FireEye Feed

Use the FireEye Feed integration to fetch indicators from the FireEye Intelligence Feed.

Configure FireEye Feed on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for FireEye Feed.

  3. Click Add instance to create and configure a new integration instance.

    Parameter | Description
    Name | A meaningful name for the integration instance.
    Fetch indicators | If checked, fetches indicators.
    Indicator Reputation | The reputation applied to indicators from this integration instance. The default value is "Bad".
    Source Reliability | The reliability of the source providing the intelligence data. The default value is "A - Completely reliable".
    Traffic Light Protocol color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp.
    Indicator Expiration Method | The method by which to expire indicators from this feed for this integration instance.
    Indicator Expiration Interval | How often to expire the indicators from this integration instance (in minutes). This only applies if the feedExpirationPolicy is set to "interval".
    Feed Fetch Interval | How often to fetch indicators from the feed for this integration instance (in minutes). The default value is 240.
    Public Key + Password | The credentials used to access the feed's data.
    Malicious Threshold | The minimum score from the feed required to determine that the indicator is malicious. Default is "70".
    Reputation Interval | If this number of days has passed since the indicator was created, its reputation can be at most "Suspicious". Default is "30".
    Bypass exclusion list | Whether the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.
  4. Click Test to validate the connection.
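
How the Malicious Threshold and Reputation Interval parameters combine, as an added example that is not the integration's own code: the sketch applies the two rules from the table to constructed indicators so candidate settings can be compared before changing an instance. The function names, the "Unknown" verdict for scores below the threshold, and treating exactly N days as "passed" are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Verdict ranks so a cap can be applied with min(). "Unknown" for scores below
# the threshold is an assumption; the page defines only the other two outcomes.
RANK = {"Unknown": 0, "Suspicious": 2, "Bad": 3}
LABEL = {v: k for k, v in RANK.items()}


def effective_reputation(score, created, now, malicious_threshold=70,
                         reputation_interval_days=30):
    """Return the verdict for one indicator under the two documented rules."""
    # Rule 1 (Malicious Threshold): a score at or above the threshold is malicious.
    rank = RANK["Bad"] if score >= malicious_threshold else RANK["Unknown"]
    # Rule 2 (Reputation Interval): once the interval has passed since creation,
    # the verdict is capped at "Suspicious". Treating exactly N days as "passed"
    # is an assumption of this sketch.
    if now - created >= timedelta(days=reputation_interval_days):
        rank = min(rank, RANK["Suspicious"])
    return LABEL[rank]


def summarize(indicators, now, **settings):
    """Count verdicts for a batch, to compare candidate instance settings."""
    return Counter(
        effective_reputation(i["score"], i["created"], now, **settings)
        for i in indicators
    )


# Constructed sample data (not real feed output).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"value": "198.51.100.7", "score": 95, "created": NOW - timedelta(days=2)},
    {"value": "bad.example.com", "score": 70, "created": NOW - timedelta(days=29)},
    {"value": "old.example.net", "score": 99, "created": NOW - timedelta(days=30)},
    {"value": "203.0.113.20", "score": 69, "created": NOW - timedelta(days=1)},
    {"value": "stale.example.org", "score": 40, "created": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    print("defaults:", dict(summarize(SAMPLE, NOW)))
    print("threshold 60, interval 90:",
          dict(summarize(SAMPLE, NOW, malicious_threshold=60,
                         reputation_interval_days=90)))
```

With the defaults, the 30-day-old indicator is capped at "Suspicious" despite its score of 99; lowering the threshold and lengthening the interval moves it and the score-69 indicator to "Bad".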

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get indicators from the feed


Gets the feed indicators and reports.

Base Command

!fireeye-get-indicators

Input
Argument Name | Description | Required
limit | The maximum number of results to return. The default value is 10. | Optional
Context Output

There is no context output for this command.