
Specifies whether a feed should be overwritten or not.
If you are creating a new feed, then this checkbox will be unchecked, i.e., the value is set to False, i.e., the feed does not get overwritten.
If you are updating an existing feed, this checkbox will be checked, i.e., the value is set to True, i.e., the feed gets overwritten. |
Output
The output contains the following populated JSON schema:
{
"message": ""
}
operation: Get Custom Feeds
Input parameters
None.
Output
No output schema is available at this time.
operation: Delete Custom Feeds
Input parameters
| Parameter |
Description |
| Feed Name |
Name of the custom feed that you want to delete from FireEye CMS. |
Output
The output contains a non-dictionary value.
operation: Get Configurations
Input parameters
None.
Output
The output contains a non-dictionary value.
operation: Get Open Alerts
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Alert ID |
ID of the alert whose information you want to retrieve from FireEye CMS. |
| Info Level |
Level of information to be retrieved for existing alerts from FireEye CMS.
You can choose from the following options: Concise (default), Normal, or Extended. |
| URL |
URL of the alert that you want to search and for which you want to retrieve information from FireEye CMS. |
| File Name |
Name of the malware file that you want to search and for which you want to retrieve information from FireEye CMS. |
| File Type |
Type of the malware file that you want to search and for which you want to retrieve information from FireEye CMS. |
| Malware Name |
Name of the malware object that you want to search and for which you want to retrieve information from FireEye CMS. |
| Malware Type |
Type of malware object that you want to search and for which you want to retrieve information from FireEye CMS.
For example, domain_match, malware_callback, malware_object, web_infection, infection_match etc. |
| Choose Date Filter |
Date filter to be applied to search for existing alerts and retrieve their information from FireEye CMS.
You can choose between Start Date and or End Date.
For example, if you choose Start Date, then information about alerts from the date that you specify will be retrieved from FireEye CMS. |
| Filter By Selected Date |
Start or End DateTime (based on the Choose Date Filter you have chosen) based on which you want to retrieve alert information from FireEye CMS. |
Output
The output contains a non-dictionary value.
operation: Get Events
Input parameters
| Parameter |
Description |
| Time Duration |
Specifies the time interval to search for events whose information you want to retrieve from FireEye CMS.
This filter is used with the end_time filter.
If you do not specify the duration is, then the system defaults to duration=12_ hours and end_time=current_time |
| Event Type |
Type of event whose information you want to retrieve from FireEye CMS.
The value must be set to Ips Event. |
Output
No output schema is available at this time.
Included playbooks
The Sample - FireEye CMS - 1.0.0 playbook collection comes bundled with the FireEye CMS connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FireEye CMS connector.
- Add Custom Feed
- Get Configurations
- Get Open Alerts
- Get Custom Feeds
- Get Events
- Delete Custom Feeds
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
