
FireEye (AX Series)

This integration is part of the FireEye (AX Series) Pack.

This article describes how to set up the FireEye (AX Series) integration on Cortex XSOAR.

Setting up the FireEye Web Services API to work with Cortex XSOAR:

This section explains what needs to be done on the FireEye side so that the FireEye Web Services API can be used by the Cortex XSOAR integration.

This integration supports AX Series Web Services API versions 7.7.0 and up.

To use this integration, you need a FireEye user account with either the api_analyst or the api_monitor role. Prefer a dedicated account for the integration so its API activity can be audited separately from analyst logins.

To set up the FireEye Web Services API:

1. On the FireEye appliance that will serve the API, open the CLI and enter the following:

```
hostname > enable
hostname # configure terminal
hostname (config) # wsapi enable
```

2. Verify that the FireEye Web Services API is running by entering the following:

```
hostname (config) # show wsapi
```

The reply should indicate that the server is 'enabled' and in the 'running' state.

Setting up the integration on Cortex XSOAR:

1. Go to 'Settings > Integrations > Servers & Services'.

2. Locate the FireEye (AX Series) integration by searching for 'FireEye' using the search box at the top of the page.

3. Click 'Add instance' to create and configure a new integration instance. Configure the following FireEye and Cortex XSOAR-specific settings:

Name : A textual name for the integration instance.
Server URL : The hostname or IP address of the FireEye appliance. Make sure the URL is reachable from the Cortex XSOAR server on the configured IP address and port.
Credentials : Your FireEye username and password (the api_analyst or api_monitor account created for the integration).
Do not validate server certificate : Select this to skip validation of the appliance's TLS certificate. You may need this if Cortex XSOAR cannot validate the certificate (for example, because the issuing CA certificate is missing). Skipping validation lets an attacker on the path impersonate the appliance and capture the API credentials, so the preferred fix is to import the appliance's CA certificate into the Cortex XSOAR trust store and leave validation enabled.
Use system proxy settings : Select this option so requests to the appliance are routed through the proxy configured on the Cortex XSOAR server.

4. Click 'Test' to validate the connection.

5. After the test completes successfully, click 'Done'.

Commands:

fe-alert - View existing FireEye alerts. See the FireEye Web Services API Guide for details.
fe-config - Configuration commands. See the FireEye Web Services API Guide for details.
fe-report - Return a requested report.
fe-submit - Submit a malware object (file) to FireEye for analysis.
fe-submit-result - Return the results of a malware object submission, identified by its submission key.
fe-submit-status - Get the status of a malware object submitted to FireEye for analysis.
fe-submit-url - Submit a URL to FireEye for analysis.
fe-submit-url-status - Get the status of a URL submitted to FireEye for analysis.

### fe-submit-url-result

***
Return the results of a URL submission.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor's documentation for more details, and check your data-handling policy before submitting URLs that may contain internal hostnames, tokens or other sensitive data.

#### Base Command

`fe-submit-url-result`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| submissionID | Submission ID of the submission. | Required |
| info_level | Level of detail to return. Possible values are: concise, normal, extended. Default is concise. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| FireEyeAX.Submissions.Key | unknown | The submission key. |
| FireEyeAX.Submissions.Severity | unknown | The severity level of the file. |
| FireEyeAX.Submissions.InfoLevel | String | The info level of the report. |
| DBotScore.Score | unknown | The actual score. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Vendor | unknown | Vendor used to calculate the score. |
| File.MD5 | unknown | Bad hash found. |
| File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
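The URL commands above are meant to be chained: submit, poll the status, then fetch the result. The following is an added example of that flow written as it would appear in a Cortex XSOAR automation; it is not code from the FireEye (AX Series) pack. Only the command names, the `submissionID` and `info_level` arguments and the `FireEyeAX.Submissions.*` / `DBotScore.*` context paths come from this page. The shape of the entries returned by the executor, the `submission_id` and `status` fields, the `Done` status string, the `url` argument of `fe-submit-url` and the error entry type are all assumptions. Inside XSOAR you would pass `demisto.executeCommand` as `execute_command`; the `make_fake_executor` stand-in and its canned verdict are constructed so the flow runs offline.

```python
"""Chain fe-submit-url -> fe-submit-url-status -> fe-submit-url-result.

Added illustration, not part of the FireEye (AX Series) pack. See the
lead-in for which names are documented and which are assumed.
"""
import time
from typing import Any, Callable, Dict, List

Entry = Dict[str, Any]
Executor = Callable[[str, Dict[str, Any]], List[Entry]]

ERROR_ENTRY_TYPE = 4            # assumed: XSOAR error entry type
TERMINAL_STATUSES = {"Done"}    # assumed: value reported by fe-submit-url-status
INFO_LEVELS = {"concise", "normal", "extended"}   # documented on this page


class SubmissionError(RuntimeError):
    """Raised when a command fails or the analysis does not finish in time."""


def _first_ok_entry(entries: List[Entry]) -> Entry:
    """Return the first entry, raising if the command produced an error entry."""
    for entry in entries:
        if entry.get("Type") == ERROR_ENTRY_TYPE:
            raise SubmissionError(str(entry.get("Contents")))
    if not entries:
        raise SubmissionError("command returned no entries")
    return entries[0]


def analyze_url(url: str, execute_command: Executor, *, info_level: str = "concise",
                max_polls: int = 10, wait_seconds: float = 0.0) -> Dict[str, Any]:
    """Submit `url`, wait for the verdict and return the documented context fields."""
    if info_level not in INFO_LEVELS:
        raise ValueError(f"info_level must be one of {sorted(INFO_LEVELS)}")

    # 1. Submit. The page warns that submitted indicators may become public,
    #    so callers should gate this on the sensitivity of the URL.
    submit = _first_ok_entry(execute_command("fe-submit-url", {"url": url}))  # "url" arg assumed
    submission_id = submit["Contents"]["submission_id"]                       # field assumed

    # 2. Poll the status until the appliance reports a terminal state; give up
    #    after max_polls so a stuck submission cannot hang the playbook.
    status = None
    for _ in range(max_polls):
        status_entry = _first_ok_entry(
            execute_command("fe-submit-url-status", {"submissionID": submission_id}))
        status = status_entry["Contents"]["status"]                           # field assumed
        if status in TERMINAL_STATUSES:
            break
        time.sleep(wait_seconds)
    else:
        raise SubmissionError(
            f"submission {submission_id} not finished after {max_polls} polls (last status: {status})")

    # 3. Fetch the result with the documented arguments and read the documented context paths.
    result = _first_ok_entry(execute_command(
        "fe-submit-url-result", {"submissionID": submission_id, "info_level": info_level}))
    ctx = result.get("EntryContext", {})
    sub = ctx.get("FireEyeAX.Submissions", {})
    score = ctx.get("DBotScore", {})
    return {
        "key": sub.get("Key"),
        "severity": sub.get("Severity"),
        "info_level": sub.get("InfoLevel"),
        "dbot_score": score.get("Score"),
        "indicator": score.get("Indicator"),
        "vendor": score.get("Vendor"),
    }


def make_fake_executor(polls_until_done: int) -> Executor:
    """Constructed stand-in for demisto.executeCommand so the flow runs offline.

    Returns canned entries; the status flips to Done once `polls_until_done`
    status queries have been made. All values below are made up for the demo.
    """
    state = {"polls": 0}

    def execute(command: str, args: Dict[str, Any]) -> List[Entry]:
        if command == "fe-submit-url":
            return [{"Type": 1, "Contents": {"submission_id": "sub-0001"}}]
        if command == "fe-submit-url-status":
            state["polls"] += 1
            done = state["polls"] >= polls_until_done
            return [{"Type": 1, "Contents": {"status": "Done" if done else "In Progress"}}]
        if command == "fe-submit-url-result":
            return [{"Type": 1, "EntryContext": {
                "FireEyeAX.Submissions": {"Key": args["submissionID"], "Severity": "majr",
                                          "InfoLevel": args["info_level"]},
                "DBotScore": {"Score": 3, "Indicator": "http://example.test/payload",
                              "Vendor": "FireEye AX"}}}]
        return [{"Type": ERROR_ENTRY_TYPE, "Contents": f"unknown command {command}"}]

    return execute


if __name__ == "__main__":
    print(analyze_url("http://example.test/payload", make_fake_executor(2), info_level="normal", max_polls=5))
```

In a real playbook the same three commands are usually split across tasks with a polling loop between them; the point of the poll bound and the error-entry check is that a submission that never finishes, or an appliance that rejects the request, surfaces as an explicit failure rather than an empty verdict.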