Start Event Adapters for Playbooks in FireEye Security Orchestrator

In this installment of the Tips and Insights series, Todd Bane explains the use of start event adapters when building playbooks within FireEye Security Orchestrator (FSO).

Hi my name is Todd Bane and I’m a Technical Initiatives Manager here with FireEye’s Deployment and Integrations group. Today I’m going to be talking about the FireEye Security Orchestration platform and start event adapters when building playbooks. All automation and courses of action or COA’s begin with a single starting event. These start events are initiated by an adapter which is tied to an integrated device in the FSO platform. FSO plug-ins are what allows us to setup devices and each device is written for a specific technology or integration point which we will discuss further in another section. But for today’s discussion all you need to know is that a device maps to a plug-in which dictates what type of command sets can be executed by a device task or a start event adapter. Adapters come in two types. Interval adapters and socket adapters. An interval adapter is exactly what it sounds like. A command execution that runs on an interval or a time range. By default adapters trigger every 60 seconds unless specified otherwise. When setting up adapters there are parameters you will want to customize in accordance with the needs of the use case or the automation that you are building. While 60 seconds might work for some courses of action others may need shorter or longer intervals depending on the frequency of the desired start event or due to overlaps in computational tasks which may be occurring outside of the orchestration platform. Understanding your environment and how it interacts with other systems may be important in this scenario. A socket adapter is one where the orchestration platform listens for connections or inputs from a remote system on a specified port number and network address. Setting up a socket adapter requires specifying the transport protocol, TCP or UDP, the timeout for the command and the port number and network interface bind address to listen on. Regardless of what type of adapters you use a device command will need to be specified.

I hope this demonstration was useful in helping to enable you to build tuned for more FireEye tips and insights.

Scroll to Top