FAQ:  FireEye Security Orchestrator

Version 2



    What is the FireEye Security Orchestrator?

    FireEye Security Orchestrator accelerates and simplifies the threat response process by unifying disparate technologies and incident handling processes into a single console that delivers real-time guided responses to improve response times, reduce risk exposure, and maintain process consistency across a security program.  By unifying threat-response tools, tactics and procedures into an operational platform, organizations dramatically improve response times and greatly reduce risk exposure.


    Acting on data ingested from security and IT tools, including FireEye, the product handles many of the post-alert tasks that security analysts currently execute manually. It codifies their knowledge for both fully or partially automating their tasks, and orchestrating their workflows from start to finish.  Core to the platform is the ability to build Courses of Action (playbooks) that contain all of the automated steps that should be taken when an event is triggered.


    FireEye is uniquely able to accentuate such a capability via uniquely designed playbooks: FireEye's years of expertise battling the world's most consequential breaches has helped to hone effective processes to detect, investigate and respond to threats. FSO enables you to overlay those best practices in pre-built or customized playbooks on to data from your FireEye deployment, SIEM and other enteprise technologies.


    What are the key features in the FireEye Security Orchestrator?


    The FireEye Security Orchestrator is an integration between the Invotas Security Orchestrator and the FireEye Integration Hub.  It is highlighted by the following features:

    • Courses of Action (CoA), which are incident response playbooks. CoAs codify security operations into human-led workflows and automated tasks. With SOC processes documented, automated, and enhanced with FireEye’s expertise fighting the world’s most advanced attacks, response times will plummet while maintaining process consistency across a security program.
    • Role-based Access.  Create role based groups and assign granular permissions to individual CoAs or specific steps within the playbook. This way each team has execution access and privileges to read the results of only the workflows that they need.
    • Pre-Defined Plug-Ins.  Integrate, unify and control an entire security architecture from a single pane of glass via the ISO plug-in framework. Plug-ins are the connective tissue that joins devices, applications, services and data into the powerful ISO engine. They are constructed to support some of the most popular industry standards for security and infrastructure.
    • Centralized Dashboards and Advanced Hunting.  An investigative dashboard to search across security tools and facilitate hunting of attack actors that have targeted your organization. Manage cases and quickly pivot from CoAs to additional context across the existing security infrastructure.
    • Reports.  You can create one-time or recurring reports that detail, correlate, and visualize related alerts. Security teams can quickly determine the sources, methodology, and targets of an attack, and prevent future reoccurrence. 
    • Professional Services.  Customized deployment services are available to design and deploy the FireEye Unified Security Orchestrator into your security program and architecture.


    What are example CoAs (Playbooks)?


    • Automated investigation of all hyperlinks contained within inbound email message bodies while also extracting full message header and body content from full packet capture platforms.  A playbook can be customized to only process messages containing a combination of pre-determined suspicious parameters.
    • Automated endpoint investigations that to determine if running processes are known to be malicious.  The playbook can include pathways to extract a file from an endpoint that is then detonated in a malware analysis tool.
    • Shrink alert investigation time for new alerts by automating investigation of internal hosts and summarizing results in human digestible format via custom e-mail message templates.


    How does FireEye Security Orchestrator enhance our capabilities?  How does this change our value proposition?


    For our customers, this means that they can achieve “1+1=3” value, where the combined value of FireEye products and their ability to function as a single, unified tool is better than their utility as single standalone products. Further, this enables open integrations with an existing IT infrastructure.

    In particular, the following benefits will now be enjoyed by our customers:

    • Accelerate and simplify alert investigations With customizable, incident response playbooks, the orchestrator enables customers to take the security technologies across their entire infrastructure and stitch them into a connected tissue, working together rather than operating as disparate data sources that must be manually accessed and outcomes that require human interaction to progress across an often inconsistent workflow.  We can take the experience responding to the world’s most sophisticated attacks and package them into playbooks that any customer can now access.
    • Facilitate proactive hunting of attackers Codify often repeatable functions, creating the bandwidth to focus on deep investigations and hunting of advanced attacks.  It has been able to consistently demonstrate a 98% efficiency gain by automating functions that are typically manual processes.
    • Accelerate ROI and reduce operational costs Replicate Tier 1 analyst functions and accelerate Tier 2-3 processes while reducing the impact of employee churn.  FireEye Security Orchestrator has been able to achieve a 99% error reduction rate through automation of tasks that would typically see errors as a result of human error.


