About the connector
FireEye iSIGHT Threat Intelligence is a proactive, forward-looking means of qualifying threats poised to disrupt your business based on the intents, tools, and tactics of the attacker.
This document provides information about the FireEye iSIGHT connector, which facilitates automated interactions, with a FireEye iSIGHT server using FortiSOAR™ playbooks. Add the FireEye iSIGHT connector as a step in FortiSOAR™ playbooks and perform automated operations, such as returning published indicator data from FireEye iSIGHT, or returning a list of intelligence reports published since a specific date and time from FireEye iSIGHT.
Version information
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-fireeye-isight
For the detailed procedure to install a connector, click here
Prerequisites to configuring the connector
- You must have the URL of the FireEye iSIGHT server to which you will connect and perform automated operations and credentials to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the CyOPsTM instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, click the FireEye iSIGHT connector row, and in the Configure tab enter the required configuration details.
| Parameter |
Description |
| Server URL |
URL of the FireEye iSIGHT server to which you will connect and perform automated operations. |
| Private Key |
Private key of the FireEye iSIGHT server to which you will connect and perform automated operations. |
| Public Key |
Public key of the FireEye iSIGHT server to which you will connect and perform automated operations. |
| Accept Version |
FireEye iSIGHT product version to be used. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Basic Search |
Returns intelligence report(s) providing context to a searched indicator from FireEye iSIGHT based on the input parameters you have specified. |
basic_search
Investigation |
| Get Indicators Data |
Returns published indicator data from FireEye iSIGHT based on the indicator type and value you have specified. |
get_indicators
Investigation |
| Get IOCs |
Returns the indicators of compromise (IOCs) from FireEye iSIGHT since the date and time that you have specified, which are connected to the context from which they were derived. |
get_iocs
Investigation |
| Get Threat |
Returns the threats that are being tracked for indicators and targets from FireEye iSIGHT. |
get_threat
Investigation |
| List Reports |
Returns a list of intelligence reports published since the date and time that you have specified from FireEye iSIGHT. |
list_report
Investigation |
| Get Report |
Returns an intelligence report from FireEye iSIGHT based on the report ID you have specified. You can also specify the format of the report and the level of detail of the report that you want to retrieve from FireEye iSIGHT. |
get_report
Investigation |
| List Vulnerabilities |
Returns a list of vulnerabilities since the date and time that you have specified from FireEye iSIGHT. |
list_vulnerability
Investigation |
operation: Basic Search
Input parameters
| Parameter |
Description |
| Query |
Type of indicator or input based on which you want to run the query in FireEye iSIGHT.
You can choose from options such as Domain, IP, Filename, etc. |
| Value |
Value of the option that you have selected in the Query parameter. |
| From |
(Optional) Limits the returned data to those reports that were published starting at this Epoch datetime. |
| To |
(Optional) Limits the returned data to those reports that were published ending at this Epoch datetime. |
| Limit |
(Optional) Limits the number of matching reports returned to the number that you have specified for this parameter. |
| Offset |
(Optional) Index of the first item that this operation should return. Use the offset parameter to retrieve paginated results. |
Output
The output contains the following populated JSON schema:
{
"success": "",
"numRecords": "",
"message": [
{
"reportId": "",
"webLink": "",
"title": "",
"publishDate": "",
"audience": [],
"reportType": "",
"intelligenceType": "",
"reportLink": "",
"matchedOn": [
{
"key": "",
"value": ""
}
],
"ThreatScape": [],
"version": "",
"version1PublishDate": ""
}
]
}
operation: Get Indicators Data
Input parameters
| Parameter |
Description |
| Indicator Type |
Type of indicator whose data you want to retrieve from FireEye iSIGHT.
You can choose from options such as Domain, IP, Filename, etc. |
| Value |
Value of the option that you have selected in the Indicator Type parameter. |
| Limit |
(Optional) Limits the number of matching reports returned to the number that you have specified for this parameter.
By default, up to 1000 records will be returned. |
| Offset |
(Optional) Index of the first item that this operation should return. Use the offset parameter to retrieve paginated results. |
Output
The output contains the following populated JSON schema:
{
"success": "",
"numRecords": "",
"message": {
"publishedIndicators": [
{
"actor": "",
"reportId": "",
"registrantEmail": "",
"webLink": "",
"senderEmail": "",
"fileSize": "",
"md5": "",
"actorId": "",
"url": "",
"subject": "",
"userAgent": "",
"fuzzyHash": "",
"registry": "",
"networkType": "",
"description": "",
"malwareFamilyId": "",
"domain": "",
"domainTimeOfLookup": "",
"sourceDomain": "",
"sha256": "",
"fileType": "",
"emailLanguage": "",
"ThreatScape": "",
"asn": "",
"ip": "",
"protocol": "",
"cidr": "",
"emailName": "",
"fileName": "",
"title": "",
"publishDate": "",
"registrantName": "",
"emailIdentifier": "",
"packer": "",
"observationTime": "",
"recipient": "",
"fileIdentifier": "",
"reportLink": "",
"sourceIp": "",
"networkIdentifier": "",
"ports": "",
"sha1": "",
"senderName": ""
}
]
}
}
operation: Get IOCs
Input parameters
| Parameter |
Description |
| From |
Limits the returned IOC data to that were published starting at this Epoch datetime. If you do not specify the date and time in this field, then the response defaults to 24 hours. |
| To |
Limits the returned IOC data to that were published ending at this Epoch datetime. You must use this parameter with the From parameter.
