FireEye ETP
Version: 2.0.0
FireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks.
Connect FireEye ETP with LogicHub
- Navigate to Automations > Integrations.
- Search for FireEye ETP.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- Server URL: Server URL to access FireEye ETP, Default is https://etp.us.fireeye.com.
- API Key: API Key to access FireEye ETP.
Actions for FireEye ETP
Get Alert
Get details of alert.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Jinja-templated text containing the alert id. Example: {{alert_id_column}}. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Alert Details
{
"result": {
"attributes": {
"meta": {
"read": false,
"last_modified_on": "2021-03-30T14:58:08.376",
"legacy_id": 1978122,
"acknowledged": false
},
"ati": {},
"alert": {
"product": "ETP",
"alert_type": [
"at"
],
"severity": "majr",
"ack": "no",
"malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
"explanation": {
"analysis": "binary",
"anomaly": "",
"cnc_services": {},
"malware_detected": {
"malware": [
{
"domain": "aviautation.com",
"downloaded_at": "2021-03-30T14:58:01Z",
"executed_at": "2021-03-30T14:58:02Z",
"md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
"name": "PhTI.URL",
"sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
"stype": "34",
"submitted_at": "2021-03-30T14:57:59Z",
"type": "url"
}
]
},
"os_changes": [],
"protocol": "",
"timestamp": "2021-03-30T14:58:02Z"
},
"timestamp": "2021-03-30T14:58:03.651",
"action": "notified",
"name": "malware-object"
},
"email": {
"status": "quarantined",
"source_ip": "2.2.2.2",
"smtp": {
"rcpt_to": "[email protected]",
"mail_from": "[email protected]"
},
"etp_message_id": "824B3268ee6db92",
"headers": {
"cc": "",
"to": "[email protected]",
"from": "<[email protected]>",
"subject": "Aumentalinea de credito en 3 simples pasos - ( 803082 )"
},
"attachment": "hxxp://nobody.com/nobody.php",
"timestamp": {
"accepted": "2021-03-30T14:57:55"
}
}
},
"id": "P8-kg3gBz5rVSh6"
},
"error": null,
"has_error": false
}
Get Alerts
Get a list of alerts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Legacy ID | Jinja-templated text containing the Alert ID as shown in ETP Web Portal. Example: {{legacy_id_column}}. | Optional |
| From Last Modified On | Jinja-templated text containing the datetime in yyy-mm-ddThh:mm:ss.fff format. Default last 90 days. Example: {{from_last_modified_on_column}}. | Optional |
| Message ID | Jinja-templated text containing the email message id. Example: {{message_id_column}}. | Optional |
| Size | Jinja-templated text containing the number of alerts intended in response. (Default is 20 alerts, Valid range 1-200). Example: {{size_column}}. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List Of Alerts
{
"result": {
"attributes": {
"meta": {
"read": false,
"last_modified_on": "2021-03-30T14:58:08.376",
"legacy_id": 1978122,
"acknowledged": false
},
"ati": {},
"alert": {
"product": "ETP",
"alert_type": [
"at"
],
"severity": "majr",
"ack": "no",
"malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
"explanation": {
"analysis": "binary",
"anomaly": "",
"cnc_services": {},
"malware_detected": {
"malware": [
{
"domain": "aviautation.com",
"downloaded_at": "2021-03-30T14:58:01Z",
"executed_at": "2021-03-30T14:58:02Z",
"md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
"name": "PhTI.URL",
"sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
"stype": "34",
"submitted_at": "2021-03-30T14:57:59Z",
"type": "url"
}
]
},
"os_changes": [],
"protocol": "",
"timestamp": "2021-03-30T14:58:02Z"
},
"timestamp": "2021-03-30T14:58:03.651",
"action": "notified",
"name": "malware-object"
},
"email": {
"status": "quarantined",
"source_ip": "2.2.2.2",
"smtp": {
"rcpt_to": "[email protected]",
"mail_from": "[email protected]"
},
"etp_message_id": "824B3268ee6db92",
"headers": {
"cc": "",
"to": "[email protected]",
"from": "<[email protected]>",
"subject": "Aumentalinea de credito en 3 simples pasos - ( 803082 )"
},
"attachment": "hxxp://nobody.com/nobody.php",
"timestamp": {
"accepted": "2021-03-30T14:57:55"
}
}
},
"id": "P8-kg3gBz5rVSh6"
},
"error": null,
"has_error": false
}
Get Message
Get details of alert.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Message ID | Jinja-templated text containing the message id. Example: {{alert_id_column}}. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Message Details
{
"result": {
"attributes": {
"acceptedDateTime": "2021-05-29T00:00:00.000",
"countryCode": "us",
"domain": "nobody.cl",
"downStreamMsgID": "250 2.0.0 OK 16246404 q17409745pgm.113 - gsmtp",
"emailSize": 72.45,
"lastModifiedDateTime": "2021-05-29T00:00:04.331",
"originalMessageID": "<[email protected]>",
"recipientHeader": [
"<[email protected]>"
],
"recipientSMTP": [
"[email protected]"
],
