Skip to main content

FireEye HX

This Integration is part of the FireEye HX Pack.#

FireEye Endpoint Security is an integrated solution that detects what others miss and protects endpoint against known and unknown threats. The HX Demisto integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. Customers can extract critical data and effectively operate security operations automated playbook.

Configure FireEye HX on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for FireEye HX.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Server URL (e.g. https://192.168.0.1:3000)True
    CredentialsTrue
    PasswordTrue
    VersionTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    Fetch incidentsFalse
    Incident typeFalse
    Fetch limitFalse
    Incidents Fetch IntervalFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

fireeye-hx-host-containment#


Apply containment for a specific host, so that it no longer has access to other systems.

Base Command#

fireeye-hx-host-containment

Input#

Argument NameDescriptionRequired
hostNameThe host name to be contained. If the hostName is not specified, the agentId must be specified.Optional
agentIdThe agent id running on the host to be contained. If the agentId is not specified, the hostName must be specified.Optional

Context Output#

PathTypeDescription
FireEyeHX.Hosts._idUnknownFireEye HX Agent ID.
FireEyeHX.Hosts.agent_versionUnknownThe agent version.
FireEyeHX.Hosts.excluded_from_containmentUnknownDetermines whether the host is excluded from containment.
FireEyeHX.Hosts.containment_missing_softwareUnknownBoolean value to indicate for containment missing software.
FireEyeHX.Hosts.containment_queuedUnknownDetermines whether the host is queued for containment.
FireEyeHX.Hosts.containment_stateUnknownThe containment state of the host. Possible values normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu.
FireEyeHX.Hosts.stats.alerting_conditionsUnknownThe number of conditions that have alerted for the host.
FireEyeHX.Hosts.stats.alertsUnknownTotal number of alerts, including exploit-detection alerts.
FireEyeHX.Hosts.stats.exploit_blocksUnknownThe number of blocked exploits on the host.
FireEyeHX.Hosts.stats.malware_alertsUnknownThe number of malware alerts associated with the host.
FireEyeHX.Hosts.hostnameUnknownThe host name.
FireEyeHX.Hosts.domainUnknownDomain name.
FireEyeHX.Hosts.timezoneUnknownHost time zone.
FireEyeHX.Hosts.primary_ip_addressUnknownThe host IP address.
FireEyeHX.Hosts.last_poll_timestampUnknownThe timestamp of the last system poll preformed on the host.
FireEyeHX.Hosts.initial_agent_checkinUnknownTimestamp of the initial agent check-in.
FireEyeHX.Hosts.last_alert_timestampUnknownThe time stamp of the last alert for the host.
FireEyeHX.Hosts.last_exploit_block_timestampUnknownTime when the last exploit was blocked on the host. The value is null if no exploits have been blocked.
FireEyeHX.Hosts.os.product_nameUnknownSpecific operating system
FireEyeHX.Hosts.os.bitnessUnknownOS Bitness.
FireEyeHX.Hosts.os.platformUnknownFamily of operating systems. Valid values are win, osx, and linux.
FireEyeHX.Hosts.primary_macUnknownThe host MAC address.

Command Example#

!fireeye-hx-host-containment agentId=”uGvn34ZkM3bfSf1nOT” !fireeye-hx-host-containment hostname=“DESKTOP-HK8OI62”

Context Example#

{
"FireEyeHX":{
"Hosts":{
"last_alert":{
"url":"/hx/api/v3/alerts/5",
"_id":5
},
"domain":"DEMISTO",
"last_exploit_block_timestamp":null,
"containment_state":"contain",
"timezone":"Eastern Daylight Time",
"gmt_offset_seconds":-14400,
"initial_agent_checkin":"2018-03-26T14:21:31.273Z",
"stats":{
"alerting_conditions":1,
"exploit_alerts":0,
"acqs":11,
"malware_false_positive_alerts":0,
"alerts":1,
"exploit_blocks":0,
"malware_cleaned_count":0,
"malware_alerts":0,
"malware_quarantined_count":0
},
"primary_mac":"XX-XX-XX-XX-XX-XX",
"hostname":"DESKTOP-XXX",
"primary_ip_address":"^^^XX.XX.XX.XX^^^",
"last_audit_timestamp":"2018-05-03T13:59:23.000Z",
"last_alert_timestamp":"2018-04-16T08:59:51.693+00:00",
"containment_queued":false,
"sysinfo":{
"url":"/hx/api/v3/hosts/uGvnGVpZkDSFySf2ZOiT/sysinfo"
},
"last_exploit_block":null,
"reported_clone":false,
"url":"/hx/api/v3/hosts/uGvnGVpZkeySf2ZOiT",
"excluded_from_containment":false,
"last_poll_timestamp":"2018-05-03T14:01:22.000Z",
"last_poll_ip":"^^^XX.XX.XX.XX^^^",
"containment_missing_software":false,
"_id":" uGvnGVpZkDSFySf2ZOiT ",
"os":{
"kernel_version":null,
"platform":"win",
"patch_level":null,
"bitness":"64-bit",
"product_name":"Windows 10 Enterprise Evaluation"
},
"agent_version":"26.21.10"
}
}
}

fireeye-hx-cancel-containment#


Release a specific host from containment.

Base Command#

fireeye-hx-cancel-containment

Input#

Argument NameDescriptionRequired
hostNameThe host name to be contained. If the hostName is not specified, the agentId must be specified.Optional
agentIdThe agent id running on the host to be contained. If the agentId is not specified, the hostName must be specified.Optional

