FireEye iSIGHT Threat Intelligence
Configure the FireEye iSIGHT Threat Intelligence integration to set how often the integration runs, how much history to download on the first run, how much history to write into the intel file, and how much history to keep in the SQLite DB. This integration uses the Mandiant Threat Intelligence v2 API.
do_notice
The do_notice flag can be set per indicator type. It is stored in the DB according to the settings in effect when the indicator is downloaded, and is refreshed in the intel file each time the file is written.
Tip
By default, only MD5 hash support is enabled on a Corelight Sensor, and it is recommended that you use only one hash type. If you plan to use a different hash type, update this configuration and enable the matching package on the sensor.
If interval_hours is set to 0, the integration attempts to download additional content each time the Corelight-update service runs. See Global Configuration and Policy Settings.
The default settings are:
# Enable FireEye iSight Threat Intelligence
fireeye:
  enabled: false
  interval_hours: 1
  public_key:
  private_key:
  download_history: 90 # days to download initially (max 90)
  max_history: 365 # days to keep in the database
  use_history: 180 # days to write to the intel file
  accept_version: "2.6"
  debug: false
  # Enable indicators below
  indicator_type_sender_address: true
  do_notice_sender_address: true
  indicator_type_source_domain: true
  do_notice_source_domain: true
  indicator_type_source_ip: true
  do_notice_source_ip: true
  indicator_type_filename: true
  do_notice_filename: true
  indicator_type_md5: true
  do_notice_md5: true
  indicator_type_sha1: false
  do_notice_sha1: true
  indicator_type_sha256: false
  do_notice_sha256: true
  indicator_type_fuzzy_hash: false
  do_notice_fuzzy_hash: true
  indicator_type_user_agent: true
  do_notice_user_agent: true
  indicator_type_cidr: true
  do_notice_cidr: true
  indicator_type_domain: true
  do_notice_domain: true
  indicator_type_ip: true
  do_notice_ip: true
  indicator_type_url: true
  do_notice_url: true
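The settings above interact in ways that are easy to get wrong: download_history has a hard 90-day cap, use_history cannot usefully exceed max_history (the intel file is built from what the DB still holds), the API keys must be present once enabled is true, the Tip asks for a single hash type, and a do_notice_<type> flag does nothing for an indicator type that is switched off. The script below is an added example (not part of Corelight-update) that reads the fireeye block of a config file and reports those problems before the service is restarted. The sample config embedded in it is constructed for the demonstration, and the rules marked "inference" or "assumption" in the comments are the editor's reading of the page, not documented behaviour of the integration.

```python
"""Offline sanity checks for the ``fireeye:`` block of a Corelight-update
config file. Added example; not part of Corelight-update itself.

Rules encoded here, with their source:
  - download_history must not exceed 90 days (stated in the config comments)
  - use_history should not exceed max_history: the intel file is built from
    the SQLite DB, so days beyond max_history no longer exist (inference)
  - public_key/private_key must be set when enabled is true (inference)
  - only one hash type should be enabled (the page's Tip)
  - do_notice_<type> has no effect when indicator_type_<type> is false
    (assumption: disabled indicator types are never downloaded)
"""
import re

HASH_TYPES = ("md5", "sha1", "sha256", "fuzzy_hash")
MAX_DOWNLOAD_HISTORY_DAYS = 90

# Constructed sample: the page's defaults with a few fields changed so that
# several checks fire (enabled without public_key, 120-day download, 400-day
# use_history against a 365-day DB, and both MD5 and SHA-256 switched on).
SAMPLE_CONFIG = """\
# Enable FireEye iSight Threat Intelligence
fireeye:
  enabled: true
  interval_hours: 1
  public_key:
  private_key: "abc123"
  download_history: 120 # over the 90-day maximum
  max_history: 365
  use_history: 400 # more than the DB keeps
  accept_version: "2.6"
  debug: false
  indicator_type_md5: true
  do_notice_md5: true
  indicator_type_sha1: false
  do_notice_sha1: true
  indicator_type_sha256: true
  do_notice_sha256: true
  indicator_type_fuzzy_hash: false
  do_notice_fuzzy_hash: true
  indicator_type_ip: true
  do_notice_ip: true
"""


def parse_fireeye_block(text):
    """Return the flat key/value map under the top-level ``fireeye:`` key.

    The block is a flat two-level mapping, so a small line parser is enough;
    values in this block never contain '#', so comments are cut at the first
    one. Booleans and integers are converted, quotes are stripped, and an
    empty value becomes None.
    """
    cfg = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # a top-level key
            in_block = line.strip() == "fireeye:"
            continue
        if not in_block:
            continue
        key, _, val = line.strip().partition(":")
        val = val.strip().strip("\"'")
        if val.lower() in ("true", "false"):
            val = val.lower() == "true"
        elif re.fullmatch(r"-?\d+", val):
            val = int(val)
        elif val == "":
            val = None
        cfg[key.strip()] = val
    return cfg


def check_config(cfg):
    """Return (severity, code) findings for the parsed fireeye block."""
    findings = []
    if cfg.get("enabled") and not (cfg.get("public_key") and cfg.get("private_key")):
        findings.append(("error", "missing_api_keys"))
    if (cfg.get("download_history") or 0) > MAX_DOWNLOAD_HISTORY_DAYS:
        findings.append(("error", "download_history_over_max"))
    if (cfg.get("use_history") or 0) > (cfg.get("max_history") or 0):
        findings.append(("error", "use_history_exceeds_max_history"))
    if (cfg.get("interval_hours") or 0) < 0:
        findings.append(("error", "interval_hours_negative"))
    enabled_hashes = [h for h in HASH_TYPES if cfg.get("indicator_type_" + h)]
    if len(enabled_hashes) > 1:
        findings.append(("warning", "multiple_hash_types:" + ",".join(enabled_hashes)))
    for key, val in cfg.items():
        if key.startswith("do_notice_") and val:
            itype = key[len("do_notice_"):]
            if not cfg.get("indicator_type_" + itype):
                findings.append(("info", "do_notice_inert:" + itype))
    return findings


def effective_indicators(cfg):
    """Map each enabled indicator type to the do_notice value it will carry."""
    result = {}
    for key, val in cfg.items():
        if key.startswith("indicator_type_") and val:
            itype = key[len("indicator_type_"):]
            result[itype] = bool(cfg.get("do_notice_" + itype, False))
    return result


if __name__ == "__main__":
    parsed = parse_fireeye_block(SAMPLE_CONFIG)
    for severity, code in check_config(parsed):
        print(severity.upper(), code)
    print("effective indicator types:", effective_indicators(parsed))
```

Run it against a real config by replacing SAMPLE_CONFIG with the file contents; anything at "error" severity is worth fixing before the next scheduled run, while the "info" lines only point out do_notice flags that are currently unused.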