When files are submitted to FireEye MAS 7.x through Data Enrichment, no analysis task is created for them.
Instead, the /var/log/messages log shows an entry like this:
Nov 6 06:09:55 bluecoat-10g Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File bluecoat-10g_2014-11-06T08.45.00-0500_18.104.22.168-51098_192.168.2.122-80_172e6256e2f6ca8f587b322dcab6c94f1_22.exe does not exist
This can be caused by insufficient privileges for the user account configured for MAS submission.
Make sure the MAS user is an admin user, not an analyst.
To verify the problem, you can use the attached Python script.
Connect to the Security Analytics appliance via SSH, then:
1. Back up the existing fireeye.py script file:
   cp /usr/lib64/python3.3/site-packages/derp/providers/fireeye.py /usr/lib64/python3.3/site-packages/derp/providers/fireeye.bak
2. Replace the fireeye.py file in /usr/lib64/python3.3/site-packages/derp/providers with the attached version of the file.
3. Restart derpd:
   service derpd restart
4. Request a FireEye analysis.
/var/log/messages will show the permission error if you search for the submitted filename.
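The final check above is a search of /var/log/messages for the submitted filename. The script below is an added example, not the attached fireeye.py and not part of the original article: it parses syslog-style lines of the form quoted above, keeps only Data-Enrichment "Failed to submit artifact" errors, and reports the error code and artifact name so the permission problem can be spotted for a given file. The sample log lines other than the one quoted in the article are constructed; the field layout and regular expressions are assumptions based on that single quoted line.

```python
import re
from typing import Dict, Iterable, List, Optional

# Layout of one /var/log/messages line as quoted in the article (assumed general):
#   "<Mon> <day> <HH:MM:SS> <host> <program>: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$"
)

# Text of the Data-Enrichment failure quoted in the article.
SUBMIT_FAIL_RE = re.compile(
    r"error: (?P<code>ERR_CODE_\w+) : Failed to submit artifact: % File "
    r"(?P<file>\S+) does not exist"
)

# Constructed sample: the first line is the one quoted in the article,
# the other two are made-up filler a real log would also contain.
SAMPLE_LOG = [
    "Nov 6 06:09:55 bluecoat-10g Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : "
    "Failed to submit artifact: % File bluecoat-10g_2014-11-06T08.45.00-0500_"
    "18.104.22.168-51098_192.168.2.122-80_172e6256e2f6ca8f587b322dcab6c94f1_22.exe "
    "does not exist",
    "Nov 6 06:10:01 bluecoat-10g CRON[12345]: (root) CMD (run-parts /etc/cron.hourly)",
    "Nov 6 06:12:30 bluecoat-10g Data-Enrichment: info: submitted artifact sample_ok.exe",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one Data-Enrichment submission failure, or None.

    Lines from other programs, and Data-Enrichment lines that are not the
    'Failed to submit artifact' error, are ignored.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("prog") != "Data-Enrichment":
        return None
    f = SUBMIT_FAIL_RE.search(m.group("msg"))
    if not f:
        return None
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "code": f.group("code"),
        "file": f.group("file"),
    }


def find_failed_submissions(
    lines: Iterable[str], filename: Optional[str] = None
) -> List[Dict[str, str]]:
    """Collect submission failures, optionally only those for one artifact name.

    `filename` may be the full artifact name or a suffix of it (for example
    the trailing "<hash>_22.exe" part), matching how an operator would search
    the log for a file they just submitted.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if filename is not None and not rec["file"].endswith(filename):
            continue
        hits.append(rec)
    return hits


def failures_from_file(path: str, filename: Optional[str] = None) -> List[Dict[str, str]]:
    """Convenience wrapper for running against a real /var/log/messages."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_failed_submissions(fh, filename)


if __name__ == "__main__":
    # Stand-alone run over the constructed sample.
    for rec in find_failed_submissions(SAMPLE_LOG):
        print(f"{rec['timestamp']} {rec['host']} {rec['code']} {rec['file']}")
```

On the appliance this would be run as `failures_from_file("/var/log/messages", "<artifact name>")` after the analysis request in step 4; a non-empty result for the file you just submitted, with code ERR_CODE_RUNTIME_EXCEPTION, is the symptom the article describes.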