Context Output#

PathTypeDescription
FireEyeHX.Hosts._idUnknownFireEye HX Agent ID.
FireEyeHX.Hosts.agent_versionUnknownThe agent version.
FireEyeHX.Hosts.excluded_from_containmentUnknownDetermines whether the host is excluded from containment.
FireEyeHX.Hosts.containment_missing_softwareUnknownBoolean value to indicate for containment missing software.
FireEyeHX.Hosts.containment_queuedUnknownDetermines whether the host is queued for containment.
FireEyeHX.Hosts.containment_stateUnknownThe containment state of the host. Possible values normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu.
FireEyeHX.Hosts.stats.alerting_conditionsUnknownThe number of conditions that have alerted for the host.
FireEyeHX.Hosts.stats.alertsUnknownTotal number of alerts, including exploit-detection alerts.
FireEyeHX.Hosts.stats.exploit_blocksUnknownThe number of blocked exploits on the host.
FireEyeHX.Hosts.stats.malware_alertsUnknownThe number of malware alerts associated with the host.
FireEyeHX.Hosts.hostnameUnknownThe host name.
FireEyeHX.Hosts.domainUnknownDomain name.
FireEyeHX.Hosts.timezoneUnknownHost time zone.
FireEyeHX.Hosts.primary_ip_addressUnknownThe host IP address.
FireEyeHX.Hosts.last_poll_timestampUnknownThe timestamp of the last system poll preformed on the host.
FireEyeHX.Hosts.initial_agent_checkinUnknownTimestamp of the initial agent check-in.
FireEyeHX.Hosts.last_alert_timestampUnknownThe time stamp of the last alert for the host.
FireEyeHX.Hosts.last_exploit_block_timestampUnknownTime when the last exploit was blocked on the host. The value is null if no exploits have been blocked.
FireEyeHX.Hosts.os.product_nameUnknownSpecific operating system
FireEyeHX.Hosts.os.bitnessUnknownOS Bitness.
FireEyeHX.Hosts.os.platformUnknownFamily of operating systems. Valid values are win, osx, and linux.
FireEyeHX.Hosts.primary_macUnknownThe host MAC address.

Command Examples#

!fireeye-hx-cancel-containment hostname=“DESKTOP-HK8OI62” !fireeye-hx-cancel-containment agentId=”uGvn34ZkM3bfSf1nOT”

Context Example#

{
"FireEyeHX": {
"Hosts": {
"last_alert": {
"url": "/hx/api/v3/alerts/5",
"_id": 5
},
"domain": "DEMISTO",
"last_exploit_block_timestamp": null,
"containment_state": "normal",
"timezone": "Eastern Daylight Time",
"gmt_offset_seconds": -14400,
"initial_agent_checkin": "2018-03-26T14:21:31.273Z",
"stats": {
"alerting_conditions": 1,
"exploit_alerts": 0,
"acqs": 11,
"malware_false_positive_alerts": 0,
"alerts": 1,
"exploit_blocks": 0,
"malware_cleaned_count": 0,
"malware_alerts": 0,
"malware_quarantined_count": 0
},
"primary_mac": "XX-XX-XX-XX-XX-XX",
"hostname": "DESKTOP-XXX",
"primary_ip_address": "^^^XX.XX.XX.XX^^^",
"last_audit_timestamp": "2018-05-03T13:59:23.000Z",
"last_alert_timestamp": "2018-04-16T08:59:51.693+00:00",
"containment_queued": false,
"sysinfo": {
"url": "/hx/api/v3/hosts/uGvnGVpZkDSFySf2ZOiT/sysinfo"
},
"last_exploit_block": null,
"reported_clone": false,
"url": "/hx/api/v3/hosts/uGvnGVpZkeySf2ZOiT",
"excluded_from_containment": false,
"last_poll_timestamp": "2018-05-03T14:01:22.000Z",
"last_poll_ip": "^^^XX.XX.XX.XX^^^",
"containment_missing_software": false,
"_id": " uGvnGVpZkDSFySf2ZOiT ",
"os": {
"kernel_version": null,
"platform": "win",
"patch_level": null,
"bitness": "64-bit",
"product_name": "Windows 10 Enterprise Evaluation"
},
"agent_version": "26.21.10"
}
}
}

fireeye-hx-get-alerts#


Get a list of alerts, use the different arguments to filter the results returned.

Base Command#

fireeye-hx-get-alerts

Input#

Argument NameDescriptionRequired
hasShareModeIdentifies which alerts result from indicators with the specified share mode. Possible values are: any, restricted, unrestricted.Optional
resolutionSorts the results by the specified field. Possible values are: active_threat, alert, block, partial_block.Optional
agentIdFilter by the agent ID.Optional
conditionIdFilter by condition ID.Optional
eventAtFilter event occurred time. ISO-8601 timestamp..Optional
alertIdFilter by alert ID.Optional
matchedAtFilter by match detection time. ISO-8601 timestamp.Optional
minIdFilter that returns only records with an AlertId field value great than the minId value.Optional
reportedAtFilter by reported time. ISO-8601 timestamp.Optional
IOCsourceSource of alert- indicator of compromise. Possible values are: yes.Optional
EXDsourceSource of alert - exploit detection. Possible values are: yes.Optional
MALsourceSource of alert - malware alert. Possible values are: yes.Optional
limitLimit the results returned.Optional
sortSorts the results by the specified field in ascending order. Possible values are: agentId, conditionId, eventAt, alertId, matchedAt, id, reportedAt.Optional
sortOrderThe sort order for the results. Possible values are: ascending, descending.Optional

Context Output#

PathTypeDescription
FireEyeHX.Alerts._idUnknownFireEye alert ID.
FireEyeHX.Alerts.agent._idUnknownFireEye agent ID.
FireEyeHX.Alerts.agent.containment_stateUnknownHost containment state.
FireEyeHX.Alerts.condition._idUnknownThe condition unique ID.
FireEyeHX.Alerts.event_atUnknownTime when the event occoured.
FireEyeHX.Alerts.matched_atUnknownTime when the event was matched.
FireEyeHX.Alerts.reported_atUnknownTime when the event was reported.
FireEyeHX.Alerts.sourceUnknownSource of alert.
FireEyeHX.Alerts.matched_source_alerts._idUnknownSource alert ID.
FireEyeHX.Alerts.matched_source_alerts.appliance_idUnknownAppliance ID
FireEyeHX.Alerts.matched_source_alerts.metaUnknownSource alert meta.
FireEyeHX.Alerts.matched_source_alerts.indicator_idUnknownIndicator ID.
FireEyeHX.Alerts.resolutionUnknownAlert resulotion.
FireEyeHX.Alerts.event_typeUnknownEvent type.

