FireEye HX (Deprecated)
FireEye HX Pack.#
This Integration is part of theDeprecated
Use FireEyeHX v2 instead.
FireEye Endpoint Security is an integrated solution that detects what others miss and protects endpoint against known and unknown threats. The HX Demisto integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. Customers can extract critical data and effectively operate security operations automated playbook.
#
Configure FireEye HX in CortexParameter | Required |
---|---|
Server URL (e.g. https://192.168.0.1:3000) | True |
Credentials | True |
Password | True |
Version | True |
Trust any certificate (not secure) | False |
Use system proxy settings | False |
Fetch incidents | False |
Incident type | False |
Fetch limit | False |
Incidents Fetch Interval | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
fireeye-hx-host-containmentApply containment for a specific host, so that it no longer has access to other systems.
#
Base Commandfireeye-hx-host-containment
#
InputArgument Name | Description | Required |
---|---|---|
hostName | The host name to be contained. If the hostName is not specified, the agentId must be specified. | Optional |
agentId | The agent id running on the host to be contained. If the agentId is not specified, the hostName must be specified. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Hosts._id | Unknown | FireEye HX Agent ID. |
FireEyeHX.Hosts.agent_version | Unknown | The agent version. |
FireEyeHX.Hosts.excluded_from_containment | Unknown | Determines whether the host is excluded from containment. |
FireEyeHX.Hosts.containment_missing_software | Unknown | Boolean value to indicate for containment missing software. |
FireEyeHX.Hosts.containment_queued | Unknown | Determines whether the host is queued for containment. |
FireEyeHX.Hosts.containment_state | Unknown | The containment state of the host. Possible values normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu. |
FireEyeHX.Hosts.stats.alerting_conditions | Unknown | The number of conditions that have alerted for the host. |
FireEyeHX.Hosts.stats.alerts | Unknown | Total number of alerts, including exploit-detection alerts. |
FireEyeHX.Hosts.stats.exploit_blocks | Unknown | The number of blocked exploits on the host. |
FireEyeHX.Hosts.stats.malware_alerts | Unknown | The number of malware alerts associated with the host. |
FireEyeHX.Hosts.hostname | Unknown | The host name. |
FireEyeHX.Hosts.domain | Unknown | Domain name. |
FireEyeHX.Hosts.timezone | Unknown | Host time zone. |
FireEyeHX.Hosts.primary_ip_address | Unknown | The host IP address. |
FireEyeHX.Hosts.last_poll_timestamp | Unknown | The timestamp of the last system poll preformed on the host. |
FireEyeHX.Hosts.initial_agent_checkin | Unknown | Timestamp of the initial agent check-in. |
FireEyeHX.Hosts.last_alert_timestamp | Unknown | The time stamp of the last alert for the host. |
FireEyeHX.Hosts.last_exploit_block_timestamp | Unknown | Time when the last exploit was blocked on the host. The value is null if no exploits have been blocked. |
FireEyeHX.Hosts.os.product_name | Unknown | Specific operating system |
FireEyeHX.Hosts.os.bitness | Unknown | OS Bitness. |
FireEyeHX.Hosts.os.platform | Unknown | Family of operating systems. Valid values are win, osx, and linux. |
FireEyeHX.Hosts.primary_mac | Unknown | The host MAC address. |
#
Command Example!fireeye-hx-host-containment agentId=”uGvn34ZkM3bfSf1nOT”
!fireeye-hx-host-containment hostname=“DESKTOP-HK8OI62”
#
Context Example#
fireeye-hx-cancel-containmentRelease a specific host from containment.