    What are the FireEye Orchestration Deployment Services?


    FireEye’s Orchestration Deployment Service offers the industry’s best expertise in building effective Courses of Actions (CoAs) and deploying the FireEye Security Orchestrator. It ensures that the deployment is successful, easy to maintain, and includes critical knowledge transfer sessions to ensure that a security team is able to support ongoing orchestration operations.


    What is the packaging and pricing?


    The FireEye Security Orchestrator is sold with a base package, which includes 10 plug-ins and access for 5 users.  These are yearly subscriptions; additional add-ons to increase the number of plug-ins and users.

    FireEye Orchestration Deployment Services are sold as a basic and advanced package, which are differentiated below.  Add-Ons provide a pool of hours that can be used for additional CoA or plugin development and documentation for each CoA



    Basic Jumpstart

    Advanced Jumpstart

    Courses of Action



    Plug-In Assistance



    Orchestration Knowledge Transfer

    2 members of staff

    3 to 7 staff


    How is it delivered/what is the form factor?


    The FireEye Security Orchestrator is delivered as a Virtual Image.


    What APIs / integrations are currently supported?




    Device Type

    Functionality Overview

    Active Directory

    Data Enrichment and Enforcement

    The Active Directory plug-in allows for data enrichment tasks related to AD user account objects and computer objects.  Enforcement actions include adding and removing group membership for user objects and adding removing computer objects from specified AD OU’s.

    ArcSight ESM

    Ingest Adapter

    The ArcSight integration allows for ingest of forwarded ArcSight events in common event format (CEF). This plug-in also allows for CEF message transmission from the ISO platform.

    BlueCoat Proxy SG


    The BlueCoat plug-in allows for blocking and unblocking of both source and destination objects (IP addresses and web domains) via the ProxySG local proxy database.  Communication with the remote ProxySG appliance is accomplished via an authenticated Secure Shell (SSH) connection from the ISO platform.

    Cisco ASA


    The Cisco ASA plug-in allows for blocking and unblocking of both IP address objects via a specified network-object group. Communication with the remote ASA appliance is accomplished via an authenticated Secure Shell (SSH) connection from the ISO platform.

    Cisco IOS

    Data Enrichment

    ISO facilitates multiple configuration interrogation commands of Cisco IOS devices to support event data enrichment.  Examples include identifying a particular host MAC given an IP address as input and identifying a physical switch port and description given a host MAC address.

    MS Exchange (IMAP)

    Ingest Adapter

    The Exchange interval adapter is a custom ISO plug-in that was specifically developed to support the “Abuse Mailbox” use case.  Functionality includes connecting to a remote Exchange server via IMAP and polling a specified inbox for new messages on a configurable interval. This plug-in also supports parsing of any message attachments, message header and body contents.

    FireEye CMS

    Automated Malware Analysis

    This plug-in allows ISO to submit files for analysis (and parse the resulting report) by the AX appliance via the RESTful API of the CMS appliance. This means that only one device needs to be configured in ISO, but multiple (if needed) AX appliances can be added as needed to support the scanning needs to the eco-system.

    Norse IP Viking

    Threat Intelligence

    ISO facilitates IP address lookups against the Norse online threat intelligence service support event data enrichment.  Customers leveraging this plug-in will need to provide a valid account to gain access to the service.