Command Example#

!fireeye-hx-get-alerts limit="10" sort="id" sortOrder="descending"

Context Example#

{
"FireEyeHX": {
"Alerts": {
"_id": 5,
"agent": {
"_id": "uGvnGVp…4bKeySf2ZOiT",
"containment_state": "normal",
"url": "/hx/api/v3/hosts/ uGvnGVp…4bKeySf2ZOiT "
},
"condition": {
"_id": "CSaoSZFw…JNPW0mw==",
"url": "/hx/api/v3/conditions/ CSaoSZFw…JNPW0mw =="
},
"event_at": "2018-04-16T08:59:02.061Z",
"event_id": 7885715,
"event_type": "fileWriteEvent",
"event_values": {
"fileWriteEvent/closed": 1,
"fileWriteEvent/dataAtLowestOffset": "dGVzdGVzdA==",
"fileWriteEvent/devicePath": "\\Device\\HarddiskVolume2",
"fileWriteEvent/drive": "C",
"fileWriteEvent/fileExtension": "txt",
"fileWriteEvent/fileName": "testest - Copy.txt",
"fileWriteEvent/filePath": "Users\\demistodev\\Documents",
"fileWriteEvent/fullPath": "C:\\Users\\User\\Documents\\testest - Copy.txt",
"fileWriteEvent/lowestFileOffsetSeen": 0,
"fileWriteEvent/md5": " c3add7b947…817c79f7b7bd ",
"fileWriteEvent/numBytesSeenWritten": 7,
"fileWriteEvent/pid": 3308,
"fileWriteEvent/process": "explorer.exe",
"fileWriteEvent/processPath": "C:\\Windows",
"fileWriteEvent/size": 7,
"fileWriteEvent/textAtLowestOffset": "testest",
"fileWriteEvent/timestamp": "2018-04-16T08:59:02.061Z",
"fileWriteEvent/username": "DEMISTO\\User",
"fileWriteEvent/writes": 1
},
"is_false_positive": null,
"matched_at": "2018-04-16T08:59:10.000Z",
"matched_source_alerts": [],
"reported_at": "2018-04-16T08:59:51.693Z",
"resolution": "ALERT",
"source": "IOC",
"url": "/hx/api/v3/alerts/5"
}
},
"File": [
{
"Extension": "txt",
"MD5": "c3add7b947…817c79f7b7bd",
"Name": "testest - Copy.txt",
"Path": "C:\\Users\\User\\Documents\\testest - Copy.txt"
}
],
"IP": [],
"RrgistryKey": []
}

fireeye-hx-suppress-alert#


Suppress alert by ID

Base Command#

fireeye-hx-suppress-alert

Input#

Argument NameDescriptionRequired
alertIdThe alert id. The alert id is listed in the output of 'get-alerts' command.Optional

Context Output#

There is no context output for this command.

Command Example#

!fireeye-hx-suppress-alert alertId=2

fireeye-hx-get-indicators#


Get a list of indicators

Base Command#

fireeye-hx-get-indicators

Input#

Argument NameDescriptionRequired
categoryThe indicator category.Optional
searchTermThe searchTerm can be any name, category, signature, source, or condition value.Optional
shareModeDetermines who can see the indicator. You must belong to the correct authorization group . Possible values are: any, restricted, unrestricted, visible.Optional
sortSorts the results by the specified field in ascending order. Possible values are: category, activeSince, createdBy, alerted.Optional
createdByPerson who created the indicator.Optional
alertedWhether the indicator resulted in alerts. Possible values are: yes, no.Optional
limitLimit the number of results.Optional

Context Output#

PathTypeDescription
FireEyeHX.Indicators._idUnknownFireEye unique indicator ID.
FireEyeHX.Indicators.nameUnknownThe indicator name as displayed in the UI.
FireEyeHX.Indicators.descriptionUnknownIndicator description.
FireEyeHX.Indicators.category.nameUnknownCatagory name.
FireEyeHX.Indicators.created_byUnknownThe "Created By" field as displayed in UI
FireEyeHX.Indicators.active_sinceUnknownDate indicator became active.
FireEyeHX.Indicators.stats.source_alertsUnknownTotal number of source alerts associated with this indicator.
FireEyeHX.Indicators.stats.alerted_agentsUnknownTotal number of agents with HX alerts associated with this indicator.
FireEyeHX.Indicators.platformsUnknownList of families of operating systems.
FireEyeHX.Indicators.uri_nameStringURI formatted name of the indicator.
FireEyeHX.Indicators.category.uri_nameStringURI name of the category.

Command Example#

!fireeye-hx-get-indicators limit=2

Context Example#

{
"FireEyeHX": {
"Indicators": [
{
"_id": "34757fe7-bdd7-4c85-b0e1-9adfb5e48300",
"_revision": "20211017115618818832920449",
"active_since": "2021-10-17T11:56:18.818Z",
"category": {
"_id": 2,
"name": "Custom",
"share_mode": "unrestricted",
"uri_name": "Custom",
"url": "/hx/api/v3/indicator_categories/custom"
},
"create_actor": {
"_id": 1001,
"username": "api-admin"
},
"create_text": null,
"created_by": "api-admin",
"description": null,
"display_name": null,
"meta": null,
"name": "34757fe7-bdd7-4c85-b0e1-9adfb5e48300",
"platforms": [
"win",
"osx",
"linux"
],
"signature": null,
"stats": {
"active_conditions": 0,
"alerted_agents": 0,
"source_alerts": 0
},
"update_actor": {
"_id": 1001,
"username": "api-admin"
},
"uri_name": "34757fe7-bdd7-4c85-b0e1-9adfb5e48300",
"url": "/hx/api/v3/indicators/custom/34757fe7_bdd7_4c85_b0e1_9adfb5e48300"
},
{
"_id": "c6286e1b-10bd-4046-8aff-0dbcc5b1e974",
"_revision": "20201214155227728995101265",
"active_since": "2021-09-28T14:44:04.245Z",
"category": {
"_id": 7,
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted",
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted"
},
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2021.09.270849",
"created_by": "General_Windows_unrestricted_2021.09.270849",
"description": "This IOC alerts on suspicious filewrites by the legitimate solarwinds process solarwinds.businesslayerhost.exe. solarwinds.businesslayerhost.exe is part of the the Network Performance Monitor (NPM) module of Solarwinds; responsible for detecting and diagnosing network performance issues. This may be an evidence of SUNBURST which is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.This is associated with MITRE ATT&CK (r) Tactic(s): Initial Access and Technique(s): T1195.002.",
"display_name": "SUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY)",
"meta": null,
"name": "SUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY)",
"platforms": [
"win",
"osx",
"linux"
],
"signature": null,
"stats": {
"active_conditions": 6,
"alerted_agents": 0,
"source_alerts": 0
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"uri_name": "c6286e1b-10bd-4046-8aff-0dbcc5b1e974",
"url": "/hx/api/v3/indicators/mandiant_unrestricted/c6286e1b_10bd_4046_8aff_0dbcc5b1e974"
}
]
}
}

