Enricher - FireEye iSIGHT#
Note
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
Specifications |
|
|---|---|
Enricher name |
FireEye iSIGHT |
Supported observable types |
|
Output |
Enriches supported observable types related to the matching input observable types. |
API endpoint |
|
Description |
This enricher retrieves threat intelligence reports about threats and malware related to areas such as critical infrastructure, cyber crime and espionage, hacktivism, frauds, and vulnerability and exploitation. |
Requirements#
Email address registered with FireEye.
FireEye API key.
Automatic enrichment#
Avoid setting up enrichment rules for the FireEye enricher.
Setting up enrichment rules for this enricher allows it to automatically run and rapidly consume your API request quota.
Instead, run the enricher manually.
Set up the enricher#
Before using the enricher, configure it to add your FireEye credentials:
Go to Data configuration
> Enrichers.Select the enricher from the displayed list.
Edit the enricher by selecting from the top right More
> Edit.In the Edit enricher task view, fill out these fields:
Note
Required fields are marked with an asterisk (*).
Field
Description
API key (public)*
Set this to your FireEye public API key.
API key (private)*
Set this to your FireEye private API key.
Search results limit
Limits the number of reports found and ingested by the enricher each time it is run.
Set to
1000by default.Days offset*
Limits the age of the oldest report found and ingested by the enricher each time it is run.
Set to
365by default.ThreatScape Products*
For more information, see ThreatScape Products.
By default, set to:
Cyber Espionage
Hacktivism
Enterprise
Critical infrastructure
Cyber Crime
Vulnerability and Exploitation
High Value Auction Fraud
Intelligence Types*
For more information, see Intelligence Types.
By default, set to:
ThreatMalwareVulnerability
Download and attach PDF version of reports
When the enricher runs, it downloads and attaches a PDF version for each report it receives from the feed source.
May consume your Daily Query Quota rapidly if Automatic enrichment is set up.
Selected by default.
Caution
Enabling this makes an additional API call to FireEye for every report retrieved. Disable if the enricher consumes your Daily Query Quota too quickly.
Click Save to store your changes.
Default configuration#
These are the default configuration parameters for the FireEye enricher:
Note
Required fields are marked with an asterisk (*).
Field |
Description |
|---|---|
Name |
Leave this as “FireEye iSIGHT”. Set by default. |
Override TLP |
Forces all entities and observables produced by this extension to inherit this TLP value. |
Description* |
Enter a description for this enricher. |
Cache validity (sec)* |
Set to |
Rate limit (per sec)* |
Set to |
Monthly execution cap (runs)* |
Set to |
Source reliability* |
Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System. |
Observable types* |
Observable types to enrich. By default, this is set to the observables supported by the FireEye enricher:
|
Enabled |
Select to enable this enricher. |
API URL* |
Set to |
API key (public)* |
Set this to your FireEye public API key. |
API key (private)* |
Set this to your FireEye private API key. |
Search results limit |
Limits the number of reports found and ingested by the enricher each time it is run. Set to |
Days offset* |
Limits the age of the oldest report found and ingested by the enricher each time it is run. Set to |
ThreatScape Products* |
For more information, see ThreatScape Products. By default, set to:
|
Intelligence Types* |
For more information, see Intelligence Types. By default, set to:
|
SSL verification |
Selected by default. Select to enable SSL verification. |
Path to SSL certificate file |
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. |
Download and attach PDF version of reports |
When the enricher runs, it downloads and attaches a PDF version for each report it receives from the feed source. May consume your Daily Query Quota rapidly if Automatic enrichment is set up. Selected by default. Caution Enabling this makes an additional API call to FireEye for every report retrieved. Disable if the enricher consumes your Daily Query Quota too quickly. |
ThreatScape Products#
The FireEye iSIGHT can enrich observables with reports from these ThreatScape products:
Hacktivism: Intelligence reports on hacktivists, black-hat hackers, and terrorist groups.Enterprise: Intelligence reports on corporate threats.Cyber Espionage: Intelligence reports on cyber and industrial espionage.Critical Infrastructure: Intelligence reports on threats to critical infrastructure such as electricity generators, water suppliers, telecom, and so on.Cyber Crime: Intelligence reports on criminal activities carried out through computers and Internet.High Value Auction Fraud: Intelligence reports on illicit activities targeting auctions.Vulnerability and Exploitation: Intelligence reports on product vulnerabilities and exploits.
Intelligence Types#
The FireEye iSIGHT can enrich observables with reports of these types:
Malware: the enricher searches intelligence reports on malware.Threat: the enricher searches intelligence reports on threats such as threat actors, strategies, tactics, techniques, campaigns, and so on.Vulnerability: the enricher searches intelligence reports on product vulnerabilities and exploits.
API version#
This extension uses version 2.5 of the FireEye iSIGHT API.