FireEye ETP

Integration version: 4.0

Use Cases

Ingest Trellix Email Security - Cloud Edition alerts and use them to create Google Security Operations SOAR alerts. Next, in Google Security Operations SOAR, alerts can be used to perform orchestrations with playbooks or manual analysis.

Configure FireEye ETP Integration to work with Google Security Operations SOAR

Where to find API Key

Navigate to account settings.
Select "API Keys" section
Press on the "Create API Key" button
Fill out the mandatory fields. As a product choose "Email Threat Prevention".
Press on the "Next" button
Press on the "Grant All" button
Press on the "Create API Key" button
Copy API Key and paste it in "API Key" integration configuration parameter.

Configure FireEye ETP integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
API Root	String	https://etp.us.fireeye.com	Yes	API root of the Trellix Email Security - Cloud Edition instance.
API Key	String	N/A	Yes	API Key of the Trellix Email Security - Cloud Edition account.
Verify SSL	Checkbox	Unchecked	Yes	If enabled, verify the SSL certificate for the connection to the Anomali Staxx Check Point Cloud Guard Dome9 server is valid.

Actions

Ping

Description

Test connectivity to the Trellix Email Security - Cloud Edition with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run On

The action doesn't run on entities, nor has mandatory input parameters.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
N/A

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result type	Value/Description	Type
Output message*	The action should not fail nor stop a playbook execution: if successful: "Successfully connected to the Trellix Email Security - Cloud Edition server with the provided connection parameters!" The action should fail and stop a playbook execution: if not successful: "Failed to connect to the Trellix Email Security - Cloud Edition server! Error is {0}".format(exception.stacktrace)	General

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:
if successful: "Successfully connected to the Trellix Email Security - Cloud Edition server with the provided connection parameters!"

The action should fail and stop a playbook execution:
if not successful: "Failed to connect to the Trellix Email Security - Cloud Edition server! Error is {0}".format(exception.stacktrace)

General

Connector

FireEye ETP - Email Alerts Connector

Description

Pull alerts from Trellix Email Security - Cloud Edition. Alerts from Trellix Email Security - Cloud Edition are grouped based on the email ID into one Google Security Operations SOAR Alert.

Configure FireEye ETP - Email Alerts Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Product Field Name	String	Product Name	Yes	Enter the source field name in order to retrieve the Product Field name.
Event Field Name	String	alertType	Yes	Enter the source field name in order to retrieve the Event Field name.
Environment Field Name	String	""	No	Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment.
Environment Regex Pattern	String	.*	No	A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds)	Integer	180	Yes	Timeout limit for the python process running the current script.
API Root	String	https://etp.us.fireeye.com		API root of the Trellix Email Security - Cloud Edition instance.
API Key	String	N/A	Yes	API Key of the Trellix Email Security - Cloud Edition account.
Fetch Max Hours Backwards	Integer	1	No	Amount of hours from where to fetch alerts.
Timezone	String		No	Timezone of the instance. Default: UTC. Example: +1 will be UTC+1 and -1 will be UTC-1.
Use whitelist as a blacklist	Checkbox	Unchecked	Yes	If enabled, whitelist will be used as a blacklist.
Verify SSL	Checkbox	Unchecked	Yes	If enabled, verify the SSL certificate for the connection to the Anomali Staxx server is valid.
Proxy Server Address	String	N/A	No	The address of the proxy server to use.
Proxy Username	String	N/A	No	The proxy username to authenticate with.
Proxy Password	Password	N/A	No	The proxy password to authenticate with.