Human Readable Output#

FireEye HX Get Indicator- None#

OSNameCreated ByActive SinceCategorySignatureActive ConditionHosts With AlertsSource Alerts
win, osx, linux34757fe7-bdd7-4c85-b0e1-9adfb5e48300api-admin2021-10-17T11:56:18.818ZCustom000
win, osx, linuxSUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY)General_Windows_unrestricted_2021.09.2708492021-09-28T14:44:04.245ZMandiant Unrestricted Intel600

fireeye-hx-get-indicator#


Get a specific indicator details

Base Command#

fireeye-hx-get-indicator

Input#

Argument NameDescriptionRequired
categoryIndicator category. Please use the uri_category value.Required
nameIndicator name. Please use the uri_name value.Required

Context Output#

PathTypeDescription
FireEyeHX.Indicators._idUnknownFireEye unique indicator ID.
FireEyeHX.Indicators.nameUnknownThe indicator name as displayed in the UI.
FireEyeHX.Indicators.descriptionUnknownIndicator description.
FireEyeHX.Indicators.category.nameUnknownCatagory name.
FireEyeHX.Indicators.created_byUnknownThe "Created By" field as displayed in UI
FireEyeHX.Indicators.active_sinceUnknownDate indicator became active.
FireEyeHX.Indicators.stats.source_alertsUnknownTotal number of source alerts associated with this indicator.
FireEyeHX.Indicators.stats.alerted_agentsUnknownTotal number of agents with HX alerts associated with this indicator.
FireEyeHX.Indicators.platformsUnknownList of families of operating systems.
FireEyeHX.Conditions._idUnknownFireEye unique condition ID.
FireEyeHX.Conditions.event_typeUnknownEvent type.
FireEyeHX.Conditions.enabledUnknownIndicates whether the condition is enabled.

Command Example#

!fireeye-hx-get-indicator category=Custom name="5def0b16-87bc-42a2-877a-bca45ebcbc9a"

Context Example#

{
"FireEyeHX": {
"Conditions": [
{
"_id": "YhXur1M8FNRDi8GAr9CMbQ==",
"enabled": true,
"event_type": "dnsLookupEvent",
"is_private": false,
"tests": [
{
"operator": "equal",
"token": "dnsLookupEvent/hostname",
"type": "text",
"value": "example.lol"
}
],
"url": "/hx/api/v3/conditions/YhXur1M8FNRDi8GAr9CMbQ",
"uuid": "6215eeaf-533c-44d4-838b-c180afd08c6d"
},
{
"_id": "gB7gGHN9RmLNdf8mwuvQ8Q==",
"enabled": true,
"event_type": "dnsLookupEvent",
"is_private": false,
"tests": [
{
"operator": "equal",
"token": "dnsLookupEvent/hostname",
"type": "text",
"value": "example.abc"
}
],
"url": "/hx/api/v3/conditions/gB7gGHN9RmLNdf8mwuvQ8Q",
"uuid": "801ee018-737d-4662-8d75-ff26c2ebd0f1"
}
],
"Indicators": {
"_id": "5def0b16-87bc-42a2-877a-bca45ebcbc9a",
"_revision": "20210920184007966360614215",
"active_since": "2021-09-20T18:40:07.966Z",
"category": {
"_id": 2,
"name": "Custom",
"share_mode": "unrestricted",
"uri_name": "Custom",
"url": "/hx/api/v3/indicator_categories/custom"
},
"create_actor": {
"_id": 1001,
"username": "api-admin"
},
"create_text": null,
"created_by": "api-admin",
"description": null,
"display_name": null,
"meta": null,
"name": "5def0b16-87bc-42a2-877a-bca45ebcbc9a",
"platforms": [
"win",
"osx",
"linux"
],
"signature": null,
"stats": {
"active_conditions": 2,
"alerted_agents": 0,
"source_alerts": 0
},
"update_actor": {
"_id": 1001,
"username": "api-admin"
},
"uri_name": "5def0b16-87bc-42a2-877a-bca45ebcbc9a",
"url": "/hx/api/v3/indicators/custom/5def0b16_87bc_42a2_877a_bca45ebcbc9a"
}
}
}

Human Readable Output#

Indicator "5def0b16-87bc-42a2-877a-bca45ebcbc9a" Alerts on#

Event TypeOperatorValue
dnsLookupEventequalexample.lol
dnsLookupEventequalexample.abc

fireeye-hx-get-host-information#


Get information on a host associated with an agent.

Base Command#

fireeye-hx-get-host-information

Input#

Argument NameDescriptionRequired
agentIdThe agent ID. If the agent ID is not specified, the host Name must be specified.Optional
hostNameThe host name. If the host name is not specified, the agent ID must be specified.Optional

Context Output#

PathTypeDescription
FireEyeHX.Hosts._idUnknownFireEye HX Agent ID.
FireEyeHX.Hosts.agent_versionUnknownThe agent version.
FireEyeHX.Hosts.excluded_from_containmentUnknownDetermines whether the host is excluded from containment.
FireEyeHX.Hosts.containment_missing_softwareUnknownBoolean value to indicate for containment missing software.
FireEyeHX.Hosts.containment_queuedUnknownDetermines whether the host is queued for containment.
FireEyeHX.Hosts.containment_stateUnknownThe containment state of the host. Possible values normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu.
FireEyeHX.Hosts.stats.alerting_conditionsUnknownThe number of conditions that have alerted for the host.
FireEyeHX.Hosts.stats.alertsUnknownTotal number of alerts, including exploit-detection alerts.
FireEyeHX.Hosts.stats.exploit_blocksUnknownThe number of blocked exploits on the host.
FireEyeHX.Hosts.stats.malware_alertsUnknownThe number of malware alerts associated with the host.
FireEyeHX.Hosts.hostnameUnknownThe host name.
FireEyeHX.Hosts.domainUnknownDomain name.
FireEyeHX.Hosts.timezoneUnknownHost time zone.
FireEyeHX.Hosts.primary_ip_addressUnknownThe host IP address.
FireEyeHX.Hosts.last_poll_timestampUnknownThe timestamp of the last system poll preformed on the host.
FireEyeHX.Hosts.initial_agent_checkinUnknownTimestamp of the initial agent check-in.
FireEyeHX.Hosts.last_alert_timestampUnknownThe time stamp of the last alert for the host.
FireEyeHX.Hosts.last_exploit_block_timestampUnknownTime when the last exploit was blocked on the host. The value is null if no exploits have been blocked.
FireEyeHX.Hosts.os.product_nameUnknownSpecific operating system
FireEyeHX.Hosts.os.bitnessUnknownOS Bitness.
FireEyeHX.Hosts.os.platformUnknownFamily of operating systems. Valid values are win, osx, and linux.
FireEyeHX.Hosts.primary_macUnknownThe host MAC address.

