FireEye AX

Integration version: 3.0

Use Cases

Perform enrichment of entities.

Configure FireEye AX integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String https:/<<ip address>> Yes API root of the Trellix Malware Analysis instance.
Username String N/A Yes Username of Trellix Malware Analysis account.
Password Password N/A Yes Password of Trellix Malware Analysis account.
Verify SSL Checkbox Checked Yes If enabled, verify the SSL certificate for the connection to the Trellix Malware Analysis server is valid.

Actions

Ping

Description

Test connectivity to Trellix Malware Analysis with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
if successful: "Successfully connected to the Trellix Malware Analysis server with the provided connection parameters!"

The action should fail and stop a playbook execution:
if not successful: "Failed to connect to the Trellix Malware Analysis server! Error is {0}".format(exception.stacktrace)

General

Submit URL

Description

Submit file for analysis using URL in Trellix Malware Analysis. Supported entities: URL.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
VM Profile String N/A Yes Specify the virtual machine profile that should be used during analysis. Available VM profiles are available in the action "Get Appliance Details"
Application ID String N/A No Specify the ID of the application that needs to be used during the analysis of the file. By default, Trellix Malware Analysis will select the needed application automatically. In order to get a list of available applications on the profile, please execute action "Get Appliance Details"
Priority DDL

Normal

Possible Values:

Normal

Urgent

No Specify the priority for the submission. "Normal" puts submission at the bottom of the queue, while "Urgent" puts submission at the top of the queue.
Force Rescan Checkbox No If enabled, action will force Trellix Malware Analysis to rescan the submitted file.
Analysis Type DDL

Live

Possible Values:

Live

Sandbox

No Specify the type of the analysis. If "Live" is selected, Trellix Malware Analysis will analyze suspected files live within the Malware Analysis Multi-Vector Virtual Execution (MVX) analysis engine. If "Sandbox" is selected Trellix Malware Analysis will analyze suspected files in a closed, protected environment.
Create Insight Checkbox Yes If enabled, action will create an insight containing information about the submitted file.

Run On

This action runs on the URL entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
 {
    "details":
        {
            "explanation": {
                "malwareDetected": {
                    "malware": [
                        {
                            "md5Sum": "29ef299c80d00ee4340b3694d870fe82",
                            "sha256": "0cff2d41a69d72de30607b8fc09da90e352393e154a342efcddb91e06b3a2147"
                        },
                        {
                            "note": "",
                            "md5Sum": "29ef299c80d00ee4340b3694d870fe82",
                            "sha256": "0cff2d41a69d72de30607b8fc09da90e352393e154a342efcddb91e06b3a2147",
                            "application": "application:0",
                            "user": "xxxxx",
                            "original": "vlc-3.0.16-win64.exe",
                            "type": "exe",
                            "origid": 176
                        }
                    ]
                },
                "osChanges": [],
                "staticAnalysis": {
                    "static": [
                        {}
                    ]
                },
                "stolenData": {
                    "info": {
                        "field": []
                    }
                }
            },
            "src": {},
            "alertUrl": "https://172.18.5.2/malware_analysis/analyses?maid=177",
            "action": "notified",
            "attackTime": "2021-09-13 11:15:56 +0000",
            "dst": {},
            "applianceId": "AC1F6B7A7C8C",
            "id": 177,
            "name": "xxxxx_xxxxx",
            "severity": "MINR",
            "uuid": "61330da9-20ad-4196-a901-02b2166ad36d",
            "ack": "no",
            "product": "MAS",
            "vlan": 0,
            "malicious": "no"
        }
    ],
    "appliance": "MAS",
    "version": "MAS (MAS) 9.1.0.950877",
    "msg": "extended",
    "alertsCount": 1
}
Enrichment Table
Enrichment Field Name Logic - When to apply
malicious When available in JSON
severity When available in JSON
Entity Insight

Entity insight example:

Malicious: True

Severity: MINR C&C Services Count: 0 Executed Processes Count: 0 Registry Changes Count: 0 Extracted Files Count: 0

Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
if data is available for one(is_success = true): "Successfully enriched the following entities using information from Trellix Malware Analysis: {entity.identifier}".

If data is not available for one (is_success=true): "Action wasn't able to enrich the following entities using information from Trellix Malware Analysis: {entity.identifier}"

If data is not available for all (is_success=false): None of the provided entities were enriched.

Async Message: Waiting for the following files to be processed: {pending files}

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

If timeout: "Error executing action "Enrich Entities". Reason: action ran into a timeout. The following files are still processing: {pending urls}. Please increase the timeout in IDE. Note: adding the same files will create a separate analysis job in Trellix Malware Analysis.

