FireEye iSIGHT threat intelligence

Configure the FireEye iSIGHT Threat Intelligence integration to control how often it runs, how many days of history it downloads on the first run, how many days of indicators it writes to the intel file, and how many days it retains in the SQLite database. The integration uses the Mandiant Threat Intelligence v2 API.

do_notice

The do_notice flag is set per indicator type. The value from the settings is stored in the database when an indicator is downloaded, and the intel file is regenerated from the current settings each time it is written, so a changed do_notice_* value is reflected the next time the intel file is written.

Tip

By default, only MD5 hash support is enabled on a Corelight Sensor, and it is recommended that you use a single hash type. If you plan to use a different hash type, update the configuration here (the indicator_type_sha1, indicator_type_sha256 and indicator_type_fuzzy_hash settings are disabled by default) and enable the corresponding package on the sensor.

If interval_hours is set to 0, the integration attempts to download additional content every time the Corelight-update service runs. See Global configuration and policy settings.

The default settings are:

# Enable FireEye iSIGHT Threat Intelligence
fireeye:
  enabled:                          false
  interval_hours:                   1
  public_key:
  private_key:
  download_history:                 90  # days to download initially (max 90)
  max_history:                      365 # days to keep in the database
  use_history:                      180 # days to write to the intel file
  accept_version:                   "2.6"
  debug:                            false
  # Enable indicators below
  indicator_type_sender_address:    true
  do_notice_sender_address:         true
  indicator_type_source_domain:     true
  do_notice_source_domain:          true
  indicator_type_source_ip:         true
  do_notice_source_ip:              true
  indicator_type_filename:          true
  do_notice_filename:               true
  indicator_type_md5:               true
  do_notice_md5:                    true
  indicator_type_sha1:              false
  do_notice_sha1:                   true
  indicator_type_sha256:            false
  do_notice_sha256:                 true
  indicator_type_fuzzy_hash:        false
  do_notice_fuzzy_hash:             true
  indicator_type_user_agent:        true
  do_notice_user_agent:             true
  indicator_type_cidr:              true
  do_notice_cidr:                   true
  indicator_type_domain:            true
  do_notice_domain:                 true
  indicator_type_ip:                true
  do_notice_ip:                     true
  indicator_type_url:               true
  do_notice_url:                    true
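The following is an added, self-contained example (not Corelight-update's own code) that illustrates how the do_notice and history settings above interact: an indicator is stored in SQLite only if its indicator_type_* flag is on, the do_notice value is recorded at download time, rows older than max_history are pruned, and the intel file is rebuilt from only the last use_history days using the *current* do_notice_* settings. The settings dict, the sample indicators, the table layout and the mapping from iSIGHT indicator types to Zeek Intel::Type values are all assumptions made for this example.

```python
"""Illustrative model of the fireeye history and do_notice settings.

Not the Corelight-update implementation; the schema, the indicator type
mapping and the sample data below are constructed for this example.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Subset of the YAML settings above, mirrored as a dict (assumed key names).
SETTINGS = {
    "max_history": 365,          # days kept in the database
    "use_history": 180,          # days written to the intel file
    "indicator_type_md5": True,     "do_notice_md5": True,
    "indicator_type_sha256": False, "do_notice_sha256": True,
    "indicator_type_domain": True,  "do_notice_domain": True,
    "indicator_type_ip": True,      "do_notice_ip": True,
}

# Assumed mapping from iSIGHT indicator types to Zeek Intel framework types.
ZEEK_TYPE = {
    "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH",
    "sha256": "Intel::FILE_HASH", "domain": "Intel::DOMAIN",
    "ip": "Intel::ADDR", "cidr": "Intel::SUBNET", "url": "Intel::URL",
    "sender_address": "Intel::EMAIL", "user_agent": "Intel::USER_AGENT",
    "filename": "Intel::FILE_NAME",
}

INTEL_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice"

# Constructed sample download: (value, iSIGHT type, age in days at download).
SAMPLE = [
    ("d41d8cd98f00b204e9800998ecf8427e", "md5", 10),
    ("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "sha256", 5),
    ("bad.example.net", "domain", 200),   # older than use_history, within max_history
    ("192.0.2.10", "ip", 30),
    ("198.51.100.7", "ip", 400),          # older than max_history, pruned
]


def open_db():
    """In-memory stand-in for the integration's SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE indicators (value TEXT, itype TEXT, seen TEXT, "
        "do_notice INTEGER, PRIMARY KEY (value, itype))"
    )
    return conn


def store(conn, settings, value, itype, seen):
    """Store a downloaded indicator only if its type is enabled.

    The do_notice value is taken from the settings at download time, as the
    text above describes. Returns True if the row was stored.
    """
    if not settings.get(f"indicator_type_{itype}", False):
        return False
    conn.execute(
        "INSERT OR REPLACE INTO indicators VALUES (?, ?, ?, ?)",
        (value, itype, seen.isoformat(), int(settings.get(f"do_notice_{itype}", False))),
    )
    return True


def prune(conn, settings, now):
    """Drop rows older than max_history days; returns the number deleted."""
    cutoff = (now - timedelta(days=settings["max_history"])).isoformat()
    return conn.execute("DELETE FROM indicators WHERE seen < ?", (cutoff,)).rowcount


def write_intel(conn, settings, now):
    """Render Zeek intel file lines for the last use_history days.

    meta.do_notice comes from the *current* settings, not the stored value,
    so a changed do_notice_* flag shows up at the next write.
    """
    cutoff = (now - timedelta(days=settings["use_history"])).isoformat()
    lines = [INTEL_HEADER]
    rows = conn.execute(
        "SELECT value, itype FROM indicators WHERE seen >= ? ORDER BY seen DESC, value",
        (cutoff,),
    )
    for value, itype in rows:
        notice = "T" if settings.get(f"do_notice_{itype}", False) else "F"
        lines.append(f"{value}\t{ZEEK_TYPE[itype]}\tFireEye-iSIGHT\t{itype}\t{notice}")
    return lines


def demo():
    """Run one download, prune, write, then flip a do_notice flag and rewrite."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    settings = dict(SETTINGS)
    conn = open_db()
    stored = [store(conn, settings, v, t, now - timedelta(days=age)) for v, t, age in SAMPLE]
    pruned = prune(conn, settings, now)
    remaining = conn.execute("SELECT COUNT(*) FROM indicators").fetchone()[0]
    first = write_intel(conn, settings, now)
    settings["do_notice_ip"] = False      # operator edits the config between runs
    second = write_intel(conn, settings, now)
    return stored, pruned, remaining, first, second


if __name__ == "__main__":
    _, pruned, remaining, first, second = demo()
    print(f"pruned={pruned} remaining={remaining}")
    print("\n".join(first))
    print("--- after do_notice_ip: false ---")
    print("\n".join(second))
```

Note how the domain seen 200 days ago stays in the database (within max_history) but is absent from the intel file (outside use_history), while the 400-day-old address is deleted outright; the sha256 indicator is never stored because indicator_type_sha256 is false, which is why do_notice_sha256 has no effect until that type is enabled.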