Fidelis Elevate Network

Automate Detection and Response to Network Threats and data leakage in your organization with Fidelis Elevate Network Integration. This integration was integrated and tested with version 9.2.4 of Fidelis Elevate Network

Configure Fidelis Elevate Network on Demisto#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Fidelis Elevate Network.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
server_urlServer URLTrue
credentialsCredentialsTrue
unsecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
isFetchFetch incidentsFalse
incidentTypeIncident typeFalse
fetch_timeFirst fetch timestamp (\<number> \<time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)False
  1. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

fidelis-get-alert#


Gets alert details from Fidelis Elevate.

Base Command#

fidelis-get-alert

Input#
Argument NameDescriptionRequired
alert_idAlert IDRequired
Context Output#
PathTypeDescription
Fidelis.Alert.IDstringAlert ID.
Fidelis.Alert.ThreatScorenumberAlert threat score.
Fidelis.Alert.TimedateAlert time.
Fidelis.Alert.RuleIDstringRelated rule ID.
Fidelis.Alert.RuleNamestringRelated rule name.
Fidelis.Alert.SummarystringAlert summary.
Fidelis.Alert.PolicyNamestringRelated policy name.
Fidelis.Alert.SeveritystringAlert severity.
Fidelis.Alert.ProtocolstringProtocol involved in the alert.
Fidelis.Alert.TypestringAlert type.
Fidelis.Alert.AssignedUserstringAssigned user ID.
Command Example#

!fidelis-get-alert alert_id=1

Context Example#
{
"Fidelis": {
"Alert": {
"AlertUUID": "80d0ccf5-5879-11ea-b430-0eb174ee0947",
"AssignedUser": 0,
"ID": 1,
"PolicyName": "Endpoint Alerts",
"Protocol": "",
"RuleID": 227,
"RuleName": null,
"Severity": "Medium",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: ",
"ThreatScore": 100,
"Time": "2020-02-26 09:21:02",
"Type": "ENDPOINT"
}
}
}
Human Readable Output#

Alert 1#

Alert UUIDAssigned UserIDPolicy NameRule IDSeveritySummaryThreat ScoreTimeType
80d0ccf5-5879-11ea-b430-0eb174ee094701Endpoint Alerts227MediumEndpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact:1002020-02-26 09:21:02ENDPOINT

fidelis-delete-alert#


Deletes an alert from Fidelis Elevate.

Base Command#

fidelis-delete-alert

Input#
Argument NameDescriptionRequired
alert_idID of the alert to delete.Required
Context Output#

There is no context output for this command.

Command Example#

!fidelis-delete-alert alert_id=3

Human Readable Output#

Alert (3) deleted successfully!

fidelis-get-malware-data#


Retrieves malware data related to a "Malware" type alert.

Base Command#

fidelis-get-malware-data

Input#
Argument NameDescriptionRequired
alert_idAlert ID.Required
Context Output#
PathTypeDescription
Fidelis.Alert.IDstringAlert ID.
Fidelis.Alert.Malware.NamestringMalware name.
Fidelis.Alert.Malware.TypestringMalware type.
Fidelis.Alert.Malware.BehaviorstringMalware behavior.
Fidelis.Alert.Malware.PlatformstringMalware platform.
Fidelis.Alert.Malware.DetailNamestringMalware detail name from Fidelis Elevate.
Fidelis.Alert.Malware.VariantstringMalware variant.
Fidelis.Alert.Malware.DescriptionstringMalware description from Fidelis Elevate.
Command Example#

!fidelis-get-malware-data alert_id=6

Context Example#
{
"Fidelis": {
"Alert": {
"ID": "6",
"Malware": {
"Behavior": null,
"Description": null,
"DetailName": null,
"Name": "",
"Platform": null,
"Type": "",
"Variant": null
}
}
}
}
Human Readable Output#

Alert 6 Malware:#

Malware BehaviorMalware DescriptionMalware Detail NameMalware NameMalware PlatformMalware TypeMalware Variant

fidelis-get-alert-report#


Downloads a PDF report for a specified alert.

Base Command#

fidelis-get-alert-report

Input#
Argument NameDescriptionRequired
alert_idAlert ID of the alert for which to download a PDF report.Required
Context Output#

There is no context output for this command.

Command Example#

!fidelis-get-alert-report alert_id=5

Context Example#
{
"InfoFile": {
"EntryID": "7382@99f96547-c492-48d1-84bc-070759449a5d",
"Extension": "pdf",
"Info": "application/pdf",
"Name": "Alert_Details_5.pdf",
"Size": 69507,
"Type": "PDF document, version 1.4"
}
}

fidelis-list-alerts#


Returns a list of open alerts from Fidelis Elevate.

