FireEye iSIGHT Threat Intelligence is a proactive, forward-looking means of qualifying threats poised to disrupt your business, based on the intents, tools, and tactics of the attacker.
This document provides information about the FireEye iSIGHT connector, which facilitates automated interactions with a FireEye iSIGHT server using FortiSOAR™ playbooks. Add the FireEye iSIGHT connector as a step in FortiSOAR™ playbooks to perform automated operations, such as returning published indicator data from FireEye iSIGHT, or returning a list of intelligence reports published since a specific date and time.
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

```sh
yum install cyops-connector-fireeye-isight
```

For the detailed procedure to install a connector, and for the procedure to configure a connector, see the FortiSOAR™ connectors documentation.
In FortiSOAR™, on the Connectors page, click the FireEye iSIGHT connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the FireEye iSIGHT server to which you will connect and perform automated operations. |
Private Key | Private key of the FireEye iSIGHT server to which you will connect and perform automated operations. |
Public Key | Public key of the FireEye iSIGHT server to which you will connect and perform automated operations. |
Accept Version | FireEye iSIGHT product version to be used. |
Verify SSL | Specifies whether the SSL certificate of the server is verified. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Basic Search | Returns intelligence report(s) providing context to a searched indicator from FireEye iSIGHT based on the input parameters you have specified. | basic_search Investigation |
Get Indicators Data | Returns published indicator data from FireEye iSIGHT based on the indicator type and value you have specified. | get_indicators Investigation |
Get IOCs | Returns the indicators of compromise (IOCs) from FireEye iSIGHT since the date and time that you have specified, which are connected to the context from which they were derived. | get_iocs Investigation |
Get Threat | Returns the threats that are being tracked for indicators and targets from FireEye iSIGHT. | get_threat Investigation |
List Reports | Returns a list of intelligence reports published since the date and time that you have specified from FireEye iSIGHT. | list_report Investigation |
Get Report | Returns an intelligence report from FireEye iSIGHT based on the report ID you have specified. You can also specify the format of the report and the level of detail of the report that you want to retrieve from FireEye iSIGHT. | get_report Investigation |
List Vulnerabilities | Returns a list of vulnerabilities since the date and time that you have specified from FireEye iSIGHT. | list_vulnerability Investigation |
Input parameters for the Basic Search operation:

Parameter | Description |
---|---|
Query | Type of indicator or input based on which you want to run the query in FireEye iSIGHT. You can choose from options such as Domain, IP, Filename, etc. |
Value | Value of the option that you have selected in the Query parameter. |
From | (Optional) Limits the returned data to those reports that were published starting at this Epoch datetime. |
To | (Optional) Limits the returned data to those reports that were published ending at this Epoch datetime. |
Limit | (Optional) Limits the number of matching reports returned to the number that you have specified for this parameter. |
Offset | (Optional) Index of the first item that this operation should return. Use the offset parameter to retrieve paginated results. |
The output contains the following populated JSON schema:
```json
{
  "success": "",
  "numRecords": "",
  "message": [
    {
      "reportId": "",
      "webLink": "",
      "title": "",
      "publishDate": "",
      "audience": [],
      "reportType": "",
      "intelligenceType": "",
      "reportLink": "",
      "matchedOn": [
        {
          "key": "",
          "value": ""
        }
      ],
      "ThreatScape": [],
      "version": "",
      "version1PublishDate": ""
    }
  ]
}
```
Input parameters for the Get Indicators Data operation:

Parameter | Description |
---|---|
Indicator Type | Type of indicator whose data you want to retrieve from FireEye iSIGHT. You can choose from options such as Domain, IP, Filename, etc. |
Value | Value of the option that you have selected in the Indicator Type parameter. |
Limit | (Optional) Limits the number of matching reports returned to the number that you have specified for this parameter. By default, up to 1000 records will be returned. |
Offset | (Optional) Index of the first item that this operation should return. Use the offset parameter to retrieve paginated results. |
The output contains the following populated JSON schema:
```json
{
  "success": "",
  "numRecords": "",
  "message": {
    "publishedIndicators": [
      {
        "actor": "",
        "reportId": "",
        "registrantEmail": "",
        "webLink": "",
        "senderEmail": "",
        "fileSize": "",
        "md5": "",
        "actorId": "",
        "url": "",
        "subject": "",
        "userAgent": "",
        "fuzzyHash": "",
        "registry": "",
        "networkType": "",
        "description": "",
        "malwareFamilyId": "",
        "domain": "",
        "domainTimeOfLookup": "",
        "sourceDomain": "",
        "sha256": "",
        "fileType": "",
        "emailLanguage": "",
        "ThreatScape": "",
        "asn": "",
        "ip": "",
        "protocol": "",
        "cidr": "",
        "emailName": "",
        "fileName": "",
        "title": "",
        "publishDate": "",
        "registrantName": "",
        "emailIdentifier": "",
        "packer": "",
        "observationTime": "",
        "recipient": "",
        "fileIdentifier": "",
        "reportLink": "",
        "sourceIp": "",
        "networkIdentifier": "",
        "ports": "",
        "sha1": "",
        "senderName": ""
      }
    ]
  }
}
```
Input parameters for the Get IOCs operation:

Parameter | Description |
---|---|
From | Limits the returned IOC data to IOCs published on or after this Epoch datetime. If you do not specify a date and time, the response defaults to the last 24 hours. |
To | Limits the returned IOC data to IOCs published on or before this Epoch datetime. You must use this parameter together with the From parameter. Note: The interval between the From and To datetimes must not exceed 90 days. |
The output contains the following populated JSON schema:
```json
{
  "success": "",
  "message": [
    {
      "filePath": "",
      "fileSize": "",
      "webLink": "",
      "fileType": "",
      "url": "",
      "malwareFamily": "",
      "description": "",
      "malwareFamilyId": "",
      "domain": "",
      "domainTimeOfLookup": "",
      "observationTime": "",
      "emailLanguage": "",
      "ThreatScape": "",
      "ip": "",
      "port": "",
      "cidr": "",
      "audience": "",
      "actorId": "",
      "packer": "",
      "publishDate": "",
      "recipient": "",
      "actor": "",
      "senderAddress": "",
      "fileCompilationDateTime": "",
      "reportLink": "",
      "sourceIp": "",
      "sha1": "",
      "senderName": "",
      "registrantName": "",
      "reportId": "",
      "sha256": "",
      "md5": "",
      "subject": "",
      "userAgent": "",
      "fuzzyHash": "",
      "intelligenceType": "",
      "sourceDomain": "",
      "protocol": "",
      "networkType": "",
      "asn": "",
      "fileName": "",
      "title": "",
      "registrantEmail": "",
      "emailIdentifier": "",
      "registry": "",
      "fileIdentifier": "",
      "networkIdentifier": ""
    }
  ]
}
```
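The From/To rules stated for Get IOCs (and repeated for List Reports and List Vulnerabilities), the Limit/Offset pagination of Get Indicators Data, and the Get IOCs output schema above, worked through as an added Python example that is not part of the connector or of Fortinet's code. The `From`/`To` key names, the function names, the `fetch` callback and the sample response are constructed for illustration and are not the connector's internal API.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

MAX_WINDOW = 90 * 24 * 3600      # documented ceiling on the From/To interval
DEFAULT_WINDOW = 24 * 3600       # applied by the service when From is omitted
# Get IOCs output keys that hold one atomic indicator; the rest is context.
INDICATOR_KEYS = ("ip", "domain", "url", "md5", "sha1", "sha256", "fuzzyHash")


def build_time_window(start: Optional[int], end: Optional[int],
                      now: Optional[int] = None) -> Dict[str, int]:
    """Return From/To Epoch seconds under the documented rules (key names illustrative)."""
    now = int(time.time()) if now is None else now
    if start is None:
        if end is not None:
            raise ValueError("'To' must be used together with 'From'")
        return {"From": now - DEFAULT_WINDOW, "To": now}  # last 24 hours
    end = now if end is None else end
    if end < start:
        raise ValueError("'To' precedes 'From'")
    if end - start > MAX_WINDOW:
        raise ValueError("From/To interval exceeds 90 days")
    return {"From": start, "To": end}


def extract_iocs(response: dict) -> List[Tuple[str, str, str]]:
    """Flatten a Get IOCs output into (indicator_type, value, reportId) tuples."""
    if not response.get("success"):
        raise RuntimeError("Get IOCs did not succeed; nothing to ingest")
    iocs = []
    for record in response.get("message", []):
        report_id = record.get("reportId", "")
        for key in INDICATOR_KEYS:
            value = record.get(key)
            if not value:            # the schema emits "" for fields that do not apply
                continue
            # Hashes and domains compare case-insensitively; URLs do not.
            iocs.append((key, value if key == "url" else value.lower(), report_id))
    return iocs


def collect_pages(fetch: Callable[[int, int], dict], limit: int = 1000) -> list:
    """Walk a Limit/Offset-paginated operation such as Get Indicators Data;
    ``fetch(limit, offset)`` stands in for one connector call (hypothetical)."""
    items, offset = [], 0
    while True:
        page = fetch(limit, offset)
        batch = page["message"]["publishedIndicators"]
        items.extend(batch)
        offset += len(batch)
        if not batch or offset >= int(page["numRecords"]):
            return items


# Constructed sample shaped like the Get IOCs output schema; not real data.
SAMPLE_IOCS = {
    "success": True,
    "message": [
        {"reportId": "RPT-EXAMPLE-1", "ip": "192.0.2.10", "domain": "", "url": "",
         "md5": "", "sha1": "", "sha256": "", "fuzzyHash": ""},
        {"reportId": "RPT-EXAMPLE-1", "ip": "", "domain": "Malicious.Example.NET",
         "url": "", "md5": "", "sha1": "", "sha256": "", "fuzzyHash": ""},
        {"reportId": "RPT-EXAMPLE-2", "ip": "", "domain": "", "url": "",
         "md5": "D41D8CD98F00B204E9800998ECF8427E", "sha1": "", "sha256": "", "fuzzyHash": ""},
    ],
}
```

Rejecting a window the service would refuse before the call is made keeps a scheduled playbook from failing silently at the 90-day boundary, and the normalised tuples carry the report ID so each blocked indicator stays traceable to its source report.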
Input parameters for the Get Threat operation:

Parameter | Description |
---|---|
Threat Type | Type of threat for which you want to retrieve indicators and targets from FireEye iSIGHT. Important: Currently, the only values supported are 'malwareFamily' and 'actor'. |
The output contains the following populated JSON schema:
```json
{
  "success": "",
  "message": [
    {
      "threatType": "",
      "values": []
    }
  ]
}
```
Input parameters for the List Reports operation:

Parameter | Description |
---|---|
From | Limits the returned reports data to reports published on or after this Epoch datetime. If you do not specify a date and time, the response defaults to the last 24 hours. |
To | Limits the returned reports data to reports published on or before this Epoch datetime. You must use this parameter together with the From parameter. Note: The interval between the From and To datetimes must not exceed 90 days. |
Report Type | Limits the returned reports data to the report type that you have specified. By default, reports of all report types are returned. |
Limit | (Optional) Limits the number of matching reports returned to the number that you have specified for this parameter. By default, up to 1000 records are returned. |
Offset | (Optional) Index of the first item that this operation should return. Use the offset parameter to retrieve paginated results. |
The output contains the following populated JSON schema:
```json
{
  "success": true,
  "message": [
    {
      "reportId": "",
      "webLink": "",
      "reportLink": "",
      "title": "",
      "ThreatScape": [],
      "pubType": "",
      "publishDate": ""
    }
  ]
}
```
Input parameters for the Get Report operation:

Parameter | Description |
---|---|
Report ID | Report identifier of the intelligence report that you want to retrieve from FireEye iSIGHT. |
Report Detail | (Optional) Level of detail of the report that you want to retrieve from FireEye iSIGHT. For example, full, summary, or title. |
IOCs Only | (Optional) If you select this option, i.e., set to true, the network, email, and file tags within the tag section will contain only indicators whose identifier is either 'Attacker' or 'Compromised'. By default, this option is cleared, i.e., set to false. |
The output contains the following populated JSON schema:
```json
{
  "success": "",
  "message": {
    "report": {
      "reportId": "",
      "audience": "",
      "publishDate": "",
      "execSummary": "",
      "title": ""
    }
  }
}
```
Input parameters for the List Vulnerabilities operation:

Parameter | Description |
---|---|
From | Limits the returned vulnerabilities data to vulnerabilities published on or after this Epoch datetime. If you do not specify a date and time, the response defaults to the last 24 hours. |
To | Limits the returned vulnerabilities data to vulnerabilities published on or before this Epoch datetime. You must use this parameter together with the From parameter. Note: The interval between the From and To datetimes must not exceed 90 days. |
The output contains the following populated JSON schema:
```json
{
  "success": "",
  "message": {
    "reportId": "",
    "webLink": "",
    "cvssBaseScore": "",
    "exploitRating": "",
    "exploitInTheWild": "",
    "cveIds": [],
    "intelligenceType": "",
    "cvssTemporalScore": "",
    "cvssBaseScoreLink": "",
    "cvssTemporalScoreLink": "",
    "cvssBaseVector": "",
    "ThreatScape": [],
    "attackingEase": "",
    "cvssTemporalVector": "",
    "riskRating": "",
    "cpe": "",
    "title": "",
    "publishDate": "",
    "audience": [],
    "version": "",
    "cveOriginalReleaseDate": "",
    "reportLink": "",
    "mitigations": [],
    "version1PublishDate": ""
  }
}
```
The Sample - FireEye-iSIGHT - 1.0.0 playbook collection comes bundled with the FireEye iSIGHT connector. These playbooks contain steps for every supported action. You can see the bundled playbooks in the Automation > Playbooks section of FortiSOAR™ after importing the FireEye iSIGHT connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.