Enricher - FireEye iSIGHT
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
|
|
Specifications |
|
Enricher name |
FireEye iSIGHT |
|
Supported observable types |
|
|
Output |
Enriches supported observable types related to the matching input observable types. |
|
API endpoint |
|
|
Description |
This enricher retrieves threat intelligence reports about threats and malware related to areas such as critical infrastructure, cyber crime and espionage, hacktivism, frauds, and vulnerability and exploitation. |
Requirements
Email address registered with FireEye.
FireEye API key.
Automatic enrichment
Avoid setting up enrichment rules for the FireEye enricher.
Setting up enrichment rules for this enricher allows it to automatically run and rapidly consume your API request quota.
Instead, run the enricher manually.
Set up the enricher
Before using the enricher, configure it to add your FireEye credentials:
Go to Data configuration
> Enrichers.Select the enricher from the displayed list.
Edit the enricher by selecting from the top right More
> Edit.In the Edit enricher task view, fill out these fields:
Required fields are marked with an asterisk (*).
Field
Description
API key (public)*
Set this to your FireEye public API key.
API key (private)*
Set this to your FireEye private API key.
Search results limit
Limits the number of reports found and ingested by the enricher each time it is run.
Set to 1000 by default.
Days offset*
Limits the age of the oldest report found and ingested by the enricher each time it is run.
Set to 365 by default.
ThreatScape Products*
For more information, see ThreatScape Products.
By default, set to:
Cyber Espionage
Hacktivism
Enterprise
Critical infrastructure
Cyber Crime
Vulnerability and Exploitation
High Value Auction Fraud
Intelligence Types*
For more information, see Intelligence Types.
By default, set to:
Threat
Malware
Vulnerability
Download and attach PDF version of reports
When the enricher runs, it downloads and attaches a PDF version for each report it receives from the feed source.
May consume your Daily Query Quota rapidly if Automatic enrichment is set up.
Selected by default.
Enabling this makes an additional API call to FireEye for every report retrieved. Disable if the enricher consumes your Daily Query Quota too quickly.
Click Save to store your changes.
Default configuration
These are the default configuration parameters for the FireEye enricher:
Required fields are marked with an asterisk (*).
|
Field |
Description |
|
Name |
Leave this as “FireEye iSIGHT”. Set by default. |
|
Override TLP |
Forces all entities and observables produced by this extension to inherit this TLP value. |
|
Description* |
Enter a description for this enricher. |
|
Cache validity (sec)* |
Set to 2592000 seconds (30 days) by default. |
|
Rate limit (per sec)* |
Set to 1000 seconds by default. |
|
Monthly execution cap (runs)* |
Set to 1000000 runs by default. |
|
Source reliability* |
Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System. |
|
Observable types* |
Observable types to enrich. By default, this is set to the observables supported by the FireEye enricher:
|
|
Enabled |
Select to enable this enricher. |
|
API URL* |
Set to https://api.intel471.com/v1/ by default. |
|
API key (public)* |
Set this to your FireEye public API key. |
|
API key (private)* |
Set this to your FireEye private API key. |
|
Search results limit |
Limits the number of reports found and ingested by the enricher each time it is run. Set to 1000 by default. |
|
Days offset* |
Limits the age of the oldest report found and ingested by the enricher each time it is run. Set to 365 by default. |
|
ThreatScape Products* |
For more information, see ThreatScape Products. By default, set to:
|
|
Intelligence Types* |
For more information, see Intelligence Types. By default, set to:
|
|
SSL verification |
Selected by default. Select to enable SSL verification. |
|
Path to SSL certificate file |
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. |
|
Download and attach PDF version of reports |
When the enricher runs, it downloads and attaches a PDF version for each report it receives from the feed source. May consume your Daily Query Quota rapidly if Automatic enrichment is set up. Selected by default. Enabling this makes an additional API call to FireEye for every report retrieved. Disable if the enricher consumes your Daily Query Quota too quickly. |
ThreatScape Products
The FireEye iSIGHT can enrich observables with reports from these ThreatScape products:
Hacktivism: Intelligence reports on hacktivists, black-hat hackers, and terrorist groups.
Enterprise: Intelligence reports on corporate threats.
Cyber Espionage: Intelligence reports on cyber and industrial espionage.
Critical Infrastructure: Intelligence reports on threats to critical infrastructure such as electricity generators, water suppliers, telecom, and so on.
Cyber Crime: Intelligence reports on criminal activities carried out through computers and Internet.
High Value Auction Fraud: Intelligence reports on illicit activities targeting auctions.
Vulnerability and Exploitation: Intelligence reports on product vulnerabilities and exploits.
Intelligence Types
The FireEye iSIGHT can enrich observables with reports of these types:
Malware: the enricher searches intelligence reports on malware.
Threat: the enricher searches intelligence reports on threats such as threat actors, strategies, tactics, techniques, campaigns, and so on.
Vulnerability: the enricher searches intelligence reports on product vulnerabilities and exploits.
API version
This extension uses version 2.5 of the FireEye iSIGHT API.