The FireEye® AX series is a group of forensic analysis platforms that give security analysts control over powerful, auto-configured test environments in which they can safely execute and inspect advanced malware, zero-day exploits, and advanced persistent threat (APT) attacks embedded in web pages, email attachments, and files.
This document provides information about the FireEye AX connector, which facilitates automated interactions with your FireEye AX server using FortiSOAR™ playbooks. Add the FireEye AX connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving a list of all guest image profiles and application details from FireEye AX, submitting files or URLs to FireEye AX for analysis, and retrieving artifact data from FireEye AX.
Connector Version: 1.0.1
Authored By: Fortinet
Certified: No
The following enhancements have been made to the FireEye AX Connector in version 1.0.1:
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
```shell
yum install cyops-connector-fireeye-ax
```
For the detailed procedure to install a connector, see the FortiSOAR™ connector installation documentation.
For the procedure to configure a connector, see the FortiSOAR™ connector configuration documentation.
In FortiSOAR™, on the connectors page, select the FireEye AX connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Hostname | FQDN or IP address of FireEye AX server to which you will connect and perform the automated operations. |
Username | Username to access the FireEye AX server to which you will connect and perform the automated operations. |
Password | Password to access the FireEye AX server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the server's SSL certificate is verified. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Config | Retrieves a list of all guest image profiles and applications details that are available on FireEye AX. | get_config Investigation |
Get Alerts | Retrieves information of existing alerts from FireEye AX based on alert ID, URL of the alert, and other input parameters you have specified. | get_alerts Investigation |
Get Alert Details | Retrieves details of a specific alert from FireEye AX based on the alert ID you have specified. | get_alert_details Investigation |
Submit File | Submits a file that is present in FortiSOAR™ for analysis to FireEye AX based on the FortiSOAR™ file IRI, application ID, profiles, and other input parameters you have specified. | submit_file Investigation |
Submit URL | Submits URLs for analysis to FireEye AX based on the URLs, application ID, profiles, and other input parameters you have specified. | submit_url Investigation |
Get Submission Status | Retrieves the submission status of files or URLs that you have submitted to FireEye AX for analysis based on the information level and object ID (optional) that you have specified. | get_status Miscellaneous |
Get Submission Result | Retrieves the submission result of files or URLs that you have submitted to FireEye AX for analysis based on the information level and object ID (optional) that you have specified. | get_result Investigation |
Get Artifacts Metadata By UUID | Retrieves metadata for artifacts from FireEye AX based on the alert UUID you have specified. | get_artifacts_metadata_by_uuid Investigation |
List Custom Feeds | Retrieves a list of all custom feeds available in the FireEye AX system. | list_feeds Investigation |
Download a Custom IOC File Request | Downloads a custom IOC file request from FireEye AX based on the feed name and feed path you have specified. | download_feeds Investigation |
Delete Custom Feeds | Deletes a specific feed from the FireEye AX system based on the feed name you have specified. | delete_feeds Remediation |
Add or Update Custom Feeds | Adds or updates a custom feed on the FireEye AX server based on the feed name, feed type, and other input parameters you have specified. | add_feeds Containment |
Add YARA Rule | Adds a YARA rule to the FireEye AX server based on the file IRI and file type you have specified. | add_rules Containment |
Delete YARA Rule | Deletes a YARA rule file from the FireEye AX server based on the YARA file name and YARA type you have specified. | delete_rule Miscellaneous |
Get Config takes no input parameters.
The output of Get Config contains a non-dictionary value.
Get Alerts takes the following input parameters. Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and an unfiltered list is returned.
Parameter | Description |
---|---|
Alert ID | ID of the alert whose information you want to retrieve from FireEye AX. |
Info Level | Level of information to be retrieved for alerts from FireEye AX. You can choose from the following options: Concise (default), Normal, or Extended. |
URL | Alert URL that you want to search for on FireEye AX. |
File Name | Name of the malware file that you want to search for on FireEye AX. |
File Type | Type of the malware file that you want to search for on FireEye AX. |
Malware Name | Name of the malware object that you want to search for on FireEye AX. |
Malware Type | Type of malware object that you want to search for on FireEye AX. For example, domain_match, malware_callback, malware_object, web_infection, infection_match, etc. |
Start Time | DateTime from when you want to retrieve alerts from FireEye AX. |
End Time | DateTime until when you want to retrieve alerts from FireEye AX. |
The output of Get Alerts contains a non-dictionary value.
Get Alert Details takes the following input parameter:
Parameter | Description |
---|---|
Alert ID | ID of the alert whose details you want to retrieve from FireEye AX. |
The output of Get Alert Details contains the following populated JSON schema:
```json
{
  "alertsCount": "",
  "msg": "",
  "appliance": "",
  "alert": [
    {
      "rootInfection": "",
      "vlan": "",
      "occurred": "",
      "uuid": "",
      "action": "",
      "product": "",
      "dst": {
        "smtpTo": ""
      },
      "ack": "",
      "alertUrl": "",
      "severity": "",
      "malicious": "",
      "smtpMessage": {
        "subject": ""
      },
      "applianceId": "",
      "id": "",
      "sensorIp": "",
      "name": "",
      "sensor": "",
      "src": {
        "smtpMailFrom": ""
      },
      "scVersion": "",
      "explanation": {
        "osChanges": [],
        "malwareDetected": {
          "malware": [
            {
              "md5Sum": "",
              "name": "",
              "sha256": ""
            }
          ]
        }
      }
    }
  ],
  "version": ""
}
```
Submit File takes the following input parameters:
Parameter | Description |
---|---|
CyOPs File IRI | File IRI of the file that you want to submit to FireEye AX for analysis. |
Timeout | Timeout for the analysis (in seconds). |
Application/Sandbox | ID of the application or sandbox that you want to use for analysis. |
Priority | Priority to be set for the analysis. You can choose from the following options: |
Profiles | AX series profile that you want to use for analysis. |
Analysis Type | Analysis mode that you want to use for analysis. You can choose from the following options: |
Prefetch | Mode of determining the file target. You can choose either Determine Through Internal Determination or Determine Through Browsing Target Location. If you select Determine Through Internal Determination, the file target is determined internally. If you select Determine Through Browsing Target Location, the file target is determined by browsing to the target location. |
Force | Select the Force checkbox (True, the default) to analyze the file even if it exactly matches an analysis that has already been performed, i.e., force the analysis. In most cases, it is not necessary to reanalyze malware. If you clear the Force checkbox (False), this operation does not analyze duplicate files. |
The output of Submit File contains the following populated JSON schema:
```json
{
  "ID": ""
}
```
Submit URL takes the following input parameters:
Parameter | Description |
---|---|
URLs | URLs that you want to submit to FireEye AX for analysis. Note: You can specify multiple URLs in .csv or list format. |
Timeout | Timeout for the analysis (in seconds). |
Application/Sandbox | ID of the application or sandbox that you want to use for analysis. |
Priority | Priority to be set for the analysis. You can choose from the following options: |
Profiles | AX series profile that you want to use for analysis. |
Analysis Type | Analysis mode that you want to use for analysis. You can choose from the following options: |
Prefetch | Mode of determining the target of the URLs. You can choose either Determine Through Internal Determination or Determine Through Browsing Target Location. If you select Determine Through Internal Determination, the target of the URLs is determined internally. If you select Determine Through Browsing Target Location, the target of the URLs is determined by browsing to the target location. |
Force | Select the Force checkbox (True, the default) to analyze the URLs even if they exactly match an analysis that has already been performed, i.e., force the analysis. In most cases, it is not necessary to reanalyze malware. If you clear the Force checkbox (False), this operation does not analyze duplicate URLs. |
The output of Submit URL contains the following populated JSON schema:
```json
{
  "id": ""
}
```
Get Submission Status takes the following input parameters:
Parameter | Description |
---|---|
Info Level | Level of information to be returned by this operation for files or URLs submitted to FireEye AX for analysis. You can choose from the following options: Normal or Extended. |
Object ID | (Optional) ID of the object that is provided by your appliance during the submission process. This key identifies the unique file or URL submitted for analysis. |
The output of Get Submission Status contains the following populated JSON schema:
```json
{
  "status": "",
  "response": []
}
```
Get Submission Result takes the following input parameters:
Parameter | Description |
---|---|
Info Level | Level of information to be returned by this operation for files or URLs submitted to FireEye AX for analysis. You can choose from the following options: Normal or Extended. |
Object ID | (Optional) ID of the object that is provided by your appliance during the submission process. This key identifies the unique file or URL submitted for analysis. |
The output of Get Submission Result contains a non-dictionary value.
Get Artifacts Metadata By UUID takes the following input parameter:
Parameter | Description |
---|---|
Alert UUID | UUID of the alert whose artifacts metadata you want to retrieve from FireEye AX. |
The output of Get Artifacts Metadata By UUID contains a non-dictionary value.
List Custom Feeds takes no input parameters.
No output schema is available for List Custom Feeds at this time.
Download a Custom IOC File Request takes the following input parameters:
Parameter | Description |
---|---|
Feed Name | Name of an existing feed whose associated custom IOC file request you want to download from FireEye AX. |
File Path | Path of the file that contains the specified feed whose associated custom IOC file request you want to download from FireEye AX. |
No output schema is available for Download a Custom IOC File Request at this time.
Delete Custom Feeds takes the following input parameter:
Parameter | Description |
---|---|
Feed Name | Name of the custom feed that you want to delete from FireEye AX. |
The output of Delete Custom Feeds contains a non-dictionary value.
Add or Update Custom Feeds takes the following input parameters:
Parameter | Description |
---|---|
Feed Name | Name of the new feed that you want to add to the FireEye AX server, or the name of an existing feed that you want to modify on the FireEye AX server. |
Feed Type | Type of the feed that you want to add or modify on the FireEye AX server. You can choose from the following feed types: IP, URL, Domain, or Hash. |
Feed Action | Type of notification that should be generated if a match is found on the FireEye AX server. |
Feed Source | Source of feed that you want to add or modify on the FireEye AX server. |
IOC Feed Data | IP addresses, URLs, domain names, or hash values (based on the Feed Type you have chosen) that you want to add to the custom feed on the FireEye AX server. Note: You can specify multiple items in this field in the .csv or list format. |
Overwrite Existing Feed | Specifies whether an existing feed should be overwritten. Leave this checkbox cleared (False) when you are creating a new feed, and select it (True) when you are updating an existing feed. |
The output of Add or Update Custom Feeds contains a non-dictionary value.
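The following Python is added here as an example and is not the connector's own code. It shows how a playbook step could turn the Get Alert Details output (the JSON schema above) into the inputs of Add or Update Custom Feeds with Feed Type Hash: it validates the md5Sum/sha256 values, reports malformed ones instead of feeding them, and assumes, because the page does not list these values, that a "malicious" value of yes/true marks an actionable alert and that "alert" is a placeholder Feed Action.

```python
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample shaped like the documented Get Alert Details output schema.
# Every value is a placeholder (the hashes are those of "" and "test"), not real data.
SAMPLE_ALERT_DETAILS = {
    "alertsCount": 2,
    "alert": [
        {
            "id": 101,
            "uuid": "00000000-0000-4000-8000-000000000101",
            "severity": "majr",
            "malicious": "yes",
            "src": {"smtpMailFrom": "sender@example.invalid"},
            "explanation": {"osChanges": [], "malwareDetected": {"malware": [
                {"name": "Generic.Downloader",
                 "md5Sum": "d41d8cd98f00b204e9800998ecf8427e",
                 "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
                {"name": "Truncated", "md5Sum": "not-a-hash", "sha256": ""},
            ]}},
        },
        {
            "id": 102,
            "uuid": "00000000-0000-4000-8000-000000000102",
            "severity": "minr",
            "malicious": "no",
            "explanation": {"malwareDetected": {"malware": [
                {"name": "Benign", "md5Sum": "098f6bcd4621d373cade4e832627b4f6", "sha256": ""},
            ]}},
        },
    ],
}


def is_actionable(alert):
    # Assumed triage rule: the page documents the 'malicious' field but not its
    # values, so treating "yes"/"true" as actionable is a guess to adjust locally.
    return str(alert.get("malicious", "")).strip().lower() in ("yes", "true")


def extract_hashes(alert_details):
    """Return (hashes, skipped): well-formed, de-duplicated MD5/SHA-256 values from
    actionable alerts, plus (alert id, field, value) triples that were malformed."""
    hashes, skipped = [], []
    for alert in alert_details.get("alert", []):
        if not is_actionable(alert):
            continue
        malware = alert.get("explanation", {}).get("malwareDetected", {}).get("malware", [])
        for entry in malware:
            for field, pattern in (("md5Sum", MD5_RE), ("sha256", SHA256_RE)):
                value = str(entry.get(field) or "").strip().lower()
                if not value:
                    continue  # absent or empty field: nothing to feed
                if pattern.match(value):
                    if value not in hashes:
                        hashes.append(value)
                else:
                    skipped.append((alert.get("id"), field, value))
    return hashes, skipped


def build_feed_request(alert_details, feed_name, feed_action="alert", overwrite=False):
    """Assemble the Add or Update Custom Feeds inputs (Feed Type: Hash, IOC Feed Data in
    .csv form). feed_action is an assumed placeholder: the page lists no Feed Action values."""
    hashes, skipped = extract_hashes(alert_details)
    request = {
        "Feed Name": feed_name,
        "Feed Type": "Hash",
        "Feed Action": feed_action,
        "Feed Source": "FortiSOAR playbook (Get Alert Details)",
        "IOC Feed Data": ",".join(hashes),
        "Overwrite Existing Feed": overwrite,
    }
    return request, skipped
```

Set overwrite to True only when the playbook is updating a feed that already exists, matching the Overwrite Existing Feed checkbox described above.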
Add YARA Rule takes the following input parameters:
Parameter | Description |
---|---|
File IRI | IRI of the YARA rule file that you want to submit to the FireEye AX server. |
File Type | File type of the YARA rules file that you are submitting to the FireEye AX server. File types can be exe, pdf, xls, or ppt. |
The output of Add YARA Rule contains a non-dictionary value.
Delete YARA Rule takes the following input parameters:
Parameter | Description |
---|---|
YARA Type | Type of the YARA file that you want to delete from the FireEye AX server. YARA types can be exe, pdf, xls, or ppt. |
YARA File Name | Name of the YARA file that you want to delete from the FireEye AX server. |
The output of Delete YARA Rule contains a non-dictionary value.
The Sample - FireEye AX - 1.0.1 playbook collection comes bundled with the FireEye AX connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FireEye AX connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.