In this installment of the Tips and Insights series, Richard Ignacio gives a brief overview of the queue plugin for the FireEye Security Orchestrator (FSO).
Hi, my name is Richard Ignacio and I’m the Senior Manager of the Orchestration Architecture team with FireEye. Today, I’d like to give a brief overview of the queue plugin for the FireEye Security Orchestrator.
So, in FSO we’re going to go into the plugins tab and then go to the FSO queue plugin.
When we select that, we can see which parameters are required to create this plugin. The only parameter you’re going to need is a queue name. This queue name is used with all the commands to specify which queue they perform the operation against.
In the command section, the first command we’ll look at is ‘add to queue’. For ‘add to queue’ you need to provide the data: this is the JSON object that you create and add into the queue. The queue name defaults to the queue name you used in the device parameters; otherwise you can override it with your own name.
The next command, ‘get queue items’, has a limit parameter. This sets how many results you want to pull back from the queue when you issue this command. The queue name again defaults to the one you specified in the device parameters, or you can override it. ‘Custom search’ takes a valid Elasticsearch query.
‘Bind params’ is only used in later versions of FSO, so we won’t go over it here. For the ‘sort’ parameter you can sort by either the latest or the earliest.
The next command, ‘get queue items adapter’, is an adapter command that you can run on an interval. The limit parameter lets you limit how many items come back each time the interval executes. ‘Queue name’ again uses either the default or one you override. The case output lets you specify how you want the results to come back. If we go here, you’ll see that you can choose either ‘single’ or ‘multi case’.
Single-case means that all of the results will come back as a single case. Multi-case means that each of the results will come back as its own case.
‘Custom search’, as before, takes a valid Elasticsearch query. ‘Bind params’ is only for later versions of FSO, so we won’t cover it here, and ‘sort’ is the parameter for specifying whether to sort by the earliest or the latest.
The next command is ‘get queue document’. For this command you specify the item ID of the object you want to retrieve from the queue; the queue name works the same as in the other commands.
The ‘CRON get queue items adapter’ command lets you query on a CRON string interval. If you look at ‘custom CRON string’ and its tip, it gives an example of the CRON string it expects, which looks like a typical UNIX-style crontab entry.
If you don’t want to create your own custom CRON string, you can use one of the pre-built ones; if we go here, you’ll see that several are already pre-built for you. The other parameters are similar to the other commands: the queue name, case output, custom search, bind params, and sort are all the same.
The next command is ‘delete queue items’.
For this command you specify the item ID to delete and the queue name. If you don’t specify an item ID, all the items in that queue will be deleted.
Finally, the last command is ‘update queue item’. For this command you need to specify the item ID you want to update, and the key and value within that JSON document that you want to update. The queue name is the one you specified in the device parameters, or you can override it with your own.
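To make the command semantics above concrete, here is an added in-memory model of the queue plugin’s commands (add, get with limit/sort/case output, get document, delete, update). It is not the plugin’s own code: the class name, method names, item layout and the simplified key/value ‘custom search’ (standing in for a real Elasticsearch query) are all assumptions.

```python
# Added illustrative model of the FSO queue plugin command semantics described
# on this page. Not FireEye code; names and the item layout are assumptions.
# "custom_search" is modelled as a plain key/value match, not Elasticsearch DSL.
import itertools


class QueueModel:
    def __init__(self, default_queue):
        self.default_queue = default_queue      # the device-parameter "queue name"
        self._queues = {}                       # queue name -> {item_id: document}
        self._ids = itertools.count(1)          # increasing IDs: higher == later

    def _queue(self, name):
        # Every command falls back to the device-parameter queue name.
        return self._queues.setdefault(name or self.default_queue, {})

    def add_to_queue(self, data, queue_name=None):
        item_id = next(self._ids)
        self._queue(queue_name)[item_id] = dict(data)   # store the JSON object
        return item_id

    def get_queue_items(self, limit, queue_name=None, custom_search=None,
                        sort="latest", case_output="multi"):
        items = list(self._queue(queue_name).items())
        if custom_search:                       # keep only matching documents
            items = [(i, d) for i, d in items
                     if all(d.get(k) == v for k, v in custom_search.items())]
        items.sort(key=lambda kv: kv[0], reverse=(sort == "latest"))
        items = items[:limit]
        if case_output == "single":
            return [[d for _, d in items]]      # one case holding every result
        return [[d] for _, d in items]          # one case per result

    def get_queue_document(self, item_id, queue_name=None):
        return self._queue(queue_name).get(item_id)

    def delete_queue_items(self, item_id=None, queue_name=None):
        q = self._queue(queue_name)
        if item_id is None:                     # no item ID: the whole queue goes
            removed = len(q)
            q.clear()
            return removed
        return 1 if q.pop(item_id, None) is not None else 0

    def update_queue_item(self, item_id, key, value, queue_name=None):
        doc = self._queue(queue_name)[item_id]
        doc[key] = value                        # update one key in the document
        return doc
```

The `delete_queue_items` branch with no item ID mirrors the behaviour called out above: omitting the ID clears the entire queue, so that argument is worth validating in any playbook that calls the command.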
This concludes the overview for the FSO queue plugin. I hope this overview helped you understand the queue plugin better and how it can be used with your orchestration use cases. Thank you for checking out our plugin overview series and stay tuned for more FireEye Tips and Insights.