FireEye Email Security helps organizations minimize the risk of costly breaches. Email Security (EX Series) on-premises appliances accurately detect and can immediately stop advanced and targeted attacks, including spear-phishing and ransomware, before they enter your environment. Email Security uses the signatureless Multi-Vector Virtual Execution™ (MVX) engine to analyze email attachments and URLs against a comprehensive cross-matrix of operating systems, applications, and web browsers. Threats are identified with minimal noise, and false positives are nearly nonexistent.
This document provides information about the FireEye EX connector, which facilitates automated interactions with a FireEye EX server using FortiSOAR™ playbooks. Add the FireEye EX connector as a step in FortiSOAR™ playbooks and perform automated operations, such as searching and retrieving information about domains, IP addresses, or name servers that you have specified.
Connector Version: 1.1.0
Authored By: Fortinet.
Certified: No
The following enhancements have been made to the FireEye EX Connector in version 1.1.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-fireeye-ex
In FortiSOAR™, on the Connectors page, click the FireEye EX connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Hostname | FQDN or IP address of the FireEye CMS server (through which you connect to the FireEye EX server) to which you will connect and perform the automated operations. |
Username | Username to access the FireEye EX server to which you will connect and perform the automated operations. |
Password | Password to access the FireEye EX server to which you will connect and perform the automated operations. |
API Version | Version of the API to be used for performing automated operations. For FireEye EX connector 1.1.0, the API version is set as v2.0.0. Therefore, currently, this is a read-only field, set as v2.0.0. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
Note: To use the FireEye EX connector you must create a user with the API Analyst role. Then you must enable wsapi from the command line as follows:
# enable
# configure terminal
# wsapi ?
# wsapi enable
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Config | Retrieves a list of all guest image profiles and application details that are available on FireEye EX. | get_config Investigation |
Get Alerts | Retrieves information of all existing alerts or specific existing alerts from FireEye EX based on alert ID, URL of the alert, and other input parameters you have specified. | get_alerts Investigation |
Get Alert Details | Retrieves details of a single alert from FireEye EX based on the alert ID you have specified. | get_alert_details Investigation |
Get Alert Related IOC | Retrieves the IOC in the XML or JSON format that is related to a specific alert from FireEye EX based on alert ID or UUID you have specified. | get_alert_ioc Investigation |
Get Artifacts Metadata By UUID | Retrieves metadata for artifacts from FireEye EX based on the alert UUID you have specified. | get_artifacts_metadata_by_uuid Investigation |
Add Custom Feed | Adds a custom feed to the FireEye EX server, based on the input parameters you have specified. | add_feed Containment |
Delete Custom Feed | Deletes a custom feed from the FireEye EX server, based on the feed name you have specified. | delete_feed Remediation |
Get Custom Feed | Retrieves a list of existing custom IOC feeds from the FireEye EX server. | get_feeds Investigation |
Add YARA Rule | Adds a YARA rule to the FireEye EX server based on the file IRI, file type, and other input parameters you have specified. | add_yara_rule Containment |
List YARA Rule | Retrieves a list of all YARA rules from the FireEye EX server based on the YARA type and other input parameters you have specified. | list_yara_rule Investigation |
Download YARA Rule | Downloads a YARA rule file from the FireEye EX server based on the YARA file name, YARA type, and other input parameters you have specified. | download_yara_rule Miscellaneous |
Delete YARA Rule | Deletes a YARA rule file from the FireEye EX server based on the YARA file name, YARA type, and other input parameters you have specified. | delete_yara_rule Miscellaneous |
List Quarantined Emails | Retrieves a list of all quarantined emails or specific quarantined emails from FireEye EX based on the input parameters you have specified. | list_quarantined_emails Investigation |
Download Quarantined Email | Downloads specific quarantined emails from FireEye EX based on the queue ID and other input parameters you have specified. | download_quarantined_email Investigation |
Release Quarantined Emails | Releases and deletes specific quarantined emails from FireEye EX based on the queue ID you have specified. | release_quarantined_emails Investigation |
Delete Quarantined Emails | Deletes specific quarantined emails from FireEye EX based on the queue ID you have specified. | delete_quarantined_emails Investigation |
Input parameters for the Get Config operation: None.
The output contains the following populated JSON schema:
{
  "ns2:sysconfig": {
    "@sensor_name": "",
    "sensors": {
      "sensor": [
        {
          "features": {
            "feature": {
              "@name": "",
              "@enabled": ""
            }
          },
          "profiles": {
            "profile": [
              {
                "@name": "",
                "applications": {
                  "application": [
                    {
                      "@name": "",
                      "@id": ""
                    }
                  ]
                },
                "@id": ""
              }
            ]
          },
          "@address": "",
          "@id": ""
        }
      ]
    },
    "osdetails": {
      "osdetail": {
        "composite": "",
        "product": "",
        "release": ""
      }
    }
  }
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Alert ID | ID of the alert whose information you want to retrieve from FireEye EX. |
Information Level | Level of information to be retrieved for alerts from FireEye EX. You can choose from the following options: Concise (default), Normal, or Extended. |
Alert URL | URL of the alert for which you want to search and retrieve information from FireEye EX. |
File Name | Name of the malware file for which you want to search and retrieve information from FireEye EX. |
File Type | Type of the malware file for which you want to search and retrieve information from FireEye EX. |
Malware Name | Name of the malware object for which you want to search and retrieve information from FireEye EX. |
Malware Type | Type of malware object for which you want to search and retrieve information from FireEye EX. For example, domain_match, malware_callback, malware_object, web_infection, infection_match, etc. |
Start Time | DateTime from which you want to retrieve alerts from FireEye EX. |
End Time | DateTime until which you want to retrieve alerts from FireEye EX. |
The output contains the following populated JSON schema:
{
  "alertsCount": "",
  "version": "",
  "msg": "",
  "alert": [
    {
      "applianceId": "",
      "id": "",
      "action": "",
      "vlan": "",
      "name": "",
      "ack": "",
      "smtpMessage": {
        "subject": ""
      },
      "occurred": "",
      "scVersion": "",
      "severity": "",
      "product": "",
      "uuid": "",
      "explanation": {
        "malwareDetected": {
          "malware": [
            {
              "md5Sum": "",
              "name": "",
              "sha256": ""
            }
          ]
        },
        "osChanges": []
      },
      "malicious": "",
      "src": {
        "smtpMailFrom": ""
      },
      "dst": {
        "smtpTo": ""
      },
      "rootInfection": "",
      "sensorIp": "",
      "sensor": "",
      "alertUrl": ""
    }
  ],
  "appliance": ""
}
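As an added example (not from the connector documentation or Fortinet), the following Python flattens a Get Alerts response of the shape shown above into the fields a playbook typically acts on, and collects the SHA-256 values only from alerts the appliance flagged as malicious. The sample response is constructed, and the assumption that `malicious` is reported as "yes"/"no" is mine; the schema shows only the key.

```python
"""Triage helper over the Get Alerts output described above (added example,
not part of the connector documentation). It assumes the response is the
parsed dict shaped like the schema above and that 'malicious' is reported as
the string "yes"/"no" (the schema shows the key, not its values)."""
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Constructed sample following the Get Alerts schema; every value is made up
# (the hashes are those of an empty input, used only as placeholders).
SAMPLE_GET_ALERTS: Dict[str, Any] = {
    "alertsCount": 2,
    "appliance": "CMS",
    "alert": [
        {
            "id": 1001,
            "name": "MALWARE_OBJECT",
            "severity": "major",
            "smtpMessage": {"subject": "Invoice attached"},
            "explanation": {
                "malwareDetected": {
                    "malware": [
                        {"md5Sum": "d41d8cd98f00b204e9800998ecf8427e",
                         "name": "Trojan.Generic",
                         "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
                    ]
                },
                "osChanges": [],
            },
            "malicious": "yes",
            "src": {"smtpMailFrom": "sender@example.invalid"},
            "dst": {"smtpTo": "victim@example.invalid"},
        },
        {
            # Deliberately sparse entry with no malware section; parsing must tolerate it.
            "id": 1002,
            "name": "DOMAIN_MATCH",
            "severity": "minor",
            "malicious": "no",
            "smtpMessage": {"subject": "Newsletter"},
            "src": {"smtpMailFrom": "news@example.invalid"},
            "dst": {"smtpTo": "user@example.invalid"},
            "explanation": {"osChanges": []},
        },
    ],
}

@dataclass
class AlertTriage:
    alert_id: str
    name: str
    severity: str
    malicious: bool
    sender: str
    recipient: str
    subject: str
    md5s: List[str] = field(default_factory=list)
    sha256s: List[str] = field(default_factory=list)

def _as_list(value: Any) -> List[Any]:
    """Wrap a lone dict in a list (defensive: a single result may not be wrapped)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _malware_entries(alert: Dict[str, Any]) -> List[Dict[str, Any]]:
    detected = (alert.get("explanation") or {}).get("malwareDetected") or {}
    return _as_list(detected.get("malware"))

def triage_alert(alert: Dict[str, Any]) -> AlertTriage:
    """Flatten one alert into the fields an analyst acts on first."""
    malware = _malware_entries(alert)
    return AlertTriage(
        alert_id=str(alert.get("id", "")),
        name=str(alert.get("name", "")),
        severity=str(alert.get("severity", "")),
        malicious=str(alert.get("malicious", "")).strip().lower() in ("yes", "true"),
        sender=str((alert.get("src") or {}).get("smtpMailFrom", "")),
        recipient=str((alert.get("dst") or {}).get("smtpTo", "")),
        subject=str((alert.get("smtpMessage") or {}).get("subject", "")),
        md5s=[m["md5Sum"] for m in malware if m.get("md5Sum")],
        sha256s=[m["sha256"] for m in malware if m.get("sha256")],
    )

def triage_alerts(response: Dict[str, Any]) -> List[AlertTriage]:
    """Triage every entry of the alert[] array of a Get Alerts response."""
    return [triage_alert(a) for a in _as_list(response.get("alert"))]

def malicious_sha256s(response: Dict[str, Any]) -> List[str]:
    """Deduplicated SHA-256 values from alerts flagged malicious; benign alerts
    are skipped so a downstream blocking step never sees their hashes."""
    out: List[str] = []
    for t in triage_alerts(response):
        for h in (t.sha256s if t.malicious else []):
            if h not in out:
                out.append(h)
    return out
```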
Parameter | Description |
---|---|
Alert ID | ID of the alert whose information you want to retrieve from FireEye EX. |
The output contains the following populated JSON schema:
{
  "alertsCount": "",
  "appliance": "",
  "msg": "",
  "alert": [
    {
      "name": "",
      "explanation": {
        "malwareDetected": {
          "malware": [
            {
              "md5Sum": "",
              "name": "",
              "sha256": ""
            }
          ]
        },
        "osChanges": []
      },
      "action": "",
      "vlan": "",
      "alertUrl": "",
      "applianceId": "",
      "rootInfection": "",
      "occurred": "",
      "scVersion": "",
      "product": "",
      "severity": "",
      "id": "",
      "uuid": "",
      "smtpMessage": {
        "subject": ""
      },
      "malicious": "",
      "src": {
        "smtpMailFrom": ""
      },
      "dst": {
        "smtpTo": ""
      },
      "sensorIp": "",
      "sensor": "",
      "ack": ""
    }
  ],
  "version": ""
}
Parameter | Description |
---|---|
Filter by | Select whether you want to filter the IOC by Alert ID or Alert UUID. |
Response Format | Select the format in which you want the response data to be returned. You can choose between XML or JSON. |
The output contains the following populated JSON schema:
{
  "OpenIOC": {
    "@published-date": "",
    "@xmlns": "",
    "@id": "",
    "metadata": {
      "short_description": "",
      "authored_by": "",
      "links": {
        "link": [
          {
            "@rel": "",
            "@href": "",
            "#text": ""
          }
        ]
      },
      "description": "",
      "authored_date": ""
    },
    "criteria": {
      "Indicator": {
        "IndicatorItem": [
          {
            "@preserve-case": "",
            "Context": {
              "@document": "",
              "@search": "",
              "@type": ""
            },
            "@condition": "",
            "Content": {
              "@type": "",
              "#text": ""
            },
            "@id": "",
            "@negate": ""
          }
        ],
        "@operator": "",
        "@id": ""
      }
    },
    "@last-modified": ""
  }
}
Parameter | Description |
---|---|
Alert UUID | UUID of the alert whose artifacts metadata you want to retrieve from FireEye EX. |
The output contains the following populated JSON schema:
{
  "artifactsInfoList": [
    {
      "artifactType": "",
      "artifactName": "",
      "artifactSize": ""
    }
  ]
}
Parameter | Description |
---|---|
Feed Name | Name of the new feed or name of an existing feed that you want to modify or add to the FireEye EX server. |
Feed Type | Type of the feed that you want to add to the FireEye EX server. Currently, only the IP feed type is supported. Future versions of this connector could support feed types such as URL, Domain, or Hash. |
Feed Action | Type of notification that will be received if a match is found. For example, Alert. If you set Alert in this field, an alert notification is generated. |
Feed Source | Source of the feed. |
IOC Feed Data (CSV or List Format) | Actual IP address, URL, Domain name or Hash value that needs to be blocked on the FireEye EX server. You can add multiple IP addresses, URLs, Domain names or Hash values in this field using the CSV or list format. For example, you can add a list of URLs as abc.com, xyz.com, def.com. |
Overwrite Existing Feed | Select this option, i.e., set this option to true, if you are updating an existing feed on the FireEye EX server. Clear this option, i.e., set this option to false, if you are adding a new feed to the FireEye EX server. |
The JSON output contains the status of the add custom feed operation. The JSON output returns a Success message if the custom feed is successfully added or updated (in the case of an existing feed) on the FireEye EX server, or an Error message containing the reason for failure.
The output contains the following populated JSON schema:
{
  "message": ""
}
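As an added example (not the connector's own code), the following Python normalizes the IOC Feed Data value, in either CSV or list form, into a de-duplicated list of IP addresses before it is handed to Add Custom Feed, since only the IP feed type is supported in this version; anything that is not a single IP address is reported rather than uploaded. The dict key names in `build_feed_request` are illustrative assumptions, not the connector's parameter names.

```python
"""Normalizer for the IOC Feed Data input of the Add Custom Feed operation
(added example, not part of the connector or its documentation). It assumes
the data arrives either as a CSV string or as a list, as the parameter
description allows, and that only the IP feed type is supported in this
connector version. The key names in build_feed_request are illustrative,
not the connector's actual parameter names."""
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

FeedData = Union[str, Iterable[str]]

def split_feed_data(data: FeedData) -> List[str]:
    """Turn the CSV-or-list input into stripped, non-empty tokens."""
    if isinstance(data, str):
        # CSV form; newline-separated pastes are tolerated as well.
        tokens = data.replace("\n", ",").split(",")
    else:
        tokens = [str(item) for item in data]
    return [t.strip() for t in tokens if t and t.strip()]

def validate_ip_feed(data: FeedData) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted, rejected): canonical, de-duplicated IP addresses and
    the tokens dropped, each paired with the reason.

    Only single IPv4/IPv6 addresses pass, because the documented feed type is
    IP; a URL, domain or hash that slipped into the field is reported rather
    than silently uploaded. Loopback, unspecified, multicast and link-local
    addresses are also rejected as a sanity check (assumption: such entries
    in a blocking feed are almost always extraction mistakes upstream).
    """
    accepted: List[str] = []
    seen = set()
    rejected: List[Tuple[str, str]] = []
    for token in split_feed_data(data):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            reason = ("CIDR range, not a single IP address" if "/" in token
                      else "not an IP address; URL/Domain/Hash feeds are not supported here")
            rejected.append((token, reason))
            continue
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast or ip.is_link_local:
            rejected.append((token, "loopback, unspecified, multicast or link-local address"))
            continue
        canonical = str(ip)  # collapses an expanded IPv6 address to its short form
        if canonical not in seen:
            seen.add(canonical)
            accepted.append(canonical)
    return accepted, rejected

def build_feed_request(feed_name: str, data: FeedData, feed_source: str = "FortiSOAR",
                       overwrite: bool = False) -> Dict[str, object]:
    """Assemble the Add Custom Feed inputs; refuse to build a request with no valid IPs."""
    ips, rejected = validate_ip_feed(data)
    if not ips:
        raise ValueError(f"no valid IP addresses in feed data; rejected: {rejected}")
    return {
        "feed_name": feed_name,                # illustrative key names (assumption)
        "feed_type": "IP",                     # only feed type supported by connector 1.1.0
        "feed_action": "Alert",                # per the table: Alert raises an alert notification
        "feed_source": feed_source,
        "ioc_feed_data": ",".join(ips),        # CSV form, as the parameter accepts
        "overwrite_existing_feed": overwrite,  # true only when updating an existing feed
    }
```

Call `validate_ip_feed` first in a playbook step and log the rejected tokens, so an analyst can see which indicators were dropped and why before the feed is written.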
Parameter | Description |
---|---|
Feed Name | Name of the custom feed that you want to delete from the FireEye EX server. |
The JSON output contains the status of the delete custom feed operation. The JSON output returns a Success message if the custom feed is successfully deleted from the FireEye EX server, or an Error message containing the reason for failure.
The output contains the following populated JSON schema:
{
  "message": ""
}
Input parameters for the Get Custom Feed operation: None.
The JSON output contains a list of existing custom IOC feeds from the FireEye EX server.
The output contains the following populated JSON schema:
{
  "customFeedInfo": [
    {
      "feedType": "",
      "feedAction": "",
      "status": "",
      "feedSource": "",
      "contentMeta": [],
      "feedName": "",
      "uploadDate": ""
    }
  ]
}
Parameter | Description |
---|---|
File IRI | IRI of the file that you want to submit as a YARA rule to the FireEye EX server. |
File Type | File type of the YARA rule file that you are submitting to the FireEye EX server. Supported file types are .exe, .pdf, .xls, or .ppt. |
Target Type | Select the content type to which you want to apply the new YARA rule. You can choose from the following options: Active Content, Base (Default), or All. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
YARA Type | Type of the YARA file whose associated list of YARA rules you want to retrieve from the FireEye EX server. Supported YARA types are .exe, .pdf, .xls, or .ppt. |
Sensor Name | (Optional) Name of the sensor based on which you want to retrieve the list of YARA rules from the FireEye EX server. This parameter is required for Central Management. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
YARA Type | Type of the YARA file that you want to download from the FireEye EX server. Supported YARA types are .exe, .pdf, .xls, or .ppt. |
YARA File Name | Name of the YARA file that you want to download from the FireEye EX server. |
Sensor Name | (Optional) Name of the sensor whose associated YARA rule you want to download from the FireEye EX server. This parameter is required for Central Management. |
The output contains the following populated JSON schema:
{
  "file_iri": "",
  "attachments_iri": ""
}
Parameter | Description |
---|---|
YARA Type | Type of the YARA file that you want to delete from the FireEye EX server. Supported YARA types are .exe, .pdf, .xls, or .ppt. |
YARA File Name | Name of the YARA file that you want to delete from the FireEye EX server. |
Target Type | Select the content type from which you want to remove the YARA rule. You can choose from the following options: Active Content, Base (Default), or All. |
The output contains a non-dictionary value.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Filter by Time | Select this checkbox if you want to retrieve quarantined emails from FireEye EX based on time. If you select this checkbox, i.e., set it as true, then you must specify the following parameters: |
From | Sender of the email whose associated quarantined emails you want to retrieve from FireEye EX. |
Subject | Subject of the email based on which you want to retrieve quarantined emails from FireEye EX. |
Limit | Maximum number of records, based on your filter criterion, that you want to include in the output of this operation. By default, it is set as 10000. |
The output contains the following populated JSON schema:
{
  "email_uuid": "",
  "queue_id": "",
  "quarantine_path": "",
  "completed_at": "",
  "subject": "",
  "message_id": "",
  "appliance_id": "",
  "from": ""
}
Parameter | Description |
---|---|
Queue ID | Queue ID of the quarantined emails that you want to download from FireEye EX. |
Sensor Name | (Optional) Display name of the sensor whose associated quarantined emails you want to download from FireEye EX. |
The output contains the following populated JSON schema:
{
  "file_iri": "",
  "attachments_iri": ""
}
Parameter | Description |
---|---|
Queue IDs | List of queue IDs whose associated quarantined emails you want to release from FireEye EX. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Queue IDs | List of queue IDs whose associated quarantined emails you want to delete from FireEye EX. |
The output contains a non-dictionary value.
The Sample - FireEye-EX - 1.1.0 playbook collection comes bundled with the FireEye EX connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FireEye EX connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.