FireEye ETP

Version: 2.0.0

FireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks.

Connect FireEye ETP with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for FireEye ETP.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Server URL: Server URL to access FireEye ETP. Default is https://etp.us.fireeye.com.
    • API Key: API Key to access FireEye ETP.

Actions for FireEye ETP

Get Alert

Get details of alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Alert ID | Jinja-templated text containing the alert id. Example: {{alert_id_column}}. | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Alert Details
{
  "result": {
    "attributes": {
      "meta": {
        "read": false,
        "last_modified_on": "2021-03-30T14:58:08.376",
        "legacy_id": 1978122,
        "acknowledged": false
      },
      "ati": {},
      "alert": {
        "product": "ETP",
        "alert_type": [
          "at"
        ],
        "severity": "majr",
        "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "analysis": "binary",
          "anomaly": "",
          "cnc_services": {},
          "malware_detected": {
            "malware": [
              {
                "domain": "aviautation.com",
                "downloaded_at": "2021-03-30T14:58:01Z",
                "executed_at": "2021-03-30T14:58:02Z",
                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                "name": "PhTI.URL",
                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                "stype": "34",
                "submitted_at": "2021-03-30T14:57:59Z",
                "type": "url"
              }
            ]
          },
          "os_changes": [],
          "protocol": "",
          "timestamp": "2021-03-30T14:58:02Z"
        },
        "timestamp": "2021-03-30T14:58:03.651",
        "action": "notified",
        "name": "malware-object"
      },
      "email": {
        "status": "quarantined",
        "source_ip": "2.2.2.2",
        "smtp": {
          "rcpt_to": "[email protected]",
          "mail_from": "[email protected]"
        },
        "etp_message_id": "824B3268ee6db92",
        "headers": {
          "cc": "",
          "to": "[email protected]",
          "from": "<[email protected]>",
          "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082  )"
        },
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {
          "accepted": "2021-03-30T14:57:55"
        }
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}
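
A playbook step usually needs only a few fields from this nested output. The following added example (not part of the LogicHub documentation or the integration's own code) flattens one Get Alert row into a triage record and tolerates missing keys; the sample row is constructed with placeholder values, and the assumption that email.status uses the status values listed for the message search action is this example's own.

```python
import json

# Constructed sample: same shape as the Get Alert output above, placeholder values.
SAMPLE_ROW = json.loads("""
{"result": {"id": "EXAMPLE-ID", "attributes": {
   "meta": {"legacy_id": 1, "acknowledged": false},
   "alert": {"severity": "majr", "explanation": {"malware_detected": {"malware": [
       {"name": "Example.URL", "type": "url", "domain": "example.test",
        "sha256": "SHA256-PLACEHOLDER"}]}}},
   "email": {"status": "delivered", "source_ip": "192.0.2.10",
             "headers": {"subject": "constructed subject"},
             "attachment": "hxxp://example.test/a.php"}}},
 "error": null, "has_error": false}
""")

# Assumption: email.status in an alert uses the status values listed for message search.
REACHED_MAILBOX = {"delivered", "delivered (retroactive)"}


def _get(obj, *path, default=None):
    """Walk nested dicts; return default when a key is missing or a level is not a dict."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def summarize_alert(row):
    """Flatten one Get Alert output row into a triage record."""
    if row.get("has_error"):
        return {"ok": False, "error": row.get("error")}
    attrs = _get(row, "result", "attributes") or {}
    malware = _get(attrs, "alert", "explanation", "malware_detected", "malware") or []
    status = _get(attrs, "email", "status")
    return {
        "ok": True,
        "alert_id": _get(row, "result", "id"),
        "legacy_id": _get(attrs, "meta", "legacy_id"),
        "severity": _get(attrs, "alert", "severity"),
        "email_status": status,
        "source_ip": _get(attrs, "email", "source_ip"),
        "subject": _get(attrs, "email", "headers", "subject"),
        "attachment": _get(attrs, "email", "attachment"),
        "indicators": [{k: m.get(k) for k in ("type", "name", "domain", "sha256")}
                       for m in malware if isinstance(m, dict)],
        "acknowledged": bool(_get(attrs, "meta", "acknowledged", default=False)),
        "reached_mailbox": status in REACHED_MAILBOX,
    }
```

The attachment value is passed through unchanged, so a defanged URL such as the hxxp form in the sample output stays defanged downstream.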

Get Alerts

Get a list of alerts.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Legacy ID | Jinja-templated text containing the Alert ID as shown in the ETP Web Portal. Example: {{legacy_id_column}}. | Optional
From Last Modified On | Jinja-templated text containing the datetime in yyyy-mm-ddThh:mm:ss.fff format. Default is the last 90 days. Example: {{from_last_modified_on_column}}. | Optional
Message ID | Jinja-templated text containing the email message id. Example: {{message_id_column}}. | Optional
Size | Jinja-templated text containing the number of alerts intended in the response (default is 20 alerts, valid range 1-200). Example: {{size_column}}. | Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List Of Alerts
{
  "result": {
    "attributes": {
      "meta": {
        "read": false,
        "last_modified_on": "2021-03-30T14:58:08.376",
        "legacy_id": 1978122,
        "acknowledged": false
      },
      "ati": {},
      "alert": {
        "product": "ETP",
        "alert_type": [
          "at"
        ],
        "severity": "majr",
        "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "analysis": "binary",
          "anomaly": "",
          "cnc_services": {},
          "malware_detected": {
            "malware": [
              {
                "domain": "aviautation.com",
                "downloaded_at": "2021-03-30T14:58:01Z",
                "executed_at": "2021-03-30T14:58:02Z",
                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                "name": "PhTI.URL",
                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                "stype": "34",
                "submitted_at": "2021-03-30T14:57:59Z",
                "type": "url"
              }
            ]
          },
          "os_changes": [],
          "protocol": "",
          "timestamp": "2021-03-30T14:58:02Z"
        },
        "timestamp": "2021-03-30T14:58:03.651",
        "action": "notified",
        "name": "malware-object"
      },
      "email": {
        "status": "quarantined",
        "source_ip": "2.2.2.2",
        "smtp": {
          "rcpt_to": "[email protected]",
          "mail_from": "[email protected]"
        },
        "etp_message_id": "824B3268ee6db92",
        "headers": {
          "cc": "",
          "to": "[email protected]",
          "from": "<[email protected]>",
          "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082  )"
        },
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {
          "accepted": "2021-03-30T14:57:55"
        }
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}

Get Message

Get details of alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Message ID | Jinja-templated text containing the message id. Example: {{alert_id_column}}. | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Message Details
{
  "result": {
    "attributes": {
      "acceptedDateTime": "2021-05-29T00:00:00.000",
      "countryCode": "us",
      "domain": "nobody.cl",
      "downStreamMsgID": "250 2.0.0 OK  16246404 q17409745pgm.113 - gsmtp",
      "emailSize": 72.45,
      "lastModifiedDateTime": "2021-05-29T00:00:04.331",
      "originalMessageID": "<[email protected]>",
      "recipientHeader": [
        "<[email protected]>"
      ],
      "recipientSMTP": [
        "[email protected]"
      ],
      "senderHeader": "Peixe - Gran Santiago <[email protected]>",
      "senderSMTP": "[email protected]",
      "senderIP": "2.2.2.2",
      "status": "delivered",
      "subject": "¡Te prs del mes! 🌟",
      "verdicts": {
        "AS": "",
        "AV": "",
        "AT": "pass",
        "PV": "pass",
        "YARA": "pass",
        "ActionYARA": "no match"
      }
    },
    "included": [
      {
        "type": "domain",
        "attributes": {
          "name": "bci.cl"
        }
      }
    ],
    "id": "7B06a320f452",
    "type": "trace"
  },
  "error": null,
  "has_error": false
}

Get Message

Get details of message.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
From Email | Jinja-templated text containing the list of 'From' email addresses. Max limit of entries is 10. Example: {{from_email1_column}}, {{from_email2_column}}. | Optional
From Email Not In | Jinja-templated text containing the list of 'From' email addresses not to be included. Max limit of entries is 10. Example: {{from_email_not_in1_column}}, {{from_email_not_in2_column}}. | Optional
Recipients | Jinja-templated text containing the list of 'To'/'Cc' email addresses. Max limit of entries is 10. Example: {{recipient1_column}}, {{recipient2_column}}. | Optional
Recipients Not In | Jinja-templated text containing the list of 'To'/'Cc' email addresses not to be included. Max limit of entries is 10. Example: {{recipients_not_in1_column}}, {{recipients_not_in2_column}}. | Optional
Subject | Jinja-templated text containing the list of strings. Max limit of entries is 10. Example: {{subject1_column}}, {{subject2_column}}. | Optional
From Accepted Date Time | Jinja-templated text containing the time stamp of the email-accepted date to specify the beginning of the date range to search (format: 2017-10-24T10:48:51.000Z). Specify 'To Accepted Date Time' as well to set the complete date range for the search. Example: {{from_accepted_date_time_column}}. | Optional
To Accepted Date Time | Jinja-templated text containing the time stamp of the email-accepted date to specify the end of the date range to search (format: 2017-10-24T10:48:51.000Z). Specify 'From Accepted Date Time' as well to set the complete date range for the search. Example: {{to_accepted_date_time_column}}. | Optional
Rejection Reason | Jinja-templated text containing the list of ETP rejection reason codes ("ETP102", "ETP103", "ETP104", "ETP200", "ETP201", "ETP203", "ETP204", "ETP205", "ETP300", "ETP301", "ETP302", "ETP401", "ETP402", "ETP403", "ETP404", "ETP405"). Example: {{rejection_reason1_column}}, {{rejection_reason2_column}}. | Optional
Sender IP | Jinja-templated text containing the list of sender IP addresses. Max limit of entries is 10. Example: {{sender_ip1_column}}, {{sender_ip2_column}}. | Optional
Status | Jinja-templated text containing the list of email status values ("accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure"). Example: {{status1_column}}, {{status2_column}}. | Optional
Status Not In | Jinja-templated text containing the list of email status values not to include ("accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure"). Example: {{status_not_in1_column}}, {{status_not_in2_column}}. | Optional
Last Modified Date Time | Jinja-templated text containing the date corresponding to the last modified date, along with one of the following operators: ">", "<", ">=", "<=". For example, use the value "<2017-10-24T18:00:00.000Z" to search for messages that were last modified after the specified time stamp. Example: {{last_modified_date_time_column}}. | Optional
Domain | Jinja-templated text containing the list of domain names. Example: {{domain1_column}}, {{domain2_column}}. | Optional
Has Attachments | Boolean value to indicate if the message has attachments (default is True). | Optional
Size | Jinja-templated text containing the message size (default is 20 and maximum is 300). Example: {{size_column}}. | Optional
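
The limits in the table above can be checked before the action runs, so a malformed filter fails in the playbook rather than at the API. This is an added example, not LogicHub's or FireEye's code: the snake_case keys are hypothetical names for the inputs, the minimum size of 1 is an assumption, and treating a one-sided accepted-date range as an error is this example's choice.

```python
import ipaddress
import re
from datetime import datetime

# Allowed values copied from the input table above.
STATUSES = {"accepted", "deleted", "delivered", "delivered (retroactive)", "dropped",
            "dropped oob", "dropped (oob retroactive)", "permanent failure",
            "processing", "quarantined", "rejected", "temporary failure"}
REJECTION_CODES = {f"ETP{n}" for n in (102, 103, 104, 200, 201, 203, 204, 205,
                                       300, 301, 302, 401, 402, 403, 404, 405)}
# Hypothetical keys for the inputs documented with a 10-entry limit.
MAX_10 = ("from_email", "from_email_not_in", "recipients",
          "recipients_not_in", "subject", "sender_ip")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # e.g. 2017-10-24T10:48:51.000Z
OPERATOR_TS = re.compile(r"^(>=|<=|>|<)(.+)$")

def _is_ts(text):
    try:
        datetime.strptime(text, TS_FORMAT)
        return True
    except ValueError:
        return False

def validate_message_search(q):
    """Return a list of problems found in a dict of search filters (empty if none)."""
    errors = [f"{k}: more than 10 entries" for k in MAX_10 if len(q.get(k, [])) > 10]
    for ip in q.get("sender_ip", []):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"sender_ip: {ip!r} is not an IP address")
    for key, allowed in (("status", STATUSES), ("status_not_in", STATUSES),
                         ("rejection_reason", REJECTION_CODES)):
        errors += [f"{key}: unknown value {v!r}" for v in q.get(key, []) if v not in allowed]
    start, end = q.get("from_accepted_date_time"), q.get("to_accepted_date_time")
    if (start is None) != (end is None):
        errors.append("accepted date range: set both from and to")
    for key, ts in (("from_accepted_date_time", start), ("to_accepted_date_time", end)):
        if ts is not None and not _is_ts(ts):
            errors.append(f"{key}: expected format like 2017-10-24T10:48:51.000Z")
    last_mod = q.get("last_modified_date_time")
    if last_mod is not None:
        m = OPERATOR_TS.match(last_mod)
        if not m or not _is_ts(m.group(2)):
            errors.append("last_modified_date_time: expected operator plus timestamp")
    if not 1 <= int(q.get("size", 20)) <= 300:
        errors.append("size: must be between 1 and 300")
    return errors
```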

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List Of Messages
{
  "result": {
    "attributes": {
      "acceptedDateTime": "2021-05-29T00:00:00.000",
      "countryCode": "us",
      "domain": "nobody.cl",
      "downStreamMsgID": "250 2.0.0 OK  16246404 q17409745pgm.113 - gsmtp",
      "emailSize": 72.45,
      "lastModifiedDateTime": "2021-05-29T00:00:04.331",
      "originalMessageID": "<[email protected]>",
      "recipientHeader": [
        "<[email protected]>"
      ],
      "recipientSMTP": [
        "[email protected]"
      ],
      "senderHeader": "Peixe - Gran Santiago <[email protected]>",
      "senderSMTP": "[email protected]",
      "senderIP": "2.2.2.2",
      "status": "delivered",
      "subject": "¡Te prs del mes! 🌟",
      "verdicts": {
        "AS": "",
        "AV": "",
        "AT": "pass",
        "PV": "pass",
        "YARA": "pass",
        "ActionYARA": "no match"
      }
    },
    "included": [
      {
        "type": "domain",
        "attributes": {
          "name": "bci.cl"
        }
      }
    ],
    "id": "7B06a320f452",
    "type": "trace"
  },
  "error": null,
  "has_error": false
}

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

© 2017-2021 LogicHub®. All Rights Reserved.