Incoming feed - FireEye iSIGHT Intelligence Report API

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.


Specifications

Transport type

FireEye iSIGHT Intelligence Report API

Content type

FireEye Report JSON|

Ingested data

FireEye iSIGHT intelligence reports.

Processed data

STIX reports on vulnerabilities, malware, and threats such as threat actors, strategies, tactics, and techniques.

Requirements

  • FireEye public API key.

  • FireEye private API key.

Skip extraction of observables from unstructured text

By default, this extension extracts observables from unstructured text in entities ingested from the incoming feed, such as from:

  • Entity titles

  • Entity descriptions

This may result in a number of false positives when ingesting the feed.

To reduce the number of false positives from ingesting unstructured text, you can either:

  1. Uncheck the Skip extraction of observables from unstructured text option when configuring the feed.

  2. Or, Create observable rules to ignore false positives that are particular to this incoming feed.

For example, observables extracted from unstructured data when ingesting entities from FireEye iSIGHT Intelligence Report API may result in a large number of domain: fireeye.satmetrix.com observables. Create an observable rule to ignore those observables.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select FireEye iSIGHT Intelligence Report API from the drop-down menu.

    Content type*

    Select FireEye Report JSON from the drop-down menu.

    API URL*

    Set this to the FireEye iSIGHT API endpoint.

    By default, this is set to https://api.isightpartners.com/

    API key (public)*

    Set this to your FireEye public API key.

    API key (private)*

    Set this to your FireEye private API key.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    SSL Cert

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

    Include Threat intelligence type

    Enable to retrieve threat intelligence reports when you run the feed.

    Selected by default.

    Include Malware intelligence type

    Enable to retrieve malware intelligence reports when you run the feed.

    Selected by default.

    Include Vulnerability intelligence type

    Enable to retrieve vulnerability intelligence reports when you run the feed.

    Selected by default.

    Include Overview intelligence type

    Enable to retrieve ‘Malware Overview’ and ‘Actor Overview’ intelligence reports when you run the feed.

    Selected by default.

    Download and attach PDF version of reports

    When the feed runs, it downloads and attaches a PDF version for each report it receives from the feed source.

    Selected by default.

    Enabling this makes an additional API call to FireEye for every report retrieved. Disable if the feed consumes your Daily Query Quota too quickly.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.

SSL certificates

To use an SSL certificate with the platform, it must be:

  • Accessible on the EclecticIQ Platform host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that the platform can access the SSL certificate:

  1. Upload the SSL certificate to a location on the platform host.

  2. On the platform host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.

Ingestion results

Retrieved reports are ingested as Report entitites on the platform, with the following attached entitites where available:

Ingested report

Resulting entities

Malware intelligence report

  • Indicators

  • TTPs, where available:

    • Malware family

    • Malware variant

    • Targeted victim

    • Targeted systems

    • Targeted information

  • Relationships from indicators to indicated TTPs

Threat intelligence report

  • Indicators

  • Threat actors

    • Motivations

    • Intended effects

  • TTPs

    • Malware

    • Targeted victim

  • Relationships from the report to related indicators, threat actors, and TTPs

Vulnerability intelligence report

  • Exploit targets

    • Vendor of the vulnerable/affected software product

    • Vulnerable/Affected software product

    • Vulnerable/Affected software product version

    • CVE-ID

    • CVSS scores

  • Courses of action

  • Relationships from exploit targets to courses of action

API version

This extension uses version 2.5 of the FireEye iSIGHT API.