FireEye Detection on Demand

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

FireEye Detection On Demand is a threat detection service delivered as an API that can be integrated into SOC workflows, SIEM analytics, data repositories, or web applications. It provides file and content analysis to identify malicious behavior wherever the enterprise needs it. This integration was integrated and tested with version 1.4.1 of FireEye Detection on Demand.

Configure FireEye Detection on Demand on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for FireEye Detection on Demand.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | DoD hostname | True |
| apikey | API Key | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Leave insecure unset in production: it disables TLS certificate verification for the DoD hostname, so anyone able to intercept the connection could read the API key that is sent with every request.

Commands#

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

fireeye-dod-get-hashes#


Queries FireEye Detection on Demand for existing analysis results on the provided MD5 hashes.

Base Command#

fireeye-dod-get-hashes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| md5_hashes | One or more comma separated MD5 hashes to get the reputation of. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| File.Malicious.Vendor | unknown | The vendor that flagged the file as malicious. |
| File.MD5 | unknown | The MD5 hash of the file. |
| FireEyeDoD.engine_results.cache_lookup.sha256 | String | The SHA256 value of the file. |
| FireEyeDoD.engine_results.cache_lookup.signature_name | String | The name of the virus signature. |
| FireEyeDoD.engine_results.cache_lookup.is_malicious | Number | Whether the file is malicious (true/false). |
| FireEyeDoD.engine_results.cache_lookup.verdict | String | The overall verdict of all analysis engines. |
| FireEyeDoD.engine_results.cache_lookup.file_extension | String | The extension of the file. |
| FireEyeDoD.engine_results.cache_lookup.weight | Number | How much this engine result weighs in determining malicious activity. |
| FireEyeDoD.engine_results.dynamic_analysis.verdict | String | This engine's verdict on whether the file is malicious. |
| FireEyeDoD.engine_results.av_lookup.verdict | String | This engine's verdict on whether the file is malicious. |
| FireEyeDoD.engine_results.avs_lookup.verdict | String | This engine's verdict on whether the file is malicious. |
| FireEyeDoD.engine_results.dti_lookup.verdict | String | This engine's verdict on whether the file is malicious. |
| FireEyeDoD.md5 | String | The MD5 hash of the file. |
| FireEyeDoD.is_malicious | Number | Whether the file is malicious (true/false). |

Command Example#

!fireeye-dod-get-hashes md5_hashes=47f9fdc617f8c98a6732be534d8dbe9c

Context Example#

```json
{
    "DBotScore": {
        "Indicator": "47f9fdc617f8c98a6732be534d8dbe9c",
        "Score": 0,
        "Type": "file",
        "Vendor": "FireEye DoD"
    },
    "File": {
        "FireEyeDoD": {
            "engine_results": {
                "av_lookup": {
                    "verdict": "not_found"
                },
                "avs_lookup": {
                    "verdict": "not_found"
                },
                "cache_lookup": {
                    "verdict": "not_found"
                },
                "dti_lookup": {
                    "verdict": "not_found"
                },
                "dynamic_analysis": {
                    "verdict": "not_found"
                }
            },
            "is_malicious": false
        },
        "MD5": "47f9fdc617f8c98a6732be534d8dbe9c"
    }
}
```

Human Readable Output#

FireEye DoD Results#

| MD5 | SHA256 | Malicious |
| --- | --- | --- |
| 47f9fdc617f8c98a6732be534d8dbe9c | | |
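As an added example, not the integration's own code, the Python below shows how the input and the context output of this command fit together: the comma separated md5_hashes argument is validated before anything is sent to the API (a SHA256 pasted by mistake is rejected rather than silently queried), and the per-engine verdicts are collapsed into one DBotScore plus the File context the table above documents. The score thresholds (0 unknown, 1 good, 3 bad) follow the XSOAR DBotScore convention, and treating an engine verdict string of "malicious" as a hit is an assumption; the page itself only shows the not_found case scored 0. The sample responses are constructed after the context example.

```python
import re
from typing import Any, Dict, List

# Added example, not the integration's own code. Dict shapes follow the
# command's documented context output; thresholds and the "malicious"
# verdict string are assumptions (see lead-in).
VENDOR = "FireEye DoD"
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
ENGINES = ("cache_lookup", "dynamic_analysis", "av_lookup", "avs_lookup", "dti_lookup")


def parse_md5_arg(md5_hashes: str) -> List[str]:
    """Split the comma separated md5_hashes argument and reject anything that
    is not a 32-hex-digit MD5 before it reaches the API."""
    hashes = [h.strip().lower() for h in md5_hashes.split(",") if h.strip()]
    bad = [h for h in hashes if not MD5_RE.match(h)]
    if bad:
        raise ValueError(f"not MD5 hashes: {bad}")
    return hashes


def score_hash_result(result: Dict[str, Any]) -> int:
    """Collapse the per-engine verdicts into one DBotScore.

    - is_malicious true, or any engine verdict "malicious"  -> 3 (bad)
    - every engine returned "not_found"                     -> 0 (unknown)
    - otherwise (found somewhere, nothing flagged)          -> 1 (good)
    """
    engines = result.get("engine_results", {})
    verdicts = [str(engines.get(e, {}).get("verdict", "not_found")).lower() for e in ENGINES]
    if result.get("is_malicious") or any(v == "malicious" for v in verdicts):
        return 3
    if all(v == "not_found" for v in verdicts):
        return 0
    return 1


def to_context(md5: str, result: Dict[str, Any]) -> Dict[str, Any]:
    """Build the DBotScore and File context entries the command documents.
    File.Malicious.Vendor is only set when the score is bad."""
    score = score_hash_result(result)
    file_ctx: Dict[str, Any] = {"MD5": md5, "FireEyeDoD": result}
    if score == 3:
        file_ctx["Malicious"] = {"Vendor": VENDOR}
    return {
        "DBotScore": {"Indicator": md5, "Score": score, "Type": "file", "Vendor": VENDOR},
        "File": file_ctx,
    }


# Constructed sample responses in the shape of the context example above.
NOT_FOUND = {
    "engine_results": {e: {"verdict": "not_found"} for e in ENGINES},
    "is_malicious": False,
}
CACHED_HIT = {
    "engine_results": {
        "cache_lookup": {"verdict": "malicious", "is_malicious": True,
                         "signature_name": "FETestEvent", "weight": 10},
        "av_lookup": {"verdict": "not_found"},
    },
    "is_malicious": True,
}

if __name__ == "__main__":
    for h in parse_md5_arg("47f9fdc617f8c98a6732be534d8dbe9c"):
        print(to_context(h, NOT_FOUND)["DBotScore"])
    print(to_context("47f9fdc617f8c98a6732be534d8dbe9c", CACHED_HIT)["DBotScore"])
```

The unknown/good split matters in a playbook: a score of 0 means DoD has never seen the hash, which is a reason to submit the file with fireeye-dod-submit-file, not a reason to treat it as clean.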

fireeye-dod-submit-file#


Submits file to FireEye Detection on Demand for analysis

Base Command#

fireeye-dod-submit-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entryID | The file entry ID to submit. | Required |
| password | Password to be used by the detection engine to decrypt a password protected file. | Optional |
| param | Command line parameter(s) to be used by the detection engine when running the file. Mainly applicable to .exe files. For example, setting param to "start -h localhost -p 5555" will make the detection engine run a file named "malicious.exe" as "malicious.exe start -h localhost -p 5555". | Optional |
| screenshot | If true, capture screenshots of screen activity during dynamic analysis; they can later be downloaded with the artifacts API. | Optional |
| video | If true, record video of screen activity during dynamic analysis; it can later be downloaded with the artifacts API. | Optional |
| fileExtraction | If true, extract files dropped in the VM during dynamic analysis; they can later be downloaded with the artifacts API. | Optional |
| memoryDump | If true, extract memory dump files from the VM during dynamic analysis; they can later be downloaded with the artifacts API. | Optional |
| pcap | If true, extract pcap files from the VM during dynamic analysis; they can later be downloaded with the artifacts API. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| FireEyeDoD.Scan.report_id | unknown | The report ID, which can be used to query the status and results of the file submission. |
| FireEyeDoD.Scan.status | unknown | The current status of the file submission. |
| FireEyeDoD.Scan.filename | unknown | The name of the file that was submitted. |

Command Example#

!fireeye-dod-submit-file entryID=37@760083ae-625e-4a6c-8e93-87ece7964dd0

Context Example#

```json
{
    "FireEyeDoD": {
        "Scan": {
            "filename": "test-infection.exe",
            "md5": "47f9fdc617f8c98a6732be534d8dbe9a",
            "overall_status": "RUNNING",
            "report_id": "c1d32790-5b08-45ab-a3be-3e61f8826e8b"
        }
    }
}
```

Human Readable Output#

Started analysis of test-infection.exe with FireEye Detection on Demand. Results will be published to report id: c1d32790-5b08-45ab-a3be-3e61f8826e8b

fireeye-dod-submit-urls#


Submits URLs to FireEye Detection on Demand for analysis

Base Command#

fireeye-dod-submit-urls

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| urls | A comma separated list of URLs to scan. Maximum of 10 per request. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| FireEyeDoD.Scan.report_id | unknown | The ID of the report. |
| FireEyeDoD.Scan.status | unknown | The status of the URL submission. Will be "DONE" when all engines are finished. |

Command Example#

!fireeye-dod-submit-urls urls="https://www.google.com"

Context Example#

```json
{
    "FireEyeDoD": {
        "Scan": {
            "md5": "NA",
            "overall_status": "RUNNING",
            "report_id": "55223a00-6741-41c4-80a9-28d3c133a5db"
        }
    }
}
```

Human Readable Output#

Started analysis of ['https://www.google.com'] with FireEye Detection on Demand. Results will be published to report id: 55223a00-6741-41c4-80a9-28d3c133a5db

fireeye-dod-get-reports#


Retrieves one or more reports of file or URL scans.

Base Command#

fireeye-dod-get-reports

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| report_ids | A comma separated list of one or more report IDs to fetch. | Required |
| extended_report | If true, additional information is returned. | Optional |
| get_screenshot | Whether to retrieve screenshot artifacts from the report. | Optional |
| get_artifact | Which report artifacts to retrieve (if any). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| FireEyeDoD.Scan.report_id | String | The ID of the report. |
| FireEyeDoD.Scan.overall_status | String | The overall status of all of the engines. |
| FireEyeDoD.Scan.is_malicious | Number | Whether the file is malicious (true/false). |
| FireEyeDoD.Scan.started_at | Date | The UTC time the scan was started. |
| FireEyeDoD.Scan.completed_at | Date | The UTC time the scan was completed. |
| FireEyeDoD.Scan.duration | Number | How long, in seconds, the scan took to complete. |
| FireEyeDoD.Scan.file_name | String | The name of the submitted file. |
| FireEyeDoD.Scan.file_size | Number | The size of the file in bytes. |
| FireEyeDoD.Scan.file_extension | String | The extension of the submitted file. If a URL was submitted, this will be empty. |
| FireEyeDoD.Scan.md5 | String | The MD5 hash of the submitted file. |
| FireEyeDoD.Scan.sha256 | String | The SHA256 hash of the submitted file. |
| FireEyeDoD.Scan.signature_name | String | List of signature names reported across all engines. |

Command Example#

!fireeye-dod-get-reports report_ids=82e71bec-04c7-4f04-945b-4d344a758abe

Context Example#

```json
{
    "FireEyeDoD": {
        "Scan": {
            "completed_at": "2020-11-10 14:28:18",
            "duration": 0,
            "file_extension": "urlscan",
            "file_name": "test-infection.exe",
            "file_size": 28672,
            "is_malicious": true,
            "magic": null,
            "md5": "NA",
            "name": "test-infection.exe",
            "overall_status": "DONE",
            "report_id": "82e71bec-04c7-4f04-945b-4d344a758abe",
            "sha1": "NA",
            "sha256": "NA",
            "signature_name": [
                "Phish.LIVE.DTI.URL",
                "Malicious.LIVE.DTI.URL",
                "fe_ml_heuristic",
                "FireEye.Malware.exe",
                "FETestEvent"
            ],
            "size": 28672,
            "started_at": "2020-11-10 14:28:18",
            "type": "urlscan",
            "urls": [
                "http://fedeploycheck.fireeye.com/appliance-test/block.html",
                "http://165.227.14.8/?NDU2MDgz&yOyeu&YPocHQsbD=disagree&lAjd=callous&mvUq=disagree&eSCpt=disagree&mnnYBwlX=abettor&MZMJ=everyone&ipEMqw=professional&xRefGF=callous&tzsdfga4=dJORROwbnhRaGKA1hlIhYVV0W8a2ojkbXzhCf1JaG9RGIZ1hD-sGcELgL6G2xyPNRcw&cvggd54=wnfQMvXcJBXQFYbIKuXDSKxDKU7WFEaVw4-RhMG3YpjNfynz1-zURnL6tASVVFuRrbM&hMdqbI=electrical&qgZufk=disagree&egHdAM=abettor&BUfBH=professional&RGVeFwBNTM2MzY2",
                "http://br430.teste.website/~idbrok92/idb/UI/Login/",
                "http://www.dulys.co.zw/",
                "http://fedeploycheck.fireeye.com/appliance-test/test-infection.exe",
                "http://fedeploycheck.fireeye.com/appliance-test/test-infection.pdf",
                "http://fedeploycheck.fireeye.com/appliance-test/alert.html",
                "https://tinyurl.com/y2qezvol",
                "https://fedeploycheck.fireeye.com/appliance-test/alert.html"
            ],
            "verdict": "MALICIOUS"
        }
    }
}
```

Human Readable Output#

Scan status#

| completed_at | duration | file_extension | file_name | file_size | is_malicious | magic | md5 | name | overall_status | report_id | sha1 | sha256 | signature_name | size | started_at | type | urls | verdict |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2020-11-10 14:28:18 | 0 | urlscan | test-infection.exe | 28672 | true | | NA | test-infection.exe | DONE | 82e71bec-04c7-4f04-945b-4d344a758abe | NA | NA | Phish.LIVE.DTI.URL, Malicious.LIVE.DTI.URL, fe_ml_heuristic, FireEye.Malware.exe, FETestEvent | 28672 | 2020-11-10 14:28:18 | urlscan | http://fedeploycheck.fireeye.com/appliance-test/block.html, http://165.227.14.8/?NDU2MDgz&yOyeu&YPocHQsbD=disagree&lAjd=callous&mvUq=disagree&eSCpt=disagree&mnnYBwlX=abettor&MZMJ=everyone&ipEMqw=professional&xRefGF=callous&tzsdfga4=dJORROwbnhRaGKA1hlIhYVV0W8a2ojkbXzhCf1JaG9RGIZ1hD-sGcELgL6G2xyPNRcw&cvggd54=wnfQMvXcJBXQFYbIKuXDSKxDKU7WFEaVw4-RhMG3YpjNfynz1-zURnL6tASVVFuRrbM&hMdqbI=electrical&qgZufk=disagree&egHdAM=abettor&BUfBH=professional&RGVeFwBNTM2MzY2, http://br430.teste.website/~idbrok92/idb/UI/Login/, http://www.dulys.co.zw/, http://fedeploycheck.fireeye.com/appliance-test/test-infection.exe, http://fedeploycheck.fireeye.com/appliance-test/test-infection.pdf, http://fedeploycheck.fireeye.com/appliance-test/alert.html, https://tinyurl.com/y2qezvol, https://fedeploycheck.fireeye.com/appliance-test/alert.html | MALICIOUS |
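Both submit commands return a report_id with a status of RUNNING, and fireeye-dod-get-reports is what turns that into a verdict once overall_status is DONE. The Python below is an added example, not code from the integration: it polls a report with capped exponential backoff and a hard timeout (so a sandbox that never finishes raises instead of hanging a playbook), then attaches the finished verdict to the right indicator. The FakeDoD class and the report dicts are constructed stand-ins shaped after the context examples on this page; in a real automation the get_report callable would wrap !fireeye-dod-get-reports for one report ID, which is an assumption about how it is called.

```python
import time
from typing import Any, Callable, Dict, List

# Added example, not the integration's own code. `get_report` is assumed to
# return the FireEyeDoD.Scan dict for one report ID, as in the context
# example above; FakeDoD below is a constructed stand-in for offline use.
TERMINAL_STATUSES = {"DONE"}


def wait_for_report(get_report: Callable[[str], Dict[str, Any]], report_id: str,
                    timeout: float = 600.0, initial_delay: float = 5.0, max_delay: float = 60.0,
                    sleep: Callable[[float], None] = time.sleep,
                    clock: Callable[[], float] = time.monotonic) -> Dict[str, Any]:
    """Poll until overall_status is DONE, doubling the delay up to max_delay.

    Raises TimeoutError rather than looping forever when the sandbox never
    finishes; a playbook must branch on that instead of assuming a verdict.
    """
    deadline = clock() + timeout
    delay = initial_delay
    while True:
        report = get_report(report_id)
        if report.get("overall_status") in TERMINAL_STATUSES:
            return report
        if clock() >= deadline:
            raise TimeoutError(f"report {report_id} still {report.get('overall_status')} after {timeout}s")
        sleep(delay)
        delay = min(delay * 2, max_delay)


def summarize(report: Dict[str, Any]) -> Dict[str, Any]:
    """Attach the verdict to the right indicator.

    URL scans come back with md5/sha256 of "NA" (see the context example), so
    keying on the hash would create a bogus file indicator; use the submitted
    URLs instead. File scans key on sha256, falling back to md5.
    """
    is_url_scan = report.get("type") == "urlscan" or report.get("md5") in (None, "NA")
    if is_url_scan:
        indicators: List[str] = list(report.get("urls", []))
    else:
        sha256 = report.get("sha256")
        indicators = [sha256 if sha256 not in (None, "", "NA") else report["md5"]]
    return {
        "report_id": report["report_id"],
        "indicator_type": "url" if is_url_scan else "file",
        "indicators": indicators,
        "malicious": bool(report.get("is_malicious")),
        "signatures": list(report.get("signature_name", [])),
    }


class FakeDoD:
    """Constructed stand-in for the service: answers RUNNING for the first
    `running` polls, then a DONE URL-scan report shaped like the example."""

    def __init__(self, running: int = 2) -> None:
        self.running = running
        self.calls = 0

    def get_report(self, report_id: str) -> Dict[str, Any]:
        self.calls += 1
        if self.calls <= self.running:
            return {"report_id": report_id, "overall_status": "RUNNING", "md5": "NA"}
        return {
            "report_id": report_id, "overall_status": "DONE", "type": "urlscan",
            "md5": "NA", "sha256": "NA", "is_malicious": True,
            "signature_name": ["Phish.LIVE.DTI.URL", "FETestEvent"],
            "urls": ["http://fedeploycheck.fireeye.com/appliance-test/block.html"],
        }


if __name__ == "__main__":
    svc = FakeDoD(running=2)
    done = wait_for_report(svc.get_report, "55223a00-6741-41c4-80a9-28d3c133a5db", sleep=lambda _: None)
    print(svc.calls, summarize(done))
```

The backoff keeps a playbook from hammering the API while a dynamic analysis runs, and the explicit timeout path is where a playbook should escalate to a human rather than closing the incident with no verdict.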

fireeye-dod-get-report-url#


Generates a pre-signed URL for a report

Base Command#

fireeye-dod-get-report-url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The ID of the report to fetch. | Required |
| expiration | Expiration (in hours) for the browser viewable report pre-signed URL. Default value is 72 hours. Minimum is 1 hour, and maximum is 8760 hours (365 days). | Optional |

A pre-signed URL grants access to anyone who holds it, so set the expiration as short as the workflow allows rather than relying on the 72 hour default.

Context Output#

There is no context output for this command.

Command Example#

!fireeye-dod-get-report-url report_id=82e71bec-04c7-4f04-945b-4d344a758abe

Context Example#

{}

Human Readable Output#

Report 82e71bec-04c7-4f04-945b-4d344a758abe is available here