Command Example#

!fireeye-hx-get-host-information hostName=”DESKTOP-XXX”

Context Output#

{
"FireEyeHX": {
"Hosts": {
"last_alert": {
"url": "/hx/api/v3/alerts/5",
"_id": 5
},
"domain": "DEMISTO",
"last_exploit_block_timestamp": null,
"containment_state": "normal",
"timezone": "Eastern Daylight Time",
"gmt_offset_seconds": -14400,
"initial_agent_checkin": "2018-03-26T14:21:31.273Z",
"stats": {
"alerting_conditions": 1,
"exploit_alerts": 0,
"acqs": 11,
"malware_false_positive_alerts": 0,
"alerts": 1,
"exploit_blocks": 0,
"malware_cleaned_count": 0,
"malware_alerts": 0,
"malware_quarantined_count": 0
},
"primary_mac": "XX-XX-XX-XX-XX-XX",
"hostname": "DESKTOP-XXX",
"primary_ip_address": "^^^XX.XX.XX.XX^^^",
"last_audit_timestamp": "2018-05-03T13:59:23.000Z",
"last_alert_timestamp": "2018-04-16T08:59:51.693+00:00",
"containment_queued": false,
"sysinfo": {
"url": "/hx/api/v3/hosts/uGvnGVpZkDSFySf2ZOiT/sysinfo"
},
"last_exploit_block": null,
"reported_clone": false,
"url": "/hx/api/v3/hosts/uGvnGVpZkeySf2ZOiT",
"excluded_from_containment": false,
"last_poll_timestamp": "2018-05-03T14:01:22.000Z",
"last_poll_ip": "^^^XX.XX.XX.XX^^^",
"containment_missing_software": false,
"_id": " uGvnGVpZkDSFySf2ZOiT ",
"os": {
"kernel_version": null,
"platform": "win",
"patch_level": null,
"bitness": "64-bit",
"product_name": "Windows 10 Enterprise Evaluation"
},
"agent_version": "26.21.10"
}
},
"Endpoint": {
"MACAddress": "XX-XX-XX-XX-XX-XX",
"Domain": "DEMISTO",
"IPAddress": "^^^XX.XX.XX.XX^^^",
"Hostname": "DESKTOP-XXX",
"OSVersion": "Windows 10 Enterprise Evaluation",
"OS": "win",
"ID": " uGvnGVpZkDSFySf2ZOiT "
},
}

fireeye-hx-get-alert#


Get details of a specific alert

Base Command#

fireeye-hx-get-alert

Input#

Argument NameDescriptionRequired
alertIdThe alert ID.Required

Context Output#

PathTypeDescription
FireEyeHX.Alerts._idUnknownFireEye alert ID.
FireEyeHX.Alerts.agent._idUnknownFireEye agent ID.
FireEyeHX.Alerts.agent.containment_stateUnknownHost containment state.
FireEyeHX.Alerts.condition._idUnknownThe condition unique ID.
FireEyeHX.Alerts.event_atUnknownTime when the event occoured.
FireEyeHX.Alerts.matched_atUnknownTime when the event was matched.
FireEyeHX.Alerts.reported_atUnknownTime when the event was reported.
FireEyeHX.Alerts.sourceUnknownSource of alert.
FireEyeHX.Alerts.matched_source_alerts._idUnknownSource alert ID.
FireEyeHX.Alerts.matched_source_alerts.appliance_idUnknownAppliance ID
FireEyeHX.Alerts.matched_source_alerts.metaUnknownSource alert meta.
FireEyeHX.Alerts.matched_source_alerts.indicator_idUnknownIndicator ID.
FireEyeHX.Alerts.resolutionUnknownAlert resulotion.
FireEyeHX.Alerts.event_typeUnknownEvent type.

fireeye-hx-file-acquisition#


Aquire a specific file as a password protected zip file. The password for unlocking the zip file is 'unzip-me'.

Base Command#

fireeye-hx-file-acquisition

Input#

Argument NameDescriptionRequired
fileNameThe file name.Required
filePathThe file path.Required
acquireUsingWhether to aqcuire the file using the API or RAW. By default, raw file will be acquired. Use API option when file is encrypted. Possible values are: API, RAW.Optional
agentIdThe agent ID associated with the host that holds the file. If the hostName is not specified, the agentId must be specified.Optional
hostNameThe host that holds the file. If the agentId is not specified, hostName must be specified.Optional

Context Output#

PathTypeDescription
FireEyeHX.Acquisitions.Files._idUnknownThe acquisition unique ID.
FireEyeHX.Acquisitions.Files.stateUnknownThe acquisition state.
FireEyeHX.Acquisitions.Files.md5UnknownFile md5.
FireEyeHX.Acquisitions.Files.req_filenameUnknownThe file name.
FireEyeHX.Acquisitions.Files.req_pathUnknownThe file path.
FireEyeHX.Acquisitions.Files.host._idUnknownFireEye HX agent ID.

Command Example#

!fireeye-hx-file-acquisition fileName="test.txt"filePath="C:\\Users\\user\\Documents" hostName="DESKTOP-DES01"

Context Output#

"FireEyeHX": {
"Acquisitions": {
"Files": {
"_id": 13,
"_revision": "206073441021688",
"alert": null,
"comment": null,
"condition": null,
"error_message": "The acquisition completed with issues.",
"external_id": null,
"finish_time": "2018-04-26T07:34:14.100Z",
"host": {
"_id": "uGvnGVpZkKeySf2ZT",
"url": "/hx/api/v3/hosts/ uGvnGVpZkKeySf2ZT "
},
"indicator": null,
"md5": "ee26908bf9…64b37da4754a",
"req_filename": "ex.txt",
"req_path": "C:\\Users\\user\\Documents",
"req_use_api": null,
"request_actor": {
"_id": 1001,
"username": "api"
},
"request_time": "2018-04-26T07:33:03.000Z",
"state": "COMPLETE",
"url": "/hx/api/v3/acqs/files/13",
"zip_passphrase": "unzip-me"
}
}
}

fireeye-hx-delete-file-acquisition#


Delete the file acquisition, by ID.

