
# FireEye Helix


FireEye Helix is a security operations platform that makes it simple to deliver advanced security to any organization. It surfaces unseen threats and empowers expert decisions with frontline intelligence to take back control of your defenses and capture the untapped potential of your security investments.

## Connect FireEye Helix with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for FireEye Helix.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select whether to verify the connecting server's SSL certificate (the default is Verify SSL Certificate).

  7. Helix API Key: The X-FireEye-API-Key value for your Helix instance.

  8. Helix Id: The Id of your Helix instance, for example 'hexzsq689'.

  9. After you've entered all the details, click Connect.

## Search

Create custom search queries.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Query | Jinja-templated text containing the query. Example '{"state":{"$in":["Open","Reopened"]},"suppressed":false}' | Required |
| Start | Jinja-templated text containing the start time in 'yyyy-mm-ddThh:mm:ss' format. Default is the batch start time. | Optional |
| End | Jinja-templated text containing the end time in 'yyyy-mm-ddThh:mm:ss' format. Default is the batch end time. | Optional |

### Output

JSON containing the following items:

```json
{
  "alerts": [
    {
      "_assignedAt": null,
      "alertThreat": "Unknown",
      "alertType": "fireeye_rule",
      "alertTypeDetails": {
        "detail": {
          "class": "bro_dns",
          "domain": "ttos019108.3322.org",
          "dstisp": "fq23ef qwfe qwef q34wfqe co. limited",
          "srcisp": "private ip address lan",
          "meta_ts": "2016-03-28T13:40:53.247Z",
          "dstdomain": "asdf.com",
          "dstcountry": "america",
          "querytypename": "a"
        },
        "source": "172.19.1.161",
        "summary": {
          "domain": "ttos019108.3322.org",
          "querytypename": "a"
        },
        "destination": "118.184.176.43"
      },
      "classification": 0,
      "closedState": "Escalated",
      "confidence": "Medium",
      "context": null,
      "createDate": "2016-03-28T05:40:05.010000Z",
      "customer_id": "hexryy776",
      "description": "HUPIGON is capable of comprehensive remote access on a compromised system, to include remote command execution, a file system manager, audio/video capture, VNC-like remote viewing, telnet, and additional capabilities can be implemented using custom plugins. The malware communicates with a preconfigured host and installs itself as a Windows service. This is a generic signature leveraging DNS logs identifying beaconing activity for HUPIGON malware.",
      "displayId": 6,
      "distinguisherKey": "1.19.1.161~,~~,~",
      "distinguishers": {
        "srcipv4": "1.19.1.161",
        "srcipv6": "",
        "xfwdforip": ""
      },
      "emailedAt": 1459143607860,
      "eventCount": 100,
      "eventsThreshold": 0,
      "firstEventAt": "2016-03-28T13:36:20.124000Z",
      "lastEventAt": "2016-03-28T13:40:53.247000Z",
      "external": [],
      "externalCount": 0,
      "externalId": "",
      "id": "asodfijq3peofhrujepriuf",
      "infoLinks": [
        "http://www.f-asodifjoa.com/v-descs/asdfijads;ocnjs;ad.shtml",
        "http://www.asdfjn.com/en/descriptions/6212128/Backdoor.Win32.asdoifjaso;.fdnv",
        "http://www.asodfjnvaos.com/security/portal/threat/asd'fjona/entry.aspx?name=Win32%2fHupigon#tab=2"
      ],
      "internal": [],
      "internalCount": 0,
      "isThreat": false,
      "isTuned": false,
      "killChain": [],
      "lastSyncMs": 2314124351243,
      "message": "12rewf qwefwef [DNS]",
      "notes": [
        {
          "_author": {
            "id": "123f123d-7ba2-1033-9f52-123df12ewrd2",
            "avatar": "https://secure.gravatar.com/avatar/25asdf2342rfqwef81e1c6",
            "name": "MR TechBar",
            "username": "mrbean",
            "primary_email": "mrbean.1996@gmail.com"
          },
          "createDate": "2016-03-28T15:41:29.772000Z",
          "customer_id": "abcdef",
          "id": 1,
          "updateDate": "2016-03-28T15:41:29.772000Z",
          "note": "Reviewing..."
        }
      ],
      "notesCount": 1,
      "organization": "hexryy776",
      "originId": "MAP_RULE",
      "queues": [
        "Default Queue"
      ],
      "revision": 17,
      "revisionNotes": "",
      "risk": "High",
      "riskOrder": 3,
      "riskScore": null,
      "search": "metaclass:dns domain:/(ttos|yutao)[0-9]{6}/ NOT srcipv4=inclusion.local.srcipv4",
      "secondsThreshold": 0,
      "severity": "High",
      "sourceRevision": 0,
      "state": "Closed",
      "suppressed": false,
      "tags": [
        "asdf",
        "qwer",
        "etyru",
        "ertyherthn"
      ],
      "threatChangedAt": null,
      "threatType": 0,
      "triggerId": "1.1.100",
      "triggerRevision": 0,
      "tuningSearch": "",
      "updateDate": "2018-10-03T10:11:11.609162Z"
    }
  ],
  "error": null,
  "has_error": false
}
```

## Get Alerts

Retrieves alerts from FireEye Helix that match a query.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Query | [Jinja-templated](doc:jinja-template) text containing the Mongo JSON query syntax used to filter for specific results. Example '{"state":{"$in":["Open","Reopened"]},"suppressed":false}' | Optional |
| Sort | [Jinja-templated](doc:jinja-template) text containing the comma-separated list of field names to sort the results by. Example '-updateDate,riskOrder' | Optional |
| Fields | [Jinja-templated](doc:jinja-template) text containing a comma-separated list of field names to select or exclude from the resulting data. | Optional |
| Includes | [Jinja-templated](doc:jinja-template) text containing a comma-separated list of field names to expand an ID into a full object representation of the related data. | Optional |
| Limit | [Jinja-templated](doc:jinja-template) number limiting the number of results. Default is '5000' | Optional |

### Output

JSON containing the following items:

```json
{
  "alerts": [
    {
      "_assignedAt": null,
      "alertThreat": "Unknown",
      "alertType": "fireeye_rule",
      "alertTypeDetails": {
        "detail": {
          "class": "bro_dns",
          "domain": "ttos019108.3322.org",
          "dstisp": "fq23ef qwfe qwef q34wfqe co. limited",
          "srcisp": "private ip address lan",
          "meta_ts": "2016-03-28T13:40:53.247Z",
          "dstdomain": "asdf.com",
          "dstcountry": "america",
          "querytypename": "a"
        },
        "source": "172.19.1.161",
        "summary": {
          "domain": "ttos019108.3322.org",
          "querytypename": "a"
        },
        "destination": "118.184.176.43"
      },
      "classification": 0,
      "closedState": "Escalated",
      "confidence": "Medium",
      "context": null,
      "createDate": "2016-03-28T05:40:05.010000Z",
      "customer_id": "hexryy776",
      "description": "HUPIGON is capable of comprehensive remote access on a compromised system, to include remote command execution, a file system manager, audio/video capture, VNC-like remote viewing, telnet, and additional capabilities can be implemented using custom plugins. The malware communicates with a preconfigured host and installs itself as a Windows service. This is a generic signature leveraging DNS logs identifying beaconing activity for HUPIGON malware.",
      "displayId": 6,
      "distinguisherKey": "1.19.1.161~,~~,~",
      "distinguishers": {
        "srcipv4": "1.19.1.161",
        "srcipv6": "",
        "xfwdforip": ""
      },
      "emailedAt": 1459143607860,
      "eventCount": 100,
      "eventsThreshold": 0,
      "firstEventAt": "2016-03-28T13:36:20.124000Z",
      "lastEventAt": "2016-03-28T13:40:53.247000Z",
      "external": [],
      "externalCount": 0,
      "externalId": "",
      "id": "asodfijq3peofhrujepriuf",
      "infoLinks": [
        "http://www.f-asodifjoa.com/v-descs/asdfijads;ocnjs;ad.shtml",
        "http://www.asdfjn.com/en/descriptions/6212128/Backdoor.Win32.asdoifjaso;.fdnv",
        "http://www.asodfjnvaos.com/security/portal/threat/asd'fjona/entry.aspx?name=Win32%2fHupigon#tab=2"
      ],
      "internal": [],
      "internalCount": 0,
      "isThreat": false,
      "isTuned": false,
      "killChain": [],
      "lastSyncMs": 2314124351243,
      "message": "12rewf qwefwef [DNS]",
      "notes": [
        {
          "_author": {
            "id": "123f123d-7ba2-1033-9f52-123df12ewrd2",
            "avatar": "https://secure.gravatar.com/avatar/25asdf2342rfqwef81e1c6",
            "name": "MR TechBar",
            "username": "mrbean",
            "primary_email": "mrbean.1996@gmail.com"
          },
          "createDate": "2016-03-28T15:41:29.772000Z",
          "customer_id": "abcdef",
          "id": 1,
          "updateDate": "2016-03-28T15:41:29.772000Z",
          "note": "Reviewing..."
        }
      ],
      "notesCount": 1,
      "organization": "hexryy776",
      "originId": "MAP_RULE",
      "queues": [
        "Default Queue"
      ],
      "revision": 17,
      "revisionNotes": "",
      "risk": "High",
      "riskOrder": 3,
      "riskScore": null,
      "search": "metaclass:dns domain:/(ttos|yutao)[0-9]{6}/ NOT srcipv4=inclusion.local.srcipv4",
      "secondsThreshold": 0,
      "severity": "High",
      "sourceRevision": 0,
      "state": "Closed",
      "suppressed": false,
      "tags": [
        "asdf",
        "qwer",
        "etyru",
        "ertyherthn"
      ],
      "threatChangedAt": null,
      "threatType": 0,
      "triggerId": "1.1.100",
      "triggerRevision": 0,
      "tuningSearch": "",
      "updateDate": "2018-10-03T10:11:11.609162Z"
    }
  ],
  "error": null,
  "has_error": false
}
```
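The following Python is an added example, not part of this page or of the Devo SOAR integration's own code: it validates the Search Start/End inputs against the documented 'yyyy-mm-ddThh:mm:ss' format, assembles the Get Alerts inputs (Query, Sort, Fields, Includes, Limit) into request parameters, and triages the action output shape shown above (has_error/error plus an alerts array). The parameter names are an assumption, and the sample output is constructed.

```python
import json
from datetime import datetime

TIME_FMT = "%Y-%m-%dT%H:%M:%S"  # the 'yyyy-mm-ddThh:mm:ss' form the Start/End inputs expect
DEFAULT_LIMIT = 5000            # documented default of the Get Alerts Limit input


def parse_action_time(value: str) -> datetime:
    """Reject a rendered Start/End value that is not in the documented format."""
    return datetime.strptime(value, TIME_FMT)


def build_get_alerts_params(query: str, sort: str = "", fields: str = "",
                            includes: str = "", limit: str = "") -> dict:
    """Turn rendered Get Alerts inputs into request parameters, failing early on a
    malformed Query. Parameter names are an assumption, not the documented wire format."""
    params = {"query": json.dumps(json.loads(query), separators=(",", ":"))}
    for name, raw in (("sort", sort), ("fields", fields), ("includes", includes)):
        items = [s.strip() for s in raw.split(",") if s.strip()]
        if items:  # comma-separated field-name lists; empty inputs are omitted
            params[name] = ",".join(items)
    params["limit"] = int(limit) if limit else DEFAULT_LIMIT
    if params["limit"] <= 0:
        raise ValueError("limit must be a positive number")
    return params


def open_high_risk_alerts(output: dict) -> list:
    """Fail closed on has_error/error, then return (id, domain) for un-suppressed
    High-risk alerts that are Open or Reopened (the page's example Query filter)."""
    if output.get("has_error") or output.get("error"):
        raise RuntimeError(f"Helix action failed: {output.get('error')}")
    hits = []
    for alert in output.get("alerts", []):
        if alert.get("suppressed") or alert.get("risk") != "High":
            continue
        if alert.get("state") not in ("Open", "Reopened"):
            continue
        summary = alert.get("alertTypeDetails", {}).get("summary", {})
        hits.append((alert["id"], summary.get("domain")))
    return hits


# Constructed sample shaped like the page's Search/Get Alerts output (not real data).
SAMPLE_OUTPUT = {
    "alerts": [
        {"id": "alert-1", "risk": "High", "state": "Open", "suppressed": False,
         "alertTypeDetails": {"summary": {"domain": "beacon.example.test"}}},
        {"id": "alert-2", "risk": "High", "state": "Closed", "suppressed": False,
         "alertTypeDetails": {"summary": {"domain": "closed.example.test"}}},
    ],
    "error": None, "has_error": False,
}
```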

## Create Alert

Creates a new alert in FireEye Helix.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Data | Jinja-templated JSON containing the data of the alert. | Required |

### Output

JSON containing the following items:

```json
{
  "error": null,
  "has_error": false,
  "msg": "Successfully Created"
}
```

## Update Alert

Updates an existing alert in FireEye Helix.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Data | [Jinja-templated](doc:jinja-template) JSON containing the data of the alert. | Required |

### Output

JSON containing the following items:

```json
{
  "error": null,
  "has_error": false,
  "msg": "Successfully Updated"
}
```

## Release Notes

  • v1.0.0 - Added new integration with 4 actions: Search, Get Alerts, Create Alert and Update Alert.