
# FireEye ETP

FireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks.

## Connect FireEye ETP with Devo SOAR

1. Navigate to Automations > Integrations.
2. Search for FireEye ETP.
3. Click Details, then the + icon. Enter the required information in the following fields.

- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
- Remote Agent: Run this integration using the Devo SOAR Remote Agent.
- Server URL: Server URL to access FireEye ETP (default is https://etp.us.fireeye.com).
- API Key: API Key to access FireEye ETP.

## Actions for FireEye ETP

## Get Alert

Get details of an alert.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Alert ID | [Jinja-templated](doc:jinja-template) text containing the alert id. Example: {{alert_id_column}}. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Alert Details

```json
{
  "result": {
    "attributes": {
      "meta": {
        "read": false,
        "last_modified_on": "2021-03-30T14:58:08.376",
        "legacy_id": 1978122,
        "acknowledged": false
      },
      "ati": {},
      "alert": {
        "product": "ETP",
        "alert_type": ["at"],
        "severity": "majr",
        "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "analysis": "binary",
          "anomaly": "",
          "cnc_services": {},
          "malware_detected": {
            "malware": [
              {
                "domain": "aviautation.com",
                "downloaded_at": "2021-03-30T14:58:01Z",
                "executed_at": "2021-03-30T14:58:02Z",
                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                "name": "PhTI.URL",
                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                "stype": "34",
                "submitted_at": "2021-03-30T14:57:59Z",
                "type": "url"
              }
            ]
          },
          "os_changes": [],
          "protocol": "",
          "timestamp": "2021-03-30T14:58:02Z"
        },
        "timestamp": "2021-03-30T14:58:03.651",
        "action": "notified",
        "name": "malware-object"
      },
      "email": {
        "status": "quarantined",
        "source_ip": "2.2.2.2",
        "smtp": {
          "rcpt_to": "ghgh@gh.cl",
          "mail_from": "nobody@nobody.localdomain"
        },
        "etp_message_id": "824B3268ee6db92",
        "headers": {
          "cc": "",
          "to": "nobody@nobody.cl",
          "from": "<nobody@nobody.cl>",
          "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082 )"
        },
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {
          "accepted": "2021-03-30T14:57:55"
        }
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}
```
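As an added example (not code from the Devo SOAR integration or its documentation), the following Python helper flattens a Get Alert output into the handful of fields an analyst actually triages on, and fails loudly when `has_error` is set instead of passing an empty record down the playbook. The sample input is a constructed, trimmed copy of the output shown above; the function name `triage_alert` is an assumption.

```python
# Constructed sample: a trimmed copy of the Get Alert output documented above.
SAMPLE_ALERT_OUTPUT = {
    "has_error": False, "error": None,
    "result": {
        "id": "P8-kg3gBz5rVSh6",
        "attributes": {
            "meta": {"legacy_id": 1978122, "acknowledged": False},
            "alert": {
                "name": "malware-object", "severity": "majr", "action": "notified",
                "explanation": {"malware_detected": {"malware": [
                    {"type": "url", "domain": "aviautation.com", "name": "PhTI.URL",
                     "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                     "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af"}]}},
            },
            "email": {
                "status": "quarantined", "source_ip": "2.2.2.2",
                "etp_message_id": "824B3268ee6db92",
                "smtp": {"rcpt_to": "ghgh@gh.cl", "mail_from": "nobody@nobody.localdomain"},
                "headers": {"from": "<nobody@nobody.cl>", "to": "nobody@nobody.cl"},
            },
        },
    },
}

def triage_alert(output: dict) -> dict:
    """Flatten one Get Alert output into the fields an analyst triages on.

    Raises ValueError when has_error is set, so a playbook step fails instead
    of silently passing an empty record downstream.
    """
    if output.get("has_error"):
        raise ValueError(f"FireEye ETP Get Alert failed: {output.get('error')}")
    result = output["result"]
    attrs = result["attributes"]
    alert, email, meta = attrs["alert"], attrs["email"], attrs["meta"]
    # Indicators live several levels down and may be absent; default to an empty list.
    malware = alert.get("explanation", {}).get("malware_detected", {}).get("malware", [])
    return {
        "alert_id": result["id"],
        "legacy_id": meta["legacy_id"],              # id shown in the ETP Web Portal
        "severity": alert["severity"],
        "email_status": email["status"],             # quarantined, delivered, ...
        "etp_message_id": email["etp_message_id"],   # input for the Get Message action
        "sender_ip": email["source_ip"],
        "mail_from": email["smtp"]["mail_from"],     # envelope sender
        "header_from": email["headers"]["from"],     # may differ from the envelope sender
        "rcpt_to": email["smtp"]["rcpt_to"],
        "indicators": [{"type": m["type"], "domain": m["domain"], "md5": m["md5sum"],
                        "sha256": m["sha256"]} for m in malware],
    }
```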

## Get Alerts

Get a list of alerts.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Legacy ID | [Jinja-templated](doc:jinja-template) text containing the Alert ID as shown in the ETP Web Portal. Example: {{legacy_id_column}}. | Optional |
| From Last Modified On | [Jinja-templated](doc:jinja-template) text containing the datetime in yyyy-mm-ddThh:mm:ss.fff format. Default is the last 90 days. Example: {{from_last_modified_on_column}}. | Optional |
| Message ID | [Jinja-templated](doc:jinja-template) text containing the email message id. Example: {{message_id_column}}. | Optional |
| Size | [Jinja-templated](doc:jinja-template) text containing the number of alerts intended in the response (default is 20 alerts, valid range 1-200). Example: {{size_column}}. | Optional |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: List Of Alerts

```json
{
  "result": {
    "attributes": {
      "meta": {
        "read": false,
        "last_modified_on": "2021-03-30T14:58:08.376",
        "legacy_id": 1978122,
        "acknowledged": false
      },
      "ati": {},
      "alert": {
        "product": "ETP",
        "alert_type": ["at"],
        "severity": "majr",
        "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "analysis": "binary",
          "anomaly": "",
          "cnc_services": {},
          "malware_detected": {
            "malware": [
              {
                "domain": "aviautation.com",
                "downloaded_at": "2021-03-30T14:58:01Z",
                "executed_at": "2021-03-30T14:58:02Z",
                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                "name": "PhTI.URL",
                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                "stype": "34",
                "submitted_at": "2021-03-30T14:57:59Z",
                "type": "url"
              }
            ]
          },
          "os_changes": [],
          "protocol": "",
          "timestamp": "2021-03-30T14:58:02Z"
        },
        "timestamp": "2021-03-30T14:58:03.651",
        "action": "notified",
        "name": "malware-object"
      },
      "email": {
        "status": "quarantined",
        "source_ip": "2.2.2.2",
        "smtp": {
          "rcpt_to": "ghgh@gh.cl",
          "mail_from": "nobody@nobody.localdomain"
        },
        "etp_message_id": "824B3268ee6db92",
        "headers": {
          "cc": "",
          "to": "nobody@nobody.cl",
          "from": "<nobody@nobody.cl>",
          "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082 )"
        },
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {
          "accepted": "2021-03-30T14:57:55"
        }
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}
```

## Get Message

Get details of a message.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Message ID | [Jinja-templated](doc:jinja-template) text containing the message id. Example: {{message_id_column}}. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Message Details

```json
{
  "result": {
    "attributes": {
      "acceptedDateTime": "2021-05-29T00:00:00.000",
      "countryCode": "us",
      "domain": "nobody.cl",
      "downStreamMsgID": "250 2.0.0 OK 16246404 q17409745pgm.113 - gsmtp",
      "emailSize": 72.45,
      "lastModifiedDateTime": "2021-05-29T00:00:04.331",
      "originalMessageID": "<20210528958.604E62102@relay-dmdsixe-41.psys.net>",
      "recipientHeader": ["<nobody@nobody.cl>"],
      "recipientSMTP": ["nobody.nobody@nobody.cl"],
      "senderHeader": "Peixe - Gran Santiago <noreply@peixemail.com>",
      "senderSMTP": "noreply@nobody.com",
      "senderIP": "2.2.2.2",
      "status": "delivered",
      "subject": "¡Te prs del mes! 🌟",
      "verdicts": {
        "AS": "",
        "AV": "",
        "AT": "pass",
        "PV": "pass",
        "YARA": "pass",
        "ActionYARA": "no match"
      }
    },
    "included": [
      {
        "type": "domain",
        "attributes": {
          "name": "bci.cl"
        }
      }
    ],
    "id": "7B06a320f452",
    "type": "trace"
  },
  "error": null,
  "has_error": false
}
```

## Get Message

Get details of messages matching the given filters.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| From Email | [Jinja-templated](doc:jinja-template) text containing the list of 'From' email addresses; max limit of entries is 10. Example: {{from_email1_column}}, {{from_email2_column}}. | Optional |
| From Email Not In | [Jinja-templated](doc:jinja-template) text containing the list of 'From' email addresses not to be included; max limit of entries is 10. Example: {{from_email_not_in1_column}}, {{from_email_not_in2_column}}. | Optional |
| Recipients | [Jinja-templated](doc:jinja-template) text containing the list of 'To'/'Cc' email addresses; max limit of entries is 10. Example: {{recipient1_column}}, {{recipient2_column}}. | Optional |
| Recipients Not In | [Jinja-templated](doc:jinja-template) text containing the list of 'To'/'Cc' email addresses not to be included; max limit of entries is 10. Example: {{recipients_not_in1_column}}, {{recipients_not_in2_column}}. | Optional |
| Subject | [Jinja-templated](doc:jinja-template) text containing the list of subject strings; max limit of entries is 10. Example: {{subject1_column}}, {{subject2_column}}. | Optional |
| From Accepted Date Time | [Jinja-templated](doc:jinja-template) text containing the time stamp of the email-accepted date that marks the beginning of the date range to search (format: 2017-10-24T10:48:51.000Z). Specify 'To Accepted Date Time' as well to set the complete date range for the search. Example: {{from_accepted_date_time_column}}. | Optional |
| To Accepted Date Time | [Jinja-templated](doc:jinja-template) text containing the time stamp of the email-accepted date that marks the end of the date range to search (format: 2017-10-24T10:48:51.000Z). Specify 'From Accepted Date Time' as well to set the complete date range for the search. Example: {{to_accepted_date_time_column}}. | Optional |
| Rejection Reason | [Jinja-templated](doc:jinja-template) text containing the list of ETP rejection reason codes ("ETP102", "ETP103", "ETP104", "ETP200", "ETP201", "ETP203", "ETP204", "ETP205", "ETP300", "ETP301", "ETP302", "ETP401", "ETP402", "ETP403", "ETP404", "ETP405"). Example: {{rejection_reason1_column}}, {{rejection_reason2_column}}. | Optional |
| Sender IP | [Jinja-templated](doc:jinja-template) text containing the list of sender IP addresses; max limit of entries is 10. Example: {{sender_ip1_column}}, {{sender_ip2_column}}. | Optional |
| Status | [Jinja-templated](doc:jinja-template) text containing the list of email status values ("accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure"). Example: {{status1_column}}, {{status2_column}}. | Optional |
| Status Not In | [Jinja-templated](doc:jinja-template) text containing the list of email status values not to include ("accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure"). Example: {{status_not_in1_column}}, {{status_not_in2_column}}. | Optional |
| Last Modified Date Time | [Jinja-templated](doc:jinja-template) text containing the date corresponding to the last modified date, along with one of the following operators: `>`, `<`, `>=`, `<=`. For example, use the value `<2017-10-24T18:00:00.000Z` to search for messages that were last modified after the specified time stamp. Example: {{last_modified_date_time_column}}. | Optional |
| Domain | [Jinja-templated](doc:jinja-template) text containing the list of domain names. Example: {{domain1_column}}, {{domain2_column}}. | Optional |
| Has Attachments | Boolean value to indicate if the message has attachments (default is True). | Optional |
| Size | [Jinja-templated](doc:jinja-template) text containing the message size (default is 20 and maximum is 300). Example: {{size_column}}. | Optional |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: List Of Messages

```json
{
  "result": {
    "attributes": {
      "acceptedDateTime": "2021-05-29T00:00:00.000",
      "countryCode": "us",
      "domain": "nobody.cl",
      "downStreamMsgID": "250 2.0.0 OK 16246404 q17409745pgm.113 - gsmtp",
      "emailSize": 72.45,
      "lastModifiedDateTime": "2021-05-29T00:00:04.331",
      "originalMessageID": "<20210528958.604E62102@relay-dmdsixe-41.psys.net>",
      "recipientHeader": ["<nobody@nobody.cl>"],
      "recipientSMTP": ["nobody.nobody@nobody.cl"],
      "senderHeader": "Peixe - Gran Santiago <noreply@peixemail.com>",
      "senderSMTP": "noreply@nobody.com",
      "senderIP": "2.2.2.2",
      "status": "delivered",
      "subject": "¡Te prs del mes! 🌟",
      "verdicts": {
        "AS": "",
        "AV": "",
        "AT": "pass",
        "PV": "pass",
        "YARA": "pass",
        "ActionYARA": "no match"
      }
    },
    "included": [
      {
        "type": "domain",
        "attributes": {
          "name": "bci.cl"
        }
      }
    ],
    "id": "7B06a320f452",
    "type": "trace"
  },
  "error": null,
  "has_error": false
}
```

## Release Notes

- v2.0.0 - Updated architecture to support IO via filesystem