Base Command#

fireeye-hx-delete-file-acquisition

Input#

Argument NameDescriptionRequired
acquisitionIdThe acquisition ID.Required

Context Output#

There is no context output for this command.

Command Example#

!fireeye-hx-delete-file-acquisition acquisitionId=10

fireeye-hx-data-acquisition#


Start a data acquisition process to gather artifacts from the system disk and memory. The data is fetched as mans file.

Base Command#

fireeye-hx-data-acquisition

Input#

Argument NameDescriptionRequired
scriptAcquisition script in JSON format.Optional
scriptNameThe script name. If the Acquisition script is specified, the script name must be specified as well.Optional
defaultSystemScriptUse default script. Select the host system. Possible values are: osx, win, linux.Optional
agentIdThe agent ID. If the host name is not specified, the agent ID must be specified.Optional
hostNameThe host name. If the agent ID is not specified, the host name must be specified.Optional

Context Output#

PathTypeDescription
FireEyeHX.Acquisitions.Data._idUnknownThe acquisition unique ID.
FireEyeHX.Acquisitions.Data.stateUnknownThe acquisition state.
FireEyeHX.Acquisitions.Data.md5UnknownFile md5.
FireEyeHX.Acquisitions.Data.finish_timeUnknownTime when the acquisition was finished.
FireEyeHX.Acquisitions.Data.host._idunknownAgent ID

Command Example#

! fireeye-hx-data-acquisition hostName="DESKTOP-DES01" defaultSystemScript=win

Contex Example#

{
"FireEyeHX": {
"Acquisitions": {
"Data": {
"comment": null,
"zip_passphrase": null,
"request_actor": {
"username": "api",
"_id": 1001
},
"name": "test",
"script": {
"download": "/hx/api/v3/scripts/131ab1da5086fe09f5a210437de366007867fa26.json",
"url": "/hx/api/v3/scripts/^^^131ab1da5086fe09f5a210437de366007867fa26^^^",
"_id": "^^^131ab1da5086fe09f5a210437de366007867fa26^^^"
},
"finish_time": "2018-05-15T11:58:18.541Z",
"_revision": "20180515115818542250101787",
"error_message": "The triage completed with issues.",
"state": "COMPLETE",
"request_time": "2018-05-15T11:57:22.000Z",
"url": "/hx/api/v3/acqs/live/28",
"host": {
"url": "/hx/api/v3/hosts/uGvnGVpZkM4bKeySf2ZOiT",
"_id": "uGvnGVpZkXXXX2ZOiT"
},
"download": "/hx/api/v3/acqs/live/28.mans",
"_id": 28,
"external_id": null,
"md5": null
}
}
},
"File": {
"Info": "mans",
"SHA1": "^^^4374d09a27ef85XXXXX66785c040d7febff7d8^^^",
"Name": "agent_uGvnGVpZkMXXXX2ZOiT_data.mans",
"Extension": "mans",
"Size": 5154,
"EntryID": "383@1",
"SSDeep": "96:JraN9hyFIVls4Dst99i462teLuf0XXXXyU2y46Gd/pV:xapyFIVibPi462teLuf0TXdLNJLU23dt",
"SHA256": "7944d5e86ce2bXXXXe154d4c2923ddf47016a07b84b460f08b0f2f",
"Type": "Zip archive data, at least v2.0 to extract\n",
"MD5": "^^^c24a2c4aeXXXXf89e1e012dae^^^"
}
}

fireeye-hx-delete-data-acquisition#


Delete data acquisition.

Base Command#

fireeye-hx-delete-data-acquisition

Input#

Argument NameDescriptionRequired
acquisitionIdThe acquisition ID.Required

Context Output#

There is no context output for this command.

Command Example#

!fireeye-hx-delete-data-acquisition acquisitionId=10

fireeye-hx-search#


Search endpoints to check all hosts or a subset of hosts for a specific file or indicator.

Base Command#

fireeye-hx-search

Input#

Argument NameDescriptionRequired
agentsIdsIDs of agents to be searched.Optional
hostsNamesNames of hosts to be searched.Optional
hostSetId of host set to be searched.Optional
limitLimit results count (once limit is reached, the search is stopped).Optional
exhaustiveShould search be exhaustive or quick. Possible values are: yes, no. Default is True.Optional
ipAddressA valid IPv4 address to search for.Optional
ipAddressOperatorWhich operator to apply to the given IP address. Possible values are: equals, not equals.Optional
fileMD5HashA 32-character MD5 hash value to search for.Optional
fileMD5HashOperatorWhich operator to apply to the given MD5 hash. Possible values are: equals, not equals.Optional
fileFullPathFull path of file to search.Optional
fileFullPathOperatorWhich operator to apply to the given file path. Possible values are: equals, not equals, contains, not contains.Optional
dnsHostnameDNS value to search for.Optional
dnsHostnameOperatorWhich operator to apply to the given DNS. Possible values are: equals, not equals, contains, not contains.Optional
stopSearchMethod in which search should be stopped after finding <limit> number of results. Possible values are: stopAndDelete, stop.Optional

Context Output#

PathTypeDescription
FireEyeHX.Search.Results.Timestamp - ModifiedstringTime when the entry was last modified
FireEyeHX.Search.Results.File Text WrittenstringThe file text content
FireEyeHX.Search.Results.File NamestringName of the file
FireEyeHX.Search.Results.File Full PathstringThe full path of the file
FireEyeHX.Search.Results.File Bytes WrittenstringNumber of bytes written to the file
FireEyeHX.Search.Results.Size in bytesstringSize of the file in bytes
FireEyeHX.Search.Results.Browser VersionstringVersion of the browser
FireEyeHX.Search.Results.Browser NamestringName of the browser
FireEyeHX.Search.Results.Cookie NamestringName of the cookie
FireEyeHX.Search.Results.DNS HostnamestringName of the DNS host
FireEyeHX.Search.Results.URLstringThe event URL
FireEyeHX.Search.Results.UsernamestringThe event username
FireEyeHX.Search.Results.File MD5 HashstringMD5 hash of the file
FireEyeHX.Search.HostIDstringID of the host
FireEyeHX.Search.HostNamestringName of host
FireEyeHX.Search.HostUrlstringInner FireEye host url
FireEyeHX.Search.SearchIDstringID of performed search
FireEyeHX.Search.Results.Timestamp - AccessedstringLast accessed time
FireEyeHX.Search.Results.PortnumberPort
FireEyeHX.Search.Results.Process IDstringID of the process
FireEyeHX.Search.Results.Local IP AddressstringLocal IP Address
FireEyeHX.Search.Results.Local IP AddressstringLocal IP Address
FireEyeHX.Search.Results.Local PortnumberLocal Port
FireEyeHX.Search.Results.UsernamestringUsername
FireEyeHX.Search.Results.Remote PortnumberRemote Port
FireEyeHX.Search.Results.IP AddressstringIP Address
FireEyeHX.Search.Results.Process NamestringProcess Name
FireEyeHX.Search.Results.Timestamp - EventstringTimestamp - Event
FireEyeHX.Search.Results.typestringThe type of the event
FireEyeHX.Search.Results.idstringID of the result