Base Command#

fidelis-list-alerts

Input#
Argument NameDescriptionRequired
time_frameFilter alerts by time frame, for example, Last 48 Hours.Optional
start_timeIf the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734.Optional
end_timeIf the time_frame value is Custom, specify the end time for the time range, for example, 2017-06-01T12:48:16.734.Optional
severityFilter alerts by alert severity.Optional
typeFilter alerts by alert type.Optional
threat_scoreFilter alerts by alert threat score threshold (higher than).Optional
iocFilter alerts that are related to a specified IOC.Optional
Context Output#
PathTypeDescription
Fidelis.Alert.IDstringAlert ID.
Fidelis.Alert.TimedateAlert time.
Fidelis.Alert.SummarystringAlert summary.
Fidelis.Alert.SeveritystringAlert severity.
Fidelis.Alert.TypestringAlert type.
Command Example#

!fidelis-list-alerts

Context Example#
{
"Fidelis": {
"Alert": [
{
"ID": "6",
"Severity": "High",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown",
"Time": "2020-03-19 23:59:59",
"Type": "Endpoint"
},
{
"ID": "5",
"Severity": "Medium",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: ",
"Time": "2020-03-12 09:21:27",
"Type": "Endpoint"
}
]
}
}
Human Readable Output#

Found 6 Alerts:#

IDSeveritySummaryTimeType
6HighEndpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown2020-03-19 23:59:59Endpoint
5MediumEndpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact:2020-03-12 09:21:27Endpoint
4LowEndpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact:2020-03-07 09:21:24Endpoint
2HighEndpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact:2020-02-27 09:21:03Endpoint
3HighEndpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact:2020-02-27 09:21:03Endpoint
1MediumEndpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact:2020-02-26 09:21:02Endpoint

fidelis-upload-pcap#


Uploads a PCAP file to Fidelis Elevate for analysis.

Base Command#

fidelis-upload-pcap

Input#
Argument NameDescriptionRequired
component_ipComponent IP address.Required
entry_idWar Room entry ID of the PCAP file, for example, "3245@6".Required
Context Output#

There is no context output for this command.

Command Example#

!fidelis-upload-pcap component_ip=1.1.1.1 entry_id=7317@99

Human Readable Output#

Pcap file uploaded successfully.

fidelis-list-pcap-components#


Gets PCAP components.

Base Command#

fidelis-list-pcap-components

Input#

There are no input arguments for this command.

Context Output#
PathTypeDescription
Fidelis.Component.NamestringComponent name.
Fidelis.Component.IPstringComponent IP address.
Command Example#

!fidelis-list-pcap-components

Context Example#
{
"Fidelis": {
"Component": {
"IP": "1.1.1.1",
"Name": "Sensor"
}
}
}
Human Readable Output#

PCAP Components#

NameIP
Sensor1.1.1.1

fidelis-run-pcap#


Runs PCAP file analysis in Fidelis Elevate.

Base Command#

fidelis-run-pcap

Input#
Argument NameDescriptionRequired
component_ipComponent IP address. Run the 'fidelis-list-pcap-components' command to get this value.Required
filesCSV list of PCAP file names in Fidelis Elevate.Required
Context Output#

There is no context output for this command.

Command Example#

!fidelis-run-pcap component_ip=1.1.1.1 files=file.pcap

Human Readable Output#

Pcap file run submitted.

fidelis-get-alert-by-uuid#


Returns an alert, by UUID.

Base Command#

fidelis-get-alert-by-uuid

Input#
Argument NameDescriptionRequired
alert_uuidThe UUID of the alert.Required
Context Output#
PathTypeDescription
Fidelis.Alert.IDNumberAlert ID.
Fidelis.Alert.SeverityStringAlert severity.
Fidelis.Alert.SummaryStringAlert summary.
Fidelis.Alert.TimeDateAlert time.
Fidelis.Alert.TypeStringAlert type.
Fidelis.Alert.UUIDStringAlert UUID.
Command Example#

!fidelis-get-alert-by-uuid alert_uuid=80d0ccf5-5879-11ea-b430-0eb174ee0947

Context Example#
{
"Fidelis": {
"Alert": {
"ID": "1",
"Severity": "Medium",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: ",
"Time": "2020-02-26 09:21:02",
"Type": "Endpoint"
}
}
}
Human Readable Output#

Found 1 Alerts:#

IDSeveritySummaryTimeType
1MediumEndpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact:2020-02-26 09:21:02Endpoint

fidelis-list-metadata#


Returns a metadata list.

