About the connector
FireEye Email Security helps organizations minimize the risk of costly breaches. Email Security (EX Series) on-premises appliances, accurately detect and can immediately stop advanced and targeted attacks, including spear phishing and ransomware before they enter your environment. Email Security uses the signatureless Multi-Vector Virtual Execution™ (MVX) engine to analyze email attachments and URLs against a comprehensive cross-matrix of operating systems, applications, and web browsers. Threats are identified with minimal noise, and false positives are nearly nonexistent.
This document provides information about the FireEye EX connector, which facilitates automated interactions, with an FireEye EX server using FortiSOAR™ playbooks. Add the FireEye EX connector as a step in FortiSOAR™ playbooks and perform automated operations, such as searching and retrieving information about domains, IP addresses, or name servers that you have specified.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.9.0.0-708 and later
FireEye CM Version Tested on: 2500
Authored By: Fortinet
Certified: Yes
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-fireeye-ex
For the procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the FQDN or IP address of FireEye CMS server (using which you connect to the FireEye EX server) to which you will connect and perform the automated operations and the credentials to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click
here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the FireEye EX connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Hostname |
FQDN or IP address of FireEye CMS server (using which you connect to the FireEye EX server) to which you will connect and perform the automated operations. |
| Username |
Username to access the FireEye EX server to which you will connect and perform the automated operations. |
| Password |
Password to access the FireEye EX server to which you will connect and perform the automated operations. |
| API Version |
Version of the API to be used for performing automated operations. For FireEye EX connector 1.0.0, the API version is set as v2.0.0. Therefore, currently this is a read-only field, set as v2.0.0. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Note: To use the FireEye EX connector you must create a user with the API Analyst role. Then you must enable wsapi from the command line as follows:
# enable
# configure terminal
# wsapi ?
# wsapi enable
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Add Custom Feed |
Adds a custom feed to the FireEye EX server, based on the input parameters you have specified. |
add_feed
Containment |
| Delete Custom Feed |
Deletes a custom feed from the FireEye EX server, based on the feed name you have specified. |
delete_feed
Remediation |
| Get Custom Feed |
Retrieves a list of existing custom IOC feeds from the FireEye EX server. |
get_feeds
Investigation |
operation: Add Custom Feed
Input parameters
| Parameter |
Description |
| Feed Name |
Name of the new feed or name of an existing feed that you want to modify or add to the FireEye EX server. |
| Feed Type |
Type of the feed that you want to add to the FireEye EX server. Currently only IP type feed is supported. The future versions on this connector could support feed types such as URL, Domain, or Hash. |
| Feed Action |
Type of notification that will be received, if a match is found.
For example, Alert. If you add Alert in this field, then an alert notification will be generated. |
| Feed Source |
Source of the feed. |
| IOC Feed Data(CSV or List Format) |
Actual IP address, URL, Domain name or Hash value that needs to be blocked on the FireEye EX server.
You can add multiple IP address, URLs, Domain names or Hash values in this fields using the csv or list format. For example, you can add a list of URLs as: abc.com, xyz.com, def.com |
| Overwrite Existing Feed |
Select this option, i.e. set this option to true, if you are updating an existing feed on the FireEye EX server. Clear this option, i.e. set this option to false, if you are adding a new feed to the FireEye EX server. |
Output
The JSON output contains the status of the add custom feed operation. The JSON output returns a Successmessage if the custom feed is successfully added or updated (in case of an existing feed) on the FireEye EX server or an Error message containing the reason for failure.
Following image displays a sample output:
operation: Delete Custom Feed
Input parameters
| Parameter |
Description |
| Feed Name |
Name of the custom feed that you want to delete from the FireEye EX server. |
Output
The JSON output contains the status of the delete custom feed operation. The JSON output returns a Successmessage if the custom feed is successfully delete from the FireEye EX server or an Error message containing the reason for failure.
Following image displays a sample output:
operation: Get Custom Feed
Input parameters
None.
Output
The JSON output contains a list of existing custom IOC feeds from the FireEye EX server.
Following image displays a sample output:
Included playbooks
The Sample - FireEye-EX - 1.0.0 playbook collection comes bundled with the FireEye EX connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FireEye EX connector.
- Add Custom Feed
- Delete Custom Feed
- Get Custom Feeds
Note: Ensure that you clone the Sample - FireEye-EX - 1.0.0 playbook collection before using the playbooks, since the sample playbook collection gets deleted during connector upgrade and delete.