fireeye-hx-get-host-set-information#


Get a list of all host sets known to your HX Series appliance

Base Command#

fireeye-hx-get-host-set-information

Input#

Argument NameDescriptionRequired
hostSetIDID of a specific host set to get.Optional
offsetSpecifies which record to start with in the response. The offset value must be an unsigned 32-bit integer. The default is 0.Optional
limitSpecifies how many records are returned. The limit value must be an unsigned 32-bit integer. The default is 50.Optional
searchSearches the names of all host sets connected to the specified HX appliance.Optional
sortSorts the results by the specified field in ascending or descending order. The default is sorting by name in ascending order. Sortable fields are _id (host set ID) and name (host set name).Optional
nameSpecifies the name of host set to look for.Optional
typeSpecifies the type of host sets to search for.Optional

Context Output#

PathTypeDescription
FireEyeHX.HostSets._idnumberhost set id
FireEyeHX.HostSets._revisionstringRevision number
FireEyeHX.HostSets.namestringHost set name
FireEyeHX.HostSets.typestringHost set type (static/dynamic/hidden)
FireEyeHX.HostSets.urlstringHost set FireEye url

Command Example#

!fireeye-hx-get-host-set-information

Context Example#

{
"FireEyeHX": {
"HostSets": {
"_id": 1001,
"_revision": "20210308150955358783164361",
"name": "Demisto",
"type": "venn",
"url": "/hx/api/v3/host_sets/1001"
}
}
}

Human Readable Output#

FireEye HX Get Host Sets Information#

NameIDType
Demisto1001venn

fireeye-hx-create-indicator#


Create new indicator

Base Command#

fireeye-hx-create-indicator

Input#

Argument NameDescriptionRequired
categoryThe indicator category.Required

Context Output#

PathTypeDescription
FireEyeHX.Indicators.active_sincedateDate indicator became active.
FireEyeHX.Indicators.metastringMeta data for new indicator
FireEyeHX.Indicators.display_namestringThe indicator display name
FireEyeHX.Indicators.namestringThe indicator name as displayed in the UI.
FireEyeHX.Indicators.created_bystringThe "Created By" field as displayed in UI
FireEyeHX.Indicators.urlstringThe data URL
FireEyeHX.Indicators.create_textUnknownThe indicator create text
FireEyeHX.Indicators.platformsstringList of families of operating systems.
FireEyeHX.Indicators.create_actor._idnumberThe ID of the actor
FireEyeHX.Indicators.create_actor.usernamestringActor user name
FireEyeHX.Indicators.signaturestringSignature of indicator
FireEyeHX.Indicators._revisionstringIndicator revision
FireEyeHX.Indicators._idstringFireEye unique indicator ID.
FireEyeHX.Indicator.descriptionstringIndicator description
FireEyeHX.Indicators.category._idnumberCategory ID
FireEyeHX.Indicators.category.namestringCategory name
FireEyeHX.Indicators.category.share_modestringCategory share mode
FireEyeHX.Indicators.category.uri_namestringCategory uri name
FireEyeHX.Indicators.category.urlstringCategory URL
FireEyeHX.Indicators.uri_namestringThe indicator uri name
FireEyeHX.Indicators.stats.active_conditionsnumberIndicator active conditions
FireEyeHX.Indicators.stats.alerted_agentsnumberTotal number of agents with HX alerts associated with this indicator.
FireEyeHX.Indicators.stats.source_alertsnumberTotal number of source alerts associated with this indicator.
FireEyeHX.Indicators.update_actor._idnumberUpdate actor ID
FireEyeHX.Indicators.update_actor.usernamestringUpdate actor name

fireeye-hx-append-conditions#


Add conditions to an indicator. Conditions can be MD5, hash values, domain names and IP addresses.

Base Command#

fireeye-hx-append-conditions

Input#

Argument NameDescriptionRequired
categoryThe indicator category. Please use the uri_category value.Required
nameThe name of the indicator. Please use the uri_name value.Required
conditionA list of conditions to add. The list can include a list of IPv4 addresses, MD5 files, and domain names. For example: example.netexample.orgexample.lol.Required

Context Output#

There is no context output for this command.

fireeye-hx-get-all-hosts-information#


Get information on all hosts

Base Command#

fireeye-hx-get-all-hosts-information

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
FireEyeHX.Hosts._idUnknownFireEye HX Agent ID.
FireEyeHX.Hosts.agent_versionUnknownThe agent version.
FireEyeHX.Hosts.excluded_from_containmentUnknownDetermines whether the host is excluded from containment.
FireEyeHX.Hosts.containment_missing_softwareUnknownBoolean value to indicate for containment missing software.
FireEyeHX.Hosts.containment_queuedUnknownDetermines whether the host is queued for containment.
FireEyeHX.Hosts.containment_stateUnknownThe containment state of the host. Possible values normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu.
FireEyeHX.Hosts.stats.alerting_conditionsUnknownThe number of conditions that have alerted for the host.
FireEyeHX.Hosts.stats.alertsUnknownTotal number of alerts, including exploit-detection alerts.
FireEyeHX.Hosts.stats.exploit_blocksUnknownThe number of blocked exploits on the host.
FireEyeHX.Hosts.stats.malware_alertsUnknownThe number of malware alerts associated with the host.
FireEyeHX.Hosts.hostnameUnknownThe host name.
FireEyeHX.Hosts.domainUnknownDomain name.
FireEyeHX.Hosts.timezoneUnknownHost time zone.
FireEyeHX.Hosts.primary_ip_addressUnknownThe host IP address.
FireEyeHX.Hosts.last_poll_timestampUnknownThe timestamp of the last system poll preformed on the host.
FireEyeHX.Hosts.initial_agent_checkinUnknownTimestamp of the initial agent check-in.
FireEyeHX.Hosts.last_alert_timestampUnknownThe time stamp of the last alert for the host.
FireEyeHX.Hosts.last_exploit_block_timestampUnknownTime when the last exploit was blocked on the host. The value is null if no exploits have been blocked.
FireEyeHX.Hosts.os.product_nameUnknownSpecific operating system
FireEyeHX.Hosts.os.bitnessUnknownOS Bitness.
FireEyeHX.Hosts.os.platformUnknownFamily of operating systems. Valid values are win, osx, and linux.
FireEyeHX.Hosts.primary_macUnknownThe host MAC address.

