Supported Cortex XSOAR versions: 8.2.0 and later.
Use this integration to fetch email security incidents from FireEye ETP as XSIAM events.
Navigate to Settings > Configurations > Data Collection > Automation & Feed Integrations.
Search for FireEye ETP Event Collector.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server URL (e.g., https://etp.us.fireeye.com) True API Secret Key The API Key allows you to integrate with the FireEye ETP. True Maximum number of Alerts to fetch. The maximum number of Alert events to fetch from FireEye ETP. Maximum number of Email Trace to fetch. The maximum number of Email Trace events to fetch from FireEye ETP. Maximum number of Activity Log fetch. The maximum number of Activity Log events to fetch from FireEye ETP. Trust any certificate (not secure) Use system proxy settings Fetch outbound traffic Outbound traffic will be fetched in addition to inbound traffic. Hide sensitive details from email Hide subject and attachments details from emails.
Click Test to validate the URLs, token, and connection.
All the API requests follow the domain and domain group restrictions of the user. For example, if a user has access to only a few domains in their organization, the response to the APIs will be based on only those domains and domain groups.
Email Security — Cloud REST APIs have a rate limit of 60 requests per minute per API route (/trace, /alert, and /quarantine) for every customer. This means, in 1 minute, a customer can make:
60 requests to Trace APIs (parallel or sequential) 60 requests to Alert APIs (parallel or sequential) 60 requests to Quarantine APIs (parallel or sequential)
Within the minute, the 61st request to any of these APIs would throw a rate limit exceeded error.
The rate limit applies to the customer as a whole. This means that if the customer has multiple admin users who have generated API Keys, the rate limit is applicable at the customer level and not per API key.
You can execute these commands from the Cortex XSIAM CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Gets events from FireEye ETP.
|The number of events to return. Default is 10.
|The start time by which to filter events. Date format will be the same as in the first_fetch parameter. Default is 3 days.
|Set this argument to True in order to create events, otherwise the command will only display them. Possible values are: true, false. Default is false.
There is no context output for this command.