FireEye Threat Monitoring
App Vendor: FireEye
App Category: Data Enrichment and Threat Intelligence
Connector Version: 1.0.0
API Version: V3
FireEye Threat Monitoring application collects and analyzes web content, both on the open and dark web. It primarily focuses on the sites used for communication by malicious actors. Using keyword queries (including brands, VIPs, and partner organizations), the service conducts analysis and generates threat alerts on potentially significant matches. Threat alerts are accessible through the Alerts Dashboard within the FireEye Intelligence Portal. Each alert includes alert status, source, severity attribute, in addition to valuable insights to help manage your monitored assets. The Alerts Dashboard also enables you to take specific actions, such as communicating with a FireEye analyst, on individual or multiple alerts.
The FireEye Threat Monitoring app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Search Collections | This action is used to search data in the FireEye Threat Intelligence application. |
Get Alerts | This action retrieves the list of alerts from the FireEye Threat Intelligence application. |
Get Reports | This action retrieves the list of reports from the FireEye Threat Intelligence application. |
Get Indicators | This action retrieves the list of indicators from the FireEye Threat Intelligence application. |
Configuration Parameters
The following parameters are required for the FireEye Threat Monitoring app. The parameters can be configured by creating instances in the app.
Parameters | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the API key for your FireEye Threat Monitoring app. | Text | Required | |
API Secret | Enter the API secret code for your FireEye Threat Monitoring app. | Password | Required | |
Action: Search Collections
This action is used to search data in the FireEye Threat Intelligence application.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter the search parameters as key-value pairs. | Key-Value | Optional | |
Queries | Enter the list of query objects. Each query object includes the type and query properties. For example, [ { "type": "<supported object type>", "query": "<query expression on properties>" } ] | Any | Required | |
Include Connected Objects | Specify whether to include connected objects in the search result. | Boolean | Optional | Allowed values: True, False. By default, the value is False. |
Connected Objects | Specify the list of connected objects to include in the search result. | Any | Optional | Allowed values: |
Sort By | Specify the property by which the search result is sorted. | Text | Optional | Note: The sort_by parameter is applicable only if the include_connected_objects flag is set to false. |
Sort Order | Specify the direction in which the search result is sorted. | Text | Optional | The following sorting preferences can be applied: Note: The sort_order parameter is applicable only if the include_connected_objects flag is set to false. |
Limit | Specify the maximum number of results to return. | Integer | Optional | The maximum value is 50. |
Offset | Specify the number of results to skip before results are returned. | Integer | Optional | By default, the value is 0. |
Example Request
[ { "queries": [ { "type": "threat-actor", "query": "name = 'APT27'" } ], "sort_by": "created", "sort_order": "desc", "extra_params": {}, "include_connected_objects": true } ]
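The table above states three constraints that are easy to get wrong in a playbook: Queries is the only required parameter, Limit cannot exceed 50, and Sort By / Sort Order are silently ignored once Include Connected Objects is true. The following Python helper is an added example, not code from the connector or from FireEye. It assembles one Search Collections request object, rejects values the action would refuse, and reports parameters that would be ignored. The accepted sort_order values `asc`/`desc` are an assumption (the page shows only `desc`).

```python
import json

MAX_LIMIT = 50                    # maximum documented for the Limit parameter
SORT_ORDERS = ("asc", "desc")     # assumption: the page shows only "desc"


def build_search_collections_request(queries, include_connected_objects=False,
                                     connected_objects=None, sort_by=None,
                                     sort_order=None, limit=None, offset=0,
                                     extra_params=None):
    """Assemble one Search Collections request object.

    Returns (payload, warnings): the dict to place inside the request array
    and a list of notes about parameters that were dropped because the
    action would ignore them. Raises ValueError on input the action rejects.
    """
    # Queries is the only required parameter: a non-empty list of
    # {"type": ..., "query": ...} objects.
    if not isinstance(queries, list) or not queries:
        raise ValueError("queries must be a non-empty list of query objects")
    for q in queries:
        if not isinstance(q, dict) or not q.get("type") or not q.get("query"):
            raise ValueError(f"query object needs non-empty 'type' and 'query': {q!r}")

    if limit is not None and not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if offset < 0:
        raise ValueError("offset must be 0 or greater")
    if sort_order is not None and sort_order not in SORT_ORDERS:
        raise ValueError(f"sort_order must be one of {SORT_ORDERS}")

    payload = {
        "queries": queries,
        "extra_params": dict(extra_params or {}),
        "include_connected_objects": bool(include_connected_objects),
        "offset": offset,
    }
    if limit is not None:
        payload["limit"] = limit

    warnings = []
    if include_connected_objects:
        # sort_by / sort_order only apply when include_connected_objects is
        # false, so drop them and tell the caller the result is unsorted.
        for name, value in (("sort_by", sort_by), ("sort_order", sort_order)):
            if value is not None:
                warnings.append(f"{name}={value!r} ignored: "
                                "include_connected_objects is true")
        if connected_objects:
            payload["connected_objects"] = list(connected_objects)
    else:
        if sort_by is not None:
            payload["sort_by"] = sort_by
        if sort_order is not None:
            payload["sort_order"] = sort_order
    return payload, warnings


def render_request(*objects):
    """Serialise one or more request objects as the JSON array the action expects."""
    return json.dumps(list(objects), indent=2)


if __name__ == "__main__":
    req, notes = build_search_collections_request(
        [{"type": "threat-actor", "query": "name = 'APT27'"}],
        sort_by="created", sort_order="desc", limit=MAX_LIMIT)
    print(render_request(req))
    for note in notes:
        print("warning:", note)
```

Returning the warnings instead of raising keeps the page's own example (connected objects plus a sort) valid while making the unsorted result visible in the playbook log.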
Action: Get Alerts
This action retrieves the list of alerts from the FireEye Threat Intelligence application.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter the search parameters as key-value pairs. | Key-Value | Optional | |
Added After | Specify a timestamp to only include alerts added to the collection after that time. If no added_after query parameter is provided, this action returns the oldest alerts. | Integer | Optional | |
Length | Specify the maximum number of alerts to include on a page. | Integer | Optional | |
Alert Type | Specify the alert type to filter alerts. | Text | Optional | Allowed values: |
Alert Category | Specify the alert category to filter alerts. | Text | Optional | Allowed values: |
Alert Status | Specify the alert status to filter alerts. | Text | Optional | Allowed values: |
Alert ID | Specify the Alert ID to filter alerts. This is the STIX ID of the object. | Text | Optional | |
Alert Severity | Specify the alert severity to filter alerts. | Text | Optional | |
Example Request
[ { "extra_params": {} }, { "queries": [ { "type": "threat-actor", "query": "name = 'APT27'" } ], "connected_objects": [ { "connection_type": "relationship" }, { "connection_type": "reference" } ] } ]
Action: Get Reports
This action retrieves the list of reports from the FireEye Threat Intelligence application.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter the search parameters as key-value pairs. | Key-Value | Optional | |
Added After | Specify a timestamp to only include reports added to the collection after that time. If no added_after query parameter is provided, this action returns the oldest reports. | Integer | Optional | |
Length | Specify the maximum number of reports to include on a page. | Integer | Optional | |
Report ID | Specify the Report ID to filter the Reports. This is the STIX ID of the object. | Text | Optional | |
Document ID | Specify the document ID to filter the reports. | Text | Optional | |
Status | Specify the report status to filter reports. | Text | Optional | Allowed values: |
Subscription | Specify the subscription details of the report. | Text | Optional | Allowed Values: cyber-crime, cyber-espionage, hacktivism, cyber-physical, strategic, fusion, operational, vulnerability, standard |
Report Type | Specify the type of report. | Text | Optional | |
Actor Name | Specify the threat actor name to filter reports. | Text | Optional | |
Malware Name | Specify the name of the malware to filter reports. | Text | Optional | |
Example Request
[ { "extra_params": {}, "match_status": "revoked", "subscription": "cyber-crime" } ]
Action: Get Indicators
This action retrieves the list of indicators from the FireEye Threat Intelligence application.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Added After | Specify a timestamp to only include indicators added to the collection after that time. If no added_after query parameter is provided, this action returns the oldest indicators. | Integer | Optional | |
Length | Specify the maximum number of indicators to include on a page. | Integer | Optional | |
ID | Specify the ID to filter indicators. This is the STIX ID of the object. | Text | Optional | |
Status | Specify the indicator status to filter indicators. | Text | Optional | Allowed values: |
Extra Params | Enter the search parameters as key-value pairs. | Key-Value | Optional | |
Example Request
[ { "length": 2, "extra_params": {}, "status": "revoked" } ]
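Get Alerts, Get Reports and Get Indicators all page the same way: Length caps one page, and Added After is a timestamp cursor that returns only objects added strictly after it (with no cursor, the oldest objects come first). A playbook that advances the cursor to the newest timestamp on each page can lose objects when several share that timestamp and a page boundary falls between them. The Python below is an added example, not connector or FireEye code; the response shape (a list of objects with a STIX-style `id` and an integer epoch `added` field), the in-memory `fake_fetch_page` stand-in for the action, and the `max_length` cap of 50 are all assumptions. It steps the cursor back by one second, de-duplicates by STIX ID, and widens the page when a full page yields nothing new, which is the case the naive loop drops.

```python
# Constructed sample collection (not FireEye data): STIX-style ids plus an
# integer epoch timestamp for when each object was added. Objects 2 and 3
# deliberately share a timestamp to exercise the page-boundary case.
SAMPLE_COLLECTION = [
    {"id": "indicator--00000000-0000-4000-8000-000000000001", "added": 100, "status": "active"},
    {"id": "indicator--00000000-0000-4000-8000-000000000002", "added": 200, "status": "active"},
    {"id": "indicator--00000000-0000-4000-8000-000000000003", "added": 200, "status": "revoked"},
    {"id": "indicator--00000000-0000-4000-8000-000000000004", "added": 300, "status": "active"},
    {"id": "indicator--00000000-0000-4000-8000-000000000005", "added": 400, "status": "revoked"},
]


def fake_fetch_page(added_after=None, length=2, status=None):
    """Stand-in for one Get Alerts / Reports / Indicators call (assumed
    semantics): the oldest objects added strictly after `added_after`, at
    most `length` of them, optionally filtered by status."""
    items = sorted(SAMPLE_COLLECTION, key=lambda o: (o["added"], o["id"]))
    if added_after is not None:
        items = [o for o in items if o["added"] > added_after]
    if status is not None:
        items = [o for o in items if o["status"] == status]
    return items[:length]


def paginate_collection(fetch_page, length=2, added_after=None,
                        max_length=50, **filters):
    """Yield every object reachable through an added_after cursor, without
    losing objects that share the timestamp at a page boundary."""
    seen = set()            # STIX ids already yielded
    cursor = added_after
    while True:
        page = fetch_page(added_after=cursor, length=length, **filters)
        new = [o for o in page if o["id"] not in seen]
        for obj in new:
            seen.add(obj["id"])
            yield obj
        if len(page) < length:
            return          # short page: nothing newer remains
        if not new:
            # A full page of already-seen objects means more objects share
            # the boundary timestamp than fit in one page; widen the page
            # (assumed cap) instead of spinning forever.
            if length >= max_length:
                raise RuntimeError(
                    f"more than {max_length} objects share timestamp {cursor + 1}")
            length = min(length * 2, max_length)
            continue
        # Step back one second so objects that share the newest timestamp
        # but fell past this page are re-fetched (and de-duplicated).
        cursor = max(o["added"] for o in page) - 1


def collect(fetch_page, **kwargs):
    """Drain the generator into a list, in collection order."""
    return list(paginate_collection(fetch_page, **kwargs))


if __name__ == "__main__":
    for obj in collect(fake_fetch_page, length=2):
        print(obj["added"], obj["id"], obj["status"])
    print("revoked only:", [o["id"][-1] for o in collect(fake_fetch_page, length=2, status="revoked")])
```

With a page length of 2 the naive cursor (newest timestamp, no step back) would return objects 1, 2, 4 and 5 and skip object 3; the loop above returns all five, and the same generator serves the three Get actions because it only depends on the cursor, the page length and the id field.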