FireEye ETP

Version: 1.0.2

FireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks.

Connect FireEye ETP with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for FireEye ETP.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Server URL: Server URL used to access FireEye ETP (default is https://etp.us.fireeye.com).
    • API Key: API Key to access FireEye ETP.

Actions for FireEye ETP

Get Alert

Get details of an alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Alert ID

Jinja-templated text containing the alert id.
Example: {{alert_id_column}}.

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Alert Details
{
  "result": {
    "attributes": {
      "meta": {
        "read": false,
        "last_modified_on": "2021-03-30T14:58:08.376",
        "legacy_id": 1978122,
        "acknowledged": false
      },
      "ati": {},
      "alert": {
        "product": "ETP",
        "alert_type": [
          "at"
        ],
        "severity": "majr",
        "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "analysis": "binary",
          "anomaly": "",
          "cnc_services": {},
          "malware_detected": {
            "malware": [
              {
                "domain": "aviautation.com",
                "downloaded_at": "2021-03-30T14:58:01Z",
                "executed_at": "2021-03-30T14:58:02Z",
                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                "name": "PhTI.URL",
                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                "stype": "34",
                "submitted_at": "2021-03-30T14:57:59Z",
                "type": "url"
              }
            ]
          },
          "os_changes": [],
          "protocol": "",
          "timestamp": "2021-03-30T14:58:02Z"
        },
        "timestamp": "2021-03-30T14:58:03.651",
        "action": "notified",
        "name": "malware-object"
      },
      "email": {
        "status": "quarantined",
        "source_ip": "2.2.2.2",
        "smtp": {
          "rcpt_to": "[email protected]",
          "mail_from": "[email protected]"
        },
        "etp_message_id": "824B3268ee6db92",
        "headers": {
          "cc": "",
          "to": "[email protected]",
          "from": "<[email protected]>",
          "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082  )"
        },
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {
          "accepted": "2021-03-30T14:57:55"
        }
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}
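
As an added example (not part of the LogicHub or FireEye documentation), the following Python flattens the Get Alert output shown above into the fields an automation playbook branches on: whether ETP already kept the message out of the mailbox, and which of the reported indicators are well-formed enough to push to a blocklist. It assumes the has_error/error/result envelope shown above; the sample is a trimmed copy of that output with the redacted addresses replaced by example.com placeholders, and the set of "contained" statuses is an assumption.

```python
import json
import re

# Constructed sample: a trimmed copy of the Get Alert output documented above, with the
# redacted addresses replaced by example.com placeholders.
SAMPLE_ALERT = json.loads("""{"has_error": false, "error": null, "result": {"id": "P8-kg3gBz5rVSh6",
  "attributes": {"meta": {"legacy_id": 1978122, "last_modified_on": "2021-03-30T14:58:08.376"},
    "alert": {"product": "ETP", "severity": "majr", "name": "malware-object",
      "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
      "explanation": {"malware_detected": {"malware": [{"domain": "aviautation.com",
        "type": "url", "name": "PhTI.URL", "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
        "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af"}]}}},
    "email": {"status": "quarantined", "source_ip": "2.2.2.2", "etp_message_id": "824B3268ee6db92",
      "smtp": {"rcpt_to": "user@example.com", "mail_from": "sender@example.com"}}}}}""")

# Shape checks applied before an indicator is pushed to a blocklist: a hash of the wrong
# length (as in the documented sample) is kept for the analyst but marked not blockable.
INDICATOR_SHAPE = {"md5": re.compile(r"^[0-9a-f]{32}$"), "sha256": re.compile(r"^[0-9a-f]{64}$"),
                   "domain": re.compile(r"^(?!-)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+$")}
# Email statuses in which ETP already kept the message out of the mailbox (assumption).
CONTAINED = {"quarantined", "dropped", "dropped oob", "rejected", "deleted"}

def triage_alert(payload):
    """Flatten a Get Alert envelope into the fields a playbook branches on."""
    if payload.get("has_error"):
        raise RuntimeError(f"ETP Get Alert failed: {payload.get('error')}")
    attrs = payload["result"]["attributes"]
    alert, email = attrs["alert"], attrs["email"]
    raw = [("md5", alert.get("malware_md5", ""))]
    for m in alert.get("explanation", {}).get("malware_detected", {}).get("malware", []):
        raw += [("domain", m.get("domain", "")), ("md5", m.get("md5sum", "")),
                ("sha256", m.get("sha256", ""))]
    iocs, seen = [], set()
    for kind, value in raw:
        value = value.strip().lower()
        if value and (kind, value) not in seen:
            seen.add((kind, value))
            iocs.append({"type": kind, "value": value,
                         "blockable": INDICATOR_SHAPE[kind].match(value) is not None})
    status = email.get("status", "")
    return {"alert_id": payload["result"]["id"], "legacy_id": attrs["meta"]["legacy_id"],
            "severity": alert.get("severity"), "name": alert.get("name"),
            "email_status": status, "reached_mailbox": status not in CONTAINED,
            "sender_ip": email.get("source_ip"), "mail_from": email["smtp"].get("mail_from"),
            "rcpt_to": email["smtp"].get("rcpt_to"), "iocs": iocs}
```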

Get Alerts

Get a list of alerts.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Legacy ID

Jinja-templated text containing the Alert ID as shown in ETP Web Portal.
Example: {{legacy_id_column}}.

Optional

From Last Modified On

Jinja-templated text containing the datetime in yyyy-mm-ddThh:mm:ss.fff format. Defaults to the last 90 days.
Example: {{from_last_modified_on_column}}.

Optional

Message ID

Jinja-templated text containing the email message id.
Example: {{message_id_column}}.

Optional

Size

Jinja-templated text containing the number of alerts to return in the response (default is 20 alerts; valid range is 1-200).
Example: {{size_column}}.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List Of Alerts
{
  "result": {
    "attributes": {
      "meta": {
        "read": false,
        "last_modified_on": "2021-03-30T14:58:08.376",
        "legacy_id": 1978122,
        "acknowledged": false
      },
      "ati": {},
      "alert": {
        "product": "ETP",
        "alert_type": [
          "at"
        ],
        "severity": "majr",
        "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "analysis": "binary",
          "anomaly": "",
          "cnc_services": {},
          "malware_detected": {
            "malware": [
              {
                "domain": "aviautation.com",
                "downloaded_at": "2021-03-30T14:58:01Z",
                "executed_at": "2021-03-30T14:58:02Z",
                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                "name": "PhTI.URL",
                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                "stype": "34",
                "submitted_at": "2021-03-30T14:57:59Z",
                "type": "url"
              }
            ]
          },
          "os_changes": [],
          "protocol": "",
          "timestamp": "2021-03-30T14:58:02Z"
        },
        "timestamp": "2021-03-30T14:58:03.651",
        "action": "notified",
        "name": "malware-object"
      },
      "email": {
        "status": "quarantined",
        "source_ip": "2.2.2.2",
        "smtp": {
          "rcpt_to": "[email protected]",
          "mail_from": "[email protected]"
        },
        "etp_message_id": "824B3268ee6db92",
        "headers": {
          "cc": "",
          "to": "[email protected]",
          "from": "<[email protected]>",
          "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082  )"
        },
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {
          "accepted": "2021-03-30T14:57:55"
        }
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}

Get Message

Get details of a message.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Message ID

Jinja-templated text containing the message id.
Example: {{message_id_column}}.

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Message Details
{
  "result": {
    "attributes": {
      "acceptedDateTime": "2021-05-29T00:00:00.000",
      "countryCode": "us",
      "domain": "nobody.cl",
      "downStreamMsgID": "250 2.0.0 OK  16246404 q17409745pgm.113 - gsmtp",
      "emailSize": 72.45,
      "lastModifiedDateTime": "2021-05-29T00:00:04.331",
      "originalMessageID": "<[email protected]>",
      "recipientHeader": [
        "<[email protected]>"
      ],
      "recipientSMTP": [
        "[email protected]"
      ],
      "senderHeader": "Peixe - Gran Santiago <[email protected]>",
      "senderSMTP": "[email protected]",
      "senderIP": "2.2.2.2",
      "status": "delivered",
      "subject": "¡Te prs del mes! 🌟",
      "verdicts": {
        "AS": "",
        "AV": "",
        "AT": "pass",
        "PV": "pass",
        "YARA": "pass",
        "ActionYARA": "no match"
      }
    },
    "included": [
      {
        "type": "domain",
        "attributes": {
          "name": "bci.cl"
        }
      }
    ],
    "id": "7B06a320f452",
    "type": "trace"
  },
  "error": null,
  "has_error": false
}

Get Message

Get a list of messages matching the given filters.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

From Email

Jinja-templated text containing the list of 'From' email addresses (maximum of 10 entries).
Example: {{from_email1_column}}, {{from_email2_column}}.

Optional

From Email Not In

Jinja-templated text containing the list of 'From' email addresses to exclude (maximum of 10 entries).
Example: {{from_email_not_in1_column}}, {{from_email_not_in2_column}}.

Optional

Recipients

Jinja-templated text containing the list of 'To'/'Cc' email addresses (maximum of 10 entries).
Example: {{recipient1_column}}, {{recipient2_column}}.

Optional

Recipients Not In

Jinja-templated text containing the list of 'To'/'Cc' email addresses to exclude (maximum of 10 entries).
Example: {{recipients_not_in1_column}}, {{recipients_not_in2_column}}.

Optional

Subject

Jinja-templated text containing the list of subject strings to match (maximum of 10 entries).
Example: {{subject1_column}}, {{subject2_column}}.

Optional

From Accepted Date Time

Jinja-templated text containing the time stamp of the email-accepted date that marks the beginning of the date range to search (format: 2017-10-24T10:48:51.000Z). Specify 'To Accepted Date Time' as well to set the complete date range for the search.
Example: {{from_accepted_date_time_column}}.

Optional

To Accepted Date Time

Jinja-templated text containing the time stamp of the email-accepted date that marks the end of the date range to search (format: 2017-10-24T10:48:51.000Z). Specify 'From Accepted Date Time' as well to set the complete date range for the search.
Example: {{to_accepted_date_time_column}}.

Optional

Rejection Reason

Jinja-templated text containing the list of ETP rejection reason codes ("ETP102", "ETP103", "ETP104", "ETP200", "ETP201", "ETP203", "ETP204", "ETP205", "ETP300", "ETP301", "ETP302", "ETP401", "ETP402", "ETP403", "ETP404", "ETP405").
Example: {{rejection_reason1_column}}, {{rejection_reason2_column}}.

Optional

Sender IP

Jinja-templated text containing the list of sender IP addresses (maximum of 10 entries).
Example: {{sender_ip1_column}}, {{sender_ip2_column}}.

Optional

Status

Jinja-templated text containing the list of email status values ("accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure").
Example: {{status1_column}}, {{status2_column}}.

Optional

Status Not In

Jinja-templated text containing the list of email status values to exclude ("accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure").
Example: {{status_not_in1_column}}, {{status_not_in2_column}}.

Optional

Last Modified Date Time

Jinja-templated text containing the last modified date, prefixed with one of the following operators: ">", "<", ">=", "<=". For example, the value "<2017-10-24T18:00:00.000Z" searches for messages that were last modified before the specified time stamp.
Example: {{last_modified_date_time_column}}.

Optional

Domain

Jinja-templated text containing the list of domain names.
Example: {{domain1_column}}, {{domain2_column}}.

Optional

Has Attachments

Boolean value indicating whether the message has attachments (default is True).

Optional

Size

Jinja-templated text containing the number of messages to return in the response (default is 20, maximum is 300).
Example: {{size_column}}.

Optional
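
As an added example (not from the original page), this Python validates the message search inputs against the limits stated in the descriptions above before the action runs, so that an out-of-range size, an unknown status value, or a last-modified filter without its operator fails loudly instead of silently narrowing the search. The keyword names are assumed snake_case forms of the input labels above, and the values are assumed to be the comma-separated strings LogicHub produces after rendering the Jinja templates.

```python
import re
from datetime import datetime

# Allowed values and limits copied from the input descriptions above.
STATUSES = {"accepted", "deleted", "delivered", "delivered (retroactive)", "dropped",
            "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing",
            "quarantined", "rejected", "temporary failure"}
REJECTION_REASONS = {"ETP" + c for c in
                     "102 103 104 200 201 203 204 205 300 301 302 401 402 403 404 405".split()}
ENUMS = {"status": STATUSES, "status_not_in": STATUSES, "rejection_reason": REJECTION_REASONS}
LIST_FIELDS = {"from_email", "from_email_not_in", "recipients", "recipients_not_in",
               "subject", "sender_ip", "domain"}           # at most 10 entries each
TIMESTAMP = "%Y-%m-%dT%H:%M:%S.%fZ"                        # e.g. 2017-10-24T10:48:51.000Z
LAST_MODIFIED = re.compile(r"^(>=|<=|>|<)(.+)$")           # operator prefix is mandatory

def _checked_time(label, value):
    # Return the value unchanged if it parses as an ETP timestamp, otherwise raise.
    try:
        datetime.strptime(value, TIMESTAMP)
    except ValueError:
        raise ValueError(f"{label}: expected yyyy-mm-ddThh:mm:ss.fffZ, got {value!r}") from None
    return value

def build_message_filter(**inputs):
    """Validate comma-separated action inputs against the documented limits."""
    query = {}
    for name, value in inputs.items():
        if name in LIST_FIELDS or name in ENUMS:
            items = [v.strip() for v in str(value).split(",") if v.strip()]
            if not 0 < len(items) <= 10:
                raise ValueError(f"{name}: 1 to 10 entries allowed, got {len(items)}")
            if name in ENUMS and set(items) - ENUMS[name]:
                raise ValueError(f"{name}: unknown values {sorted(set(items) - ENUMS[name])}")
            query[name] = items
        elif name in ("from_accepted_date_time", "to_accepted_date_time"):
            query[name] = _checked_time(name, value)
        elif name == "last_modified_date_time":
            m = LAST_MODIFIED.match(value)
            if not m:
                raise ValueError(f"{name}: value must start with one of > < >= <=")
            query[name] = m.group(1) + _checked_time(name, m.group(2))
        elif name == "size":
            if not 1 <= int(value) <= 300:
                raise ValueError(f"size: valid range is 1-300, got {value}")
            query[name] = int(value)
        elif name == "has_attachments":
            query[name] = str(value).lower() == "true"
    if ("from_accepted_date_time" in query) != ("to_accepted_date_time" in query):
        raise ValueError("specify both From and To Accepted Date Time to set the range")
    query.setdefault("size", 20)
    return query
```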

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List Of Messages
{
  "result": {
    "attributes": {
      "acceptedDateTime": "2021-05-29T00:00:00.000",
      "countryCode": "us",
      "domain": "nobody.cl",
      "downStreamMsgID": "250 2.0.0 OK  16246404 q17409745pgm.113 - gsmtp",
      "emailSize": 72.45,
      "lastModifiedDateTime": "2021-05-29T00:00:04.331",
      "originalMessageID": "<[email protected]>",
      "recipientHeader": [
        "<[email protected]>"
      ],
      "recipientSMTP": [
        "[email protected]"
      ],
      "senderHeader": "Peixe - Gran Santiago <[email protected]>",
      "senderSMTP": "[email protected]",
      "senderIP": "2.2.2.2",
      "status": "delivered",
      "subject": "¡Te prs del mes! 🌟",
      "verdicts": {
        "AS": "",
        "AV": "",
        "AT": "pass",
        "PV": "pass",
        "YARA": "pass",
        "ActionYARA": "no match"
      }
    },
    "included": [
      {
        "type": "domain",
        "attributes": {
          "name": "bci.cl"
        }
      }
    ],
    "id": "7B06a320f452",
    "type": "trace"
  },
  "error": null,
  "has_error": false
}