Base Command#

fidelis-list-metadata

Input#
Argument NameDescriptionRequired
time_frameFilter alerts by time frame, for example, Last 48 Hours.Optional
start_timeIf the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734.Optional
end_timeIf the time_frame value is Custom, specify the end time for the time range, for example,2017-06-01T12:48:16.734.Optional
client_ipFilter alerts by client IP.Optional
server_ipFilter alerts by server IP address.Optional
request_directionDirection of the request. Can be "s2c" (server to client) or "c2s" (client to server).Optional
Context Output#
PathTypeDescription
Fidelis.Metadata.MalwareNameStringMalware name.
Fidelis.Metadata.ServerPortNumberServer port number.
Fidelis.Metadata.SHA256StringSHA256 hash of the file.
Fidelis.Metadata.FileNameStringFile name.
Fidelis.Metadata.PcapFilenameStringPCAP file name.
Fidelis.Metadata.SessionDurationStringThe event session duration.
Fidelis.Metadata.ServerIPStringThe server IP address.
Fidelis.Metadata.ClientCountryStringThe client country.
Fidelis.Metadata.ClientPortNumberThe client port number.
Fidelis.Metadata.SessionStartDateThe date/time that the session started.
Fidelis.Metadata.MalwareTypeStringThe malware type.
Fidelis.Metadata.URLStringRequest URL.
Fidelis.Metadata.RequestDirectionStringRequest direction (s2c or c2s).
Fidelis.Metadata.MalwareSeverityStringThe severity of the malware.
Fidelis.Metadata.ClientIPStringThe client IP address.
Fidelis.Metadata.ServerCountryStringThe country of the server.
Fidelis.Metadata.PcapTimestampDatePCAP timestamp.
Fidelis.Metadata.SensorUUIDStringSensor UUID.
Fidelis.Metadata.TimestampDateTimestamp of the event.
Fidelis.Metadata.FileTypeStringFile type.
Fidelis.Metadata.ProtocolStringEvent protocol.
Fidelis.Metadata.UserAgentStringUser agent of the request.
Fidelis.Metadata.TypeStringType of the event.
Fidelis.Metadata.FileSizeNumberThe size of the file.
Fidelis.Metadata.MD5StringMD5 hash of the file.
Command Example#

!fidelis-list-metadata

Context Example#
{
"Fidelis": {
"Metadata": null
}
}
Human Readable Output#

Found 0 Metadata:#

No entries.

fidelis-list-alerts-by-ip#


Returns a list of alerts, by source IP address or destination IP address.

Base Command#

fidelis-list-alerts-by-ip

Input#
Argument NameDescriptionRequired
time_frameToday,Yesterday,Last 7 Days,Last Hour,Last 24 Hours,Last 48 Hours,Last 30 Days,CustomOptional
start_timeIf the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734.Optional
end_timeIf the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734.Optional
src_ipFilter alerts by the source IP.Optional
dest_ipFilter alerts by the destination IP address.Optional
Context Output#
PathTypeDescription
Fidelis.Alert.SourceIPStringThe alert source IP address.
Fidelis.Alert.UserRatingStringUser rating.
Fidelis.Alert.DestinationCountryStringDestination country of the alert.
Fidelis.Alert.AssetIDNumberThe ID of the asset.
Fidelis.Alert.TimeDateDate/time that the alert started.
Fidelis.Alert.HostIPStringThe host IP address of the alert.
Fidelis.Alert.DistributedAlertIDStringAlert distributed ID.
Fidelis.Alert.DestinationIPStringAlert destination IP address.
Fidelis.Alert.AlertUUIDStringThe alert UUID.
Fidelis.Alert.TypeStringThe alert type.
Fidelis.Alert.IDNumberAlert ID.
Fidelis.Alert.SourceCountryStringAlert source country
Command Example#

!fidelis-list-alerts-by-ip

Context Example#
{
"Fidelis": {
"Alert": [
{
"AlertUUID": "151fa61c-6b08-11ea-85b0-0eb174ee0947",
"AssetID": "2",
"DestinationCountry": "",
"DestinationIP": "::",
"DistributedAlertID": "Console-6",
"HostIP": "2.2.2.2",
"ID": "6",
"SourceCountry": "",
"SourceIP": "::",
"Time": "2020-03-19 23:59:59",
"Type": "Endpoint",
"UserRating": "No Rating"
},
{
"AlertUUID": "1dee426f-6443-11ea-83d9-0eb174ee0947",
"AssetID": "2",
"DestinationCountry": "",
"DestinationIP": "::",
"DistributedAlertID": "Console-5",
"HostIP": "2.2.2.2",
"ID": "5",
"SourceCountry": "",
"SourceIP": "::",
"Time": "2020-03-12 09:21:27",
"Type": "Endpoint",
"UserRating": "No Rating"
}
]
}
}
Human Readable Output#