Command Example#

!fireeye-hx-get-all-hosts-information

Context Example#

{
"Endpoint": [
{
"Domain": "WORKGROUP",
"Hostname": "WIN10X64",
"ID": "Hqb2ns3oui1fpzg0BxI1Ch",
"IPAddress": "1.1.1.1",
"MACAddress": "00-50-56-89-1c-5b",
"OS": "win",
"OSVersion": "Windows 10 Pro"
},
{
"Domain": "localdomain",
"Hostname": "localhost",
"ID": "GfLI00Q4zpidezw9I11rV6",
"IPAddress": "1.1.1.1",
"MACAddress": "00-50-56-89-e7-22",
"OS": "linux",
"OSVersion": "CentOS Linux 7 (Core)"
}
],
"FireEyeHX": {
"Hosts": {
"Agent ID": "GfLI00Q4zpidezw9I11rV6",
"Agent Version": "31.28.17",
"Containment State": "normal",
"Domain": "localdomain",
"Host IP": "1.1.1.1",
"Host Name": "localhost",
"Last Alert": null,
"Last Poll": "2021-10-18T14:02:32.000Z",
"OS": "linux"
}
}
}

Human Readable Output#

FireEye HX Get Hosts Information#

Host NameHost IPAgent IDAgent VersionOSLast PollContainment StateDomainLast Alert
WIN10X641.1.1.1Hqb2ns3oui1fpzg0BxI1Ch31.28.17win2021-10-18T13:59:44.000ZnormalWORKGROUP_id: 2
url: /hx/api/v3/alerts/2
localhost1.1.1.1GfLI00Q4zpidezw9I11rV631.28.17linux2021-10-18T14:02:32.000Znormallocaldomain

fireeye-hx-initiate-data-acquisition#


Initiate a data acquisition process to gather artifacts from the system disk and memory

Base Command#

fireeye-hx-initiate-data-acquisition

Input#

Argument NameDescriptionRequired
scriptAcquisition script in JSON format.Optional
scriptNameThe script name. If the Acquisition script is specified, the script name must be specified as well.Optional
defaultSystemScriptUse default script. Select the host system. Possible values are: osx, win, linux.Optional
agentIdThe agent ID. If the host name is not specified, the agent ID must be specified.Optional
hostNameThe host name. If the agent ID is not specified, the host name must be specified.Optional

Context Output#

PathTypeDescription
FireEyeHX.Acquisitions.Data._idunknownThe acquisition unique ID.
FireEyeHX.Acquisitions.Data.stateunknownThe acquisition state
FireEyeHX.Acquisitions.Data.md5unknownFile md5
FireEyeHX.Acquisitions.Data.host._idunknownAgent ID
FireEyeHX.Acquisitions.Data.host.hostnameunknownHostname
FireEyeHX.Acquisitions.Data.instanceunknownFIreEye HX instance
FireEyeHX.Acquisitions.Data.finish_timeunknownTime when the acquisition finished

Command Example#

Human Readable Output#

fireeye-hx-get-data-acquisition#


Gather artifacts from the system disk and memory for the given acquisition id. The data is fetched as mans file

Base Command#

fireeye-hx-get-data-acquisition

Input#

Argument NameDescriptionRequired
acquisitionIdThe acquisition unique ID.Required

Context Output#

PathTypeDescription
FireEyeHX.Acquisitions.Data._idunknownThe acquisition unique ID.
FireEyeHX.Acquisitions.Data.stateunknownThe acquisition state.
FireEyeHX.Acquisitions.Data.md5unknownFile md5.
FireEyeHX.Acquisitions.Data.host._idunknownAgent ID
FireEyeHX.Acquisitions.Data.finish_timeunknownTime when the acquisition finished
FireEyeHX.Acquisitions.Data.host.hostnameunknownHostname
FireEyeHX.Acquisitions.Data.instanceunknownFIreEye HX instance

Command Example#

Human Readable Output#

Error Responses - Timeout Error#

Timeout error indicates that time limitation for the command has exceeded before results are returned.

To resolve this issue, configure new time limitation for the command.

  1. Navigate to Settings > About > Troubleshooting > Server Configuration.
  2. click Add Server Configuration.
  3. Set the key field using this format: FireEye HX.<command-name>.timeout.
  4. Set the value field to the desired time limit for the command to run (in minutes).

Known Limitations#

Acquisitions limitations#

  • Acquisitions are stored for 14 days or until the aggregate size of all acquisitions exceeds the acquisition space limit, which is from 30 GB to 9 TB, depending on the HX Series appliance.

  • When the acquisition space is completely full and automatic triages fill 10 percent of the acquisition space, the HX Series appliance reclaims disk space by removing automatic triage collections.

  • When the acquisition space is 90 percent full, no new acquisitions can be created, and bulk acquisitions that are running might be canceled.

    Containment Limitations#

  • Some hosts cannot be contained.

  • The time it takes to contain a host varies, based on factors such as agent connectivity, network traffic, and other jobs running in your environment.

  • You can only contain a host if the agent package for that host is available on the HX Series appliance.

Command Timeout#

The following commands have high potential to exceed the default time limit for a running command. To avoid command timeout, change the command timeout settings.

  • fireeye-hx-search
  • fireeye-hx-data-acquisition
  • fireeye-hx-file-acquisition

    Configure Command Timeout#

  1. Navigate to Settings > About > Troubleshooting.
  2. In the Server Configuration section, click Add Server Configuration.
  3. Set the Key field using this format: FireEye HX.timeout
  4. Set the Value field to the timeout you need (in minutes).