About the connector

FireEye Email Security helps organizations minimize the risk of costly breaches. Email Security (EX Series) on-premises appliances accurately detect and can immediately stop advanced and targeted attacks, including spear phishing and ransomware, before they enter your environment. Email Security uses the signatureless Multi-Vector Virtual Execution™ (MVX) engine to analyze email attachments and URLs against a comprehensive cross-matrix of operating systems, applications, and web browsers. Threats are identified with minimal noise, and false positives are nearly nonexistent.

This document provides information about the FireEye EX connector, which facilitates automated interactions with a FireEye EX server using FortiSOAR™ playbooks. Add the FireEye EX connector as a step in FortiSOAR™ playbooks and perform automated operations, such as searching and retrieving information about domains, IP addresses, or name servers that you have specified.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.9.0.0-708 and later

FireEye CM Version Tested on: 2500

Authored By: Fortinet

Certified: Yes

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-fireeye-ex

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the FQDN or IP address of the FireEye CMS server (through which you connect to the FireEye EX server) on which you will perform the automated operations, and the credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the FireEye EX connector and click Configure to configure the following parameters:

Hostname: FQDN or IP address of the FireEye CMS server (through which you connect to the FireEye EX server) on which you will perform the automated operations.
Username: Username used to access the FireEye EX server on which you will perform the automated operations.
Password: Password used to access the FireEye EX server on which you will perform the automated operations.
API Version: Version of the API used to perform the automated operations. For FireEye EX connector 1.0.0 this is a read-only field set to v2.0.0.
Verify SSL: Specifies whether the SSL certificate presented by the server is verified. By default, this option is set to True.

Note: To use the FireEye EX connector, you must create a user with the API Analyst role and then enable wsapi from the command line as follows:

# enable
# configure terminal
# wsapi ?
# wsapi enable

Actions supported by the connector

The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:

Add Custom Feed
  Description: Adds a custom feed to the FireEye EX server, based on the input parameters you have specified.
  Annotation: add_feed
  Category: Containment

Delete Custom Feed
  Description: Deletes a custom feed from the FireEye EX server, based on the feed name you have specified.
  Annotation: delete_feed
  Category: Remediation

Get Custom Feed
  Description: Retrieves a list of existing custom IOC feeds from the FireEye EX server.
  Annotation: get_feeds
  Category: Investigation

operation: Add Custom Feed

Input parameters

Feed Name: Name of the new feed, or name of an existing feed that you want to modify, on the FireEye EX server.
Feed Type: Type of the feed that you want to add to the FireEye EX server. Currently only the IP feed type is supported. Future versions of this connector may support feed types such as URL, Domain, or Hash.
Feed Action: Type of notification that is generated if a match is found. For example, if you specify Alert, an alert notification is generated.
Feed Source: Source of the feed.
IOC Feed Data (CSV or List Format): IP address, URL, domain name, or hash value that needs to be blocked on the FireEye EX server. You can add multiple IP addresses, URLs, domain names, or hash values in this field using CSV or list format. For example, a list of URLs can be added as: abc.com, xyz.com, def.com
Overwrite Existing Feed: Set this option to true if you are updating an existing feed on the FireEye EX server. Set it to false if you are adding a new feed.
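The IOC Feed Data field accepts either a CSV string or a list, and connector 1.0.0 supports only IP feeds. The following Python code is an added example (it is not code from the connector, from Fortinet, or from FireEye) showing how such input can be normalized and validated before it is handed to the appliance: it accepts both input shapes, strips whitespace, rejects entries that are not IP addresses or CIDR blocks (the only supported feed type), refuses catch-all and loopback ranges that would be dangerous in a blocking feed, and drops duplicates. The function and type names, the `SUPPORTED_FEED_TYPES` set, and the sample data are constructed for this example.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple, Union

# Constructed for this example: the page states that connector 1.0.0 supports
# only IP type feeds; URL, Domain and Hash are listed only as possible future types.
SUPPORTED_FEED_TYPES = {"IP"}


@dataclass
class ParsedFeed:
    """Result of normalizing the 'IOC Feed Data' parameter (hypothetical type)."""
    feed_type: str
    accepted: List[str] = field(default_factory=list)
    rejected: List[Tuple[str, str]] = field(default_factory=list)  # (raw entry, reason)


def split_feed_data(data: Union[str, Sequence[str]]) -> List[str]:
    """Accept the field in either form the page describes: a CSV string or a list."""
    if isinstance(data, str):
        items: List[str] = []
        # csv handles quoted values and, with skipinitialspace, "a, b, c" spacing;
        # a multi-line string yields one row per line.
        for row in csv.reader(io.StringIO(data), skipinitialspace=True):
            items.extend(row)
    elif isinstance(data, (list, tuple)):
        items = [str(x) for x in data]
    else:
        raise TypeError("IOC feed data must be a CSV string or a list")
    return [item.strip() for item in items if item.strip()]


def normalize_ip(entry: str) -> Tuple[Union[str, None], Union[str, None]]:
    """Return (normalized, None) for a usable entry, or (None, reason) if refused."""
    try:
        # strict=True (the default) rejects "10.0.0.5/24" instead of silently
        # widening it to 10.0.0.0/24, which would block hosts the analyst never named.
        net = ipaddress.ip_network(entry)
    except ValueError:
        return None, "not an IP address or CIDR block"
    if net.prefixlen == 0 or net.is_loopback:
        # A blocking feed containing 0.0.0.0/0, ::/0 or 127.0.0.0/8 would match
        # all traffic or the appliance itself; refuse rather than forward it.
        return None, "catch-all or loopback range refused"
    if net.num_addresses == 1:
        return str(net.network_address), None
    return str(net), None


def parse_feed_data(data, feed_type: str = "IP") -> ParsedFeed:
    """Normalize and validate feed data for the given feed type, deduplicating entries."""
    feed_type = feed_type.strip().upper()
    if feed_type not in SUPPORTED_FEED_TYPES:
        raise ValueError(
            f"feed type {feed_type!r} is not supported; supported: {sorted(SUPPORTED_FEED_TYPES)}"
        )
    result = ParsedFeed(feed_type=feed_type)
    seen = set()
    for raw in split_feed_data(data):
        norm, reason = normalize_ip(raw)
        if reason is not None:
            result.rejected.append((raw, reason))
        elif norm in seen:
            result.rejected.append((raw, "duplicate"))
        else:
            seen.add(norm)
            result.accepted.append(norm)
    return result


if __name__ == "__main__":
    # Constructed sample input using documentation ranges (RFC 5737 / RFC 3849).
    sample = "198.51.100.7, 198.51.100.0/24, 198.51.100.7, abc.com, 0.0.0.0/0, 2001:db8::1"
    parsed = parse_feed_data(sample, feed_type="IP")
    print("accepted:", parsed.accepted)
    print("rejected:", parsed.rejected)
```

Rejected entries are returned alongside their reason rather than silently dropped, so a playbook can surface them in the step output instead of submitting a feed that is smaller than the analyst intended.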

Output

The JSON output contains the status of the Add Custom Feed operation: a Success message if the custom feed was added (or updated, in the case of an existing feed) on the FireEye EX server, or an Error message containing the reason for failure.

The following image displays a sample output:

Sample output of the Add Custom Feed operation

operation: Delete Custom Feed

Input parameters

Feed Name: Name of the custom feed that you want to delete from the FireEye EX server.

Output

The JSON output contains the status of the Delete Custom Feed operation: a Success message if the custom feed was deleted from the FireEye EX server, or an Error message containing the reason for failure.

The following image displays a sample output:

Sample output of the Delete Custom Feed operation

operation: Get Custom Feed

Input parameters

None.

Output

The JSON output contains a list of existing custom IOC feeds from the FireEye EX server.

The following image displays a sample output:

Sample output of the Get Custom Feed operation

Included playbooks

The Sample - FireEye-EX - 1.0.0 playbook collection comes bundled with the FireEye EX connector. This collection contains playbooks that demonstrate all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FireEye EX connector.

  • Add Custom Feed
  • Delete Custom Feed
  • Get Custom Feeds

Note: Clone the Sample - FireEye-EX - 1.0.0 playbook collection before using the playbooks, because the sample collection is deleted when the connector is upgraded or deleted.