General
Case Wall Table Title: {entity.identifier} Entity

Submit File

Description

Submit file for analysis in Trellix Malware Analysis.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
File Paths CSV N/A Yes Specify a comma-separate list of absolute file paths for submission.
VM Profile String N/A Yes Specify the virtual machine profile that should be used during analysis. Available VM profiles are available in the action "Get Appliance Details"
Application ID String N/A No Specify the ID of the application that needs to be used during the analysis of the file. By default, Trellix Malware Analysis will select the needed application automatically. In order to get a list of available applications on the profile, please execute action "Get Appliance Details"
Priority DDL

Normal

Possible Values:

Normal

Urgent

No Specify the priority for the submission. "Normal" puts submission at the bottom of the queue, while "Urgent" puts submission at the top of the queue.
Force Rescan Checkbox No If enabled, action will force Trellix Malware Analysis to rescan the submitted file.
Analysis Type DDL

Live

Possible Values:

Live

Sandbox

No Specify the type of the analysis. If "Live" is selected, Trellix Malware Analysis will analyze suspected files live within the Malware Analysis Multi-Vector Virtual Execution (MVX) analysis engine. If "Sandbox" is selected Trellix Malware Analysis will analyze suspected files in a closed, protected environment.
Create Insight Checkbox Yes If enabled, action will create an insight containing information about the submitted file.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
    "absolute_path": "/opt/wow/koko.exe",
    "details":
        {
            "explanation": {
                "malwareDetected": {
                    "malware": [
                        {
                            "md5Sum": "29ef299c80d00ee4340b3694d870fe82",
                            "sha256": "0cff2d41a69d72de30607b8fc09da90e352393e154a342efcddb91e06b3a2147"
                        },
                        {
                            "note": "",
                            "md5Sum": "29ef299c80d00ee4340b3694d870fe82",
                            "sha256": "0cff2d41a69d72de30607b8fc09da90e352393e154a342efcddb91e06b3a2147",
                            "application": "application:0",
                            "user": "xxxxx",
                            "original": "vlc-3.0.16-win64.exe",
                            "type": "exe",
                            "origid": 176
                        }
                    ]
                },
                "osChanges": [],
                "staticAnalysis": {
                    "static": [
                        {}
                    ]
                },
                "stolenData": {
                    "info": {
                        "field": []
                    }
                }
            },
            "src": {},
            "alertUrl": "https://172.18.5.2/malware_analysis/analyses?maid=177",
            "action": "notified",
            "attackTime": "2021-09-13 11:15:56 +0000",
            "dst": {},
            "applianceId": "AC1F6B7A7C8C",
            "id": 177,
            "name": "xxxxx_xxxxx",
            "severity": "MINR",
            "uuid": "61330da9-20ad-4196-a901-02b2166ad36d",
            "ack": "no",
            "product": "MAS",
            "vlan": 0,
            "malicious": "no"
        }
    ],
    "appliance": "MAS",
    "version": "MAS (MAS) 9.1.0.950877",
    "msg": "extended",
    "alertsCount": 1
}
Entity Insight

Entity insight example:

Malicious: True

Severity: MAJR C&C Services Count: 15 Executed Processes Count: 0 Registry Changes Count: 13 Extracted Files Count: 10

Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If completed for one filepath (is_success = true): "Successfully retrieved details for the following files in Trellix Malware Analysis: {submitted files}.".

Async Message: Waiting for the following files to be processed: {pending files}

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Submit File". Reason: {0}''.format(error.Stacktrace)

If timeout: "Error executing action "Submit File". Reason: action ran into a timeout. The following files are still processing: {pending files}. Please increase the timeout in IDE. Note: adding the same files will create a separate analysis job in Trellix Malware Analysis.

If at least one file not found: "Error executing action "Attach File To Case". Reason: the following files were not found or action doesn't have enough permissions to access them: {not available files}'

General

Get Appliance Details

Description

Retrieve information about Trellix Malware Analysis appliance.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
    "absolute_path": "/opt/wow/koko.exe",
    "details":
        {
            "explanation": {
                "malwareDetected": {
                    "malware": [
                        {
                            "md5Sum": "29ef299c80d00ee4340b3694d870fe82",
                            "sha256": "0cff2d41a69d72de30607b8fc09da90e352393e154a342efcddb91e06b3a2147"
                        },
                        {
                            "note": "",
                            "md5Sum": "29ef299c80d00ee4340b3694d870fe82",
                            "sha256": "0cff2d41a69d72de30607b8fc09da90e352393e154a342efcddb91e06b3a2147",
                            "application": "application:0",
                            "user": "xxxxx",
                            "original": "vlc-3.0.16-win64.exe",
                            "type": "exe",
                            "origid": 176
                        }
                    ]
                },
                "osChanges": [],
                "staticAnalysis": {
                    "static": [
                        {}
                    ]
                },
                "stolenData": {
                    "info": {
                        "field": []
                    }
                }
            },
            "src": {},
            "alertUrl": "https://172.18.5.2/malware_analysis/analyses?maid=177",
            "action": "notified",
            "attackTime": "2021-09-13 11:15:56 +0000",
            "dst": {},
            "applianceId": "AC1F6B7A7C8C",
            "id": 177,
            "name": "xxxxx_xxxxx",
            "severity": "MINR",
            "uuid": "61330da9-20ad-4196-a901-02b2166ad36d",
            "ack": "no",
            "product": "MAS",
            "vlan": 0,
            "malicious": "no"
        }
    ],
    "appliance": "MAS",
    "version": "MAS (MAS) 9.1.0.950877",
    "msg": "extended",
    "alertsCount": 1
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If completed for one filepath (is_success = true): "Successfully retrieved details about Trellix Malware Analysis.".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Get Appliance Details". Reason: {0}''.format(error.Stacktrace)

General