Found 6 Alerts:#

TimeAlertUUIDIDDistributedAlertIDUserRatingHostIPAssetIDTypeDestinationCountrySourceCountryDestinationIPSourceIP
2020-03-19 23:59:59151fa61c-6b08-11ea-85b0-0eb174ee09476Console-6No Rating2.2.2.22Endpoint::::
2020-03-12 09:21:271dee426f-6443-11ea-83d9-0eb174ee09475Console-5No Rating2.2.2.22Endpoint::::
2020-03-07 09:21:24244267da-6055-11ea-b430-0eb174ee09474Console-4No Rating2.2.2.22Endpoint::::
2020-02-27 09:21:03a2d7fa21-5942-11ea-b430-0eb174ee09472Console-2No Rating2.2.2.22Endpoint::::
2020-02-27 09:21:03a2d8eec9-5942-11ea-b430-0eb174ee09473Console-3False Positive2.2.2.22Endpoint::::
2020-02-26 09:21:0280d0ccf5-5879-11ea-b430-0eb174ee09471Console-1Actionable2.2.2.22Endpoint::::

fidelis-download-malware-file#


Downloads a malware file from a specified alert.

Base Command#

fidelis-download-malware-file

Input#
Argument NameDescriptionRequired
alert_idID of the alert from which to download the file.Required
Context Output#
PathTypeDescription
File.SizeNumberThe size of the file.
File.ExtensionStringThe file extension.
File.InfoStringInformation about the file.
File.NameStringThe name of the file.
File.SHA1StringSHA1 hash of the file.
File.TypeStringThe file type.
File.SHA256StringSHA256 hash of the file.
File.SSDeepStringSSDeep hash of the file.
File.EntryIDStringFile entry ID.
File.MD5StringMD5 hash of the file.
Command Example#

!fidelis-download-malware-file alert_id=9

Context Example#
{
"File": {
"EntryID": "7640@99f96547-c492-48d1-84bc-070759449a5d",
"Extension": "zip",
"Info": "application/zip",
"MD5": "d41d8cd98f00b204e9800998ecf8427e",
"Name": ":HTTP(file.pcap).zip",
"SHA1": "52483514f07eb14570142f6927b77deb7b4da99f",
"SHA256": "42a5e275559a1651b3df8e15d3f5912499f0f2d3d1523959c56fc5aea6371e59",
"SHA512": "3fbdc4195b66297eaa4168ad6ded010c47eaea57496b6cc1ccfa34c9579d21562451d1269c7412e31e926cbb7c50ffc160a6493f4a8df0235ecd3ea2c9bfddb5",
"SSDeep": "3::",
"Size": 0,
"Type": "empty"
}
}
Human Readable Output#

No File Found

fidelis-download-pcap-file#


Downloads the PCAP file from a specified alert.

Base Command#

fidelis-download-pcap-file

Input#
Argument NameDescriptionRequired
alert_idThe ID of the alert from which to download the file.Required
Context Output#
PathTypeDescription
File.EntryIDStringThe entry ID of the file.
File.InfoStringFile information.
File.NameStringName of the file.
File.SizeNumberFile size
File.TypeStringFile type.
File.SHA1StringSHA1 hash of the file.
File.SHA256StringSHA256 hash of the file.
File.SSDeepStringSSDeep hash of the file.
File.MD5StringMD5 hash of the file.
Command Example#

!fidelis-download-pcap-file alert_id=5

Context Example#
{
"File": {
"EntryID": "7378@99f96547-c492-48d1-84bc-070759449a5d",
"Extension": "pcap",
"Info": "application/vnd.tcpdump.pcap",
"MD5": "e8a496ed6be700ed61b8b758df3248ef",
"Name": "Alert ID_5.pcap",
"SHA1": "86a3069583b027eac8cc519c09cff1f7e18ab9c5",
"SHA256": "c7911278b27d93e1a5c6998eaca0c75348284caaba9d58ba9951be7d325279a6",
"SHA512": "3fbdc4195b66297eaa4168ad6ded010c47eaea57496b6cc1ccfa34c9579d21562451d1269c7412e31e926cbb7c50ffc160a6493f4a8df0235ecd3ea2c9bfddb5",
"SSDeep": "48:uuHYx6sS1bioEX7gyLatSqAc8kHRgd5peJB80t9qeM:uuHYx6sS1bUJBqus8v9",
"Size": 2036,
"Type": "HTML document text, ASCII text, with very long lines, with no line terminators"
}
}
Human Readable Output#

fidelis-get-alert-session-data#


Return the session information related to an alert.

