FireEye Email Threat Prevention
The FireEye ETP connector integrates with FireEye's email security solutions to automate threat detection and response activities. FireEye Email Threat Prevention (ETP) offers advanced threat protection and email security against phishing, malware, spam, and other sophisticated email threats. The FireEye ETP connector for Swimlane Turbine enables users to automate the retrieval of threat alerts, detailed alert information, message trace data, and message search results. By integrating with FireEye ETP, Swimlane Turbine users can enhance their security automation workflows, streamline threat investigations, and respond to email-based threats more efficiently.

## Prerequisites

To effectively utilize the FireEye Email Threat Prevention connector with Swimlane Turbine, ensure you have the following:

**API Key Authentication**

- URL: the endpoint URL for the FireEye ETP API
- API Key: a valid API key provided by FireEye to access the ETP services

## Capabilities

This connector provides the following capabilities:

- Get Alerts Summary
- Get Detail of Specified Alert
- Message Trace Information Request
- Search for Messages

## Configurations

### FireEye ETP API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| x-fireeye-api-key | FireEye API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Alerts Summary

Retrieves a summary list of advanced threat alerts from FireEye Email Threat Prevention.

- Endpoint URL: `/api/v1/alerts`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attributes | object | optional | Parameter for Get Alerts Summary |
| attributes.etp_message_id | string | optional | Email message ID |
| attributes.email_status | string | optional | Status value |
| attributes.fromLastModifiedOn | string | optional | Date-time in `YYYY-MM-DDThh:mm:ss.fff` format, in reverse chronological order; default is 90 days |
| size | number | optional | Number of alerts to include in the response; valid range is 1-100 |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| attributes | object | Output field attributes |
| meta | object | Output field meta |
| read | boolean | Output field read |
| last_modified_on | string | Output field last_modified_on |
| legacy_id | number | Unique identifier |
| acknowledged | boolean | Output field acknowledged |
| ati | object | Output field ati |
| threat_type | string | Type of the resource |
| alert | object | Output field alert |
| product | string | Output field product |
| malware_md5 | string | Output field malware_md5 |
| timestamp | string | Output field timestamp |
| email | object | Output field email |
| status | string | Status value |
| smtp | object | Output field smtp |
| rcpt_to | string | Output field rcpt_to |
| mail_from | string | Output field mail_from |
| etp_message_id | string | Unique identifier |
| headers | object | HTTP headers for the request |
| cc | string | Output field cc |
| to | string | Output field to |
| from | string | Output field from |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": [],
      "meta": {},
      "type": "alerts"
    }
  }
]
```

### Get Detail of Specified Alert

Retrieves detailed information for a specific advanced threat alert using the provided alert ID.

- Endpoint URL: `/api/v1/alerts/{{alert_id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| alert_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| attributes | object | Output field attributes |
| meta | object | Output field meta |
| read | boolean | Output field read |
| last_modified_on | string | Output field last_modified_on |
| legacy_id | number | Unique identifier |
| acknowledged | boolean | Output field acknowledged |
| ati | object | Output field ati |
| alert | object | Output field alert |
| product | string | Output field product |
| alert_type | array | Type of the resource |
| severity | string | Output field severity |
| ack | string | Output field ack |
| malware_md5 | string | Output field malware_md5 |
| explanation | object | Output field explanation |
| analysis | string | Output field analysis |
| anomaly | string | Output field anomaly |
| cnc_services | object | Output field cnc_services |
| malware_detected | object | Output field malware_detected |
| os_changes | array | Output field os_changes |
| protocol | string | Output field protocol |
| timestamp | string | Output field timestamp (explanation) |
| timestamp | string | Output field timestamp (alert) |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": [],
      "meta": {},
      "type": "alerts"
    }
  }
]
```

### Message Trace Information Request

Retrieves attributes for a specific message using the FireEye ETP message ID provided in the path parameters.

- Endpoint URL: `/api/v1/messages/{{etp_message_id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| etp_message_id | string | required | The ID of the ETP message |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| attributes | object | Output field attributes |
| acceptedDateTime | string | Time value |
| countryCode | string | Output field countryCode |
| domain | string | Output field domain |
| downstreamMsgId | string | Unique identifier |
| emailSize | number | Output field emailSize |
| lastModifiedDateTime | string | Time value |
| recipientHeader | array | Output field recipientHeader |
| recipientSMTP | array | Output field recipientSMTP |
| senderHeader | string | Output field senderHeader |
| senderSMTP | string | Output field senderSMTP |
| senderIP | string | Output field senderIP |
| status | string | Status value |
| subject | string | Output field subject |
| verdicts | object | Output field verdicts |
| AS | string | Output field AS |
| AV | string | Output field AV |
| AT | string | Output field AT |
| PV | string | Output field PV |
| included | array | Output field included |
| type | string | Type of the resource |
| id | number | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": [],
      "meta": {}
    }
  }
]
```

### Search for Messages

Retrieves a list of messages with the specified attributes from the FireEye Email Threat Prevention portal.

- Endpoint URL: `/api/v1/messages/trace`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| search | object | optional | Parameter for Search for Messages |
| search.type | string | optional | Specifies the type of the query; currently this can have only one value, `messageAttributes` |
| search.size | number | optional | The number of entries returned by the search query; default is 20 and maximum is 100 |
| search.attributes | object | optional | Parameter for Search for Messages |
| search.attributes.fromEmail | object | optional | List of from email addresses, 10 entries maximum |
| search.attributes.fromEmail.value | array | optional | From email values |
| search.attributes.fromEmail.filter | string | optional | From email filter |
| search.attributes.fromEmail.includes | array | optional | From email includes |
| search.attributes.recipients | object | optional | Array of To/CC email addresses, 10 entries maximum |
| search.attributes.recipients.value | array | optional | Recipient values |
| search.attributes.recipients.filter | string | optional | Recipient filter |
| search.attributes.recipients.includes | array | optional | Recipient includes |
| search.attributes.subject | object | optional | Text to search for in the subject |
| search.attributes.subject.value | string | optional | Subject value |
| search.attributes.subject.filter | string | optional | Subject filter |
| search.attributes.period | object | optional | Period attributes |
| search.attributes.period.range | object | optional | Parameter for Search for Messages |
| search.attributes.period.range.lastModifiedDateTime | object | optional | Last modified date-time; format must comply with ISO 8601 |
| search.attributes.period.range.lastModifiedDateTime.value | string | optional | Last modified date-time value |
| search.attributes.period.range.lastModifiedDateTime.filter | string | optional | Last modified date-time filter; filter values are `>=`, `<=`, `>`, `<` |
| search.attributes.status | object | optional | Array of email status values |
| search.attributes.status.value | array | optional | Status values |
| search.attributes.status.filter | string | optional | Status filter |
| search.attributes.rejectionReason | object | optional | Rejection reason |
| search.attributes.rejectionReason.value | array | optional | Rejection reason values |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| attributes | object | Output field attributes |
| acceptedDateTime | string | Time value |
| countryCode | string | Output field countryCode |
| domain | string | Output field domain |
| emailSize | number | Output field emailSize |
| rejectionReason | object | Rejection reason |
| code | string | Output field code |
| description | string | Output field description |
| isMarkedDeleted | boolean | Output field isMarkedDeleted |
| isRead | boolean | Output field isRead |
| lastModifiedDateTime | string | Time value |
| recipientHeader | array | Output field recipientHeader |
| recipientSMTP | array | Output field recipientSMTP |
| senderHeader | string | Output field senderHeader |
| senderSMTP | string | Output field senderSMTP |
| senderIP | string | Output field senderIP |
| status | string | Status value |
| subject | string | Output field subject |
| verdicts | object | Output field verdicts |
| AS | string | Output field AS |
| AV | string | Output field AV |
| AT | string | Output field AT |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": [],
      "meta": {}
    }
  }
]
```
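As an added example (not the connector's or FireEye's own code), the following Python builds the `search` body for the Search for Messages action with the documented limits enforced (10 addresses per filter, size 1-100, the four date filter values), and then picks out messages whose verdicts are not clean from a constructed trace response. The `"in"` filter string, the `includes` values and the verdict strings in the sample are assumptions; the field names, limits and date filter values come from the tables above.

```python
from datetime import datetime, timezone

DATE_FILTERS = {">=", "<=", ">", "<"}   # documented filter values for lastModifiedDateTime
MAX_ADDRESSES, MAX_SIZE = 10, 100        # documented limits for address lists and size


def build_search_body(from_emails=(), recipients=(), subject=None,
                      since=None, date_filter=">=", statuses=(), size=20):
    """Return the JSON body for POST /api/v1/messages/trace."""
    if not 1 <= size <= MAX_SIZE:
        raise ValueError("size must be between 1 and 100")
    if date_filter not in DATE_FILTERS:
        raise ValueError("filter must be one of >=, <=, >, <")
    if len(from_emails) > MAX_ADDRESSES or len(recipients) > MAX_ADDRESSES:
        raise ValueError("at most 10 email addresses per filter")
    attrs = {}
    # Assumption: "in" matches any listed address; includes covers SMTP and header addresses.
    if from_emails:
        attrs["fromEmail"] = {"value": list(from_emails), "filter": "in",
                              "includes": ["smtp", "header"]}
    if recipients:
        attrs["recipients"] = {"value": list(recipients), "filter": "in",
                               "includes": ["smtp", "header"]}
    if subject:
        attrs["subject"] = {"value": subject, "filter": "in"}
    if since:  # ISO 8601 with millisecond precision, normalised to UTC
        stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]
        attrs["period"] = {"range": {"lastModifiedDateTime":
                                     {"value": stamp, "filter": date_filter}}}
    if statuses:
        attrs["status"] = {"value": list(statuses), "filter": "in"}
    return {"attributes": attrs, "type": "messageAttributes", "size": size}


def suspicious_messages(trace_response, clean=frozenset({"pass"})):
    """Return (senderSMTP, subject, verdicts) for messages with any AS/AV/AT/PV
    verdict outside `clean`. Verdict strings are assumed, not documented above."""
    hits = []
    for msg in trace_response.get("data", []):
        attrs = msg.get("attributes", {})
        verdicts = {k: v for k, v in attrs.get("verdicts", {}).items()
                    if k in ("AS", "AV", "AT", "PV")}
        if any(v not in clean for v in verdicts.values()):
            hits.append((attrs.get("senderSMTP"), attrs.get("subject"), verdicts))
    return hits


# Constructed sample response in the shape of the Search for Messages output.
SAMPLE = {"data": [
    {"id": 1, "attributes": {"senderSMTP": "billing@example.com", "subject": "Invoice",
                             "verdicts": {"AS": "pass", "AV": "pass", "AT": "pass", "PV": "pass"}}},
    {"id": 2, "attributes": {"senderSMTP": "noreply@example.net", "subject": "Urgent",
                             "verdicts": {"AS": "pass", "AV": "fail", "AT": "pass", "PV": "pass"}}},
]}
```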