In this installment of the Tips and Insights series, Richard Ignacio explains how to trigger a FireEye Security Orchestration (FSO) course of action or playbook through an HTML form.
Hi, I'm Richard Ignacio and I'm the Senior Manager of the Orchestration Architecture team at FireEye. Today I'd like to show you how to trigger an FSO course of action or playbook through an HTML form. This feature isn't available for the FireEye Security Orchestrator out of the box, so we are going to be using the HTTPS Listeners plug-in.

So for the device, this is the way it's configured. I pre-created one called HTTPS Form Listener Device. For the parameters I've specified a certificate and a key. These are optional, so if you don't fill these out the plug-in will automatically create one for you. The username and password fields I've left at default. Enable Logging is set to false, and the TLS Version is set to Auto.

Next let's take a look at the adapters. I pre-created an adapter called HTTPS Form Listener, and the adapter configuration has Time Out and Interval set to 60 seconds each. The command we're going to use is the Form API Receiver. We're not going to save a response to a file, and we're going to use the default Bind Port of 8893 with a Bind IP of 0.0.0.0. There's an optional Custom Page field that you can use, which will display the response HTML when a user clicks on a submit button. If we look at what I've put here, I've put in some simple HTML that just says "Response Submitted". We should see this after the user clicks on the submit button.

So now that we've created the device and the adapter, let's take a look at the playbook. The playbook called "Listen for Form" that I pre-created contains the start adapter. The start adapter is already pointing to the HTTPS Form Listener adapter.

I've created a North branch and a South branch that have conditionals for when that start event comes in. The North branch says "Manager approved" for updating the case, and the South branch updates the case with the text "Manager did not approve". The North branch contains a condition that looks for the text "PROCEED" within the JSON that comes in through the start event. The South branch has a condition that looks for the text "STOP" in the JSON that comes in from the start event. I've enabled this playbook, and now we're ready to kick it off.

The email that's going to kick this off is going to look like this. The HTML within this email has a form in it with this action. It's going to be pointing to the FSO server on port 8893, and we're going to use the HTTP POST method for the submission. There are two submit buttons defined in here with the same name, one with the value of PROCEED and the other with the value of STOP. That should create two buttons in the HTML form that the user can click on. The email looks like this. As you can see, the PROCEED and STOP buttons are there.

If we click on the PROCEED button, we get the response that we defined earlier. In FSO you'll see that the case has been updated to "Manager approved", and if we look at the details, in the execution flow you'll see that the execution flowed North to the North case, and that the answer we got in the JSON says PROCEED. So next we'll click on the STOP button. Again we get the response that we provided earlier, and in FSO we have a new case. This time the case has been updated to "Manager did not approve". If we look at the details, you'll see this time the execution flow went South. And if we look at the start event that came in, you'll see in the JSON the answer is STOP.

This concludes our look at how to trigger a playbook through an HTML form. Thanks for watching and stay tuned for more FireEye tips and insights.
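As an added example (not FireEye's own code and not the HTTPS Listeners plug-in's implementation), here is the form that the approval email carries, together with a small Python model of what the Form API Receiver hands the playbook and how the two branch conditions decide. The host name fso.example.internal, the hidden case field and the button name "answer" are assumptions; the port 8893, the PROCEED and STOP values, the "Response Submitted" page and the two case-update texts are the ones from the video. branch_by_substring mirrors the conditions as described, looking for the text anywhere in the JSON; branch_by_field shows the check a practitioner would want instead, comparing the submitted button's value exactly, because otherwise any field whose value merely contains the word matches.

```python
"""Added example (not FireEye's code): the approval form that the email
carries, and a small model of the Form API Receiver feeding the playbook's
North/South conditions.  Assumed names: the FSO host 'fso.example.internal',
the hidden 'case' field and the submit-button field name 'answer'."""
import json
from html import escape
from typing import Optional
from urllib.parse import parse_qs

FSO_HOST = "fso.example.internal"  # assumption: stands in for the FSO server
FSO_PORT = 8893                    # the Bind Port used in the video
FIELD = "answer"                   # assumption: the name shared by both submit buttons
PROCEED, STOP = "PROCEED", "STOP"

# the Custom Page returned to the browser after a click, as in the video
CUSTOM_PAGE = "<html><body>Response Submitted</body></html>"


def build_form_html(case_id: str) -> str:
    """HTML fragment for the approval email: one form posting to the listener,
    two submit buttons with the same name.  A mail client or browser sends only
    the value of the button that was clicked, so the receiver sees one value."""
    action = f"https://{FSO_HOST}:{FSO_PORT}/"
    return (
        f'<form action="{action}" method="post">\n'
        f'  <input type="hidden" name="case" value="{escape(case_id, quote=True)}">\n'
        f'  <input type="submit" name="{FIELD}" value="{PROCEED}">\n'
        f'  <input type="submit" name="{FIELD}" value="{STOP}">\n'
        "</form>"
    )


def receive_form(body: str) -> str:
    """Model of the receiver: turn a urlencoded POST body into the JSON start
    event the playbook conditions inspect.  A field repeated in the body is
    kept as a list so that nothing is silently dropped."""
    fields = parse_qs(body, keep_blank_values=True)
    event = {k: (v[0] if len(v) == 1 else v) for k, v in fields.items()}
    return json.dumps(event)


def branch_by_substring(event_json: str) -> Optional[str]:
    """The conditions as described in the video: look for the text anywhere
    in the JSON.  Any field whose value merely contains the word will match."""
    if PROCEED in event_json:
        return "Manager approved"
    if STOP in event_json:
        return "Manager did not approve"
    return None


def branch_by_field(event_json: str) -> Optional[str]:
    """Stricter condition: compare the submitted button's value exactly.
    Returns None for anything else, including a body carrying both values."""
    value = json.loads(event_json).get(FIELD)
    if value == PROCEED:
        return "Manager approved"
    if value == STOP:
        return "Manager did not approve"
    return None


if __name__ == "__main__":
    print(build_form_html("INC-42"))
    # constructed POST bodies: what the two buttons send, then one no button produces
    for body in ("answer=PROCEED&case=INC-42", "answer=STOP&case=INC-42",
                 "answer=STOP&note=do+not+PROCEED"):
        event = receive_form(body)
        print(event, "|", branch_by_substring(event), "|", branch_by_field(event))
```

A normal submission carries exactly one "answer" value because the mail client sends only the clicked button; the third constructed body and the list case in branch_by_field cover POSTs that did not come from the form, which is what a listener bound to 0.0.0.0 will also receive.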