Enricher - FireEye iSIGHT#

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specifications

Enricher name

FireEye iSIGHT

Supported observable types

  • asn

  • domain

  • email

  • email-subject

  • file

  • hash-md5

  • hash-sha1

  • hash-sha256

  • ipv4

  • ipv6

  • malware

  • name

  • port

  • uri

Output

Enriches supported observable types related to the matching input observable types.

API endpoint

  • https://api.isightpartners.com/

Description

This enricher retrieves threat intelligence reports about threats and malware related to areas such as critical infrastructure, cyber crime and espionage, hacktivism, frauds, and vulnerability and exploitation.

Requirements#

  • Email address registered with FireEye.

  • FireEye API key.

Automatic enrichment#

Avoid setting up enrichment rules for the FireEye enricher.

Setting up enrichment rules for this enricher allows it to automatically run and rapidly consume your API request quota.

Instead, run the enricher manually.

Set up the enricher#

Before using the enricher, configure it to add your FireEye credentials:

  1. Go to Data configuration Data configuration icon > Enrichers.

  2. Select the enricher from the displayed list.

  3. Edit the enricher by selecting from the top right More More > Edit.

  4. In the Edit enricher task view, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    API key (public)*

    Set this to your FireEye public API key.

    API key (private)*

    Set this to your FireEye private API key.

    Search results limit

    Limits the number of reports found and ingested by the enricher each time it is run.

    Set to 1000 by default.

    Days offset*

    Limits the age of the oldest report found and ingested by the enricher each time it is run.

    Set to 365 by default.

    ThreatScape Products*

    For more information, see ThreatScape Products.

    By default, set to:

    • Cyber Espionage

    • Hacktivism

    • Enterprise

    • Critical infrastructure

    • Cyber Crime

    • Vulnerability and Exploitation

    • High Value Auction Fraud

    Intelligence Types*

    For more information, see Intelligence Types.

    By default, set to:

    • Threat

    • Malware

    • Vulnerability

    Download and attach PDF version of reports

    When the enricher runs, it downloads and attaches a PDF version for each report it receives from the feed source.

    May consume your Daily Query Quota rapidly if Automatic enrichment is set up.

    Selected by default.

    Caution

    Enabling this makes an additional API call to FireEye for every report retrieved. Disable if the enricher consumes your Daily Query Quota too quickly.

  5. Click Save to store your changes.

Default configuration#

These are the default configuration parameters for the FireEye enricher:

Note

Required fields are marked with an asterisk (*).

Field

Description

Name

Leave this as “FireEye iSIGHT”. Set by default.

Override TLP

Forces all entities and observables produced by this extension to inherit this TLP value.

Description*

Enter a description for this enricher.

Cache validity (sec)*

Set to 2592000 seconds (30 days) by default.

Rate limit (per sec)*

Set to 1000 seconds by default.

Monthly execution cap (runs)*

Set to 1000000 runs by default.

Source reliability*

Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System.

Observable types*

Observable types to enrich. By default, this is set to the observables supported by the FireEye enricher:

  • asn

  • domain

  • email

  • email-subject

  • file

  • hash-md5

  • hash-sha1

  • hash-sha256

  • ipv4

  • ipv6

  • malware

  • name

  • port

  • uri

Enabled

Select to enable this enricher.

API URL*

Set to https://api.intel471.com/v1/ by default.

API key (public)*

Set this to your FireEye public API key.

API key (private)*

Set this to your FireEye private API key.

Search results limit

Limits the number of reports found and ingested by the enricher each time it is run.

Set to 1000 by default.

Days offset*

Limits the age of the oldest report found and ingested by the enricher each time it is run.

Set to 365 by default.

ThreatScape Products*

For more information, see ThreatScape Products.

By default, set to:

  • Cyber Espionage

  • Hacktivism

  • Enterprise

  • Critical infrastructure

  • Cyber Crime

  • Vulnerability and Exploitation

  • High Value Auction Fraud

Intelligence Types*

For more information, see Intelligence Types.

By default, set to:

  • Threat

  • Malware

  • Vulnerability

SSL verification

Selected by default. Select to enable SSL verification.

Path to SSL certificate file

Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

Download and attach PDF version of reports

When the enricher runs, it downloads and attaches a PDF version for each report it receives from the feed source.

May consume your Daily Query Quota rapidly if Automatic enrichment is set up.

Selected by default.

Caution

Enabling this makes an additional API call to FireEye for every report retrieved. Disable if the enricher consumes your Daily Query Quota too quickly.

ThreatScape Products#

The FireEye iSIGHT can enrich observables with reports from these ThreatScape products:

  • Hacktivism: Intelligence reports on hacktivists, black-hat hackers, and terrorist groups.

  • Enterprise: Intelligence reports on corporate threats.

  • Cyber Espionage: Intelligence reports on cyber and industrial espionage.

  • Critical Infrastructure: Intelligence reports on threats to critical infrastructure such as electricity generators, water suppliers, telecom, and so on.

  • Cyber Crime: Intelligence reports on criminal activities carried out through computers and Internet.

  • High Value Auction Fraud: Intelligence reports on illicit activities targeting auctions.

  • Vulnerability and Exploitation: Intelligence reports on product vulnerabilities and exploits.

Intelligence Types#

The FireEye iSIGHT can enrich observables with reports of these types:

  • Malware: the enricher searches intelligence reports on malware.

  • Threat: the enricher searches intelligence reports on threats such as threat actors, strategies, tactics, techniques, campaigns, and so on.

  • Vulnerability: the enricher searches intelligence reports on product vulnerabilities and exploits.

API version#

This extension uses version 2.5 of the FireEye iSIGHT API.