Fortinet Document Library

Version: 1.0.0

About the connector

The FireEye® CM series is a group of management platforms that consolidates the administration, reporting and data sharing of the FireEye products in an easy-to-deploy, network-based platform.

This document provides information about the FireEye CMS connector, which facilitates automated interactions with your FireEye CMS server using FortiSOAR™ playbooks. Add the FireEye CMS connector as a step in FortiSOAR™ playbooks and perform automated operations such as adding or deleting a custom feed in FireEye CMS, or retrieving information about all existing alerts from FireEye CMS.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-fireeye-cms

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

  • You must have the FQDN or IP address of the FireEye CMS server to which you will connect and perform automated operations, and credentials (a username-password pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, select the FireEye CMS connector row, and in the Configure tab enter the required configuration details. 

Parameter Description
Hostname FQDN or IP address of FireEye CMS server to which you will connect and perform the automated operations.
Username Username to access the FireEye CMS server to which you will connect and perform the automated operations.
Password Password to access the FireEye CMS server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL/TLS certificate presented by the FireEye CMS server is verified.
By default, this option is set to True. Leave it enabled: with verification disabled, the connector accepts any certificate, so the username and password it sends to the server can be captured by anyone able to redirect the connection. If the server presents a certificate that FortiSOAR™ cannot validate, fix the certificate rather than disabling verification.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function | Description | Annotation | Category
Add Custom Feed | Adds a custom IOC feed in the FireEye CMS server based on the feed name, feed type, feed action, and other input parameters you have specified. | add_feed | Containment
Get Custom Feeds | Retrieves a list of all custom feeds available on the FireEye CMS server. | list_feeds | Investigation
Delete Custom Feeds | Deletes a specific feed from the FireEye CMS server based on the feed name you have specified. | delete_feeds | Remediation
Get Configurations | Retrieves a list of all guest image profiles and application details that are available from the FireEye CMS server. | get_config | Miscellaneous
Get Open Alerts | Retrieves information about all existing alerts, or about specific alerts based on the alert ID, URL of the alert, and other input parameters you have specified, from FireEye CMS. | get_alerts | Investigation
Get Events | Retrieves IPS event data from FireEye NX, which is managed by FireEye CMS, based on the time range and event type you have specified. | get_ips_events | Investigation

operation: Add Custom Feed

Input parameters

Parameter Description
Feed Name Name of the new custom feed that you want to add in the FireEye CMS server.
Feed Type Type of the custom feed that you want to add in the FireEye CMS server.
You can choose from the following feed types: IP, URL, Domain, or Hash.
Feed Action Action to take when an indicator in the custom feed is matched, for example, the type of notification that FireEye CMS should generate.
Feed Source Source of custom feed that you want to add in the FireEye CMS server.
IOC Feed Data List of IP addresses, URLs, domain names, or hash values (based on the Feed Type you have chosen) that you want to add to the custom feed in the FireEye CMS server.
Note: You can specify multiple items in this field, either as comma-separated values or as a list.
Overwrite Existing Feed Specifies whether an existing feed with the same name is overwritten.
Leave this checkbox cleared (False) when creating a new feed; the feed is not overwritten.
Select this checkbox (True) when updating an existing feed; the existing feed is overwritten.
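As an added example (not code from the page or from the FortiSOAR connector), the following Python validates and normalises the Add Custom Feed inputs before the step runs: it accepts the IOC Feed Data field either as CSV text or as a list, checks every item against the chosen Feed Type (IP, URL, Domain, Hash), drops duplicates, and reports what it rejected so the playbook can log bad indicators instead of pushing them to the appliance. The key names in the returned payload, the accepted hash lengths (MD5, SHA-1, SHA-256) and the sample indicators are assumptions, not something the page documents.

```python
import csv
import ipaddress
import re
from urllib.parse import urlsplit

# Feed types documented for Add Custom Feed.
FEED_TYPES = ("IP", "URL", "Domain", "Hash")

# Hex digest lengths accepted for a Hash feed (MD5, SHA-1, SHA-256).
# Assumption: the page does not say which algorithms FireEye accepts.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-f]+$")
# One DNS label: 1-63 letters/digits/hyphens, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def split_feed_data(raw):
    """Flatten the 'IOC Feed Data' field, given either as a list or as CSV /
    newline-separated text, into a list of stripped, non-empty strings."""
    if isinstance(raw, (list, tuple)):
        fields = [str(x) for x in raw]
    else:
        fields = []
        for line in str(raw).splitlines():
            if line.strip():
                fields.extend(next(csv.reader([line])))
    return [f.strip() for f in fields if f.strip()]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_domain(value):
    # A bare IP address is not a domain indicator; a single label is not a domain.
    labels = value.split(".")
    return (len(value) <= 253 and len(labels) >= 2 and not _is_ip(value)
            and all(_LABEL_RE.match(label) for label in labels))


def _is_url(value):
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def _is_hash(value):
    return len(value) in HASH_LENGTHS and bool(_HEX_RE.match(value))


def normalise(feed_type, item):
    """Canonical form used for validation and duplicate detection."""
    if feed_type == "Domain":
        return item.rstrip(".").lower()
    if feed_type == "Hash":
        return item.lower()
    if feed_type == "IP":
        return str(ipaddress.ip_address(item)) if _is_ip(item) else item
    return item


_VALIDATORS = {"IP": _is_ip, "URL": _is_url, "Domain": _is_domain, "Hash": _is_hash}


def build_feed_payload(feed_name, feed_type, feed_action, feed_source,
                       ioc_feed_data, overwrite_existing_feed=False):
    """Validate the Add Custom Feed inputs and return (payload, rejected).

    payload carries the accepted, de-duplicated indicators under key names that
    mirror the documented parameter labels (assumed; the connector's internal
    names are not shown on the page). rejected lists the inputs that do not
    match the chosen feed type.
    """
    if feed_type not in FEED_TYPES:
        raise ValueError("unsupported feed type: %r" % (feed_type,))
    if not feed_name or not feed_name.strip():
        raise ValueError("feed name is required")
    validate = _VALIDATORS[feed_type]
    accepted, rejected, seen = [], [], set()
    for item in split_feed_data(ioc_feed_data):
        canonical = normalise(feed_type, item)
        if canonical in seen:
            continue  # duplicate (case / trailing-dot variants included)
        seen.add(canonical)
        if validate(canonical):
            accepted.append(canonical)
        else:
            rejected.append(item)
    if not accepted:
        raise ValueError("no valid %s indicators in feed data" % feed_type)
    payload = {
        "feed_name": feed_name.strip(),
        "feed_type": feed_type,
        "feed_action": feed_action,
        "feed_source": feed_source,
        "ioc_feed_data": accepted,
        "overwrite_existing_feed": bool(overwrite_existing_feed),
    }
    return payload, rejected


# Constructed sample input: a Domain feed supplied in the CSV form of the field.
SAMPLE_DOMAIN_CSV = "evil.example, Evil.Example., 10.0.0.1, bad domain, mail.evil.example\n"

if __name__ == "__main__":
    payload, rejected = build_feed_payload(
        "soar-blocklist", "Domain", "alert", "FortiSOAR", SAMPLE_DOMAIN_CSV)
    print(payload["ioc_feed_data"])  # ['evil.example', 'mail.evil.example']
    print(rejected)                  # ['10.0.0.1', 'bad domain']
```

Run the returned `rejected` list through a playbook step that records it; silently dropping a mistyped indicator is how an intended block quietly fails to land on the appliance.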

Output

The output contains the following populated JSON schema:

{
    "message": ""
}

operation: Get Custom Feeds

Input parameters

None.

Output

No output schema is available at this time.

operation: Delete Custom Feeds

Input parameters

Parameter Description
Feed Name Name of the custom feed that you want to delete from FireEye CMS.

Output

The output contains a non-dictionary value.

operation: Get Configurations

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Open Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned. 

Parameter Description
Alert ID ID of the alert whose information you want to retrieve from FireEye CMS.
Info Level Level of information to be retrieved for existing alerts from FireEye CMS.
You can choose from the following options: Concise (default), Normal, or Extended.
URL URL of the alert that you want to search and for which you want to retrieve information from FireEye CMS.
File Name Name of the malware file that you want to search and for which you want to retrieve information from FireEye CMS.
File Type Type of the malware file that you want to search and for which you want to retrieve information from FireEye CMS.
Malware Name Name of the malware object that you want to search and for which you want to retrieve information from FireEye CMS.
Malware Type Type of malware object that you want to search and for which you want to retrieve information from FireEye CMS.
For example, domain_match, malware_callback, malware_object, web_infection, infection_match etc.
Choose Date Filter Date filter to be applied to search for existing alerts and retrieve their information from FireEye CMS.
You can choose either Start Date or End Date.
For example, if you choose Start Date, then information about alerts from the date that you specify will be retrieved from FireEye CMS.
Filter By Selected Date Start or End DateTime (based on the Choose Date Filter you have chosen) based on which you want to retrieve alert information from FireEye CMS.

Output

The output contains a non-dictionary value.

operation: Get Events

Input parameters

Parameter Description
Time Duration Time interval, ending at end_time, within which to search for events whose information you want to retrieve from FireEye CMS.
This filter is used together with the end_time filter.
If you do not specify a duration, the system defaults to duration=12_hours and end_time=current_time.
Event Type Type of event whose information you want to retrieve from FireEye CMS.
The value must be set to Ips Event.

Output

No output schema is available at this time.

Included playbooks

The Sample - FireEye CMS - 1.0.0 playbook collection comes bundled with the FireEye CMS connector. These playbooks contain steps that perform each of the supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FireEye CMS connector.

  • Add Custom Feed
  • Get Configurations
  • Get Open Alerts
  • Get Custom Feeds
  • Get Events
  • Delete Custom Feeds

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