Note: The datetime difference between the dates specified should not exceed the range of 90 days. |
Output
The output contains the following populated JSON schema:
{
"success": "",
"message": [
{
"filePath": "",
"fileSize": "",
"webLink": "",
"fileType": "",
"url": "",
"malwareFamily": "",
"description": "",
"malwareFamilyId": "",
"domain": "",
"domainTimeOfLookup": "",
"observationTime": "",
"emailLanguage": "",
"ThreatScape": "",
"ip": "",
"port": "",
"cidr": "",
"audience": "",
"actorId": "",
"packer": "",
"publishDate": "",
"recipient": "",
"actor": "",
"senderAddress": "",
"fileCompilationDateTime": "",
"reportLink": "",
"sourceIp": "",
"sha1": "",
"senderName": "",
"registrantName": "",
"reportId": "",
"sha256": "",
"md5": "",
"subject": "",
"userAgent": "",
"fuzzyHash": "",
"intelligenceType": "",
"sourceDomain": "",
"protocol": "",
"networkType": "",
"asn": "",
"fileName": "",
"title": "",
"registrantEmail": "",
"emailIdentifier": "",
"registry": "",
"fileIdentifier": "",
"networkIdentifier": ""
}
]
}
operation: Get Threat
Input parameters
| Parameter |
Description |
| Threat Type |
Type of threat for which you want to retrieve indicators and targets from FireEye iSIGHT.
Important: Currently, the only values supported are 'malwareFamily' and 'actor'. |
Output
The output contains the following populated JSON schema:
{
"success": "",
"message": [
{
"threatType": "",
"values": []
}
]
}
operation: List Reports
Input parameters
| Parameter |
Description |
| From |
Limits the returned reports data to that were published starting at this Epoch datetime. If you do not specify the date and time in this field, then the response defaults to 24 hours. |
| To |
Limits the returned IOC data to that were published ending at this Epoch datetime. You must use this parameter with the From parameter.
Note: The datetime difference between the dates specified should not exceed the range of 90 days. |
| Report Type |
Limits the returned reports data to the report type that you have specified.
By default, reports for all report type are returned. |
| Limit |
(Optional) Limits the number of matching reports returned to the number that you have specified for this parameter.
By default, up to 1000 records will be returned. |
| Offset |
(Optional) Index of the first item that this operation should return. Use the offset parameter to retrieve paginated results. |
Output
The output contains the following populated JSON schema:
{
"success": true,
"message": [
{
"reportId": "",
"webLink": "",
"reportLink": "",
"title": "",
"ThreatScape": [],
"pubType": "",
"publishDate": ""
}
]
}
operation: Get Report
Input parameters
| Parameter |
Description |
| Report ID |
Report identifier of the intelligence report that you want to retrieve from FireEye iSIGHT. |
| Report Detail |
(Optional) Level of detail of the report that you want to retrieve from FireEye iSIGHT.
For example, full, summary, or title. |
| IOCs Only |
(Optional) If you select this option, i.e., set to true, the network, email, and file tags within the tag section will contain only indicators whose identifier is either 'Attacker' or 'Compromised'.
By default, this option is cleared, i.e., set to false. |
Output
The output contains the following populated JSON schema:
{
"success": "",
"message": {
"report": {
"reportId": "",
"audience": "",
"publishDate": "",
"execSummary": "",
"title": ""
}
}
}
operation: List Vulnerabilities
Input parameters
| Parameter |
Description |
| From |
Limits the returned vulnerabilities data to that were published starting at this Epoch datetime. If you do not specify the date and time in this field, then the response defaults to 24 hours. |
| To |
Limits the returned vulnerabilities data to that were published ending at this Epoch datetime. You must use this parameter with the From parameter.
Note: The datetime difference between the dates specified should not exceed the range of 90 days. |
Output
The output contains the following populated JSON schema:
{
"success": "",
"message": {
"reportId": "",
"webLink": "",
"cvssBaseScore": "",
"exploitRating": "",
"exploitInTheWild": "",
"cveIds": [],
"intelligenceType": "",
"cvssTemporalScore": "",
"cvssBaseScoreLink": "",
"cvssTemporalScoreLink": "",
"cvssBaseVector": "",
"ThreatScape": [],
"attackingEase": "",
"cvssTemporalVector": "",
"riskRating": "",
"cpe": "",
"title": "",
"publishDate": "",
"audience": [],
"version": "",
"cveOriginalReleaseDate": "",
"reportLink": "",
"mitigations": [],
"version1PublishDate": ""
}
}
Included playbooks
The Sample - FireEye-iSIGHT - 1.0.0 playbook collection comes bundled with the FireEye iSIGHT connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FireEye iSIGHT connector.
- Basic Search
- Get Indicators Data
- Get IOCs
- Get Report
- Get Threat
- List Reports
- List Vulnerabilities
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
