FireEye ETP

FireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks.

Integration with LogicHub

Connecting with FireEye ETP

To connect to FireEye ETP, the following details are required:

Actions with FireEye ETP

Get Alert

Get details of an alert.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Jinja Template Alert ID: Jinja-templated text containing the alert id. Example: {{alert_id_column}}.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Alert Details
{
  "result": {
    "attributes": {
      "meta": {
        "read": false,
        "last_modified_on": "2021-03-30T14:58:08.376",
        "legacy_id": 1978122,
        "acknowledged": false
      },
      "ati": {},
      "alert": {
        "product": "ETP",
        "alert_type": [
          "at"
        ],
        "severity": "majr",
        "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "analysis": "binary",
          "anomaly": "",
          "cnc_services": {},
          "malware_detected": {
            "malware": [
              {
                "domain": "aviautation.com",
                "downloaded_at": "2021-03-30T14:58:01Z",
                "executed_at": "2021-03-30T14:58:02Z",
                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                "name": "PhTI.URL",
                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                "stype": "34",
                "submitted_at": "2021-03-30T14:57:59Z",
                "type": "url"
              }
            ]
          },
          "os_changes": [],
          "protocol": "",
          "timestamp": "2021-03-30T14:58:02Z"
        },
        "timestamp": "2021-03-30T14:58:03.651",
        "action": "notified",
        "name": "malware-object"
      },
      "email": {
        "status": "quarantined",
        "source_ip": "2.2.2.2",
        "smtp": {
          "rcpt_to": "[email protected]",
          "mail_from": "[email protected]"
        },
        "etp_message_id": "824B3268ee6db92",
        "headers": {
          "cc": "",
          "to": "[email protected]",
          "from": "<[email protected]>",
          "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082  )"
        },
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {
          "accepted": "2021-03-30T14:57:55"
        }
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}

Get Alerts

Get a list of alerts.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Jinja Template Legacy ID (Optional): Jinja-templated text containing the Alert ID as shown in the ETP Web Portal. Example: {{legacy_id_column}}.
  • Jinja Template From Last Modified On (Optional): Jinja-templated text containing the datetime in yyyy-mm-ddThh:mm:ss.fff format. Default is the last 90 days. Example: {{from_last_modified_on_column}}.
  • Jinja Template Message ID (Optional): Jinja-templated text containing the email message id. Example: {{message_id_column}}.
  • Jinja Template Size (Optional): Jinja-templated text containing the number of alerts intended in the response (default is 20 alerts, valid range 1-200). Example: {{size_column}}.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List Of Alerts
{
  "result": {
    "attributes": {
      "meta": {
        "read": false,
        "last_modified_on": "2021-03-30T14:58:08.376",
        "legacy_id": 1978122,
        "acknowledged": false
      },
      "ati": {},
      "alert": {
        "product": "ETP",
        "alert_type": [
          "at"
        ],
        "severity": "majr",
        "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "analysis": "binary",
          "anomaly": "",
          "cnc_services": {},
          "malware_detected": {
            "malware": [
              {
                "domain": "aviautation.com",
                "downloaded_at": "2021-03-30T14:58:01Z",
                "executed_at": "2021-03-30T14:58:02Z",
                "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
                "name": "PhTI.URL",
                "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
                "stype": "34",
                "submitted_at": "2021-03-30T14:57:59Z",
                "type": "url"
              }
            ]
          },
          "os_changes": [],
          "protocol": "",
          "timestamp": "2021-03-30T14:58:02Z"
        },
        "timestamp": "2021-03-30T14:58:03.651",
        "action": "notified",
        "name": "malware-object"
      },
      "email": {
        "status": "quarantined",
        "source_ip": "2.2.2.2",
        "smtp": {
          "rcpt_to": "[email protected]",
          "mail_from": "[email protected]"
        },
        "etp_message_id": "824B3268ee6db92",
        "headers": {
          "cc": "",
          "to": "[email protected]",
          "from": "<[email protected]>",
          "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082  )"
        },
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {
          "accepted": "2021-03-30T14:57:55"
        }
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}
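The Get Alert and Get Alerts outputs above share one schema, and a playbook step usually needs a handful of fields from it (who the mail went to, whether ETP contained it, which hashes and domains to pivot on). The following is an added example, not LogicHub or FireEye code: it flattens that envelope into triage records and checks has_error first so an error envelope is never mistaken for "no alerts". The sample input is constructed from the page's documented shape with made-up mailbox addresses; accepting a list under result (for Get Alerts) and the set of statuses treated as "contained" are this example's assumptions.

```python
import json

# Constructed sample in the shape of the Get Alert output documented above
# (same placeholder values as the page; mailbox addresses are made up).
SAMPLE_ALERT_OUTPUT = json.loads(r'''
{
  "result": {
    "attributes": {
      "meta": {"read": false, "last_modified_on": "2021-03-30T14:58:08.376",
               "legacy_id": 1978122, "acknowledged": false},
      "alert": {
        "product": "ETP", "severity": "majr", "ack": "no",
        "malware_md5": "5bb5e69769c02b0fbbfa5ea0e23b2c",
        "explanation": {
          "malware_detected": {"malware": [{
            "domain": "aviautation.com",
            "md5sum": "5bb5ead697c02b0fbbfa5ea0e23b2c",
            "name": "PhTI.URL",
            "sha256": "7e5844076023e0433f3c8e483b043cae73a384173f888602f2e5af",
            "stype": "34", "type": "url"}]}
        },
        "timestamp": "2021-03-30T14:58:03.651", "action": "notified", "name": "malware-object"
      },
      "email": {
        "status": "quarantined", "source_ip": "2.2.2.2",
        "smtp": {"rcpt_to": "user@example.com", "mail_from": "sender@example.net"},
        "etp_message_id": "824B3268ee6db92",
        "headers": {"to": "user@example.com", "from": "<sender@example.net>",
                    "subject": "Aumentalinea de credito en 3 simples pasos - ( 803082  )"},
        "attachment": "hxxp://nobody.com/nobody.php",
        "timestamp": {"accepted": "2021-03-30T14:57:55"}
      }
    },
    "id": "P8-kg3gBz5rVSh6"
  },
  "error": null,
  "has_error": false
}
''')

# Email statuses (taken from the Get Messages status list on this page) that mean
# the message did not reach a mailbox. Which statuses count as "contained" is this
# example's assumption, not an ETP definition.
CONTAINED_STATUSES = {"quarantined", "dropped", "dropped oob",
                      "dropped (oob retroactive)", "rejected", "deleted"}


def summarize_alerts(action_output):
    """Flatten a Get Alert / Get Alerts output into one triage record per alert.

    Raises RuntimeError when has_error is set, so a playbook branches on the
    failure explicitly instead of treating an error envelope as an empty result.
    """
    if action_output.get("has_error"):
        raise RuntimeError(f"ETP action failed: {action_output.get('error')}")
    result = action_output.get("result")
    # Get Alert returns one object; a list is accepted too so the same step can
    # serve Get Alerts (assumption about the list shape).
    alerts = result if isinstance(result, list) else [result]
    records = []
    for alert in alerts:
        attrs = alert.get("attributes", {})
        meta, detail, email = attrs.get("meta", {}), attrs.get("alert", {}), attrs.get("email", {})
        malware = detail.get("explanation", {}).get("malware_detected", {}).get("malware", [])
        # Collect hashes and domains for blocklist / hunting pivots.
        indicators = {detail["malware_md5"]} if detail.get("malware_md5") else set()
        for m in malware:
            for key in ("md5sum", "sha256", "domain"):
                if m.get(key):
                    indicators.add(m[key])
        status = email.get("status")
        records.append({
            "alert_id": alert.get("id"),
            "legacy_id": meta.get("legacy_id"),
            "acknowledged": meta.get("acknowledged"),
            "severity": detail.get("severity"),
            "alert_name": detail.get("name"),
            "action": detail.get("action"),
            "email_status": status,
            "message_contained": status in CONTAINED_STATUSES,
            "etp_message_id": email.get("etp_message_id"),
            "source_ip": email.get("source_ip"),
            "mail_from": email.get("smtp", {}).get("mail_from"),
            "rcpt_to": email.get("smtp", {}).get("rcpt_to"),
            "subject": email.get("headers", {}).get("subject"),
            "attachment": email.get("attachment"),
            "indicators": sorted(indicators),
        })
    return records


def needs_follow_up(record):
    """True when the mail may have reached the user and nobody has acknowledged the alert."""
    return not record["message_contained"] and not record["acknowledged"]


if __name__ == "__main__":
    for rec in summarize_alerts(SAMPLE_ALERT_OUTPUT):
        print(rec["legacy_id"], rec["severity"], rec["email_status"], rec["indicators"])
```

The record keeps both the alert's own malware_md5 and the per-sample md5sum, because in the documented output they differ; a step that only took one of them would miss an indicator.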

Get Message

Get details of a message.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Jinja Template Message ID: Jinja-templated text containing the message id. Example: {{message_id_column}}.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Message Details
{
  "result": {
    "attributes": {
      "acceptedDateTime": "2021-05-29T00:00:00.000",
      "countryCode": "us",
      "domain": "nobody.cl",
      "downStreamMsgID": "250 2.0.0 OK  16246404 q17409745pgm.113 - gsmtp",
      "emailSize": 72.45,
      "lastModifiedDateTime": "2021-05-29T00:00:04.331",
      "originalMessageID": "<[email protected]>",
      "recipientHeader": [
        "<[email protected]>"
      ],
      "recipientSMTP": [
        "[email protected]"
      ],
      "senderHeader": "Peixe - Gran Santiago <[email protected]>",
      "senderSMTP": "[email protected]",
      "senderIP": "2.2.2.2",
      "status": "delivered",
      "subject": "¡Te prs del mes! 🌟",
      "verdicts": {
        "AS": "",
        "AV": "",
        "AT": "pass",
        "PV": "pass",
        "YARA": "pass",
        "ActionYARA": "no match"
      }
    },
    "included": [
      {
        "type": "domain",
        "attributes": {
          "name": "bci.cl"
        }
      }
    ],
    "id": "7B06a320f452",
    "type": "trace"
  },
  "error": null,
  "has_error": false
}

Get Messages

Get a list of messages.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Jinja Template From Email (Optional): Jinja-templated text containing the list of 'From' email addresses. Max limit of entries is 10. Example: {{from_email1_column}}, {{from_email2_column}}.
  • Jinja Template From Email Not In (Optional): Jinja-templated text containing the list of 'From' email addresses not to be included. Max limit of entries is 10. Example: {{from_email_not_in1_column}}, {{from_email_not_in2_column}}.
  • Jinja Template Recipients (Optional): Jinja-templated text containing the list of 'To'/'Cc' email addresses. Max limit of entries is 10. Example: {{recipient1_column}}, {{recipient2_column}}.
  • Jinja Template Recipients Not In (Optional): Jinja-templated text containing the list of 'To'/'Cc' email addresses not to be included. Max limit of entries is 10. Example: {{recipients_not_in1_column}}, {{recipients_not_in2_column}}.
  • Jinja Template Subject (Optional): Jinja-templated text containing the list of subject strings. Max limit of entries is 10. Example: {{subject1_column}}, {{subject2_column}}.
  • Jinja Template From Accepted Date Time (Optional): Jinja-templated text containing the time stamp of the email-accepted date that begins the date range to search (format: 2017-10-24T10:48:51.000Z). Specify 'To Accepted Date Time' as well to set the complete date range for the search. Example: {{from_accepted_date_time_column}}.
  • Jinja Template To Accepted Date Time (Optional): Jinja-templated text containing the time stamp of the email-accepted date that ends the date range to search (format: 2017-10-24T10:48:51.000Z). Specify 'From Accepted Date Time' as well to set the complete date range for the search. Example: {{to_accepted_date_time_column}}.
  • Jinja Template Rejection Reason (Optional): Jinja-templated text containing the list of ETP rejection reason codes ("ETP102", "ETP103", "ETP104", "ETP200", "ETP201", "ETP203", "ETP204", "ETP205", "ETP300", "ETP301", "ETP302", "ETP401", "ETP402", "ETP403", "ETP404", "ETP405"). Example: {{rejection_reason1_column}}, {{rejection_reason2_column}}.
  • Jinja Template Sender IP (Optional): Jinja-templated text containing the list of sender IP addresses. Max limit of entries is 10. Example: {{sender_ip1_column}}, {{sender_ip2_column}}.
  • Jinja Template Status (Optional): Jinja-templated text containing the list of email status values ("accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure"). Example: {{status1_column}}, {{status2_column}}.
  • Jinja Template Status Not In (Optional): Jinja-templated text containing the list of email status values not to include ("accepted", "deleted", "delivered", "delivered (retroactive)", "dropped", "dropped oob", "dropped (oob retroactive)", "permanent failure", "processing", "quarantined", "rejected", "temporary failure"). Example: {{status_not_in1_column}}, {{status_not_in2_column}}.
  • Jinja Template Last Modified Date Time (Optional): Jinja-templated text containing the last-modified date, prefixed with one of the following operators: ">", "<", ">=", "<=". E.g. the value "<2017-10-24T18:00:00.000Z" matches messages last modified before that time stamp, and ">2017-10-24T18:00:00.000Z" matches those last modified after it. Example: {{last_modified_date_time_column}}.
  • Jinja Template Domain (Optional): Jinja-templated text containing the list of domain names. Example: {{domain1_column}}, {{domain2_column}}.
  • Has Attachments (Optional): Boolean value to indicate if the message has attachments (Default is True).
  • Jinja Template Size (Optional): Jinja-templated text containing the number of messages intended in the response (default is 20, maximum is 300). Example: {{size_column}}.
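The inputs above carry several limits (10 entries per list, a fixed status and rejection-reason vocabulary, an operator-prefixed last-modified value, size 1-300) that are easier to enforce before the action runs than to diagnose from an API error afterwards. The following is an added example, not LogicHub or FireEye code: it takes the rendered Jinja text for each input, checks it against the limits documented on this page and returns a normalised filter dict, raising ValueError on the first violation. Comma-separated rendering of list inputs, applying the 10-entry cap to every list input, and rejecting a half-specified accepted-date range are this example's assumptions; the function and parameter names are hypothetical.

```python
import ipaddress
import re

# Allowed values reproduced from the Get Messages input descriptions on this page.
STATUS_VALUES = {"accepted", "deleted", "delivered", "delivered (retroactive)", "dropped",
                 "dropped oob", "dropped (oob retroactive)", "permanent failure",
                 "processing", "quarantined", "rejected", "temporary failure"}
REJECTION_REASONS = {"ETP102", "ETP103", "ETP104", "ETP200", "ETP201", "ETP203", "ETP204",
                     "ETP205", "ETP300", "ETP301", "ETP302", "ETP401", "ETP402", "ETP403",
                     "ETP404", "ETP405"}
MAX_LIST_ENTRIES = 10           # "Max limit of entries is 10"
DEFAULT_SIZE, MAX_SIZE = 20, 300
# Timestamp format the action documents: 2017-10-24T10:48:51.000Z
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z")
# Last-modified filter: one of > < >= <= followed by such a timestamp.
LAST_MODIFIED_RE = re.compile(r"(>=|<=|>|<)(" + TIMESTAMP_RE.pattern + r")")


def _split_list(text, field):
    """Rendered Jinja text is treated as a comma-separated list (assumption);
    subjects containing commas would need a different separator."""
    items = [x.strip() for x in (text or "").split(",") if x.strip()]
    if len(items) > MAX_LIST_ENTRIES:
        raise ValueError(f"{field}: at most {MAX_LIST_ENTRIES} entries, got {len(items)}")
    return items


def build_message_filters(*, from_email="", from_email_not_in="", recipients="",
                          recipients_not_in="", subject="", from_accepted_date_time="",
                          to_accepted_date_time="", rejection_reason="", sender_ip="",
                          status="", status_not_in="", last_modified_date_time="",
                          domain="", has_attachments=True, size=""):
    """Validate rendered Get Messages inputs and return a dict of normalised filters."""
    filters = {}
    list_inputs = {"from_email": from_email, "from_email_not_in": from_email_not_in,
                   "recipients": recipients, "recipients_not_in": recipients_not_in,
                   "subject": subject, "rejection_reason": rejection_reason,
                   "sender_ip": sender_ip, "status": status,
                   "status_not_in": status_not_in, "domain": domain}
    for name, text in list_inputs.items():
        items = _split_list(text, name)
        if items:
            filters[name] = items
    # Vocabulary checks: a misspelt status silently matches nothing otherwise.
    for name in ("status", "status_not_in"):
        unknown = set(filters.get(name, [])) - STATUS_VALUES
        if unknown:
            raise ValueError(f"{name}: unknown status value(s) {sorted(unknown)}")
    unknown = set(filters.get("rejection_reason", [])) - REJECTION_REASONS
    if unknown:
        raise ValueError(f"rejection_reason: unknown code(s) {sorted(unknown)}")
    for ip in filters.get("sender_ip", []):
        ipaddress.ip_address(ip)        # raises ValueError on a malformed address
    # The page says to set both ends for a complete range; treating a
    # half-specified range as a caller error is this example's choice.
    if bool(from_accepted_date_time) != bool(to_accepted_date_time):
        raise ValueError("from/to accepted date time must be given together")
    for name, value in (("from_accepted_date_time", from_accepted_date_time),
                        ("to_accepted_date_time", to_accepted_date_time)):
        if value:
            if not TIMESTAMP_RE.fullmatch(value.strip()):
                raise ValueError(f"{name}: expected yyyy-mm-ddThh:mm:ss.fffZ, got {value!r}")
            filters[name] = value.strip()
    if last_modified_date_time:
        m = LAST_MODIFIED_RE.fullmatch(last_modified_date_time.strip())
        if not m:
            raise ValueError("last_modified_date_time: expected an operator "
                             f"(> < >= <=) followed by a timestamp, got {last_modified_date_time!r}")
        filters["last_modified_date_time"] = {"op": m.group(1), "at": m.group(2)}
    n = int(size) if str(size).strip() else DEFAULT_SIZE
    if not 1 <= n <= MAX_SIZE:
        raise ValueError(f"size: must be 1-{MAX_SIZE}, got {n}")
    filters["size"] = n
    filters["has_attachments"] = bool(has_attachments)
    return filters


if __name__ == "__main__":
    print(build_message_filters(recipients="user@example.com",
                                status="quarantined, rejected",
                                last_modified_date_time=">2017-10-24T18:00:00.000Z"))
```

Keeping the operator and timestamp separate in the returned dict lets a later step log exactly which window was queried, which is useful when a search comes back empty and the question is whether the filter or the data was at fault.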

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List Of Messages
{
  "result": {
    "attributes": {
      "acceptedDateTime": "2021-05-29T00:00:00.000",
      "countryCode": "us",
      "domain": "nobody.cl",
      "downStreamMsgID": "250 2.0.0 OK  16246404 q17409745pgm.113 - gsmtp",
      "emailSize": 72.45,
      "lastModifiedDateTime": "2021-05-29T00:00:04.331",
      "originalMessageID": "<[email protected]>",
      "recipientHeader": [
        "<[email protected]>"
      ],
      "recipientSMTP": [
        "[email protected]"
      ],
      "senderHeader": "Peixe - Gran Santiago <[email protected]>",
      "senderSMTP": "[email protected]",
      "senderIP": "2.2.2.2",
      "status": "delivered",
      "subject": "¡Te prs del mes! 🌟",
      "verdicts": {
        "AS": "",
        "AV": "",
        "AT": "pass",
        "PV": "pass",
        "YARA": "pass",
        "ActionYARA": "no match"
      }
    },
    "included": [
      {
        "type": "domain",
        "attributes": {
          "name": "bci.cl"
        }
      }
    ],
    "id": "7B06a320f452",
    "type": "trace"
  },
  "error": null,
  "has_error": false
}