Base Command#

fidelis-get-alert-session-data

Input#
Argument NameDescriptionRequired
alert_idAlert IDRequired
Context Output#
PathTypeDescription
Fidelis.Alert.IDNumberAlert ID.
Fidelis.Alert.SessionData.RecordingStateStringThe alert's recording state.
Fidelis.Alert.SessionData.ClientPacketsStringThe client packets.
Fidelis.Alert.SessionData.ServerSizeStringThe server size.
Fidelis.Alert.SessionData.ServerPortNumberThe server port.
Fidelis.Alert.SessionData.ServerDataCompleteBooleanIs the server data complete.
Fidelis.Alert.SessionData.ServerPacketsStringThe server packets.
Fidelis.Alert.SessionData.EndTimeStringThe end time.
Fidelis.Alert.SessionData.ServerIpStringThe server IP.
Fidelis.Alert.SessionData.ClientSizeStringThe client size.
Fidelis.Alert.SessionData.ClientPortNumberThe client port.
Fidelis.Alert.SessionData.ServerDataStringThe server data.
Fidelis.Alert.SessionData.BinaryServerDataUnknownThe binary server data.
Fidelis.Alert.SessionData.ClientDataCompleteBooleanIs the client data complete.
Fidelis.Alert.SessionData.ServerDataSizeNumberThe server data size.
Fidelis.Alert.SessionData.RecordedObjectBooleanThe recorded object.
Fidelis.Alert.SessionData.StartTimeStringThe start time.
Fidelis.Alert.SessionData.ClientDomainNameStringThe client domain name.
Fidelis.Alert.SessionData.TcpStateStringThe TCP state.
Fidelis.Alert.SessionData.ShowingDataSizeNumberShowing the data size.
Fidelis.Alert.SessionData.ClientIpStringThe client IP.
Fidelis.Alert.SessionData.DurationNumberThe session data duration.
Fidelis.Alert.SessionData.ClientDataStringThe client data.
Fidelis.Alert.SessionData.BinaryClientDataUnknownThe binary client data.
Fidelis.Alert.SessionData.ClientDataSizeNumberThe client data size.
Fidelis.Alert.SessionData.NoForensicsBooleanAre there no forensics.
Fidelis.Alert.SessionData.ExistBooleanDoes the sesison data exist.
Fidelis.Alert.SessionData.TimeZoneStringThe time zone.
Fidelis.Alert.SessionData.HighlightsUnknownHighlights in the session data.
Fidelis.Alert.SessionData.ServerDomainNameStringThe server domain name.
Command Example#

!fidelis-get-alert-session-data alert_id=9

Context Example#
{
"Fidelis": {
"Alert": {
"ID": "9",
"SessionData": {
"BinaryClientData": {file binary data},
"BinaryServerData": null,
"ClientData": {file client data},
"ClientDataComplete": true,
"ClientDataSize": 2990,
"ClientDomainName": null,
"ClientDomaniName": "",
"ClientIp": "0.0.0.0",
"ClientPackets": null,
"ClientPort": 0,
"ClientSize": null,
"Duration": 0,
"EndTime": "2020-03-30 09:07:33",
"Exist": true,
"Highlights": [],
"NoForensics": false,
"RecordedObject": true,
"RecordingState": null,
"ServerData": null,
"ServerDataComplete": true,
"ServerDataSize": null,
"ServerDomainName": null,
"ServerDomaniName": "",
"ServerIp": "0.0.0.0",
"ServerPackets": null,
"ServerPort": 0,
"ServerSize": null,
"ShowingDataSize": 4,
"StartTime": "2020-03-30 09:07:33",
"TcpState": null,
"TimeZone": "UTC"
}
}
}
}
Human Readable Output#

Alert 9#

Binary Client DataClient DataClient Data CompleteClient Data SizeClient IpClient PortDurationEnd TimeExistNo ForensicsRecorded ObjectServer Data CompleteServer IpServer PortShowing Data SizeStart TimeTime Zone
{file binary data}{file client data}true29900.0.0.0002020-03-30 09:07:33truefalsetruetrue0.0.0.0042020-03-30 09:07:33UTC

fidelis-get-alert-execution-forensics#


Get the exectution forensics for an alert.

