FireEye iSight

Updated 3 months ago by Elvis Hovor

Introduction

TruSTAR is a threat intelligence platform designed to accelerate incident analysis and the exchange of intelligence among internal and external teams. This document describes how paying iSight customers can ingest reports, and all indicators associated with them, from iSight into their enclave in TruSTAR and correlate them with other data sources stored in all TruSTAR enclaves they have access to.

Prerequisites

This integration requires TruSTAR users to be paying customers of iSight intelligence and to have access to their public key (API ID) and private key (API Secret).

Note: The public key is entered as the API ID in the Marketplace and the private key as the API Secret.

Configure Integration

After you have retrieved your iSight API ID and API Secret, follow these steps:

  1. Log into TruSTAR Station and go to Explore -> Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click the iSight logo and fill in your API ID and API Secret.
  4. Click Submit.

TruSTAR will validate and enable the iSight integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.


After the integration is enabled, you should see reports from iSight being submitted into an enclave you control in TruSTAR.

FAQ

What data do you currently pull from iSight?

Our integration currently only pulls reports from iSight, extracts the cyber IOCs from them and correlates those IOCs with the user's other enclave data.

How often is the data pulled?

Our integration retrieves iSight reports every 15 minutes.


Technical Details

Workflow:

• Get all report-related data using the /report/index API and add the API response under the key 'indicator_details'.
• Iterate over all items and get the details of each report, using its report id, with the /report/reportid API; add that API response under the key 'report_details'.
• Merge the responses of both APIs into one record.

Request Example:

https://api.isightpartners.com/report/index?startDate=1390708741&endDate=1391399948

Sample Response:

    {
      "reportId": "17-00004652",
      "title": "CLONE-QEMU 2.8.0 wdt_i6300esb Memory Leak Vulnerability",
      "ThreatScape": ["High Value Auction Fraud"],
      "audience": null,
      "publishDate": 1494402300,
      "version": "1",
      "version1PublishDate": 1494402300,
      "intelligenceType": "vulnerability",
      "reportType": null,
      "reportLink": "https://api.isightpartners.com/report/17-00004652",
      "webLink": "https://intelligence.fireeye.com/reports/17-00004652",
      "report_details": {
        "reportId": "21-52014",
        "title": "** ALL FIELDS REPORTS **",
        "publishDate": "October 12, 2016 12:28:00 AM",
        "ThreatScape": {
          "product": [
            "ThreatScape Critical Infrastructure",
            "ThreatScape Cyber Crime",
            "ThreatScape Cyber Espionage",
            "ThreatScape Enterprise",
            "ThreatScape Hacktivism",
            "ThreatScape Vulnerability and Exploitation"
          ]
        },
        "audience": ["Operational"],
        "version": "1",
        "intelligenceType": "overview",
        "reportType": "Malware Overview",
        "threatDescription": "The description for malware",
        "tagSection": {
          "main": {
            "affectedIndustries": {
              "affectedIndustry": [
                "Financial Services >> Retail Banks/ATMs/Credit Cards",
                "Agriculture/Farming/Forestry/Paper",
                "Pharmaceutical and Bio Technology",
                "Retail and Hospitality/Consumer Goods/Travel/Gaming/Food & Beverage",
                "Financial Services"
              ]
            },
            "operatingSystems": {
              "operatingSystem": ["Windows", "Linux", "Android", "Mac", "ios"]
            },
            "roles": {
              "role": ["Dropper", "Backdoor", "Uploader"]
            },
            "malwareCapabilities": {
              "malwareCapability": [
                "Anti-AV capabilities",
                "Anti-forensic capabilities",
                "Data theft capabilities",
                "Anti-VM capabilities"
              ]
            },
            "detectionNames": {
              "detectionName": [{ "vendor": "FireEye", "name": "qazx" }]
            },
            "malwareFamilies": {
              "malwareFamily": [{
                "id": "554e652a-4657-4a2f-9874-ad081ba82daa",
                "name": "bB_1234567890-",
                "aliases": ["aA~!@#$%^&*()_+{}|:\"<>?`1234567890-=[]\\;'./"]
              }]
            }
          }
        },
        "relations": {
          "malwareFamilies": [
            { "name": "cC_1234567890-", "id": "3a440317-dd71-4c01-9171-6731802d670e" },
            { "name": "Panda Zeus", "id": "f6bb6718-4551-41a1-b679-dded34104ed1" }
          ],
          "actors": [{ "name": "Cracka", "id": "2724847a-8a3b-40ec-8ac3-d50ba5ffd1c8" }]
        },
        "copyright": "\u00a9 Copyright 2016 FireEye, Inc. All rights reserved."
      }
    }

The TruSTAR report is JSON formatted.

TruSTAR Report Content Mapping:
Report title - reportId (e.g. 21-52014)
External id - reportId (e.g. 21-52014)
External url - reportLink (e.g. https://api.isightpartners.com/report/21-52014)
Report Body - the entire JSON content received from iSight is stored as the report body
Time begun - publishDate (e.g. 1408463264)
Tags - None
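As an added example (not TruSTAR's or FireEye's own code), the following Python sketches the merge step of the workflow and the content mapping above. The index item and report details are constructed samples, the authenticated HTTP calls are left out, and the reportId format check and the use of the index item's epoch publishDate for Time begun are assumptions.

```python
import json
import re

# Constructed sample of one item from the /report/index response (not real iSight data).
INDEX_ITEM = {
    "reportId": "21-52014",
    "title": "Sample Malware Overview",
    "publishDate": 1408463264,
    "reportLink": "https://api.isightpartners.com/report/21-52014",
    "webLink": "https://intelligence.fireeye.com/reports/21-52014",
    "intelligenceType": "overview",
}

# Constructed sample of the matching /report/<reportId> response.
REPORT_DETAILS = {
    "reportId": "21-52014",
    "title": "Sample Malware Overview",
    "reportType": "Malware Overview",
    "tagSection": {"main": {"malwareFamilies": {"malwareFamily": [{"name": "Panda Zeus"}]}}},
}

# Assumed shape of an iSight reportId (e.g. 21-52014, 17-00004652); used so that
# only well-formed ids from the upstream feed are turned into external ids.
REPORT_ID_RE = re.compile(r"^\d{2}-\d{4,8}$")


def index_url(start_ts, end_ts):
    """Build the /report/index request shown in the request example (epoch seconds)."""
    if end_ts < start_ts:
        raise ValueError("endDate must not precede startDate")
    return f"https://api.isightpartners.com/report/index?startDate={start_ts}&endDate={end_ts}"


def merge_report(index_item, report_details):
    """Combine both API responses under the keys named in the workflow."""
    if index_item["reportId"] != report_details["reportId"]:
        raise ValueError("report details do not belong to this index item")
    return {"indicator_details": index_item, "report_details": report_details}


def to_trustar_report(merged):
    """Apply the TruSTAR content mapping: title/external id from reportId, body = full JSON."""
    idx = merged["indicator_details"]
    report_id = idx["reportId"]
    if not REPORT_ID_RE.match(report_id):
        raise ValueError(f"unexpected reportId format: {report_id!r}")
    return {
        "title": report_id,
        "externalId": report_id,
        "externalUrl": idx["reportLink"],
        "reportBody": json.dumps(merged, sort_keys=True),  # entire iSight JSON, stored as data
        "timeBegan": idx["publishDate"],  # assumption: the index item's epoch publishDate
        "tags": None,
    }
```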