    1. IPVoid.com

    Threat Intelligence

    The IPVoid plug-in leverages the IPVoid website to lookup the reputation of a supplied IP address. This plug-in also allows the CoA author to “force” a new analysis of a previously submitted IP.

    iSight Partners

    Threat Intelligence

    ISO uses HTTP based RESTful API to submit requests to iSight Partners ThreatScape platform. Customers leveraging this plug-in will need to provide a valid API key to gain access to the service.


    Ingest Adapter

    The Kafka integration allows for ingest of forwarded Kafka topic messages that have been subscribed to.

    McAfee ePO

    Data Enrichment

    ISO leverages the ePO web based API to retrieve host based details via the McAfee agent from a specified endpoint.

    McAfee GTI

    Data Enrichment

    This plug-in provides data enrichment via the online McAfee Global Threat Intelligence (GTI) service. Examples include retrieval of current reputation of both IP addresses and web domain objects.

    Mobile Iron MDM

    Data Enrichment and Enforcement

    ISO leverages the Mobile Iron MDM RESTful API to provide several data enrichment and enforcement commands. This plug-in was specifically developed to support Mobile Iron versions: 5.9, 6.0, and 7.0.


    Data Enrichment

    ISO supports event data enrichment via NMAP to validate open ports on a given event host and/or provide remote OS fingerprinting capabilities.

    Palo Alto


    ISO uses the PAN-OS XML API version 6.0.  It currently supports adding and removing addresses from address lists (blocking and unblocking IP addresses).  It also supports retrieving an existing address list to see what IP addresses are blocked.

    BMC Remedy

    Incident Management

    ISO uses Remedy to automatically record incidents for the customer within Remedy and track any Remediation’s that were taken against that Incident.  A WSDL is used (provided from Remedy) to insure that only the correct data is sent to Remedy, to help reduce the errors seen on the response from the command.

    Reversing Labs

    Threat Intelligence

    ISO uses Reversing Labs to look-up a given file hash in the cloud-based API for the purposes of event data enrichment.  Customers leveraging this plug-in will need to provide a valid account to gain access to the service.

    SMTP client


    ISO can leverage a remote SMTP server for the purposes of sending outbound e-mail notifications to individual recipients or a list of recipients.  The plug-in also supports the sending of messages with and without file attachments.

    SolarWinds NPM

    Data Enrichment

    Ingest CSV Syslog Messages from a SolarWinds Network Performance Monitor (NPM) platform.


    Data Enrichment

    ISO can execute arbitrary queries to a remote Splunk instance via the API and parse the resulting response for processing and CoA initiation.  ISO can also use Splunk to determine if similar events/issues are occurring throughout the network.


    Data Enrichment

    ISO leverages the Tanium pytan library to execute queries against the Tanium server API.  Current capabilities include the ability to generate an MD5 hash of a supplied filename on remote hosts, get established network connections and get running processes.

    ThreatGRID (Cisco)

    Automated Malware Analysis

    The ThreatGRID plug-in allows for threat intelligence lookups of specified IP address or web domain artifacts as well as submission of new files for online analysis.  Customers leveraging this plug-in will need to provide a valid API key.


    Automated Malware Analysis

    ISO uses HTTP based RESTful API to submit requests to the ThreatStream OPTIC threat intelligence platform.  Customers leveraging this plug-in will need to provide a valid username and API key.


    Data Enrichment

    ISO can connect to the online URLVoid service to retrieve or update an existing URL scan report or submit a new URL for analysis.  Customers leveraging this plug-in will need to provide a valid API key.

    Virus Total

    Data Enrichment

    ISO uses HTTP based RESTful API to submit requests to the Virus Total service.  Customers leveraging this plug-in will need to provide a valid API key to remove the request rate API limitation.

    Whois XML API

    Data Enrichment

    ISO uses HTTP based RESTful API to submit requests to the Whois service.  Customers leveraging this plug-in will need to provide a valid account to gain access to the service.

    Windows Commands

    Data Enrichment and Enforcement

    ISO uses the Core Labs wmiexec.py utility to issue remote commands on Windows clients.  Current capabilities include multiple data enrichment actions as well as the ability to execute remote operations on files, folders and processes.