"senderHeader": "Peixe - Gran Santiago <[email protected]>",
"senderSMTP": "[email protected]",
"senderIP": "2.2.2.2",
"status": "delivered",
"subject": "¡Te prs del mes! 🌟",
"verdicts": {
"AS": "",
"AV": "",
"AT": "pass",
"PV": "pass",
"YARA": "pass",
"ActionYARA": "no match"
}
},
"included": [
{
"type": "domain",
"attributes": {
"name": "bci.cl"
}
}
],
"id": "7B06a320f452",
"type": "trace"
},
"error": null,
"has_error": false
}
Get Message
Get details of message.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| From Email | Jinja-templated text containing the list of 'From' email-addresses, Max limit of entries is 10. Example: {{from_email1_column}}, {{from_email2_column}}. | Optional |
| From Email Not In | Jinja-templated text containing the list of 'From' email-addresses not to be included, Max limit of entries is 10. Example: {{from_email_not_in1_column}}, {{from_email_not_in2_column}}. | Optional |
| Recipients | Jinja-templated text containing the list of 'To'/'Cc' email-addresse, Max limit of entries is 10. Example: {{recipient1_column}}, {{recipient2_column}}. | Optional |
| Recipients Not In | Jinja-templated text containing the list of 'To'/'Cc' email-addresses not to be included, Max limit of entries is 10. Example: {{recipients_not_in1_column}}, {{recipients_not_in2_column}}. | Optional |
| Subject | Jinja-templated text containing the list of strings, Max limit of entries is 10. Example: {{subject1_column}}, {{subject2_column}}. | Optional |
| From Accepted Date Time | Jinja-templated text containing the The time stamp of the email-accepted date to specify the beginning of the date range to search (format: 2017-10- 24T10:48:51.000Z). Specify 'To Accepted Date Time' as well to set the complete date range for the search. Example: {{from_accepted_date_time_column}}. | Optional |
| To Accepted Date Time | Jinja-templated text containing the The time stamp of the email-accepted date to specify the end of the date range to search (format: 2017-10- 24T10:48:51.000Z). Specify 'From Accepted Date Time' as well to set the complete date range for the search. Example: {{to_accepted_date_time_column}}. | Optional |
| Rejection Reason | Jinja-templated text containing the list of ETP rejection reason codes ( "ETP102", "ETP103", "ETP104", "ETP200", "ETP201", "ETP203", "ETP204", "ETP205", "ETP300", "ETP301", "ETP302", "ETP401", "ETP402", "ETP403", "ETP404", "ETP405") . Example: {{rejection_reason1_column}}, {{rejection_reason2_column}}. | Optional |
| Sender IP | Jinja-templated text containing the list of sender IP addresses, max limit of entries is 10. Example: {{sender_ip1_column}}, {{sender_ip2_column}}. | Optional |
| Status | Jinja-templated text containing the list of email status values( "accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure"). Example: {{status1_column}}, {{status2_column}}. | Optional |
| Status Not In | Jinja-templated text containing the list of email status values not to include( "accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure"). Example: {{status_not_in1_column}}, {{status_not_in2_column}}. | Optional |
| Last Modified Date Time | Jinja-templated text containing the date corresponding to last modified date, along with one of the following operators: ">", "<", ">=", "<=". Example, use value "<2017-10-24T18:00:00.000Z" to search for messages that were last modified after the specified time stamp. Example: {{last_modified_date_time_column}}. | Optional |
| Domain | Jinja-templated text containing the list of domain names. Example: {{domain1_column}}, {{domain2_column}}. | Optional |
| Has Attachments | Boolean value to indicate if the message has attachments (Default is True). | Optional |
| Size | Jinja-templated text containing the message size (Default is 20 and maximum is 300). Example: {{size_column}}. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List Of Messages
{
"result": {
"attributes": {
"acceptedDateTime": "2021-05-29T00:00:00.000",
"countryCode": "us",
"domain": "nobody.cl",
"downStreamMsgID": "250 2.0.0 OK 16246404 q17409745pgm.113 - gsmtp",
"emailSize": 72.45,
"lastModifiedDateTime": "2021-05-29T00:00:04.331",
"originalMessageID": "<[email protected]>",
"recipientHeader": [
"<[email protected]>"
],
"recipientSMTP": [
"[email protected]"
],
"senderHeader": "Peixe - Gran Santiago <[email protected]>",
"senderSMTP": "[email protected]",
"senderIP": "2.2.2.2",
"status": "delivered",
"subject": "¡Te prs del mes! 🌟",
"verdicts": {
"AS": "",
"AV": "",
"AT": "pass",
"PV": "pass",
"YARA": "pass",
"ActionYARA": "no match"
}
},
"included": [
{
"type": "domain",
"attributes": {
"name": "bci.cl"
}
}
],
"id": "7B06a320f452",
"type": "trace"
},
"error": null,
"has_error": false
}
Release Notes
v2.0.0- Updated architecture to support IO via filesystem
Updated about 1 year ago