Base Command#

fidelis-get-alert-execution-forensics

Input#
Argument NameDescriptionRequired
alert_idAlert IDRequired
Context Output#
PathTypeDescription
Fidelis.Alert.IDNumberThe alert ID.
Fidelis.Alert.ExecutionForensics.EFEnabledBooleanIs the alert execution forensics enabled.
Fidelis.Alert.ExecutionForensics.SizeNumberThe execution forensics size.
Fidelis.Alert.ExecutionForensics.SubmitTimeNumberThe submission time.
Fidelis.Alert.ExecutionForensics.SandBoxOnBooleanIs the sandbox on.
Fidelis.Alert.ExecutionForensics.TgReportBooleanThe TG report.
Fidelis.Alert.ExecutionForensics.FileNameStringThe file name.
Fidelis.Alert.ExecutionForensics.DnsFeedBooleanIs there a DNS feed.
Fidelis.Alert.ExecutionForensics.RecordingCompleteBooleanIs the recording complete.
Fidelis.Alert.ExecutionForensics.PcapUrlStringThe PCAP URL.
Fidelis.Alert.ExecutionForensics.AlertFlagsXeNonsubmitBooleanThe alert flag xe-nonsubmit.
Fidelis.Alert.ExecutionForensics.Bit9ServerStringThe bit 9 server.
Fidelis.Alert.ExecutionForensics.DecodingPathStringThe execution forensics decoding path.
Fidelis.Alert.ExecutionForensics.FileCheckAlertBooleanThe file check alert.
Fidelis.Alert.ExecutionForensics.StatusStringThe execution forensics status.
Fidelis.Alert.ExecutionForensics.SubmitableBooleanIs the execution forensics submitable.
Fidelis.Alert.ExecutionForensics.ScoreNumberThe execution forensics score.
Fidelis.Alert.ExecutionForensics.SubmitIdStringThe execution forensics submit ID.
Fidelis.Alert.ExecutionForensics.VideoUrlStringThe video URL.
Fidelis.Alert.ExecutionForensics.StatusMessageStringThe execution forensics status message.
Fidelis.Alert.ExecutionForensics.FileTypeStringThe file type.
Fidelis.Alert.ExecutionForensics.AlertIdNumberThe alert ID.
Fidelis.Alert.ExecutionForensics.TypeStringThe type.
Fidelis.Alert.ExecutionForensics.ReportUrlStringThe report URL.
Fidelis.Alert.ExecutionForensics.JsSubmitableBooleanIs the execution forensics JS submitable.
Fidelis.Alert.ExecutionForensics.UuidStringThe UUID.
Fidelis.Alert.ExecutionForensics.JsonReportUnknownThe JSON report.
Fidelis.Alert.ExecutionForensics.FileSizeNumberThe file size.
Fidelis.Alert.ExecutionForensics.Md5StringThe file's MD5 hash.
Fidelis.Alert.ExecutionForensics.ThreatGridOnBooleanIs the threat grid on.
Command Example#

!fidelis-get-alert-execution-forensics alert_id=9

Context Example#
{
"Fidelis": {
"Alert": {
"ExecutionForensics": {
"AlertFlagsXeNonsubmit": false,
"AlertId": 9,
"Bit9Server": null,
"DecodingPath": null,
"DnsFeed": false,
"EFEnabled": true,
"FileCheckAlert": true,
"FileName": null,
"FileSize": 2990,
"FileType": "",
"JsSubmitable": true,
"JsonReport": null,
"Md5": null,
"PcapUrl": "",
"RecordingComplete": true,
"ReportUrl": "",
"SandBoxOn": true,
"Score": null,
"Size": 0,
"Status": "Submitted",
"StatusMessage": null,
"SubmitId": "0",
"SubmitTime": 1585559253000,
"Submitable": true,
"TgReport": false,
"ThreatGridOn": false,
"Type": "alert",
"Uuid": null,
"VideoUrl": ""
},
"ID": "9"
}
}
}
Human Readable Output#

Alert 9#

Alert Flags Xe NonsubmitAlert IdDns FeedEF EnabledFile Check AlertFile SizeJs SubmitableRecording CompleteSand Box OnSizeStatusSubmit IdSubmit TimeSubmitableTg ReportThreat Grid OnType
false9falsetruetrue2990truetruetrue0Submitted01585559253000truefalsefalsealert

fidelis-get-alert-forensic-text#


Get the text of the forensic data.

Base Command#

fidelis-get-alert-forensic-text

Input#
Argument NameDescriptionRequired
alert_idThe alert ID.Required
Context Output#
PathTypeDescription
Fidelis.Alert.IDNumberThe alert ID.
Fidelis.Alert.ForensicTextStringThe alert's forensic text.
Command Example#

!fidelis-get-alert-forensic-text alert_id=9

Context Example#
{
"Fidelis": {
"Alert": {
"ForensicText": {file forensic text},
"ID": "9"
}
}
}
Human Readable Output#

Alert 9 Forensic Text: {file forensic text}

fidelis-get-alert-decoding-path#


Get the alert's decoding path.

