About the connector

FireEye iSIGHT Threat Intelligence is a proactive, forward-looking means of qualifying threats poised to disrupt your business based on the intents, tools, and tactics of the attacker. 

This document provides information about the FireEye iSIGHT connector, which facilitates automated interactions with a FireEye iSIGHT server using FortiSOAR™ playbooks. Add the FireEye iSIGHT connector as a step in FortiSOAR™ playbooks and perform automated operations, such as returning published indicator data from FireEye iSIGHT, or returning a list of intelligence reports published since a specific date and time from FireEye iSIGHT.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-fireeye-isight

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

  • You must have the URL of the FireEye iSIGHT server to which you will connect and perform automated operations, and the credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the CyOPs™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the FireEye iSIGHT connector row, and in the Configure tab enter the required configuration details.

  • Server URL: URL of the FireEye iSIGHT server to which you will connect and perform automated operations.
  • Private Key: Private key used to authenticate to the FireEye iSIGHT server to which you will connect and perform automated operations.
  • Public Key: Public key used to authenticate to the FireEye iSIGHT server to which you will connect and perform automated operations.
  • Accept Version: FireEye iSIGHT product version to be used.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

  • Basic Search: Returns intelligence report(s) providing context to a searched indicator from FireEye iSIGHT based on the input parameters you have specified. Annotation: basic_search. Category: Investigation.
  • Get Indicators Data: Returns published indicator data from FireEye iSIGHT based on the indicator type and value you have specified. Annotation: get_indicators. Category: Investigation.
  • Get IOCs: Returns the indicators of compromise (IOCs) from FireEye iSIGHT since the date and time that you have specified, which are connected to the context from which they were derived. Annotation: get_iocs. Category: Investigation.
  • Get Threat: Returns the threats that are being tracked for indicators and targets from FireEye iSIGHT. Annotation: get_threat. Category: Investigation.
  • List Reports: Returns a list of intelligence reports published since the date and time that you have specified from FireEye iSIGHT. Annotation: list_report. Category: Investigation.
  • Get Report: Returns an intelligence report from FireEye iSIGHT based on the report ID you have specified. You can also specify the format of the report and the level of detail of the report that you want to retrieve from FireEye iSIGHT. Annotation: get_report. Category: Investigation.
  • List Vulnerabilities: Returns a list of vulnerabilities since the date and time that you have specified from FireEye iSIGHT. Annotation: list_vulnerability. Category: Investigation.

operation: Basic Search

Input parameters

  • Query: Type of indicator or input based on which you want to run the query in FireEye iSIGHT. You can choose from options such as Domain, IP, Filename, etc.
  • Value: Value of the option that you have selected in the Query parameter.
  • From (Optional): Limits the returned data to those reports that were published starting at this Epoch datetime.
  • To (Optional): Limits the returned data to those reports that were published ending at this Epoch datetime.
  • Limit (Optional): Limits the number of matching reports returned to the number that you have specified for this parameter.
  • Offset (Optional): Index of the first item that this operation should return. Use the offset parameter to retrieve paginated results.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "numRecords": "",
     "message": [
         {
             "reportId": "",
             "webLink": "",
             "title": "",
             "publishDate": "",
             "audience": [],
             "reportType": "",
             "intelligenceType": "",
             "reportLink": "",
             "matchedOn": [
                 {
                     "key": "",
                     "value": ""
                 }
             ],
             "ThreatScape": [],
             "version": "",
             "version1PublishDate": ""
         }
     ]
}

operation: Get Indicators Data

Input parameters

  • Indicator Type: Type of indicator whose data you want to retrieve from FireEye iSIGHT. You can choose from options such as Domain, IP, Filename, etc.
  • Value: Value of the option that you have selected in the Indicator Type parameter.
  • Limit (Optional): Limits the number of matching reports returned to the number that you have specified for this parameter. By default, up to 1000 records will be returned.
  • Offset (Optional): Index of the first item that this operation should return. Use the offset parameter to retrieve paginated results.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "numRecords": "",
     "message": {
         "publishedIndicators": [
             {
                 "actor": "",
                 "reportId": "",
                 "registrantEmail": "",
                 "webLink": "",
                 "senderEmail": "",
                 "fileSize": "",
                 "md5": "",
                 "actorId": "",
                 "url": "",
                 "subject": "",
                 "userAgent": "",
                 "fuzzyHash": "",
                 "registry": "",
                 "networkType": "",
                 "description": "",
                 "malwareFamilyId": "",
                 "domain": "",
                 "domainTimeOfLookup": "",
                 "sourceDomain": "",
                 "sha256": "",
                 "fileType": "",
                 "emailLanguage": "",
                 "ThreatScape": "",
                 "asn": "",
                 "ip": "",
                 "protocol": "",
                 "cidr": "",
                 "emailName": "",
                 "fileName": "",
                 "title": "",
                 "publishDate": "",
                 "registrantName": "",
                 "emailIdentifier": "",
                 "packer": "",
                 "observationTime": "",
                 "recipient": "",
                 "fileIdentifier": "",
                 "reportLink": "",
                 "sourceIp": "",
                 "networkIdentifier": "",
                 "ports": "",
                 "sha1": "",
                 "senderName": ""
             }
         ]
     }
}

operation: Get IOCs

Input parameters

  • From: Limits the returned IOC data to IOCs that were published starting at this Epoch datetime. If you do not specify a date and time in this field, the response defaults to the last 24 hours.
  • To: Limits the returned IOC data to IOCs that were published ending at this Epoch datetime. You must use this parameter together with the From parameter.
    Note: The difference between the two datetimes specified must not exceed 90 days.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "message": [
         {
             "filePath": "",
             "fileSize": "",
             "webLink": "",
             "fileType": "",
             "url": "",
             "malwareFamily": "",
             "description": "",
             "malwareFamilyId": "",
             "domain": "",
             "domainTimeOfLookup": "",
             "observationTime": "",
             "emailLanguage": "",
             "ThreatScape": "",
             "ip": "",
             "port": "",
             "cidr": "",
             "audience": "",
             "actorId": "",
             "packer": "",
             "publishDate": "",
             "recipient": "",
             "actor": "",
             "senderAddress": "",
             "fileCompilationDateTime": "",
             "reportLink": "",
             "sourceIp": "",
             "sha1": "",
             "senderName": "",
             "registrantName": "",
             "reportId": "",
             "sha256": "",
             "md5": "",
             "subject": "",
             "userAgent": "",
             "fuzzyHash": "",
             "intelligenceType": "",
             "sourceDomain": "",
             "protocol": "",
             "networkType": "",
             "asn": "",
             "fileName": "",
             "title": "",
             "registrantEmail": "",
             "emailIdentifier": "",
             "registry": "",
             "fileIdentifier": "",
             "networkIdentifier": ""
         }
     ]
}
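The From/To window rules documented for Get IOCs (To requires From, a 24-hour default when From is omitted, a 90-day maximum span, which List Reports and List Vulnerabilities share) and the Get IOCs output schema, worked through in Python as an added example that is not part of the connector's own code. The normalized indicator type names, the `from`/`to` keys of the returned dict, and the sample response are assumptions constructed for this example.

```python
import json
import time

DAY_SECONDS = 24 * 60 * 60
MAX_WINDOW_SECONDS = 90 * DAY_SECONDS  # the documented 90-day limit on From/To

# Fields of a Get IOCs record that carry an atomic indicator value, mapped to a
# normalized indicator type. The type names are an assumption for this example.
INDICATOR_KEYS = {
    "ip": "ipv4", "domain": "domain", "url": "url", "md5": "md5", "sha1": "sha1",
    "sha256": "sha256", "fuzzyHash": "ssdeep", "senderAddress": "email",
}
# Fields copied next to every indicator so the analyst keeps the report context.
CONTEXT_KEYS = ("reportId", "title", "actor", "malwareFamily", "publishDate", "webLink")


def build_time_window(from_epoch=None, to_epoch=None, now=None):
    """Validate the From/To parameters exactly as the connector documents them.

    - To may only be used together with From.
    - From without To: the window runs from From until now.
    - Neither given: the last 24 hours (the documented default).
    - The span must not exceed 90 days.
    Returns the window as epoch seconds under the assumed keys 'from'/'to'.
    """
    now = int(time.time()) if now is None else int(now)
    if to_epoch is not None and from_epoch is None:
        raise ValueError("'To' must be used together with 'From'")
    if from_epoch is None:
        from_epoch = now - DAY_SECONDS
    if to_epoch is None:
        to_epoch = now
    from_epoch, to_epoch = int(from_epoch), int(to_epoch)
    if to_epoch < from_epoch:
        raise ValueError("'To' must not be earlier than 'From'")
    if to_epoch - from_epoch > MAX_WINDOW_SECONDS:
        raise ValueError("From/To window exceeds the 90-day maximum")
    return {"from": from_epoch, "to": to_epoch}


def extract_iocs(response_text):
    """Flatten a Get IOCs response into one row per atomic indicator.

    Empty-string fields (as in the documented schema) are skipped, so a record
    that only carries an IP yields one row, not one row per possible field.
    """
    response = json.loads(response_text)
    if response.get("success") is not True:
        raise RuntimeError("connector reported failure: %r" % response.get("message"))
    rows = []
    for record in response.get("message", []):
        context = {key: record.get(key, "") for key in CONTEXT_KEYS}
        for key, ioc_type in INDICATOR_KEYS.items():
            value = record.get(key)
            if not value:  # "" or missing: this record has no such indicator
                continue
            rows.append({"type": ioc_type, "value": value.strip(), **context})
    return rows


# Constructed sample response in the documented Get IOCs shape (not real data).
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "message": [
        {"reportId": "REPORT-ID-PLACEHOLDER-1", "title": "Sample report A",
         "actor": "Sample actor", "malwareFamily": "Sample family",
         "publishDate": "1600000000", "webLink": "https://example.invalid/a",
         "ip": "192.0.2.10", "domain": "", "md5": "", "sha256": "", "url": ""},
        {"reportId": "REPORT-ID-PLACEHOLDER-2", "title": "Sample report B",
         "actor": "", "malwareFamily": "Sample family",
         "publishDate": "1600003600", "webLink": "https://example.invalid/b",
         "ip": "", "domain": "example.invalid", "sha256": "a" * 64,
         "md5": "", "url": ""},
    ],
})

if __name__ == "__main__":
    print(build_time_window(from_epoch=1600000000, to_epoch=1600003600))
    for row in extract_iocs(SAMPLE_RESPONSE):
        print(row["type"], row["value"], row["reportId"])
```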

operation: Get Threat

Input parameters

  • Threat Type: Type of threat for which you want to retrieve indicators and targets from FireEye iSIGHT.
    Important: Currently, the only values supported are 'malwareFamily' and 'actor'.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "message": [
         {
             "threatType": "",
             "values": []
         }
     ]
}

operation: List Reports

Input parameters

  • From: Limits the returned reports data to reports that were published starting at this Epoch datetime. If you do not specify a date and time in this field, the response defaults to the last 24 hours.
  • To: Limits the returned reports data to reports that were published ending at this Epoch datetime. You must use this parameter together with the From parameter.
    Note: The difference between the two datetimes specified must not exceed 90 days.
  • Report Type: Limits the returned reports data to the report type that you have specified. By default, reports of all report types are returned.
  • Limit (Optional): Limits the number of matching reports returned to the number that you have specified for this parameter. By default, up to 1000 records will be returned.
  • Offset (Optional): Index of the first item that this operation should return. Use the offset parameter to retrieve paginated results.

Output

The output contains the following populated JSON schema:
{
     "success": true,
     "message": [
         {
             "reportId": "",
             "webLink": "",
             "reportLink": "",
             "title": "",
             "ThreatScape": [],
             "pubType": "",
             "publishDate": ""
         }
     ]
}

operation: Get Report

Input parameters

  • Report ID: Report identifier of the intelligence report that you want to retrieve from FireEye iSIGHT.
  • Report Detail (Optional): Level of detail of the report that you want to retrieve from FireEye iSIGHT. For example, full, summary, or title.
  • IOCs Only (Optional): If you select this option, i.e., set it to true, the network, email, and file tags within the tag section will contain only indicators whose identifier is either 'Attacker' or 'Compromised'. By default, this option is cleared, i.e., set to false.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "message": {
         "report": {
             "reportId": "",
             "audience": "",
             "publishDate": "",
             "execSummary": "",
             "title": ""
         }
     }
}

operation: List Vulnerabilities

Input parameters

  • From: Limits the returned vulnerabilities data to vulnerabilities that were published starting at this Epoch datetime. If you do not specify a date and time in this field, the response defaults to the last 24 hours.
  • To: Limits the returned vulnerabilities data to vulnerabilities that were published ending at this Epoch datetime. You must use this parameter together with the From parameter.
    Note: The difference between the two datetimes specified must not exceed 90 days.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "message": {
         "reportId": "",
         "webLink": "",
         "cvssBaseScore": "",
         "exploitRating": "",
         "exploitInTheWild": "",
         "cveIds": [],
         "intelligenceType": "",
         "cvssTemporalScore": "",
         "cvssBaseScoreLink": "",
         "cvssTemporalScoreLink": "",
         "cvssBaseVector": "",
         "ThreatScape": [],
         "attackingEase": "",
         "cvssTemporalVector": "",
         "riskRating": "",
         "cpe": "",
         "title": "",
         "publishDate": "",
         "audience": [],
         "version": "",
         "cveOriginalReleaseDate": "",
         "reportLink": "",
         "mitigations": [],
         "version1PublishDate": ""
     }
}

Included playbooks

The Sample - FireEye-iSIGHT - 1.0.0 playbook collection comes bundled with the FireEye iSIGHT connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FireEye iSIGHT connector.

  • Basic Search
  • Get Indicators Data
  • Get IOCs
  • Get Report
  • Get Threat
  • List Reports
  • List Vulnerabilities

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.