Fortinet Document Library

About the connector

FireEye NX protects against the types of advanced malware, zero-day and targeted APT attacks that evade signature-based and policy-based defenses and compromise all types of networks.

This document provides information about the FireEye NX connector, which facilitates automated interactions with a FireEye NX server using FortiSOAR™ playbooks. Add the FireEye NX connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of all guest image profiles and application details, retrieving artifacts metadata by alert UUID from FireEye NX, adding event filters to FireEye NX, etc.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-fireeye-nx

Prerequisites to configuring the connector

  • You must have the URL of the FireEye NX server to which you will connect and perform automated operations, and the credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the FireEye NX connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Server URL: URL of the FireEye NX server to which you will connect and perform the automated operations.
Username: Username to access the FireEye NX server to which you will connect and perform the automated operations.
Password: Password to access the FireEye NX server to which you will connect and perform the automated operations.
Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function (Annotation, Category): Description
Get Configuration Information (get_config, Investigation): Retrieves a list of all guest image profiles and application details that are available on FireEye NX.
Get System Health Status (get_health_status, Investigation): Retrieves the overall system health status of the FireEye NX appliance.
Get Alerts (get_alerts, Investigation): Retrieves information on all existing alerts, or on specific alerts, from FireEye NX based on the alert ID, the alert URL, and other input parameters you have specified.
Get Alert Details (get_alert_details, Investigation): Retrieves details of a single alert from FireEye NX based on the alert ID you have specified.
Get Alerts Updated with ATI Information (get_alert_updated_with_ati_info, Investigation): Retrieves the IDs of all alerts that have been updated with ATI (Advanced Threat Intelligence) information on FireEye NX since the time you have specified.
Get ATI Information of Alert (get_ati_details_of_alert, Investigation): Retrieves contextual information, including ATI information, for a specific alert from FireEye NX based on the alert ID you have specified.
Get Reports By Time (get_reports_by_time, Investigation): Returns a requested report from FireEye NX based on the report type and time frame you have specified.
Get Report By ID (get_report_by_id, Investigation): Retrieves an alert report from FireEye NX based on either the combination of infection type and infection ID, or the alert ID, that you have specified.
Get Statistics (get_statistics, Investigation): Retrieves performance statistics for a specified time range from FireEye NX.
Get Artifacts Metadata By UUID (get_artifacts_metadata_by_uuid, Investigation): Retrieves metadata for artifacts from FireEye NX based on the alert UUID you have specified.
Get Events (get_events, Investigation): Retrieves information on all existing events, or on specific events, from FireEye NX based on the duration and other input parameters you have specified.
Add Event Filters (add_event_filters, Investigation): Adds one or more event filters to FireEye NX based on the filters you have specified.
Get Event Filters (get_event_filters, Investigation): Retrieves a list of all configured and default event filters, or specific event filters, from FireEye NX based on the filter type you have specified.
Get Event Filter Protocols (get_event_filter_protocols, Investigation): Retrieves all event filter protocols and the supported fields for each protocol from FireEye NX.
Delete Event Filters (delete_event_filters, Investigation): Deletes one or more event filters from FireEye NX based on the filters you have specified.
Add YARA Rule (add_yara_rule, Containment): Adds a YARA rule to the FireEye NX server based on the file IRI, file type, and other input parameters you have specified.
List YARA Rule (list_yara_rule, Investigation): Retrieves a list of all YARA rules from the FireEye NX server.
Delete YARA Rule (delete_yara_rule, Miscellaneous): Deletes a YARA rule file from the FireEye NX server based on the YARA file name, YARA type, and other input parameters you have specified.

operation: Get Configuration Information

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "ns2:sysconfig": {
         "@sensor_name": "",
         "sensors": {
             "sensor": [
                 {
                     "@id": "",
                     "features": {
                         "feature": {
                             "@name": "",
                             "@enabled": ""
                         }
                     },
                     "profiles": {
                         "profile": [
                             {
                                 "@id": "",
                                 "@name": "",
                                 "applications": {
                                     "application": [
                                         {
                                             "@id": "",
                                             "@name": ""
                                         }
                                     ]
                                 }
                             }
                         ]
                     },
                     "@address": ""
                 }
             ]
         },
         "osdetails": {
             "osdetail": {
                 "product": "",
                 "release": "",
                 "composite": ""
             }
         }
     }
}

operation: Get System Health Status

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "status": "",
     "version": "",
     "causeCode": "",
     "messageType": "",
     "timeStamp": "",
     "appliance": {
         "model": "",
         "version": " ",
         "name": "",
         "dtiEnabled": "",
         "customerId": "",
         "id": "",
         "timezone": "",
         "systemType": "",
         "compositeVersion": "",
         "edition": "",
         "components": {
             "temperature": {
                 "status": "",
                 "high": "",
                 "low": "",
                 "name": "",
                 "currentTemp": ""
             },
             "physicalDisk0": {
                 "status": "",
                 "selfAssess": "",
                 "name": "",
                 "totalBytes": "",
                 "diskStatus": ""
             },
             "cmsha": {
                 "status": "",
                 "primary": "",
                 "name": ""
             },
             "dataDisk": {
                 "status": "",
                 "fsType": "",
                 "name": "",
                 "bytesUsed": "",
                 "percentFree": "",
                 "bytesTotal": "",
                 "deviceName": "",
                 "bytesFree": "",
                 "bytesAvail": ""
             },
             "systemSoftware": {
                 "status": "",
                 "currentVersion": "",
                 "name": "",
                 "warning": "",
                 "latestVersion": ""
             },
             "fireeyeApplianceLicense": {
                 "status": "",
                 "name": "",
                 "perpetual": "",
                 "license": ""
             },
             "dbDisk": {
                 "status": "",
                 "fsType": "",
                 "name": "",
                 "bytesUsed": "",
                 "percentFree": "",
                 "bytesTotal": "",
                 "deviceName": "",
                 "bytesFree": "",
                 "bytesAvail": ""
             },
             "physicalDisk1": {
                 "status": "",
                 "selfAssess": "",
                 "name": "",
                 "totalBytes": "",
                 "diskStatus": ""
             },
             "varDisk": {
                 "status": "",
                 "fsType": "",
                 "name": "",
                 "bytesUsed": "",
                 "percentFree": "",
                 "bytesTotal": "",
                 "deviceName": "",
                 "bytesFree": "",
                 "bytesAvail": ""
             },
             "contentUpdatesLicense": {
                 "status": "",
                 "name": "",
                 "expDate": "",
                 "perpetual": "",
                 "expInDays": "",
                 "license": "",
                 "expiresInSeconds": ""
             },
             "eula": {
                 "accepted": "",
                 "status": "",
                 "acceptedTime": "",
                 "name": ""
             },
             "upTime": {
                 "upTimeDuration": "",
                 "status": "",
                 "name": "",
                 "upTimeMilliSeconds": ""
             },
             "powerSupply": {
                 "status": "",
                 "name": ""
             },
             "fireeyeSupportLicense": {
                 "status": "",
                 "name": "",
                 "expDate": "",
                 "perpetual": "",
                 "expInDays": "",
                 "license": "",
                 "expiresInSeconds": ""
             },
             "location": {
                 "status": "",
                 "geoLocation": "",
                 "timezone": "",
                 "name": "",
                 "utc_offset": ""
             },
             "fan1": {
                 "speed": "",
                 "status": ""
             },
             "usb": {
                 "status": "",
                 "name": "",
                 "mounted": ""
             },
             "configDisk": {
                 "status": "",
                 "fsType": "",
                 "name": "",
                 "bytesUsed": "",
                 "percentFree": "",
                 "bytesTotal": "",
                 "deviceName": "",
                 "bytesFree": "",
                 "bytesAvail": ""
             },
             "raid": {
                 "status": "",
                 "name": ""
             },
             "rootDisk": {
                 "status": "",
                 "fsType": "",
                 "name": "",
                 "bytesUsed": "",
                 "percentFree": "",
                 "bytesTotal": "",
                 "deviceName": "",
                 "bytesFree": "",
                 "bytesAvail": ""
             },
             "address": {
                 "ipv4": "",
                 "ipv6Enabled": "",
                 "domainName": [
                     ""
                 ],
                 "hostName": "",
                 "status": ""
             }
         },
         "mvxMode": "",
         "product": "",
         "serial": "",
         "domainName": "",
         "dtiMode": ""
     }
}
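A playbook rarely needs the whole health document; it needs to know which components to escalate. The following is an added example (not connector code) that walks the "components" map of the schema above and returns findings. The schema keys (status, percentFree, expInDays, perpetual, currentVersion, latestVersion) come from the table; the healthy status strings, the thresholds and the sample response are assumptions constructed for the example.

```python
"""Turn a Get System Health Status result into a list of findings to escalate.

Added example, not the connector's own code. Status strings, thresholds and the
sample response are assumptions; only the schema keys come from the document.
"""
OK_STATUSES = {"ok", "good", "normal"}   # assumed healthy values of "status"
MIN_PERCENT_FREE = 15.0                   # assumed disk free-space threshold (percent)
MIN_LICENSE_DAYS = 30                     # assumed license warning horizon (days)

SAMPLE_HEALTH = {  # constructed sample shaped like the Get System Health Status output
    "status": "", "version": "", "appliance": {"name": "nx-sensor-01", "components": {
        "dataDisk": {"status": "ok", "name": "data", "percentFree": "9.5", "bytesFree": "1024"},
        "rootDisk": {"status": "ok", "name": "root", "percentFree": "40"},
        "contentUpdatesLicense": {"status": "ok", "name": "content", "perpetual": "no", "expInDays": "12"},
        "fireeyeSupportLicense": {"status": "ok", "name": "support", "perpetual": "yes", "expInDays": ""},
        "raid": {"status": "degraded", "name": "raid"},
        "systemSoftware": {"status": "ok", "name": "software", "currentVersion": "9.0.1",
                           "latestVersion": "9.0.3", "warning": ""},
        "eula": {"status": "ok", "accepted": "yes", "name": "eula"},
    }},
}


def _number(value):
    """Schema values arrive as strings; return a float or None when not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def health_findings(health: dict) -> list:
    """Return (component, kind, detail) tuples for every condition worth a ticket."""
    findings = []
    appliance = health.get("appliance") or {}
    for comp_name, comp in (appliance.get("components") or {}).items():
        if not isinstance(comp, dict):
            continue
        status = str(comp.get("status", "")).lower()
        if status and status not in OK_STATUSES:
            findings.append((comp_name, "status", f"status is {status}"))
        # Any *Disk component carries percentFree.
        pct = _number(comp.get("percentFree"))
        if pct is not None and pct < MIN_PERCENT_FREE:
            findings.append((comp_name, "disk", f"{pct:g}% free"))
        # License components carry perpetual/expInDays; perpetual licenses never expire.
        if "license" in comp_name.lower() and str(comp.get("perpetual", "")).lower() != "yes":
            days = _number(comp.get("expInDays"))
            if days is not None and days < MIN_LICENSE_DAYS:
                findings.append((comp_name, "license", f"expires in {days:g} days"))
        if comp_name == "systemSoftware":
            cur, latest = comp.get("currentVersion"), comp.get("latestVersion")
            if cur and latest and cur != latest:
                findings.append((comp_name, "update", f"{cur} installed, {latest} available"))
    return findings
```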

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Alert ID: ID of the alert whose information you want to retrieve from FireEye NX. For example, 13705.
Duration: Time interval that you want to use to search for alerts in FireEye NX. You can specify the duration in conjunction with the Time Type parameter.
Note: If you do not specify the duration, then the default duration is set to 48 hours.
Time Type: Type of time that you want to use to search for alerts in FireEye NX. You can choose between Start Time and End Time.
If you choose 'End Time', then you must specify the following parameters:
  • End Time: DateTime till when you want to retrieve alerts from FireEye NX. You can use this parameter in conjunction with the Duration parameter. If you specify the end time and do not specify the duration, then the system defaults to duration=12 hours, ending at the specified end time.
  • UTC Time Offset: Time offset from UTC. The supported format is 0H:0M. For example, 07:00.
If you choose 'Start Time', then you must specify the following parameters:
  • Start Time: DateTime from when you want to retrieve alerts from FireEye NX. You can use this parameter in conjunction with the Duration parameter. If you specify the start time and do not specify the duration, then the system defaults to duration=12 hours, starting at the specified start time.
  • UTC Time Offset: Time offset from UTC. The supported format is 0H:0M. For example, 07:00.
Info Level: Level of information to be retrieved for alerts from FireEye NX. You can choose from the following options: Concise (default), Normal, or Extended.
Callback Domain: Domain name based on which you want to search for alerts in FireEye NX that include callbacks to the specified domain.
Destination IP: Destination IPv4 address related to the malware alert for which you want to search and retrieve information from FireEye NX.
Source IP: Source IPv4 address related to the malware alert for which you want to search and retrieve information from FireEye NX.
File Name: Name of the malware file for which you want to search and retrieve information from FireEye NX.
File Type: Type of the malware file for which you want to search and retrieve information from FireEye NX.
Malware Name: Name of the malware object for which you want to search and retrieve information from FireEye NX.
Malware Type: Type of malware object for which you want to search and retrieve information from FireEye NX. For example, domain_match, malware_callback, malware_object, web_infection, infection_match, etc.
MD5: MD5 value whose associated alerts you want to search for and retrieve information about from FireEye NX.
Recipient Email: Email address of the malware object recipient for which you want to search and retrieve information from FireEye NX.
Note: This filter does not default to duration=12 hours.
Sender Email: Email address of the malware object sender for which you want to search and retrieve information from FireEye NX.
Note: This filter does not default to duration=12 hours.
URL: Alert URL for which you want to search and retrieve information from FireEye NX.
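The Duration, Time Type and UTC Time Offset rules above interact, and a playbook that builds the query by hand is easy to get wrong (for instance sending an end time with no offset, or relying on the 12-hour default for an email filter). The following is an added example, not the connector's own code, that turns the playbook inputs into a query dictionary while applying exactly the defaults the table states. The query parameter names, the "<n>_hours" duration format and the timestamp layout are assumptions modelled on the FireEye NX web services API, not taken from this document.

```python
"""Build the Get Alerts query from its playbook inputs, applying the documented defaults.

Added example, not the connector's own code. Parameter names, the "<n>_hours"
duration format and the timestamp layout are assumptions; the default rules
(48 hours, 12 hours around an anchor, no anchored default for email filters)
are the ones stated in the parameter table.
"""
from datetime import datetime
from typing import Union

DEFAULT_DURATION_HOURS = 48   # no Duration given and no Start/End Time anchor
ANCHORED_DURATION_HOURS = 12  # Start/End Time given without a Duration

# Assumed mapping from playbook input names to API query parameter names.
FILTER_PARAMS = {
    "alert_id": "alert_id", "callback_domain": "callback_domain",
    "destination_ip": "dst_ip", "source_ip": "src_ip",
    "file_name": "file_name", "file_type": "file_type",
    "malware_name": "malware_name", "malware_type": "malware_type",
    "md5": "md5", "recipient_email": "recipient_email",
    "sender_email": "sender_email", "url": "url",
}
# The table notes that these two filters do not default to duration=12 hours.
NO_ANCHORED_DEFAULT = ("recipient_email", "sender_email")
INFO_LEVELS = ("concise", "normal", "extended")


def normalize_utc_offset(offset: str) -> str:
    """Check the 0H:0M format from the table and return it as +HH:MM or -HH:MM."""
    sign = "-" if offset.startswith("-") else "+"
    try:
        hours, minutes = (int(part) for part in offset.lstrip("+-").split(":"))
    except ValueError:
        raise ValueError(f"UTC Time Offset must look like 07:00, got {offset!r}") from None
    if not (0 <= hours <= 14 and 0 <= minutes < 60):
        raise ValueError(f"UTC Time Offset out of range: {offset!r}")
    return f"{sign}{hours:02d}:{minutes:02d}"


def format_time(ts: Union[str, datetime], utc_offset: str) -> str:
    """Assumed API timestamp layout: YYYY-MM-DDTHH:MM:SS.mmm followed by the offset."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.000") + normalize_utc_offset(utc_offset)


def build_alert_query(params: dict) -> dict:
    """Translate the playbook inputs into query parameters."""
    query = {}

    # Time Type decides which anchor is sent; the table requires a UTC Time Offset with it.
    time_type = params.get("time_type")
    anchored = False
    if time_type in ("Start Time", "End Time"):
        key = "start_time" if time_type == "Start Time" else "end_time"
        if not params.get(key) or not params.get("utc_time_offset"):
            raise ValueError(f"Time Type {time_type!r} requires {key} and utc_time_offset")
        query[key] = format_time(params[key], params["utc_time_offset"])
        anchored = True
    elif time_type:
        raise ValueError(f"unknown Time Type {time_type!r}")

    # Duration defaults: 48 hours with no anchor; 12 hours around an anchor, except when
    # a Recipient/Sender Email filter is present (the table says no 12-hour default there).
    hours = params.get("duration")
    if hours in (None, ""):
        email_filter = any(params.get(name) for name in NO_ANCHORED_DEFAULT)
        if not anchored:
            hours = DEFAULT_DURATION_HOURS
        elif not email_filter:
            hours = ANCHORED_DURATION_HOURS
        else:
            hours = None
    if hours is not None:
        hours = int(hours)
        if hours <= 0:
            raise ValueError("Duration must be a positive number of hours")
        query["duration"] = f"{hours}_hours"

    level = (params.get("info_level") or "Concise").lower()   # Concise is the documented default
    if level not in INFO_LEVELS:
        raise ValueError(f"Info Level must be one of {INFO_LEVELS}")
    query["info_level"] = level

    for name, api_name in FILTER_PARAMS.items():
        value = params.get(name)
        if value not in (None, ""):
            query[api_name] = str(value)
    return query
```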

Output

The output contains the following populated JSON schema:
{
     "alertsCount": "",
     "version": "",
     "alert": [
         {
             "dst": {
                 "smtpTo": ""
             },
             "severity": "",
             "occurred": "",
             "applianceId": "",
             "name": "",
             "sensor": "",
             "id": "",
             "src": {
                 "smtpMailFrom": ""
             },
             "smtpMessage": {
                 "subject": ""
             },
             "sensorIp": "",
             "uuid": "",
             "rootInfection": "",
             "explanation": {
                 "malwareDetected": {
                     "malware": [
                         {
                             "md5Sum": "",
                             "sha256": "",
                             "name": ""
                         }
                     ]
                 },
                 "osChanges": []
             },
             "product": "",
             "scVersion": "",
             "alertUrl": "",
             "malicious": "",
             "action": "",
             "ack": "",
             "vlan": ""
         }
     ],
     "msg": "",
     "appliance": ""
}
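For playbook authors the useful part of this schema is the nested explanation.malwareDetected.malware list and the SMTP fields, which map onto indicator and email records. The following is an added example, not connector code, that flattens one record per alert from a Get Alerts result and deduplicates the hashes across alerts. The sample response is constructed for the example (the digests are the well-known empty-input MD5 and SHA-256 values), and the severity ordering is an assumption since the schema leaves the values blank.

```python
"""Flatten a Get Alerts result into triage records and a deduplicated indicator map.

Added example, not the connector's own code. SAMPLE_RESPONSE is constructed to
match the schema in the document; SEVERITY_RANK is an assumed ordering.
"""

SEVERITY_RANK = {"crit": 3, "majr": 2, "minr": 1}   # assumed severity strings

SAMPLE_RESPONSE = {  # constructed sample shaped like the Get Alerts output
    "alertsCount": 2, "version": "", "msg": "", "appliance": "",
    "alert": [
        {"id": 13705, "uuid": "11111111-2222-3333-4444-555555555555", "name": "malware-object",
         "severity": "majr", "occurred": "2024-01-02T03:04:05Z", "malicious": "yes",
         "alertUrl": "https://nx.example.invalid/alerts/13705",
         "src": {"smtpMailFrom": "sender@example.invalid"}, "dst": {"smtpTo": "user@example.invalid"},
         "smtpMessage": {"subject": "Invoice"},
         "explanation": {"malwareDetected": {"malware": [
             {"name": "Constructed.Sample.A",
              "md5Sum": "d41d8cd98f00b204e9800998ecf8427e",
              "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}]},
             "osChanges": []}},
        {"id": 13706, "uuid": "66666666-7777-8888-9999-000000000000", "name": "malware-callback",
         "severity": "crit", "occurred": "2024-01-02T04:00:00Z", "malicious": "yes",
         "alertUrl": "https://nx.example.invalid/alerts/13706",
         "explanation": {"malwareDetected": {"malware": [
             {"name": "Constructed.Sample.B", "md5Sum": "d41d8cd98f00b204e9800998ecf8427e", "sha256": ""}]},
             "osChanges": []}},
    ],
}


def triage_alerts(response: dict) -> list:
    """Return one flat record per alert, highest severity first; missing sub-objects are tolerated."""
    records = []
    for alert in response.get("alert") or []:
        explanation = alert.get("explanation") or {}
        malware = (explanation.get("malwareDetected") or {}).get("malware") or []
        hashes = {"md5": set(), "sha256": set()}
        names = []
        for entry in malware:
            if entry.get("name"):
                names.append(entry["name"])
            for kind, field in (("md5", "md5Sum"), ("sha256", "sha256")):
                value = str(entry.get(field) or "").strip().lower()   # normalise hex case
                if value:
                    hashes[kind].add(value)
        records.append({
            "id": str(alert.get("id", "")),
            "uuid": alert.get("uuid", ""),
            "name": alert.get("name", ""),
            "severity": alert.get("severity", ""),
            "malicious": alert.get("malicious", ""),
            "occurred": alert.get("occurred", ""),
            "alert_url": alert.get("alertUrl", ""),
            "mail_from": (alert.get("src") or {}).get("smtpMailFrom", ""),
            "mail_to": (alert.get("dst") or {}).get("smtpTo", ""),
            "subject": (alert.get("smtpMessage") or {}).get("subject", ""),
            "malware_names": names,
            "md5": sorted(hashes["md5"]),
            "sha256": sorted(hashes["sha256"]),
        })
    records.sort(key=lambda rec: SEVERITY_RANK.get(rec["severity"], 0), reverse=True)
    return records


def collect_indicators(records: list) -> dict:
    """Deduplicate hashes across alerts; map "kind:value" to the sorted alert IDs that carry it."""
    seen = {}
    for rec in records:
        for kind in ("md5", "sha256"):
            for value in rec[kind]:
                seen.setdefault(f"{kind}:{value}", set()).add(rec["id"])
    return {key: sorted(ids) for key, ids in seen.items()}
```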

operation: Get Alert Details

Input parameters

Alert ID: ID of the alert whose information you want to retrieve from FireEye NX.

Output

The output contains the following populated JSON schema:
{
     "alertsCount": "",
     "version": "",
     "alert": [
         {
             "dst": {
                 "smtpTo": ""
             },
             "severity": "",
             "occurred": "",
             "name": "",
             "sensor": "",
             "id": "",
             "action": "",
             "smtpMessage": {
                 "subject": ""
             },
             "sensorIp": "",
             "applianceId": "",
             "rootInfection": "",
             "explanation": {
                 "malwareDetected": {
                     "malware": [
                         {
                             "md5Sum": "",
                             "sha256": "",
                             "name": ""
                         }
                     ]
                 },
                 "osChanges": []
             },
             "uuid": "",
             "product": "",
             "vlan": "",
             "alertUrl": "",
             "scVersion": "",
             "src": {
                 "smtpMailFrom": ""
             },
             "malicious": "",
             "ack": ""
         }
     ],
     "msg": "",
     "appliance": ""
}

operation: Get Alerts Updated with ATI Information

Input parameters

Start Time: Start time from when you want to search for alerts that have been updated with ATI information.
UTC Time Offset: Time offset from UTC. The supported format is 0H:0M. For example, 07:00.

Output

The output contains the following populated JSON schema:
{
     "type": "",
     "entity": {},
     "rawType": ""
}

operation: Get ATI Information of Alert

Input parameters

Alert ID: ID of the alert whose detailed information, including its ATI information, you want to retrieve from FireEye NX.

Output

The output contains a non-dictionary value.

operation: Get Reports By Time

Input parameters

Report Type: Select the type of the report that you want to retrieve from FireEye NX. You can choose the type of report from the drop-down list, for example, Email Antivirus Report, Website Malware Activity, etc.
If you choose 'IPS Top N Victims Report', then you must specify the following parameters:
  • Limit: Maximum number of items that should be covered by each report.
  • Interface: Interface that should be used to retrieve reports from FireEye NX. You can choose from the following options: A, B, or AB.
If you choose 'IPS Top N Attackers Report', then you must specify the following parameters:
  • Limit: Maximum number of items that should be covered by each report.
  • Interface: Interface that should be used to retrieve reports from FireEye NX. You can choose from the following options: A, B, or AB.
If you choose 'IPS Executive Summary Report', then you must specify the following parameter:
  • Interface: Interface that should be used to retrieve reports from FireEye NX. You can choose from the following options: A, B, or AB.
If you choose 'IPS Top N Attacks Report', then you must specify the following parameters:
  • Limit: Maximum number of items that should be covered by each report.
  • Interface: Interface that should be used to retrieve reports from FireEye NX. You can choose from the following options: A, B, or AB.
If you choose 'IPS Top N MVX-Correlated Report', then you must specify the following parameters:
  • Limit: Maximum number of items that should be covered by each report.
  • Interface: Interface that should be used to retrieve reports from FireEye NX. You can choose from the following options: A, B, or AB.
Time Frame: Time duration for which you want to retrieve reports from FireEye NX. You can choose from options such as Past week, One Day Ago, etc.
If you choose 'Between', then you must specify the following parameters:
  • Start Time: Start time from when you want to retrieve reports from FireEye NX.
  • End Time: End time till when you want to retrieve reports from FireEye NX.
  • UTC Time Offset: Time offset from UTC. The supported format is 0H:0M. For example, 07:00.

Output

The output contains a non-dictionary value.

operation: Get Report By ID

Input parameters

ID Type: Select the type of ID that you want to use to retrieve the alert report from FireEye NX.
If you choose 'Infection ID and Type', then you must specify the following parameters:
  • Infection ID: Infection ID that, when used in combination with the infection type, identifies a unique alert and retrieves its report from FireEye NX.
  • Infection Type: Infection type that, when used in combination with the infection ID, identifies a unique alert and retrieves its report from FireEye NX.
If you choose 'ID', then you must specify the following parameter:
  • Alert Record ID: ID of the alert record whose report you want to retrieve from FireEye NX. An alert record ID is the internal database unique ID of the alert record.

Output

The output contains a non-dictionary value.

operation: Get Statistics

Input parameters

Start Time: Start time from when you want to retrieve statistics from FireEye NX.
End Time: End time till when you want to retrieve statistics from FireEye NX.
UTC Time Offset (Optional): Time offset from UTC. The supported format is 0H:0M. For example, 07:00.

Output

The output contains a non-dictionary value.

operation: Get Artifacts Metadata By UUID

Input parameters

Alert UUID: UUID of the alert whose artifacts metadata you want to retrieve from FireEye NX.

Output

The output contains the following populated JSON schema:
{
     "artifactsInfoList": [
         {
             "artifactName": "",
             "artifactSize": "",
             "artifactType": ""
         }
     ]
}

operation: Get Events

Input parameters

Duration: Time interval that you want to use to search for events in FireEye NX. You can specify the duration in conjunction with the End Time parameter.
Note: If you do not specify the duration, then the default duration is set to 12 hours.
End Time: DateTime till when you want to retrieve events from FireEye NX. You can use this parameter in conjunction with the Duration parameter. If you specify the end time and do not specify the duration, then the system defaults to duration=12 hours, ending at the specified end time.
UTC Time Offset: Time offset from UTC. The supported format is 0H:0M. For example, 07:00.
MVX Correlated Only: Select this option to retrieve only MVX-correlated events. By default, this option is cleared (false), so all IPS events are retrieved from FireEye NX.

Output

The output contains the following populated JSON schema:
{
     "eventType": ""
}

operation: Add Event Filters

Input parameters

Filters: Event filters that you want to add to FireEye NX. You must provide filters in the following format: [{"filter_name" : "","field_name" : "","field_value" : },{"filter_name" : "","field_name" : "","field_value" : }]

Output

The output contains a non-dictionary value.

operation: Get Event Filters

Input parameters

Filter Type: Type of event filters that you want to retrieve from FireEye NX. If you do not specify any filter type, then the default filters are retrieved from FireEye NX.

Output

The output contains a non-dictionary value.

operation: Get Event Filter Protocols

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Delete Event Filters

Input parameters

Filters: Event filters that you want to delete from FireEye NX. You must provide filters in the following format: [{"filter_name" : "","field_name" : "","field_value" : },{"filter_name" : "","field_name" : "","field_value" : }]
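Both Add Event Filters and Delete Event Filters take the same Filters input, and a malformed list (a missing field_value, an empty filter_name, a stray key) is better rejected in the playbook than sent to the appliance. The following is an added example, not connector code, that validates the documented [{"filter_name", "field_name", "field_value"}, ...] shape, accepting either the JSON text as typed into the parameter or an already-parsed list. The sample filter values are constructed; the field names used in them are not taken from this document.

```python
"""Validate the Filters input shared by Add Event Filters and Delete Event Filters.

Added example, not the connector's own code. Only the three key names come from
the document; the sample values in the tests are constructed.
"""
import json

REQUIRED_KEYS = ("filter_name", "field_name", "field_value")


class FilterFormatError(ValueError):
    """Raised when the Filters input does not match the documented format."""


def parse_event_filters(filters) -> list:
    """Return a cleaned list of filter dicts, or raise FilterFormatError."""
    if isinstance(filters, (str, bytes)):
        try:
            filters = json.loads(filters)
        except json.JSONDecodeError as exc:
            raise FilterFormatError(f"Filters is not valid JSON: {exc.msg}") from None
    if isinstance(filters, dict):          # a single filter object is tolerated
        filters = [filters]
    if not isinstance(filters, list) or not filters:
        raise FilterFormatError("Filters must be a non-empty JSON list of objects")

    cleaned, seen = [], set()
    for index, item in enumerate(filters):
        if not isinstance(item, dict):
            raise FilterFormatError(f"filter {index} is not an object")
        missing = [k for k in REQUIRED_KEYS if k not in item]
        extra = [k for k in item if k not in REQUIRED_KEYS]
        if missing or extra:
            raise FilterFormatError(f"filter {index}: missing {missing}, unexpected {extra}")
        for key in ("filter_name", "field_name"):
            if not isinstance(item[key], str) or not item[key].strip():
                raise FilterFormatError(f"filter {index}: {key} must be a non-empty string")
        value = item["field_value"]
        if value is None or value == "":
            raise FilterFormatError(f"filter {index}: field_value must be given")
        if isinstance(value, (dict, list)):
            raise FilterFormatError(f"filter {index}: field_value must be a scalar")
        entry = {"filter_name": item["filter_name"].strip(),
                 "field_name": item["field_name"].strip(),
                 "field_value": value}
        identity = (entry["filter_name"], entry["field_name"], str(value))
        if identity in seen:               # drop exact duplicates rather than sending them twice
            continue
        seen.add(identity)
        cleaned.append(entry)
    return cleaned
```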

Output

The output contains a non-dictionary value.

operation: Add YARA Rule

Input parameters

File IRI: IRI of the file that you want to submit as a YARA rule to the FireEye NX server.
File Type: File type of the YARA rule file that you are submitting to the FireEye NX server. Supported file types are .exe, .pdf, .xls, or .ppt.
Target Type: Select the content type to which you want to apply the new YARA rule. You can choose from the following options: Active Content, Base (Default), or All.

Output

The output contains a non-dictionary value.

operation: List YARA Rule

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Delete YARA Rule

Input parameters

YARA Type: Type of the YARA file that you want to delete from the FireEye NX server. Supported YARA types are .exe, .pdf, .xls, or .ppt.
YARA File Name: Name of the YARA file that you want to delete from the FireEye NX server.
Target Type: Select the content type from which you want to remove the YARA rule. You can choose from the following options: Active Content, Base (Default), or All.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - FireEye NX - 1.0.0 playbook collection comes bundled with the FireEye NX connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the FireEye NX connector.

  • Add Event Filters
  • Add YARA Rule
  • Delete Event Filters
  • Delete YARA Rule
  • Get Alert Details
  • Get Alerts
  • Get Alerts Updated with ATI Information
  • Get Artifacts Metadata By UUID
  • Get ATI Information of Alert
  • Get Configuration Information
  • Get Event Filter Protocols
  • Get Event Filters
  • Get Events
  • Get Report By ID
  • Get Reports By Time
  • Get Statistics
  • Get System Health Status
  • List YARA Rule

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

         "version": " ",
         "name": "",
         "dtiEnabled": "",
         "customerId": "",
         "id": "",
         "timezone": "",
         "systemType": "",
         "compositeVersion": "",
         "edition": "",
         "components": {
             "temperature": {
                 "status": "",
                 "high": "",
                 "low": "",
                 "name": "",
                 "currentTemp": ""
             },
             "physicalDisk0": {
                 "status": "",
                 "selfAssess": "",
                 "name": "",
                 "totalBytes": "",
                 "diskStatus": ""
             },
             "cmsha": {
                 "status": "",
                 "primary": "",
                 "name": ""
             },
             "dataDisk": {
                 "status": "",
                 "fsType": "",
                 "name": "",
                 "bytesUsed": "",
                 "percentFree": "",
                 "bytesTotal": "",
                 "deviceName": "",
                 "bytesFree": "",
                 "bytesAvail": ""
             },
             "systemSoftware": {
                 "status": "",
                 "currentVersion": "",
                 "name": "",
                 "warning": "",
                 "latestVersion": ""
             },
             "fireeyeApplianceLicense": {
                 "status": "",
                 "name": "",
                 "perpetual": "",
                 "license": ""
             },
             "dbDisk": {
                 "status": "",
                 "fsType": "",
                 "name": "",
                 "bytesUsed": "",
                 "percentFree": "",
                 "bytesTotal": "",
                 "deviceName": "",
                 "bytesFree": "",
                 "bytesAvail": ""
             },
             "physicalDisk1": {
                 "status": "",
                 "selfAssess": "",
                 "name": "",
                 "totalBytes": "",
                 "diskStatus": ""
             },
             "varDisk": {
                 "status": "",
                 "fsType": "",
                 "name": "",
                 "bytesUsed": "",
                 "percentFree": "",
                 "bytesTotal": "",
                 "deviceName": "",
                 "bytesFree": "",
                 "bytesAvail": ""
             },
             "contentUpdatesLicense": {
                 "status": "",
                 "name": "",
                 "expDate": "",
                 "perpetual": "",
                 "expInDays": "",
                 "license": "",
                 "expiresInSeconds": ""
             },
             "eula": {
                 "accepted": "",
                 "status": "",
                 "acceptedTime": "",
                 "name": ""
             },
             "upTime": {
                 "upTimeDuration": "",
                 "status": "",
                 "name": "",
                 "upTimeMilliSeconds": ""
             },
             "powerSupply": {
                 "status": "",
                 "name": ""
             },
             "fireeyeSupportLicense": {
                 "status": "",
                 "name": "",
                 "expDate": "",
                 "perpetual": "",
                 "expInDays": "",
                 "license": "",
                 "expiresInSeconds": ""
             },
             "location": {
                 "status": "",
                 "geoLocation": "",
                 "timezone": "",
                 "name": "",
                 "utc_offset": ""
             },
             "fan1": {
                 "speed": "",
                 "status": ""
             },
             "usb": {
                 "status": "",
                 "name": "",
                 "mounted": ""
             },
             "configDisk": {
                 "status": "",
                 "fsType": "",
                 "name": "",
                 "bytesUsed": "",
                 "percentFree": "",
                 "bytesTotal": "",
                 "deviceName": "",
                 "bytesFree": "",
                 "bytesAvail": ""
             },
             "raid": {
                 "status": "",
                 "name": ""
             },
             "rootDisk": {
                 "status": "",
                 "fsType": "",
                 "name": "",
                 "bytesUsed": "",
                 "percentFree": "",
                 "bytesTotal": "",
                 "deviceName": "",
                 "bytesFree": "",
                 "bytesAvail": ""
             },
             "address": {
                 "ipv4": "",
                 "ipv6Enabled": "",
                 "domainName": [
                     ""
                 ],
                 "hostName": "",
                 "status": ""
             }
         },
         "mvxMode": "",
         "product": "",
         "serial": "",
         "domainName": "",
         "dtiMode": ""
     }
}
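The health status result above is only useful in a playbook if something reads it. The following is an added example, not connector or FireEye code: it walks appliance.components from the schema above and returns the findings an analyst would want raised (a component whose status is not healthy, a data partition running out of space, a non-perpetual licence close to expiry, an appliance running behind the available software version). It assumes a healthy status is the string "ok" (compared case-insensitively); the thresholds and the sample payload are constructed for the example.

```python
"""Triage a 'Get System Health Status' result inside a FortiSOAR playbook step.

Added example, not connector or FireEye code. Healthy status is assumed to be
the string 'ok' (case-insensitive); thresholds and the sample are constructed.
"""
from typing import Any, Dict, List

# Thresholds are assumptions chosen for this example, not connector defaults.
DISK_PERCENT_FREE_MIN = 15.0
LICENSE_EXPIRY_WARN_DAYS = 30
DISK_COMPONENTS = ("rootDisk", "dataDisk", "dbDisk", "varDisk", "configDisk")
LICENSE_COMPONENTS = ("contentUpdatesLicense", "fireeyeSupportLicense",
                      "fireeyeApplianceLicense")


def _num(value: Any, default: float) -> float:
    """Schema values arrive as strings; convert defensively."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return default


def triage_health(health: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one {component, level, reason} dict per finding."""
    findings: List[Dict[str, str]] = []
    components = health.get("appliance", {}).get("components", {})
    for name, comp in components.items():
        if not isinstance(comp, dict):
            continue
        status = str(comp.get("status", "")).strip().lower()
        if status and status != "ok":
            findings.append({"component": name, "level": "warning",
                             "reason": f"status is {comp['status']}"})
        if name in DISK_COMPONENTS:
            free = _num(comp.get("percentFree"), default=100.0)
            if free < DISK_PERCENT_FREE_MIN:
                findings.append({"component": name, "level": "warning",
                                 "reason": f"only {free:.1f}% free"})
        if name in LICENSE_COMPONENTS:
            perpetual = str(comp.get("perpetual", "")).lower() in ("true", "yes", "1")
            days = _num(comp.get("expInDays"), default=float("inf"))
            if not perpetual and days <= LICENSE_EXPIRY_WARN_DAYS:
                level = "critical" if days <= 0 else "warning"
                findings.append({"component": name, "level": level,
                                 "reason": f"license expires in {int(days)} days"})
        if name == "systemSoftware":
            cur, latest = comp.get("currentVersion", ""), comp.get("latestVersion", "")
            if cur and latest and cur != latest:
                findings.append({"component": name, "level": "info",
                                 "reason": f"running {cur}, {latest} available"})
    return findings


# Constructed sample in the shape of the schema above (values are not real).
SAMPLE_HEALTH = {
    "status": "ok",
    "appliance": {
        "name": "nx-sensor-01",
        "components": {
            "temperature": {"status": "ok", "currentTemp": "41"},
            "dataDisk": {"status": "ok", "percentFree": "8.5"},
            "rootDisk": {"status": "ok", "percentFree": "60"},
            "contentUpdatesLicense": {"status": "ok", "perpetual": "false",
                                      "expInDays": "12"},
            "fireeyeSupportLicense": {"status": "ok", "perpetual": "true",
                                      "expInDays": ""},
            "raid": {"status": "degraded", "name": "raid"},
            "systemSoftware": {"status": "ok", "currentVersion": "1.0",
                               "latestVersion": "1.1", "warning": ""},
        },
    },
}

if __name__ == "__main__":
    for finding in triage_health(SAMPLE_HEALTH):
        print(f"[{finding['level']}] {finding['component']}: {finding['reason']}")
```

Feed the JSON from the Get System Health Status step into triage_health and branch the playbook on whether the returned list is empty; an appliance whose licence lapses silently stops receiving content updates, which is exactly the kind of failure nobody notices until an alert is missed.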

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Alert ID ID of the alert whose information you want to retrieve from FireEye NX. For example, 13705.
Duration Time interval that you want to use to search for alerts in FireEye NX. You can specify the duration in conjunction with the Time Type parameter.
Note: If you do not specify the duration, the default duration is 48 hours.
Time Type Type of time that you want to use to search for alerts in FireEye NX. You can choose between Start Time and End Time.
If you choose 'End Time', then you must specify the following parameters:
  • End Time: DateTime till when you want to retrieve alerts from FireEye NX. You can use this parameter in conjunction with the Duration parameter. If you specify the end time and do not specify the duration, then the system defaults duration=12 hours, ending at the specified end time.
  • UTC Time Offset: Time offset from UTC. The supported format is 0H:0M. For example, 07:00.
If you choose 'Start Time', then you must specify the following parameters:
  • Start Time: DateTime from when you want to retrieve alerts from FireEye NX. You can use this parameter in conjunction with the Duration parameter. If you specify the start time and do not specify the duration, then the system defaults to duration=12 hours, starting at the specified start time.
  • UTC Time Offset: Time offset from UTC. The supported format is 0H:0M. For example, 07:00.
Info Level Level of information to be retrieved for alerts from FireEye NX. You can choose from the following options: Concise (default), Normal, or Extended.
Callback Domain Domain name to search on. FireEye NX returns the alerts that include callbacks to the specified domain.
Destination IP Destination IPv4 address related to the malware alert you want to search and retrieve information from FireEye NX.
Source IP Source IPv4 address related to the malware alert you want to search and retrieve information from FireEye NX.
File Name Name of the malware file for which you want to search and retrieve information from FireEye NX.
File Type Type of the malware file for which you want to search and retrieve information from FireEye NX.
Malware Name Name of the malware object for which you want to search and retrieve information from FireEye NX.
Malware Type Type of malware object for which you want to search and retrieve information from FireEye NX. For example, domain_match, malware_callback, malware_object, web_infection, infection_match, etc.
MD5 MD5 hash whose associated alerts you want to search and retrieve from FireEye NX.
Recipient Email Email address of the malware object receiver for which you want to search and retrieve information from FireEye NX.
Note: This filter does not default to duration=12 hours.
Sender Email Email address of the malware object sender for which you want to search and retrieve information from FireEye NX.
Note: This filter does not default to duration=12 hours.
URL Alert URL for which you want to search and retrieve information from FireEye NX.
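The Duration, Time Type, Start Time, End Time, and UTC Time Offset parameters interact in a way that is easy to get wrong in a playbook (a 48-hour default with no bounds, a 12-hour default once a bound is given, and an offset applied to the bound). The following is an added example, not connector code, that resolves those inputs to the absolute UTC window the query will cover, so a playbook can log or assert it before calling the connector. DateTimes are taken as ISO 8601 strings, the form a playbook typically passes; accepting a leading '-' on the offset for zones west of UTC is an assumption of this example.

```python
"""Resolve the absolute UTC window a Get Alerts query will cover.

Added example, not connector code. Encodes the rules of the parameter table:
no bounds -> 48-hour window ending now; Start Time or End Time without a
Duration -> 12 hours from that bound; UTC Time Offset in '0H:0M' form.
A leading '-' on the offset is an assumption of this example.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

_OFFSET_RE = re.compile(r"^([+-])?(\d{1,2}):(\d{2})$")


def parse_utc_offset(offset: str) -> timezone:
    """'07:00' -> UTC+07:00; '-05:00' -> UTC-05:00. Rejects anything else."""
    match = _OFFSET_RE.match(offset.strip())
    if not match:
        raise ValueError(f"UTC Time Offset must be 0H:0M, e.g. 07:00, got {offset!r}")
    sign, hours, minutes = match.groups()
    if int(hours) > 14 or int(minutes) > 59:
        raise ValueError(f"UTC Time Offset out of range: {offset!r}")
    delta = timedelta(hours=int(hours), minutes=int(minutes))
    return timezone(-delta if sign == "-" else delta)


def _localize(value: str, tz: timezone) -> datetime:
    """Parse an ISO 8601 string; naive values are interpreted in tz."""
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=tz)
    return parsed.astimezone(timezone.utc)


def resolve_window(start_time: Optional[str] = None,
                   end_time: Optional[str] = None,
                   duration_hours: Optional[float] = None,
                   utc_offset: str = "00:00",
                   default_hours: float = 48,
                   now: Optional[str] = None) -> Tuple[str, str]:
    """Return (start, end) of the query window as ISO 8601 UTC strings."""
    if start_time and end_time:
        raise ValueError("Time Type selects Start Time or End Time, not both")
    tz = parse_utc_offset(utc_offset)
    if start_time:
        start = _localize(start_time, tz)
        end = start + timedelta(hours=duration_hours or 12)   # 12-hour default
    elif end_time:
        end = _localize(end_time, tz)
        start = end - timedelta(hours=duration_hours or 12)   # 12-hour default
    else:
        end = _localize(now, timezone.utc) if now else datetime.now(timezone.utc)
        start = end - timedelta(hours=duration_hours or default_hours)  # 48-hour default
    return start.isoformat(), end.isoformat()


if __name__ == "__main__":
    print(resolve_window(start_time="2024-01-01T08:00", utc_offset="07:00"))
    print(resolve_window(end_time="2024-01-01T12:00", duration_hours=2, utc_offset="-05:00"))
```

Get Events uses the same End Time, Duration and UTC Time Offset parameters with a 12-hour default; call resolve_window with default_hours=12 for that operation.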

Output

The output contains the following populated JSON schema:
{
     "alertsCount": "",
     "version": "",
     "alert": [
         {
             "dst": {
                 "smtpTo": ""
             },
             "severity": "",
             "occurred": "",
             "applianceId": "",
             "name": "",
             "sensor": "",
             "id": "",
             "src": {
                 "smtpMailFrom": ""
             },
             "smtpMessage": {
                 "subject": ""
             },
             "sensorIp": "",
             "uuid": "",
             "rootInfection": "",
             "explanation": {
                 "malwareDetected": {
                     "malware": [
                         {
                             "md5Sum": "",
                             "sha256": "",
                             "name": ""
                         }
                     ]
                 },
                 "osChanges": []
             },
             "product": "",
             "scVersion": "",
             "alertUrl": "",
             "malicious": "",
             "action": "",
             "ack": "",
             "vlan": ""
         }
     ],
     "msg": "",
     "appliance": ""
}
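Most playbooks that call Get Alerts go on to enrich or block the indicators in the result. The following is an added example, not connector code, that reads only fields present in the schema above (explanation.malwareDetected.malware[].md5Sum, sha256 and name; src.smtpMailFrom; dst.smtpTo; id; malicious) and returns de-duplicated indicators. Hashes are normalised and validated before they are kept, because a malformed hash forwarded to a firewall or EDR block list is worse than none. It assumes the malicious field holds "yes" or "no"; the sample payload is constructed (the hashes in it are the well-known MD5 and SHA-256 of the empty string).

```python
"""Pull indicators out of a 'Get Alerts' result for enrichment or blocking.

Added example, not connector code. Reads only fields from the schema above.
Assumes the 'malicious' field holds 'yes'/'no'; the sample is constructed.
"""
import re
from typing import Any, Dict, List

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def _clean_hash(value: Any, pattern: "re.Pattern") -> str:
    """Lower-case and validate a hash; return '' if it is not well formed."""
    candidate = str(value or "").strip().lower()
    return candidate if pattern.match(candidate) else ""


def _add(bucket: List[str], value: str) -> None:
    """Append while preserving order and skipping empties and duplicates."""
    if value and value not in bucket:
        bucket.append(value)


def extract_iocs(result: Dict[str, Any], only_malicious: bool = True) -> Dict[str, List[str]]:
    """Return indicator lists keyed by type, plus any hashes that failed validation."""
    iocs: Dict[str, List[str]] = {"alert_ids": [], "md5": [], "sha256": [],
                                  "malware_names": [], "senders": [],
                                  "recipients": [], "rejected_hashes": []}
    for alert in result.get("alert", []) or []:
        if only_malicious and str(alert.get("malicious", "")).lower() not in ("yes", "true"):
            continue
        _add(iocs["alert_ids"], str(alert.get("id", "")))
        _add(iocs["senders"], (alert.get("src") or {}).get("smtpMailFrom", ""))
        _add(iocs["recipients"], (alert.get("dst") or {}).get("smtpTo", ""))
        detected = (alert.get("explanation") or {}).get("malwareDetected") or {}
        for malware in detected.get("malware", []) or []:
            _add(iocs["malware_names"], str(malware.get("name", "")).strip())
            for key, pattern, bucket in (("md5Sum", _MD5_RE, "md5"),
                                         ("sha256", _SHA256_RE, "sha256")):
                raw = malware.get(key, "")
                cleaned = _clean_hash(raw, pattern)
                if cleaned:
                    _add(iocs[bucket], cleaned)
                elif raw:
                    _add(iocs["rejected_hashes"], str(raw))
    return iocs


# Constructed sample in the shape of the schema above; values are not real alerts.
SAMPLE_ALERTS = {
    "alertsCount": 3,
    "alert": [
        {"id": "101", "malicious": "yes",
         "src": {"smtpMailFrom": "billing@example.net"},
         "dst": {"smtpTo": "user@example.com"},
         "smtpMessage": {"subject": "Invoice"},
         "explanation": {"malwareDetected": {"malware": [
             {"md5Sum": "D41D8CD98F00B204E9800998ECF8427E",
              "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              "name": "Trojan.Generic"}]}, "osChanges": []}},
        {"id": "102", "malicious": "yes", "src": {}, "dst": {},
         "explanation": {"malwareDetected": {"malware": [
             {"md5Sum": "d41d8cd98f00b204e9800998ecf8427e",
              "sha256": "not-a-hash", "name": "Trojan.Generic"}]}}},
        {"id": "103", "malicious": "no",
         "explanation": {"malwareDetected": {"malware": [
             {"md5Sum": "00000000000000000000000000000000",
              "sha256": "", "name": "Benign.Sample"}]}}},
    ],
}

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_ALERTS).items():
        print(f"{kind}: {values}")
```

Run Get Alerts with Info Level set to Normal or Extended if you need the richer explanation fields; the Concise output above is enough for hash and e-mail indicators.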

operation: Get Alert Details

Input parameters

Parameter Description
Alert ID ID of the alert whose information you want to retrieve from FireEye NX.

Output

The output contains the following populated JSON schema:
{
     "alertsCount": "",
     "version": "",
     "alert": [
         {
             "dst": {
                 "smtpTo": ""
             },
             "severity": "",
             "occurred": "",
             "name": "",
             "sensor": "",
             "id": "",
             "action": "",
             "smtpMessage": {
                 "subject": ""
             },
             "sensorIp": "",
             "applianceId": "",
             "rootInfection": "",
             "explanation": {
                 "malwareDetected": {
                     "malware": [
                         {
                             "md5Sum": "",
                             "sha256": "",
                             "name": ""
                         }
                     ]
                 },
                 "osChanges": []
             },
             "uuid": "",
             "product": "",
             "vlan": "",
             "alertUrl": "",
             "scVersion": "",
             "src": {
                 "smtpMailFrom": ""
             },
             "malicious": "",
             "ack": ""
         }
     ],
     "msg": "",
     "appliance": ""
}

operation: Get Alerts Updated with ATI Information

Input parameters

Parameter Description
Start Time Start Time from when you want to search for alerts that have been updated with ATI information.
UTC Time Offset Time offset from UTC. The supported format is 0H:0M. For example, 07:00.

Output

The output contains the following populated JSON schema:
{
     "type": "",
     "entity": {},
     "rawType": ""
}

operation: Get ATI Information of Alert

Input parameters

Parameter Description
Alert ID ID of the alert whose detailed information, including its ATI information, you want to retrieve from FireEye NX.

Output

The output contains a non-dictionary value.

operation: Get Reports By Time

Input parameters

Parameter Description
Report Type Select the type of the report that you want to retrieve from FireEye NX. You can choose the type of report from the drop-down list, for example, Email Antivirus Report, Website Malware Activity, etc.
If you choose 'IPS Top N Victims Report', then you must specify the following parameters:
  • Limit: Maximum number of items that should be covered by each report.
  • Interface: Interface that should be used to retrieve reports from FireEye NX. You can choose from the following options, A, B, or AB.
If you choose 'IPS Top N Attackers Report', then you must specify the following parameters:
  • Limit: Maximum number of items that should be covered by each report.
  • Interface: Interface that should be used to retrieve reports from FireEye NX. You can choose from the following options, A, B, or AB.
If you choose 'IPS Executive Summary Report', then you must specify the following parameters:
  • Interface: Interface that should be used to retrieve reports from FireEye NX. You can choose from the following options, A, B, or AB.
If you choose 'IPS Top N Attacks Report', then you must specify the following parameters:
  • Limit: Maximum number of items that should be covered by each report.
  • Interface: Interface that should be used to retrieve reports from FireEye NX. You can choose from the following options, A, B, or AB.
If you choose 'IPS Top N MVX-Correlated Report', then you must specify the following parameters:
  • Limit: Maximum number of items that should be covered by each report.
  • Interface: Interface that should be used to retrieve reports from FireEye NX. You can choose from the following options, A, B, or AB.
Time Frame Time duration for which you want to retrieve reports from FireEye NX. You can choose from options such as Past week, One Day Ago, etc.
If you choose 'Between', then you must specify the following parameters:
  • Start Time: Start time from when you want to retrieve reports from FireEye NX.
  • End Time: End time till when you want to retrieve reports from FireEye NX.
  • UTC Time Offset: Time offset from UTC. The supported format is 0H:0M. For example, 07:00.

Output

The output contains a non-dictionary value.

operation: Get Report By ID

Input parameters

Parameter Description
ID Type Select the type of the ID that you want to use to retrieve the alert report from FireEye NX.
If you choose 'Infection ID and Type', then you must specify the following parameters:
  • Infection ID: Infection ID that, in combination with the infection type, identifies the unique alert whose report you want to retrieve from FireEye NX.
  • Infection Type: Infection type that, in combination with the infection ID, identifies the unique alert whose report you want to retrieve from FireEye NX.
If you choose 'ID', then you must specify the following parameters:
  • Alert Record ID: ID of the alert record whose report you want to retrieve from FireEye NX. An alert record ID is the internal database unique ID of the alert record.

Output

The output contains a non-dictionary value.

operation: Get Statistics

Input parameters

Parameter Description
Start Time Start time from when you want to retrieve statistics from FireEye NX.
End Time End time until which you want to retrieve statistics from FireEye NX.
UTC Time Offset (Optional) Time offset from UTC. The supported format is 0H:0M. For example, 07:00.

Output

The output contains a non-dictionary value.

operation: Get Artifacts Metadata By UUID

Input parameters

Parameter Description
Alert UUID UUID of the alert whose artifacts metadata you want to retrieve from FireEye NX.

Output

The output contains the following populated JSON schema:
{
     "artifactsInfoList": [
         {
             "artifactName": "",
             "artifactSize": "",
             "artifactType": ""
         }
     ]
}

operation: Get Events

Input parameters

Parameter Description
Duration Time interval that you want to use to search for events in FireEye NX. You can specify the duration in conjunction with the End Time parameter.
Note: If you do not specify the duration, the default duration is 12 hours.
End Time DateTime till when you want to retrieve events from FireEye NX. You can use this parameter in conjunction with the Duration parameter. If you specify the end time and do not specify the duration, then the system defaults duration=12 hours, ending at the specified end time.
UTC Time Offset Time offset from UTC. The supported format is 0H:0M. For example, 07:00.
MVX Correlated Only Select this option to retrieve only MVX-correlated events. By default, this option is cleared (false), and all IPS events are retrieved from FireEye NX.

Output

The output contains the following populated JSON schema:
{
     "eventType": ""
}

operation: Add Event Filters

Input parameters

Parameter Description
Filters Event filters that you want to add to FireEye NX. You must provide the filters as a JSON list in which each entry has a filter_name, a field_name, and a field_value, in the following format: [{"filter_name": "", "field_name": "", "field_value": ""}, {"filter_name": "", "field_name": "", "field_value": ""}]

Output

The output contains a non-dictionary value.

operation: Get Event Filters

Input parameters

Parameter Description
Filter Type Type of event filters that you want to retrieve from FireEye NX. If you do not specify a filter type, the default filters are retrieved from FireEye NX.

Output

The output contains a non-dictionary value.

operation: Get Event Filter Protocols

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Delete Event Filters

Input parameters

Parameter Description
Filters Event filters that you want to delete from FireEye NX. You must provide the filters as a JSON list in which each entry has a filter_name, a field_name, and a field_value, in the following format: [{"filter_name": "", "field_name": "", "field_value": ""}, {"filter_name": "", "field_name": "", "field_value": ""}]

Output

The output contains a non-dictionary value.
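Add Event Filters and Delete Event Filters take the same Filters list, and a malformed entry (a missing key, an empty field_value, or a duplicate that the playbook built twice) is easier to catch before the call than to debug from a non-dictionary error afterwards. The following is an added example, not connector code: it builds that list from simple tuples, validates a Filters value typed into a playbook step, and optionally checks each field_name against the set of supported fields you obtained from Get Event Filter Protocols. The filter and field names in the sample are placeholders, not real FireEye NX filter or protocol names.

```python
"""Build and validate the Filters parameter for Add/Delete Event Filters.

Added example, not connector code. Filter and field names used in the
sample are placeholders, not real FireEye NX filter or protocol names.
"""
import json
from typing import Any, Dict, Iterable, List, Optional, Set, Tuple, Union

REQUIRED_KEYS = ("filter_name", "field_name", "field_value")


def validate_event_filter(entry: Any, allowed_fields: Optional[Set[str]] = None) -> None:
    """Raise ValueError unless entry is exactly {filter_name, field_name, field_value}."""
    if not isinstance(entry, dict):
        raise ValueError(f"filter entry must be an object, got {type(entry).__name__}")
    missing = [k for k in REQUIRED_KEYS if k not in entry]
    extra = sorted(set(entry) - set(REQUIRED_KEYS))
    if missing or extra:
        raise ValueError(f"filter entry must have exactly {REQUIRED_KEYS}: "
                         f"missing={missing} extra={extra}")
    for key in ("filter_name", "field_name"):
        if not isinstance(entry[key], str) or not entry[key].strip():
            raise ValueError(f"{key} must be a non-empty string")
    if entry["field_value"] in (None, ""):
        raise ValueError("field_value must not be empty")
    # allowed_fields is the field list from Get Event Filter Protocols (assumed flat).
    if allowed_fields is not None and entry["field_name"] not in allowed_fields:
        raise ValueError(f"unsupported field_name {entry['field_name']!r}")


def build_event_filters(specs: Iterable[Tuple[str, str, Any]],
                        allowed_fields: Optional[Set[str]] = None) -> List[Dict[str, Any]]:
    """Turn (filter_name, field_name, field_value) tuples into the Filters list, de-duplicated."""
    filters: List[Dict[str, Any]] = []
    seen = set()
    for filter_name, field_name, field_value in specs:
        entry = {"filter_name": filter_name, "field_name": field_name,
                 "field_value": field_value}
        validate_event_filter(entry, allowed_fields)
        key = (filter_name, field_name, json.dumps(field_value, sort_keys=True))
        if key in seen:
            continue
        seen.add(key)
        filters.append(entry)
    if not filters:
        raise ValueError("at least one filter is required")
    return filters


def parse_filters_parameter(payload: Union[str, list],
                            allowed_fields: Optional[Set[str]] = None) -> List[Dict[str, Any]]:
    """Validate a Filters value as typed into the playbook step (JSON text or list)."""
    data = json.loads(payload) if isinstance(payload, str) else payload
    if not isinstance(data, list) or not data:
        raise ValueError("Filters must be a non-empty JSON list")
    for entry in data:
        validate_event_filter(entry, allowed_fields)
    return data


def to_filters_parameter(filters: List[Dict[str, Any]]) -> str:
    """Serialise the list in the compact form expected by the Filters parameter."""
    return json.dumps(filters, separators=(",", ":"))


if __name__ == "__main__":
    # Placeholder filter/field names; the IP is constructed.
    built = build_event_filters([("block_scanner", "src_ip", "10.0.0.5"),
                                 ("block_scanner", "src_ip", "10.0.0.5"),
                                 ("ignore_dns", "dst_port", 53)])
    print(to_filters_parameter(built))
```

Use the same list for the Delete Event Filters step that tears the filters down at the end of an investigation, so what you remove is exactly what you added.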

operation: Add YARA Rule

Input parameters

Parameter Description
File IRI IRI of the file that you want to submit as a YARA rule to the FireEye NX server.
File Type File type that the YARA rule is associated with on the FireEye NX server, that is, the type of file the rule is matched against. Supported file types are .exe, .pdf, .xls, or .ppt.
Target Type Select the content type to which you want to apply the new YARA rule. You can choose from the following options: Active Content, Base (Default), or All.

Output

The output contains a non-dictionary value.

operation: List YARA Rule

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Delete YARA Rule

Input parameters

Parameter Description
YARA Type File type that the YARA rule you want to delete is associated with on the FireEye NX server. Supported YARA types are .exe, .pdf, .xls, or .ppt.
YARA File Name Name of the YARA file that you want to delete from the FireEye NX server.
Target Type Select the content type from which you want to remove the YARA rule. You can choose from the following options: Active Content, Base (Default), or All.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - FireEye NX - 1.0.0 playbook collection comes bundled with the FireEye NX connector. These playbooks contain steps that perform all the supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FireEye NX connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.