Base Command#

fidelis-get-alert-decoding-path

Input#
Argument NameDescriptionRequired
alert_idAlert IDRequired
Context Output#
PathTypeDescription
Fidelis.Alert.IDNumberThe alert ID.
Fidelis.Alert.DecodingPath.ClickableDpathsUnknownThe clickable decoding paths
Fidelis.Alert.DecodingPath.CommandpostIpStringThe command post IP.
Fidelis.Alert.DecodingPath.DecodingPathsUnknownThe decoding path info.
Fidelis.Alert.DecodingPath.OriginalAttributesStringThe original attribute.
Fidelis.Alert.DecodingPath.OriginalDPathStringThe original path.
Fidelis.Alert.DecodingPath.AttributeMapUnknownThe attribute map.
Fidelis.Alert.DecodingPath.AttributeMapHighLightsUnknownThe attribute map highlights.
Command Example#

!fidelis-get-alert-decoding-path alert_id=9

Context Example#
{
"Fidelis": {
"Alert": {
"DecodingPath": {
"AttributeMap": {
"HTTP": [
{
"endIndex": 29,
"highLights": [],
"link": false,
"name": "Filename",
"partialAttr": "HTTP\fFilename\tfile.pcap\n",
"startIndex": 0,
"value": "file.pcap",
"valueFirst255": "file.pcap"
}
]
},
"AttributeMapHighLights": [],
"ClickableDpaths": [
"HTTP(file.pcap)"
],
"CommandpostIp": null,
"DecodingPaths": [
{
"clickable": true,
"highLights": [],
"linkPath": ":HTTP(file.pcap)",
"path": "HTTP(file.pcap)"
}
],
"OriginalAttributes": "HTTP\fFilename\tfile.pcap\n",
"OriginalDPath": ":HTTP(file.pcap)"
},
"ID": "9"
}
}
}
Human Readable Output#

Alert 9#

Attribute MapClickable DpathsDecoding PathsOriginal AttributesOriginal D Path
HTTP: {u'endIndex': 29, u'name': u'Filename', u'valueFirst255': u'file.pcap', u'highLights': [], u'value': u'file.pcap', u'startIndex': 0, u'link': False, u'partialAttr': u'HTTP\x0cFilename\tfile.pcap\n'}HTTP(file.pcap){u'clickable': True, u'highLights': [], u'linkPath': u':HTTP(file.pcap)', u'path': u'HTTP(file.pcap)'}HTTPFilename file.pcap
:HTTP(file.pcap)

fidelis-update-alert-status#


Update alert status

Base Command#

fidelis-update-alert-status

Input#
Argument NameDescriptionRequired
alert_idAlert IDRequired
statusThe new alert status.Required
Context Output#

There is no context output for this command.

Command Example#

!fidelis-update-alert-status alert_id=1 status=Actionable

Human Readable Output#

Alert 1 has been updated to Actionable status

fidelis-alert-execution-forensics-submission#


Submit an excutable file to the fidelis sandbox.

Base Command#

fidelis-alert-execution-forensics-submission

Input#
Argument NameDescriptionRequired
alert_idThe alert ID.Required
Context Output#
PathTypeDescription
Fidelis.Alert.ExecutionForensics.EFEnabledNumberIs the alert execution forensics enabled.
Fidelis.Alert.ExecutionForensics.SizeNumberThe execution forensics size.
Fidelis.Alert.ExecutionForensics.SubmitTimeNumberThe submission time.
Fidelis.Alert.ExecutionForensics.SandBoxOnBooleanIs the sandbox on.
Fidelis.Alert.ExecutionForensics.TgReportBooleanThe TG report.
Fidelis.Alert.ExecutionForensics.FileNameStringThe file name.
Fidelis.Alert.ExecutionForensics.DnsFeedBooleanIs there a DNS feed.
Fidelis.Alert.ExecutionForensics.RecordingCompleteBooleanIs the recording complete.
Fidelis.Alert.ExecutionForensics.PcapUrlStringThe PCAP URL.
Fidelis.Alert.ExecutionForensics.AlertFlagsXeNonsubmitBooleanThe alert flag xe-nonsubmit.
Fidelis.Alert.ExecutionForensics.Bit9ServerStringThe bit 9 server.
Fidelis.Alert.ExecutionForensics.DecodingPathStringThe execution forensics decoding path.
Fidelis.Alert.ExecutionForensics.FileCheckAlertBooleanThe file check alert.
Fidelis.Alert.ExecutionForensics.StatusStringThe execution forensics status.
Fidelis.Alert.ExecutionForensics.SubmitableBooleanIs the execution forensics submitable.
Fidelis.Alert.ExecutionForensics.ScoreNumberThe execution forensics score.
Fidelis.Alert.ExecutionForensics.SubmitIdStringThe execution forensics submit ID.
Fidelis.Alert.ExecutionForensics.VideoUrlStringThe video URL.
Fidelis.Alert.ExecutionForensics.StatusMessageStringThe execution forensics status message.
Fidelis.Alert.ExecutionForensics.FileTypeStringThe file type.
Fidelis.Alert.ExecutionForensics.AlertIdNumberThe alert ID.
Fidelis.Alert.ExecutionForensics.TypeStringThe type.
Fidelis.Alert.ExecutionForensics.ReportUrlStringThe report URL.
Fidelis.Alert.ExecutionForensics.JsSubmitableBooleanIs the execution forensics JS submitable.
Fidelis.Alert.ExecutionForensics.UuidStringThe UUID.
Fidelis.Alert.ExecutionForensics.JsonReportUnknownThe JSON report.
Fidelis.Alert.ExecutionForensics.FileSizeUnknownThe file size.
Fidelis.Alert.ExecutionForensics.Md5StringThe file's MD5 hash.
Fidelis.Alert.ExecutionForensics.ThreatGridOnUnknownIs the threat grid on.
Fidelis.Alert.IDNumberThe alert ID.
Command Example#

