
Cyware Orchestrate

FireEye Threat Monitoring

App Vendor: FireEye

App Category: Data Enrichment and Threat Intelligence

Connector Version: 1.0.0

API Version: V3

The FireEye Threat Monitoring application collects and analyzes web content on both the open and dark web, focusing on the sites that malicious actors use to communicate. Using keyword queries (including brands, VIPs, and partner organizations), the service analyzes the collected content and generates threat alerts on potentially significant matches. Threat alerts are accessible through the Alerts Dashboard in the FireEye Intelligence Portal. Each alert includes its status, source, and severity, along with insights to help you manage your monitored assets. From the Alerts Dashboard you can also take actions on individual or multiple alerts, such as communicating with a FireEye analyst.

The FireEye Threat Monitoring app is configured with the Orchestrate application to perform the following actions:

| Action Name | Description |
|---|---|
| Search Collections | This action is used to search data in the FireEye Threat Intelligence application. |
| Get Alerts | This action retrieves the list of alerts from the FireEye Threat Intelligence application. |
| Get Reports | This action retrieves the list of reports from the FireEye Threat Intelligence application. |
| Get Indicators | This action retrieves the list of indicators from the FireEye Threat Intelligence application. |

Configuration Parameters

The following parameters are required for the FireEye Threat Monitoring app. The parameters can be configured by creating instances in the app.

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| API Key | Enter the API key for your FireEye Threat Monitoring app. | Text | Required | |
| API Secret | Enter the API secret for your FireEye Threat Monitoring app. | Password | Required | |

Action: Search Collections

This action is used to search data in the FireEye Threat Intelligence application.

Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Extra Params | Enter additional search parameters as key-value pairs. | Key-Value | Optional | |
| Queries | Enter the list of query objects. Each query object has a type and a query property, for example: [{ "type": "<supported object type>", "query": "<query expression on properties>" }] | Any | Required | |
| Include Connected Objects | Specify whether to include connected objects in the search result. | Boolean | Optional | Allowed values: True, False. Default: False. |
| Connected Objects | Specify the list of connected-object filters to include in the search result. | Any | Optional | Each filter object may use the keys connection_type, connected_type, object_type, property, and relationship_type. |
| Sort By | Specify the property to sort the search result by. | Text | Optional | Applies only when Include Connected Objects is False. |
| Sort Order | Specify the direction of the sort. | Text | Optional | Allowed values: asc, desc. Applies only when Include Connected Objects is False. |
| Limit | Specify the maximum number of results to return. | Integer | Optional | Maximum value is 50. |
| Offset | Specify the number of results to skip before the first returned result. | Integer | Optional | Default: 0. |

Example Request
[
    {
        "queries": [
            {
                "type": "threat-actor",
                "query": "name = 'APT27'"
            }
        ],
        "sort_by": "created",
        "sort_order": "desc",
        "extra_params": {},
        "include_connected_objects": false
    }
]

Example Request (with connected objects; sort_by and sort_order do not apply)
[
    {
        "queries": [
            {
                "type": "threat-actor",
                "query": "name = 'APT27'"
            }
        ],
        "include_connected_objects": true,
        "connected_objects": [
            {
                "connection_type": "relationship"
            },
            {
                "connection_type": "reference"
            }
        ]
    }
]
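The Search Collections constraints above interact: sorting applies only when connected objects are not requested, the limit is capped at 50, and connected-object filters accept a fixed set of keys. A payload that breaks one of these rules fails only when the action reaches the API. The following Python helper is an added example, not part of the connector or of FireEye's code. It builds the request body in the shape of the examples on this page and rejects inputs that violate the documented rules before the action runs. The function name and the decision to raise an error, rather than silently drop a sort that cannot apply, are this example's own assumptions.

```python
"""Build and validate a Search Collections request body for the FireEye Threat
Monitoring connector, enforcing the constraints stated in the action documentation.
Added example; not connector code. build_search_request is a name chosen here."""
from __future__ import annotations

from typing import Any

# Constraints taken from the parameter table.
MAX_LIMIT = 50
SORT_ORDERS = {"asc", "desc"}
CONNECTED_OBJECT_KEYS = {
    "connection_type", "connected_type", "object_type", "property", "relationship_type",
}


def build_search_request(
    queries: list[dict[str, str]],
    *,
    connected_objects: list[dict[str, str]] | None = None,
    sort_by: str | None = None,
    sort_order: str | None = None,
    limit: int | None = None,
    offset: int = 0,
    extra_params: dict[str, Any] | None = None,
) -> list[dict[str, Any]]:
    """Return the request body as a one-element list, matching the page's examples.

    Raises ValueError for anything the documented constraints reject, so a bad
    payload fails inside the playbook instead of as an opaque API error.
    """
    if not queries:
        raise ValueError("queries is required and must contain at least one query object")
    for q in queries:
        # Each query object carries exactly the 'type' and 'query' properties.
        if set(q) != {"type", "query"} or not all(isinstance(v, str) and v for v in q.values()):
            raise ValueError(f"malformed query object: {q!r}")

    body: dict[str, Any] = {"queries": queries, "extra_params": extra_params or {}}

    include_connected = bool(connected_objects)
    body["include_connected_objects"] = include_connected
    if include_connected:
        for co in connected_objects:
            unknown = set(co) - CONNECTED_OBJECT_KEYS
            if unknown:
                raise ValueError(f"unsupported connected-object keys: {sorted(unknown)}")
        body["connected_objects"] = connected_objects
        # sort_by / sort_order apply only when connected objects are NOT included;
        # refuse the combination instead of letting the sort be ignored silently.
        if sort_by is not None or sort_order is not None:
            raise ValueError("sort_by/sort_order cannot be combined with connected objects")
    else:
        if sort_by is not None:
            body["sort_by"] = sort_by
        if sort_order is not None:
            if sort_order not in SORT_ORDERS:
                raise ValueError(f"sort_order must be one of {sorted(SORT_ORDERS)}")
            body["sort_order"] = sort_order

    if limit is not None:
        # The page caps limit at 50; a non-positive limit is meaningless.
        if not 1 <= limit <= MAX_LIMIT:
            raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
        body["limit"] = limit
    if offset < 0:
        raise ValueError("offset must be >= 0")
    if offset:
        body["offset"] = offset  # default 0 is left implicit

    return [body]


if __name__ == "__main__":
    import json

    print(json.dumps(build_search_request(
        [{"type": "threat-actor", "query": "name = 'APT27'"}],
        sort_by="created", sort_order="desc", limit=50), indent=4))
```

Run it as a script to print the same sorted request shown in the first example above; pass connected_objects instead of sort parameters to produce the second.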
Action: Get Alerts

This action retrieves the list of alerts from the FireEye Threat Intelligence application.

Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Extra Params | Enter additional search parameters as key-value pairs. | Key-Value | Optional | |
| Added After | Only include alerts added to the collection after the specified timestamp. If no added_after value is provided, the action returns the oldest objects. | Integer | Optional | |
| Length | Specify the maximum number of objects to include on a page. | Integer | Optional | |
| Alert Type | Specify the alert type to filter the alerts. | Text | Optional | Allowed values: forum_post, tweet, web_content_publish, paste, email_analysis, domain_discovery, document_analysis |
| Alert Category | Specify the category to filter the alerts. | Text | Optional | Allowed values: social-media, forums, documents, malware-repository, network-indicators, web-content, paste-sites |
| Alert Status | Specify the status to filter the alerts. | Text | Optional | Allowed values: new, new_requested, investigated, under_investigation, closed, closed_investigated |
| Alert ID | Specify the alert ID to filter the alerts. This is the STIX ID of the object. | Text | Optional | |
| Alert Severity | Specify the severity to filter the alerts. | Text | Optional | |

Example Request
[
    {
        "extra_params": {}
    }
]
Action: Get Reports

This action retrieves the list of reports from the FireEye Threat Intelligence application.

Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Extra Params | Enter additional search parameters as key-value pairs. | Key-Value | Optional | |
| Added After | Only include reports added to the collection after the specified timestamp. If no added_after value is provided, the action returns the oldest reports. | Integer | Optional | |
| Length | Specify the maximum number of reports to include on a page. | Integer | Optional | |
| Report ID | Specify the report ID to filter the reports. This is the STIX ID of the object. | Text | Optional | |
| Document ID | Specify the document ID to filter the reports. | Text | Optional | |
| Status | Specify the report status to filter the reports. | Text | Optional | Allowed values: active, revoked |
| Subscription | Specify the subscription to filter the reports. | Text | Optional | Allowed values: cyber-crime, cyber-espionage, hacktivism, cyber-physical, strategic, fusion, operational, vulnerability, standard |
| Report Type | Specify the type of report to filter the reports. | Text | Optional | |
| Actor Name | Specify the threat actor name to filter the reports. | Text | Optional | |
| Malware Name | Specify the malware name to filter the reports. | Text | Optional | |

Example Request
[
    {
        "extra_params": {},
        "match_status": "revoked",
        "subscription": "cyber-crime"
    }
]
Action: Get Indicators

This action retrieves the list of indicators from the FireEye Threat Intelligence application.

Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Added After | Only include indicators added to the collection after the specified timestamp. If no added_after value is provided, the action returns the oldest indicators. | Integer | Optional | |
| Length | Specify the maximum number of indicators to include on a page. | Integer | Optional | |
| ID | Specify the indicator ID to filter the indicators. This is the STIX ID of the object. | Text | Optional | |
| Status | Specify the indicator status to filter the indicators. | Text | Optional | Allowed values: active, revoked |
| Extra Params | Enter additional search parameters as key-value pairs. | Key-Value | Optional | |

Example Request
[
    {
        "length": 2,
        "extra_params": {},
        "status": "revoked"
    }
]
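Get Alerts, Get Reports and Get Indicators all page the same way: an added_after timestamp plus a length per page. The detail a practitioner has to get right is that added_after is strictly "after", so when several objects share the timestamp at a page boundary, moving the cursor to the newest timestamp seen skips the siblings that did not fit on the page. The Python below is an added example, not connector code: fake_get_indicators and SAMPLE_COLLECTION are constructed stand-ins for the action and for the collection (the real action is invoked through Orchestrate), and the "added" field on returned objects is an assumption made for the example. It contrasts the naive cursor with one that re-fetches inclusively and de-duplicates by STIX id, which is what the ID filters on this page key on.

```python
"""Paging a FireEye collection action (Get Alerts / Get Reports / Get Indicators)
with added_after + length. Added example, not connector code: the fetch function
and the collection below are constructed stand-ins for the Orchestrate action."""
from __future__ import annotations

from typing import Callable, Iterator

# Constructed sample collection. Objects 0003 and 0004 share an 'added' timestamp
# so that a page boundary can fall inside a same-timestamp group. The 'added'
# field name is an assumption of this example.
SAMPLE_COLLECTION = [
    {"id": "indicator--0001", "added": 1700000100, "status": "active"},
    {"id": "indicator--0002", "added": 1700000200, "status": "revoked"},
    {"id": "indicator--0003", "added": 1700000300, "status": "active"},
    {"id": "indicator--0004", "added": 1700000300, "status": "active"},
    {"id": "indicator--0005", "added": 1700000400, "status": "active"},
]

FetchFn = Callable[..., list[dict]]


def fake_get_indicators(added_after, length, status=None):
    """Stand-in for the Get Indicators action as documented: objects added strictly
    after `added_after` (oldest first; all objects when added_after is omitted),
    at most `length` per page, optionally filtered by status (active / revoked)."""
    objs = [o for o in SAMPLE_COLLECTION if added_after is None or o["added"] > added_after]
    if status is not None:
        objs = [o for o in objs if o["status"] == status]
    return sorted(objs, key=lambda o: o["added"])[:length]


def naive_iter(fetch: FetchFn, length: int, status: str | None = None) -> Iterator[dict]:
    """Cursor = newest timestamp on the page. Loses siblings that share that timestamp
    but did not fit on the page, because the next request asks for strictly newer objects."""
    added_after = None
    while True:
        page = fetch(added_after, length, status)
        if not page:
            return
        yield from page
        if len(page) < length:
            return
        added_after = max(o["added"] for o in page)


def iter_collection(fetch: FetchFn, length: int, status: str | None = None,
                    max_length: int = 100) -> Iterator[dict]:
    """Re-fetch inclusively from the newest timestamp (added_after = newest - 1, valid
    because the timestamp is an integer) and de-duplicate by STIX id. If a full page
    yields nothing new, more than `length` objects share the timestamp at the cursor,
    so widen the page instead of advancing past them."""
    seen: set[str] = set()
    added_after = None
    page_len = length
    while True:
        page = fetch(added_after, page_len, status)
        if not page:
            return
        new = [o for o in page if o["id"] not in seen]
        for obj in new:
            seen.add(obj["id"])
            yield obj
        if len(page) < page_len:
            return  # short page: end of the collection
        if not new:
            if page_len >= max_length:
                raise RuntimeError(f"more than {max_length} objects share one timestamp; cannot page safely")
            page_len = min(page_len * 2, max_length)
            continue
        added_after = max(o["added"] for o in page) - 1


def collect_ids(iterator: Iterator[dict]) -> list[str]:
    """Drain an iterator of objects into the list of their STIX ids."""
    return [o["id"] for o in iterator]


if __name__ == "__main__":
    print("naive, length=1 :", collect_ids(naive_iter(fake_get_indicators, 1)))
    print("robust, length=1:", collect_ids(iter_collection(fake_get_indicators, 1)))
```

With a page length of 1 the naive loop returns four ids and never sees indicator--0004; the inclusive re-fetch returns all five in order, at the cost of one duplicate fetch per page that the id set discards. The same loop serves Get Alerts and Get Reports by swapping in their fetch function; the page sizes and timestamps in the collection are constructed for the demonstration.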