FireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks.
# Connect FireEye ETP with Devo SOAR

1. Navigate to Automations > Integrations.
2. Search for FireEye ETP.
3. Click Details, then the + icon. Enter the required information in the following fields.

- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate). Leave it enabled: with verification off, the API key is sent to whatever answers at the Server URL.
- Remote Agent: Run this integration using the Devo SOAR Remote Agent.
- Server URL: Server URL to access FireEye ETP (default is https://etp.us.fireeye.com). Use the URL of the region that hosts your ETP tenant.
- API Key: API key to access FireEye ETP. It authorizes every action in this integration against your tenant, so store it only in this connection and rotate it like any other credential.
# Actions for FireEye ETP

## Get Alert

Get details of an alert.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Alert ID | [Jinja-templated](doc:jinja-template) text containing the alert id. Example: {{alert_id_column}}. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Alert Details

``` {json}
{
  "result": {
    "attributes": {
      "meta": {
        "read": false,
        "last_modified_on": "2021-03-30T14:58:08.376",
        "legacy_id": 1978122,
        "acknowledged": false
      },
      "ati": {},
      "alert": {
        "product": "ETP",
        "alert_type": ["at"],
        "severity": "majr",
        "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "analysis": "binary",
          "anomaly": "",
          "cnc_services": {},
          "malware_detected": {
            "malware": [
              {
                "domain": "aviautation.com",
                "downloaded_at": "2021-03-30T14:58:01Z",
                "executed_at": "2021-03-30T14:58:02Z",
                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                "name": "PhTI.URL",
                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                "stype": "34",
                "submitted_at": "2021-03-30T14:57:59Z",
                "type": "url"
              }
            ]
          },
          "os_changes": [],
          "protocol": "",
          "timestamp": "2021-03-30T14:58:02Z"
        },
        "timestamp": "2021-03-30T14:58:03.651",
        "action": "notified",
        "name": "malware-object"
      },
      "email": {
        "status": "quarantined",
        "source_ip": "2.2.2.2",
        "smtp": {
          "rcpt_to": "ghgh@gh.cl",
          "mail_from": "nobody@nobody.localdomain"
        },
        "etp_message_id": "824B3268ee6db92",
        "headers": {
          "cc": "",
          "to": "nobody@nobody.cl",
          "from": "<nobody@nobody.cl>",
          "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082 )"
        },
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {
          "accepted": "2021-03-30T14:57:55"
        }
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}
```
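The output above is what a playbook step receives, and the fields a triage playbook actually needs are spread across `result.attributes.alert` and `result.attributes.email`. The following is an added example, not code shipped with the integration: a Python helper that checks the `has_error` envelope first, then flattens one Get Alert output into a triage record with the file hashes and domains from the verdict, the envelope versus header sender, and whether the message was delivered (any of the `delivered` statuses listed for the Get Messages action) or was held. The sample input is constructed from the page's own sample, reduced to the fields used; the `SAMPLE_ALERT_OUTPUT` and `triage_alert` names are this example's own.

```python
"""Flatten a Devo SOAR "Get Alert" (FireEye ETP) output into a triage record.

Added example, not part of the integration. Field paths follow the sample
output shown on this page; nothing else about the API is assumed.
"""
from typing import Any

# Constructed sample: the Get Alert output above, trimmed to the fields used here.
SAMPLE_ALERT_OUTPUT: dict[str, Any] = {
    "has_error": False,
    "error": None,
    "result": {
        "id": "P8-kg3gBz5rVSh6",
        "attributes": {
            "meta": {"read": False, "legacy_id": 1978122, "acknowledged": False},
            "alert": {
                "product": "ETP",
                "severity": "majr",
                "name": "malware-object",
                "action": "notified",
                "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
                "explanation": {
                    "malware_detected": {
                        "malware": [
                            {
                                "domain": "aviautation.com",
                                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                                "name": "PhTI.URL",
                                "type": "url",
                            }
                        ]
                    }
                },
            },
            "email": {
                "status": "quarantined",
                "source_ip": "2.2.2.2",
                "smtp": {"rcpt_to": "ghgh@gh.cl", "mail_from": "nobody@nobody.localdomain"},
                "etp_message_id": "824B3268ee6db92",
                "headers": {
                    "to": "nobody@nobody.cl",
                    "from": "<nobody@nobody.cl>",
                    "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082 )",
                },
                "attachment": "hxxp://nobody.com/nobody.php",
            },
        },
    },
}


def _bare_address(addr: str) -> str:
    """Header senders arrive as '<user@host>' or 'Name <user@host>'; keep only user@host."""
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1 : addr.index(">")]
    return addr.strip().lower()


def triage_alert(output: dict[str, Any]) -> dict[str, Any]:
    """Return a flat triage record for one Get Alert output.

    Raises on has_error so the playbook fails loudly instead of treating an
    API failure as "no indicators found".
    """
    if output.get("has_error"):
        raise RuntimeError(f"Get Alert failed: {output.get('error')}")
    result = output["result"]
    attrs = result.get("attributes", {})
    alert = attrs.get("alert", {})
    email = attrs.get("email", {})
    smtp = email.get("smtp", {})
    headers = email.get("headers", {})

    hashes: set[str] = set()
    domains: set[str] = set()
    if alert.get("malware_md5"):
        hashes.add(alert["malware_md5"])
    malware = alert.get("explanation", {}).get("malware_detected", {}).get("malware", [])
    for entry in malware:
        for key in ("md5sum", "sha256"):
            if entry.get(key):
                hashes.add(entry[key])
        if entry.get("domain"):
            domains.add(entry["domain"].lower())

    envelope_from = _bare_address(smtp.get("mail_from", ""))
    header_from = _bare_address(headers.get("from", ""))
    status = email.get("status", "")

    return {
        "alert_id": result.get("id"),
        "legacy_id": attrs.get("meta", {}).get("legacy_id"),
        "severity": alert.get("severity"),
        "detection": alert.get("name"),
        "message_status": status,
        "etp_message_id": email.get("etp_message_id"),
        "sender_ip": email.get("source_ip"),
        "envelope_from": envelope_from,
        "header_from": header_from,
        "recipient": smtp.get("rcpt_to"),
        "subject": headers.get("subject"),
        "hashes": sorted(hashes),
        "domains": sorted(domains),
        # Malware verdict plus a "delivered" status means the user may have the message.
        "reached_mailbox": status.startswith("delivered"),
        # Envelope sender differs from the displayed From: worth a closer look.
        "sender_mismatch": envelope_from != header_from,
    }
```

On the sample, `reached_mailbox` is false (status `quarantined`) and `sender_mismatch` is true, because the envelope sender `nobody@nobody.localdomain` does not match the header From `nobody@nobody.cl`; both flags are cheap signals to branch a playbook on before any enrichment step runs.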
## Get Alerts

Get a list of alerts.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Legacy ID | [Jinja-templated](doc:jinja-template) text containing the Alert ID as shown in the ETP Web Portal. Example: {{legacy_id_column}}. | Optional |
| From Last Modified On | [Jinja-templated](doc:jinja-template) text containing the datetime in yyyy-mm-ddThh:mm:ss.fff format. Default is the last 90 days. Example: {{from_last_modified_on_column}}. | Optional |
| Message ID | [Jinja-templated](doc:jinja-template) text containing the email message id. Example: {{message_id_column}}. | Optional |
| Size | [Jinja-templated](doc:jinja-template) text containing the number of alerts to return (default is 20 alerts, valid range 1-200). Example: {{size_column}}. | Optional |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: List Of Alerts

``` {json}
{
  "result": {
    "attributes": {
      "meta": {
        "read": false,
        "last_modified_on": "2021-03-30T14:58:08.376",
        "legacy_id": 1978122,
        "acknowledged": false
      },
      "ati": {},
      "alert": {
        "product": "ETP",
        "alert_type": ["at"],
        "severity": "majr",
        "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "analysis": "binary",
          "anomaly": "",
          "cnc_services": {},
          "malware_detected": {
            "malware": [
              {
                "domain": "aviautation.com",
                "downloaded_at": "2021-03-30T14:58:01Z",
                "executed_at": "2021-03-30T14:58:02Z",
                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                "name": "PhTI.URL",
                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                "stype": "34",
                "submitted_at": "2021-03-30T14:57:59Z",
                "type": "url"
              }
            ]
          },
          "os_changes": [],
          "protocol": "",
          "timestamp": "2021-03-30T14:58:02Z"
        },
        "timestamp": "2021-03-30T14:58:03.651",
        "action": "notified",
        "name": "malware-object"
      },
      "email": {
        "status": "quarantined",
        "source_ip": "2.2.2.2",
        "smtp": {
          "rcpt_to": "ghgh@gh.cl",
          "mail_from": "nobody@nobody.localdomain"
        },
        "etp_message_id": "824B3268ee6db92",
        "headers": {
          "cc": "",
          "to": "nobody@nobody.cl",
          "from": "<nobody@nobody.cl>",
          "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082 )"
        },
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {
          "accepted": "2021-03-30T14:57:55"
        }
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}
```
## Get Message

Get details of a message.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Message ID | [Jinja-templated](doc:jinja-template) text containing the message id. Example: {{message_id_column}}. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Message Details

``` {json}
{
  "result": {
    "attributes": {
      "acceptedDateTime": "2021-05-29T00:00:00.000",
      "countryCode": "us",
      "domain": "nobody.cl",
      "downStreamMsgID": "250 2.0.0 OK 16246404 q17409745pgm.113 - gsmtp",
      "emailSize": 72.45,
      "lastModifiedDateTime": "2021-05-29T00:00:04.331",
      "originalMessageID": "<20210528958.604E62102@relay-dmdsixe-41.psys.net>",
      "recipientHeader": ["<nobody@nobody.cl>"],
      "recipientSMTP": ["nobody.nobody@nobody.cl"],
      "senderHeader": "Peixe - Gran Santiago <noreply@peixemail.com>",
      "senderSMTP": "noreply@nobody.com",
      "senderIP": "2.2.2.2",
      "status": "delivered",
      "subject": "¡Te prs del mes! 🌟",
      "verdicts": {
        "AS": "",
        "AV": "",
        "AT": "pass",
        "PV": "pass",
        "YARA": "pass",
        "ActionYARA": "no match"
      }
    },
    "included": [
      {
        "type": "domain",
        "attributes": {
          "name": "bci.cl"
        }
      }
    ],
    "id": "7B06a320f452",
    "type": "trace"
  },
  "error": null,
  "has_error": false
}
```
## Get Messages

Get a list of messages matching the given filters.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| From Email | [Jinja-templated](doc:jinja-template) text containing the list of 'From' email addresses. Max limit of entries is 10. Example: {{from_email1_column}}, {{from_email2_column}}. | Optional |
| From Email Not In | [Jinja-templated](doc:jinja-template) text containing the list of 'From' email addresses not to be included. Max limit of entries is 10. Example: {{from_email_not_in1_column}}, {{from_email_not_in2_column}}. | Optional |
| Recipients | [Jinja-templated](doc:jinja-template) text containing the list of 'To'/'Cc' email addresses. Max limit of entries is 10. Example: {{recipient1_column}}, {{recipient2_column}}. | Optional |
| Recipients Not In | [Jinja-templated](doc:jinja-template) text containing the list of 'To'/'Cc' email addresses not to be included. Max limit of entries is 10. Example: {{recipients_not_in1_column}}, {{recipients_not_in2_column}}. | Optional |
| Subject | [Jinja-templated](doc:jinja-template) text containing the list of subject strings. Max limit of entries is 10. Example: {{subject1_column}}, {{subject2_column}}. | Optional |
| From Accepted Date Time | [Jinja-templated](doc:jinja-template) text containing the time stamp of the email-accepted date that starts the date range to search (format: 2017-10-24T10:48:51.000Z). Specify 'To Accepted Date Time' as well to set the complete date range for the search. Example: {{from_accepted_date_time_column}}. | Optional |
| To Accepted Date Time | [Jinja-templated](doc:jinja-template) text containing the time stamp of the email-accepted date that ends the date range to search (format: 2017-10-24T10:48:51.000Z). Specify 'From Accepted Date Time' as well to set the complete date range for the search. Example: {{to_accepted_date_time_column}}. | Optional |
| Rejection Reason | [Jinja-templated](doc:jinja-template) text containing the list of ETP rejection reason codes ("ETP102", "ETP103", "ETP104", "ETP200", "ETP201", "ETP203", "ETP204", "ETP205", "ETP300", "ETP301", "ETP302", "ETP401", "ETP402", "ETP403", "ETP404", "ETP405"). Example: {{rejection_reason1_column}}, {{rejection_reason2_column}}. | Optional |
| Sender IP | [Jinja-templated](doc:jinja-template) text containing the list of sender IP addresses. Max limit of entries is 10. Example: {{sender_ip1_column}}, {{sender_ip2_column}}. | Optional |
| Status | [Jinja-templated](doc:jinja-template) text containing the list of email status values ("accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure"). Example: {{status1_column}}, {{status2_column}}. | Optional |
| Status Not In | [Jinja-templated](doc:jinja-template) text containing the list of email status values not to include ("accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure"). Example: {{status_not_in1_column}}, {{status_not_in2_column}}. | Optional |
| Last Modified Date Time | [Jinja-templated](doc:jinja-template) text containing a last-modified time stamp prefixed with one of the operators ">", "\<", ">=", "\<=". For example, "\<2017-10-24T18:00:00.000Z" matches messages last modified before the specified time stamp, and ">2017-10-24T18:00:00.000Z" matches messages last modified after it. Example: {{last_modified_date_time_column}}. | Optional |
| Domain | [Jinja-templated](doc:jinja-template) text containing the list of domain names. Example: {{domain1_column}}, {{domain2_column}}. | Optional |
| Has Attachments | Boolean value to indicate if the message has attachments (default is True). | Optional |
| Size | [Jinja-templated](doc:jinja-template) text containing the number of messages to return (default is 20, maximum is 300). Example: {{size_column}}. | Optional |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: List Of Messages

``` {json}
{
  "result": {
    "attributes": {
      "acceptedDateTime": "2021-05-29T00:00:00.000",
      "countryCode": "us",
      "domain": "nobody.cl",
      "downStreamMsgID": "250 2.0.0 OK 16246404 q17409745pgm.113 - gsmtp",
      "emailSize": 72.45,
      "lastModifiedDateTime": "2021-05-29T00:00:04.331",
      "originalMessageID": "<20210528958.604E62102@relay-dmdsixe-41.psys.net>",
      "recipientHeader": ["<nobody@nobody.cl>"],
      "recipientSMTP": ["nobody.nobody@nobody.cl"],
      "senderHeader": "Peixe - Gran Santiago <noreply@peixemail.com>",
      "senderSMTP": "noreply@nobody.com",
      "senderIP": "2.2.2.2",
      "status": "delivered",
      "subject": "¡Te prs del mes! 🌟",
      "verdicts": {
        "AS": "",
        "AV": "",
        "AT": "pass",
        "PV": "pass",
        "YARA": "pass",
        "ActionYARA": "no match"
      }
    },
    "included": [
      {
        "type": "domain",
        "attributes": {
          "name": "bci.cl"
        }
      }
    ],
    "id": "7B06a320f452",
    "type": "trace"
  },
  "error": null,
  "has_error": false
}
```
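The most common use of this action in a playbook is the pivot from a quarantined alert to the messages the same sender got through: same Sender IP and envelope From, an accepted-date window around the alert, and a Status filter restricted to the delivered values. The following is an added example, not code from the integration: a Python helper that builds that input using the value formats the table above specifies (comma-separated lists capped at 10 entries, accepted-date bounds in the 2017-10-24T10:48:51.000Z form, an operator prefix on Last Modified Date Time, Size at most 300) and refuses inputs the action would not accept. The names `build_sibling_search`, `csv_list`, `fmt_accepted` and `last_modified` are this example's own; in a real playbook the literal values would come from {{column}} references. The assumption that zone-less ETP timestamps are UTC is the example's, not the page's.

```python
"""Build input for the "Get Messages" action from facts taken off an ETP alert.

Added example, not part of the Devo SOAR integration. Only the input names,
value formats and limits listed in the table above are assumed.
"""
from datetime import datetime, timedelta, timezone
from typing import Iterable

MAX_LIST_ENTRIES = 10            # "Max limit of entries is 10" for the list inputs
MAX_SIZE = 300                   # Size: "maximum is 300"
LAST_MODIFIED_OPS = (">", "<", ">=", "<=")
DELIVERED_STATUSES = ("delivered", "delivered (retroactive)")


def fmt_accepted(ts: datetime) -> str:
    """Render a timestamp in the accepted-date format, e.g. 2017-10-24T10:48:51.000Z."""
    if ts.tzinfo is None:
        # Assumption: zone-less timestamps such as the alert's "accepted" value are UTC.
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def csv_list(name: str, values: Iterable[str]) -> str:
    """Dedupe, sort and join a list input; reject lists the action would not accept."""
    vals = sorted({v.strip() for v in values if v and v.strip()})
    if not vals:
        raise ValueError(f"{name}: at least one entry is required")
    if len(vals) > MAX_LIST_ENTRIES:
        raise ValueError(f"{name}: {len(vals)} entries exceeds the limit of {MAX_LIST_ENTRIES}")
    return ", ".join(vals)


def last_modified(op: str, ts: datetime) -> str:
    """Operator-prefixed Last Modified Date Time value, e.g. '>2021-03-30T14:57:55.000Z'."""
    if op not in LAST_MODIFIED_OPS:
        raise ValueError(f"unsupported operator {op!r}; use one of {LAST_MODIFIED_OPS}")
    return f"{op}{fmt_accepted(ts)}"


def build_sibling_search(
    sender_ips: Iterable[str],
    envelope_froms: Iterable[str],
    accepted: datetime,
    window: timedelta = timedelta(hours=24),
    statuses: Iterable[str] = DELIVERED_STATUSES,
    size: int = 100,
) -> dict[str, str]:
    """Get Messages input that finds mail from the same sender delivered around the alert.

    The alert tells you one message was quarantined; this query asks what the same
    sender got through to mailboxes in the surrounding window.
    """
    if not 1 <= size <= MAX_SIZE:
        raise ValueError(f"Size must be between 1 and {MAX_SIZE}, got {size}")
    return {
        "Sender IP": csv_list("Sender IP", sender_ips),
        "From Email": csv_list("From Email", envelope_froms),
        "From Accepted Date Time": fmt_accepted(accepted - window),
        "To Accepted Date Time": fmt_accepted(accepted + window),
        "Status": csv_list("Status", statuses),
        "Size": str(size),
    }


# Constructed sample values, taken from the Get Alert output shown earlier on this page.
SAMPLE_ACCEPTED = datetime(2021, 3, 30, 14, 57, 55, tzinfo=timezone.utc)
SAMPLE_QUERY = build_sibling_search(
    sender_ips=["2.2.2.2"],
    envelope_froms=["nobody@nobody.localdomain"],
    accepted=SAMPLE_ACCEPTED,
)
```

`SAMPLE_QUERY` comes out with the window `2021-03-29T14:57:55.000Z` to `2021-03-31T14:57:55.000Z` and Status `delivered, delivered (retroactive)`; widen the window or drop the Status filter to see rejected and quarantined siblings as well, and add `last_modified(">", SAMPLE_ACCEPTED)` as Last Modified Date Time to catch messages whose status changed after the alert, such as retroactive deliveries.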
# Release Notes

## v2.0.0

- Updated architecture to support IO via filesystem