FireEye NX
Integration version: 6.0
Use Cases
- Ingest Trellix Network Security alerts to use them to create Google Security Operations SOAR alerts. Next, in Google Security Operations SOAR, alerts can be used to perform orchestrations with playbooks or manual analysis.
- Perform enrichment actions - download alert artifacts using Trellix Network Security agent from Google Security Operations SOAR.
Configure FireEye NX integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| API Root | String | https://x.x.x.x:<port> | Yes | API root of Trellix Network Security server. |
| Username | String | N/A | Yes | Username of the Trellix Network Security account. |
| Password | Password | N/A | Yes | Password of the Trellix Network Security account. |
| Verify SSL | Checkbox | Checked | No | If enabled, verifies that the SSL certificate for the connection to the Trellix Network Security server is valid. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Ping
Description
Test connectivity to Trellix Network Security with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
The action doesn't run on entities, nor has mandatory input parameters.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: Print "Successfully connected to the Trellix Network Security server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: Print "Failed to connect to the Trellix Network Security server! Error is {0}".format(exception.stacktrace) |
General |
Download Alert Artifacts
Description
Download alert artifacts.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert UUID | String | N/A | Yes | Specify the alert uuid from where we need to download artifacts. |
| Download Path | String | N/A | Yes | Specify where the action should save the files. |
Run On
The action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if status code 200 (is_success = true): Print "Successfully downloaded Trellix Network Security alert artifacts with alert id {0}!".format(alert uuid)
Print "Action wasn't able to download Trellix Network Security alert artifacts with alert id {0}. Reason: File with that path already exists." if status code 404 (is_success = false) : Print "Artifacts for alert with uuid {0} were not found. ".format(alert_uuid) The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: Print "Error executing action "Download Alert Artifacts". Reason: {0}''.format(error.Stacktrace) |
General |
Add IPS Policy Exception
Description
Add IPS Policy Exception in Trellix Network Security.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Victim IP Subnet | String | x.x.x.x/24 | Yes | Specify the IP subnet of the victim that should be used to create a new policy exception. Format: x.x.x.x/xx. Example: 10.0.0.1/24 |
| Interface | DDL | ALL Possible Values A B C D ALL |
Yes | Specify what interface should be used in policy exceptions. |
| Mode | DLL | Block Possible Values Block Unblock Suppress Suppress-unblock |
Yes | Specify the mode that should be used in the policy exception. |
| Name | String | N/A | No | Specify the name for the policy exception. If nothing is specified, the
action adds policy exceptions with the following name:
PRODUCT_NAME_INTERFACE_MODE
. |
Run On
The action runs on the IP entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If one or more entities didn't work (status code 400) (is success=true): "Action wasn't able to add IPS policy exceptions based on the following entities:\n{0}". if none of the entities worked: "No IPS policy exception were created". |
General |
Connectors
FireEye NX - Alerts Connector
Description
Connector ingest Trellix Network Security alert into Google Security Operations SOAR.
Configure FireEye NX - Alerts Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | eventType | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://x.x.x.x:x | Yes | API root of Trellix Network Security server. |
| Username | String | N/A | Yes | Username of the Trellix Network Security account. |
| Password | Password | Yes | Password of the Trellix Network Security account. | |
| Fetch Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch alerts. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the Trellix Network Security server is valid. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, dynamic list will be used as a blocklist. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports proxy.