!fidelis-alert-execution-forensics-submission alert_id=9

Context Example#
{
"Fidelis": {
"Alert": {
"ExecutionForensics": {
"AlertFlagsXeNonsubmit": false,
"AlertId": 9,
"Bit9Server": null,
"DecodingPath": null,
"DnsFeed": false,
"EFEnabled": true,
"FileCheckAlert": true,
"FileName": null,
"FileSize": 2990,
"FileType": "",
"JsSubmitable": true,
"JsonReport": null,
"Md5": null,
"PcapUrl": "",
"RecordingComplete": true,
"ReportUrl": "",
"SandBoxOn": true,
"Score": null,
"Size": 0,
"Status": "Submitted",
"StatusMessage": null,
"SubmitId": "0",
"SubmitTime": 1585559253000,
"Submitable": true,
"TgReport": false,
"ThreatGridOn": false,
"Type": "alert",
"Uuid": null,
"VideoUrl": ""
},
"ID": "9"
}
}
}
Human Readable Output#

Alert 9#

Alert Flags Xe NonsubmitAlert IdDns FeedEF EnabledFile Check AlertFile SizeJs SubmitableRecording CompleteSand Box OnSizeStatusSubmit IdSubmit TimeSubmitableTg ReportThreat Grid OnType
false9falsetruetrue2990truetruetrue0Submitted01585559253000truefalsefalsealert

fidelis-add-alert-comment#


Adds a comment to an alert.

Base Command#

fidelis-add-alert-comment

Input#
Argument NameDescriptionRequired
alert_idAlert IDRequired
commentcommentRequired
Context Output#

There is no context output for this command.

Command Example#

!fidelis-add-alert-comment alert_id=1 comment="my new comment"

Human Readable Output#

Added this comment: my new comment To alert ID: 1

fidelis-assign-user-to-alert#


Assign a user to an alert.

Base Command#

fidelis-assign-user-to-alert

Input#
Argument NameDescriptionRequired
conclusion_idThe alert conclusion ID.Required
commentAdd a comment to the alertOptional
assign_userThe user to assign.Required
Context Output#
PathTypeDescription
Fidelis.Alert.AssignedUserStringAssigned user ID.
Fidelis.Alert.ConclusionIDNumberThe alert conclusion ID.
Command Example#

!fidelis-assign-user-to-alert assign_user=cloud-user conclusion_id=2

Context Example#
{
"Fidelis": {
"Alert": {
"AssignedUser": "cloud-user",
"ConclusionID": "2"
}
}
}
Human Readable Output#

Assigned User: cloud-user to alert with conclusion ID 2

fidelis-close-alert#


Closes a fidelis alert and can assign a user.

Base Command#

fidelis-close-alert

Input#
Argument NameDescriptionRequired
conclusion_idThe conclusion ID.Required
resolutionThe alert resolution.Required
commentAdd a comment to the alert.Optional
Context Output#
PathTypeDescription
Fidelis.Alert.ConclusionIDNumberThe conclusion ID.
Command Example#

!fidelis-close-alert conclusion_id=2 resolution="False Positive"

Human Readable Output#

Closed alert conclusion ID 2

fidelis-manage-alert-label#


Adds a label to an alert.

Base Command#

fidelis-manage-alert-label

Input#
Argument NameDescriptionRequired
alert_idAlert ID.Required
labelThe label to add.Required
actionWhat action should be taken.Required
Context Output#

There is no context output for this command.

Command Example#

!fidelis-manage-alert-label action=Add alert_id=3 label="example-label"

Human Readable Output#

Assigned label: example-label to alert 3