FireEye Email Security (EX)
App Vendor: FireEye
App Category: Forensics & Malware Analysis
Connector Version: 1.0.0
API Version: 1.1.0
About App
FireEye EX is a secure email gateway whose detection engines inspect suspicious email traffic to identify attacks that evade traditional signature- and policy-based defenses. The FireEye EX app allows security teams to integrate with the FireEye Email Security (EX Series) appliance. This helps security analysts analyze emails through the related actions and quarantine spear-phishing emails used in advanced targeted attacks.
The FireEye Email Security (EX) app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Fetch Alert Acknowledgement | This action retrieves acknowledgement of an alert. |
Fetch Alert Details | This action retrieves details of an alert using the alert ID. |
Fetch Alerts | This action retrieves the alert details. |
Fetch Malware Artifact data by UUID | This action retrieves malware artifact data by UUID. |
Fetch Malware Artifacts by Alert ID | This action retrieves malware artifacts by using alert ID. |
Fetch Reports | This action retrieves the reports. |
Fetch System Appliance Configuration | This action retrieves the configuration of the system appliance. |
Fetch Yara Rule Lists | This action retrieves a list of Yara rules. |
Configuration Parameters
The following configuration parameters are required for the FireEye Email Security (EX) app to communicate with the FireEye Email Security (EX) enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL. Example: "https://api.fireeyesampledomain.com/token" | Text | Required | |
Username | Enter the username to access the FireEye EX endpoints. | Text | Required | |
Password | Enter the password to access the FireEye EX endpoints. | Password | Required | |
Client Token | Enter the client token to access the FireEye EX endpoints. | Password | Required | |
Port | Enter the port number to access the FireEye EX endpoints. | Text | Required | |
SSL verification | Optional preference to either verify or skip the SSL certificate verification. | Text | Optional | Default value: False, i.e. certificate verification is skipped. Enable it for production instances: with verification disabled, the username, password and client token are sent to whatever host answers at the base URL. |
Action: Fetch Alert Acknowledgement
This action retrieves acknowledgement for the alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. Example: "76345119800" | Text | Required | |
Annotation | Enter the annotation. Example "discovered by john doe" | Text | Required | |
Alert type | Enter the alert type. Example: "malware object" | Text | Required | |
Example Request
[ { "alert_id":"76345119800", "annotation":"Discovered by John Doe", "alert_type":"Malware Object" } ]
Action: Fetch Alert Details
This action retrieves details of an alert using the alert ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to fetch the alert details. Example: "76345119800" | Text | Required | You can retrieve the Alert ID using the Fetch Alerts action. |
Example Request
[ { "alert_id":"76345119800" } ]
Action: Fetch Alerts
This action retrieves the alert details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query string | Enter the parameters as a query string in the form of key-value pairs to filter the search results. Example: sample key: sample value | Key Value | Optional | |
Example Request
[ { "params":{ "<Sample Key>":"<Sample Value>" } } ]
Action: Fetch Malware Artifact data by UUID
This action retrieves the malware artifact data by UUID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
UUID | Enter the UUID. Example: 4186 | Text | Required | |
Example Request
[ { "uuid":"4186" } ]
Action: Fetch Malware Artifacts by Alert ID
This action retrieves the malware artifacts by using alert ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. Example: "76345119800" | Text | Required | You can retrieve the Alert ID using the Fetch Alerts action. |
Alert Type | Enter the alert type. Example: "malware object" | Text | Required | |
Example Request
[ { "alert_id":"76345119800", "alert_type":"Malware Object" } ]
Action: Fetch Reports
This action retrieves reports.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report Name | Enter the report name. Example: "Report123" | Text | Required | |
Parameters | Enter the parameters. Example: sample parameters | Text | Optional | |
Filters | Enter the filters. By default, the value is time. Example: ID | Text | Optional | |
Report type | Enter the report type. Example: CSV | Text | Optional | Mandatory when Filters includes time. |
Example Request
[ { "report_name":"Report123", "params":"<Sample parameters>", "filters":"ID" } ]
Action: Fetch System Appliance Configuration
This action retrieves the configuration of the system appliance.
Action Input Parameters
This action does not require any input parameter.
Action: Fetch Yara Rule Lists
This action retrieves a list of Yara rules.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Yara type | Enter the Yara type. Example: | Text | Optional | |
Parameters | Enter the parameters. Example: key-value | Key Value | Optional | |
Example Request
[ { "yara_type":"pdf", "params":{ "<Sample key>":"<Sample value>" } } ]
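The following is an added example, not Cyware or FireEye code, showing how a playbook author might validate the connector instance configuration described above and build the action payloads in the Example Request shapes on this page, chaining Fetch Alerts into Fetch Alert Details, Fetch Malware Artifacts by Alert ID and Fetch Alert Acknowledgement, and enforcing the Fetch Reports rule that a report type is mandatory when the filter includes time. The alert records in SAMPLE_ALERTS are constructed for the example; their field names (id, alert_type, severity, ack) are assumptions, not the FireEye response schema.

```python
"""Payload builders and config checks for the FireEye EX connector (added example).

Payload shapes follow the Example Request blocks on the page. The sample
alert records and their field names are constructed assumptions.
"""
from __future__ import annotations

from typing import Any, Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample of what a Fetch Alerts result might be mapped to by a
# playbook. Field names are assumptions, not the FireEye EX schema.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"id": "76345119800", "alert_type": "malware object", "severity": "MAJR", "ack": "no"},
    {"id": "76345119801", "alert_type": "malware callback", "severity": "MINR", "ack": "yes"},
    {"id": "76345119802", "alert_type": "malware object", "severity": "CRIT", "ack": "no"},
]


def check_instance_config(cfg: Dict[str, Any]) -> List[str]:
    """Return the problems found in a connector instance configuration.

    The page's default for SSL verification is False, so certificate checks
    are skipped unless the operator turns them on; flag that, a non-https
    base URL, a bad port and any missing required parameter.
    """
    problems: List[str] = []
    if urlparse(str(cfg.get("base_url", ""))).scheme != "https":
        problems.append("base_url must use https")
    if not cfg.get("ssl_verification", False):
        problems.append("ssl_verification is False: certificate verification is skipped")
    for key in ("username", "password", "client_token", "port"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    port = str(cfg.get("port", ""))
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("port must be an integer between 1 and 65535")
    return problems


def fetch_alerts_request(filters: Optional[Dict[str, str]] = None) -> List[Dict[str, Any]]:
    """Fetch Alerts: the query-string key/value pairs go under "params"."""
    return [{"params": dict(filters or {})}]


def fetch_alert_details_request(alert_id: str) -> List[Dict[str, str]]:
    """Fetch Alert Details by alert ID."""
    return [{"alert_id": alert_id}]


def fetch_artifacts_request(alert_id: str, alert_type: str) -> List[Dict[str, str]]:
    """Fetch Malware Artifacts by Alert ID; alert_type is required too."""
    return [{"alert_id": alert_id, "alert_type": alert_type}]


def acknowledge_request(alert_id: str, annotation: str, alert_type: str) -> List[Dict[str, str]]:
    """Fetch Alert Acknowledgement; all three fields are required on the page."""
    if not annotation.strip():
        raise ValueError("annotation is required")
    return [{"alert_id": alert_id, "annotation": annotation, "alert_type": alert_type}]


def fetch_reports_request(report_name: str, params: Optional[str] = None,
                          filters: str = "time", report_type: Optional[str] = None) -> List[Dict[str, str]]:
    """Fetch Reports: filter defaults to time, and then report_type is mandatory."""
    if "time" in filters.lower() and not report_type:
        raise ValueError("report_type is mandatory when filters include 'time'")
    body = {"report_name": report_name, "filters": filters}
    if params:
        body["params"] = params
    if report_type:
        body["report_type"] = report_type
    return [body]


def triage_plan(alerts: List[Dict[str, str]], severities=("CRIT", "MAJR")) -> List[Dict[str, Any]]:
    """Chain the actions: for every unacknowledged alert at the chosen severities,
    emit the Fetch Alert Details, Fetch Malware Artifacts and acknowledgement payloads."""
    plan = []
    for alert in alerts:
        if alert.get("ack") == "yes" or alert.get("severity") not in severities:
            continue
        plan.append({
            "alert_id": alert["id"],
            "details": fetch_alert_details_request(alert["id"]),
            "artifacts": fetch_artifacts_request(alert["id"], alert["alert_type"]),
            "ack": acknowledge_request(alert["id"], "Triaged by playbook", alert["alert_type"]),
        })
    return plan


if __name__ == "__main__":
    cfg = {"base_url": "https://api.fireeyesampledomain.com/token", "username": "svc",
           "password": "x", "client_token": "y", "port": "443"}
    print(check_instance_config(cfg))  # default ssl_verification is flagged
    for step in triage_plan(SAMPLE_ALERTS):
        print(step["alert_id"], step["artifacts"], step["ack"])
```

The config check is the part worth keeping around: a playbook that pushes appliance credentials and a client token to an instance whose SSL verification is still at the default False should fail loudly before any action runs.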