In this installment of the Tips and Insights series, Richard Ignacio gives a brief overview of the HTTPS listeners plug-in for the FireEye Security Orchestrator (FSO). The HTTPS listeners plug-in provides FSO with the capability to receive data over the HTTP protocol via a network port that listens on the FSO server itself.
Hi, I’m Richard Ignacio and I’m the Senior Manager of the Orchestration Architecture team at FireEye. Today I’d like to give a brief overview of the HTTPS listeners plug-in for the FireEye Security Orchestrator. The HTTPS listeners plug-in provides FSO with the capability to receive data over the HTTP protocol via a network port that listens on the FSO server itself. This data can optionally be encrypted using SSL and can optionally use access control through the basic authentication method of HTTP. So what I’ve done was I’ve created a device here called HTTPS Text Listener Device. If we look at the details for this, you’ll see the parameters that are available for this plug-in.
The certificate and key fields are optional, but if you don’t provide those, the FSO plug-in will create that for you. There’s a username and password field here; if you want to, you can use those as well, but they’re optional. The enable logging field here is to add additional logging to the logs, mainly for troubleshooting.
Next, in the adapters tab, I pre-created an HTTPS Text Listener adapter. And if you look at the details here, the adapter parameters for Timeout and Interval are both set to 60 seconds. This can be any value you want, but 60 seconds seems to work well. The command we’re going to use for this adapter is going to be the text one. So if we look at that, it’s going to be called the Text API receiver. This one is specifically for receiving plain text. Save Response to File is set to false. The Bind Port we’re going to use is 8891 and the Bind IP we’re going to use is 0.0.0.0 for all IPs.
So once we’ve created these and enabled them, the next step is to create the playbook. I pre-created a really simple playbook for this called Listen for Text. And if we look, there’s only a start event, and in this start event we’ve already chosen the adapter trigger and it’s set for the HTTPS Text Listener adapter that we created. Once you’ve created that and enabled this playbook, we’re ready to test it out.
I’m going to go to the All Activity tab to monitor for any incoming events. So as you see, right now there’s nothing new, but let’s go ahead and kick that off using a curl command. The curl command I’m going to use is this here. We’re going to post to HTTPS FSO 4 2 3, which is our FSO server, on port 8891. We’re gonna send a payload of “Hello testing” and we’re gonna set the header for that for the content type to text/plain. If you see ID in this JSON document come back, that means it was successful, and so if we go back to FSO into the All Activities tab you’ll see there’s one new case. And if we load that and look at the details for that, you’ll see that the payload that we sent with the curl command is displayed here with text hello testing.
That’s a brief overview of the HTTPS Listeners plug-in for the FireEye Security Orchestrator. I hope it gave you some ideas for how this plug-in can be used with your more FireEye tips and insights.