#
Base Commandfireeye-hx-cancel-containment
#
InputArgument Name | Description | Required |
---|---|---|
hostName | The host name to be contained. If the hostName is not specified, the agentId must be specified. | Optional |
agentId | The agent id running on the host to be contained. If the agentId is not specified, the hostName must be specified. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Hosts._id | Unknown | FireEye HX Agent ID. |
FireEyeHX.Hosts.agent_version | Unknown | The agent version. |
FireEyeHX.Hosts.excluded_from_containment | Unknown | Determines whether the host is excluded from containment. |
FireEyeHX.Hosts.containment_missing_software | Unknown | Boolean value to indicate for containment missing software. |
FireEyeHX.Hosts.containment_queued | Unknown | Determines whether the host is queued for containment. |
FireEyeHX.Hosts.containment_state | Unknown | The containment state of the host. Possible values normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu. |
FireEyeHX.Hosts.stats.alerting_conditions | Unknown | The number of conditions that have alerted for the host. |
FireEyeHX.Hosts.stats.alerts | Unknown | Total number of alerts, including exploit-detection alerts. |
FireEyeHX.Hosts.stats.exploit_blocks | Unknown | The number of blocked exploits on the host. |
FireEyeHX.Hosts.stats.malware_alerts | Unknown | The number of malware alerts associated with the host. |
FireEyeHX.Hosts.hostname | Unknown | The host name. |
FireEyeHX.Hosts.domain | Unknown | Domain name. |
FireEyeHX.Hosts.timezone | Unknown | Host time zone. |
FireEyeHX.Hosts.primary_ip_address | Unknown | The host IP address. |
FireEyeHX.Hosts.last_poll_timestamp | Unknown | The timestamp of the last system poll preformed on the host. |
FireEyeHX.Hosts.initial_agent_checkin | Unknown | Timestamp of the initial agent check-in. |
FireEyeHX.Hosts.last_alert_timestamp | Unknown | The time stamp of the last alert for the host. |
FireEyeHX.Hosts.last_exploit_block_timestamp | Unknown | Time when the last exploit was blocked on the host. The value is null if no exploits have been blocked. |
FireEyeHX.Hosts.os.product_name | Unknown | Specific operating system |
FireEyeHX.Hosts.os.bitness | Unknown | OS Bitness. |
FireEyeHX.Hosts.os.platform | Unknown | Family of operating systems. Valid values are win, osx, and linux. |
FireEyeHX.Hosts.primary_mac | Unknown | The host MAC address. |
#
Command Examples!fireeye-hx-cancel-containment hostname=“DESKTOP-HK8OI62”
!fireeye-hx-cancel-containment agentId=”uGvn34ZkM3bfSf1nOT”
#
Context Example#
fireeye-hx-get-alertsGet a list of alerts, use the different arguments to filter the results returned.
#
Base Commandfireeye-hx-get-alerts
#
InputArgument Name | Description | Required |
---|---|---|
hasShareMode | Identifies which alerts result from indicators with the specified share mode. Possible values are: any, restricted, unrestricted. | Optional |
resolution | Sorts the results by the specified field. Possible values are: active_threat, alert, block, partial_block. | Optional |
agentId | Filter by the agent ID. | Optional |
conditionId | Filter by condition ID. | Optional |
eventAt | Filter event occurred time. ISO-8601 timestamp.. | Optional |
alertId | Filter by alert ID. | Optional |
matchedAt | Filter by match detection time. ISO-8601 timestamp. | Optional |
minId | Filter that returns only records with an AlertId field value great than the minId value. | Optional |
reportedAt | Filter by reported time. ISO-8601 timestamp. | Optional |
IOCsource | Source of alert- indicator of compromise. Possible values are: yes. | Optional |
EXDsource | Source of alert - exploit detection. Possible values are: yes. | Optional |
MALsource | Source of alert - malware alert. Possible values are: yes. | Optional |
limit | Limit the results returned. | Optional |
sort | Sorts the results by the specified field in ascending order. Possible values are: agentId, conditionId, eventAt, alertId, matchedAt, id, reportedAt. | Optional |
sortOrder | The sort order for the results. Possible values are: ascending, descending. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Alerts._id | Unknown | FireEye alert ID. |
FireEyeHX.Alerts.agent._id | Unknown | FireEye agent ID. |
FireEyeHX.Alerts.agent.containment_state | Unknown | Host containment state. |
FireEyeHX.Alerts.condition._id | Unknown | The condition unique ID. |
FireEyeHX.Alerts.event_at | Unknown | Time when the event occoured. |
FireEyeHX.Alerts.matched_at | Unknown | Time when the event was matched. |
FireEyeHX.Alerts.reported_at | Unknown | Time when the event was reported. |
FireEyeHX.Alerts.source | Unknown | Source of alert. |
FireEyeHX.Alerts.matched_source_alerts._id | Unknown | Source alert ID. |
FireEyeHX.Alerts.matched_source_alerts.appliance_id | Unknown | Appliance ID |
FireEyeHX.Alerts.matched_source_alerts.meta | Unknown | Source alert meta. |
FireEyeHX.Alerts.matched_source_alerts.indicator_id | Unknown | Indicator ID. |
FireEyeHX.Alerts.resolution | Unknown | Alert resulotion. |
FireEyeHX.Alerts.event_type | Unknown | Event type. |
#
Command Example!fireeye-hx-get-alerts limit="10" sort="id" sortOrder="descending"
#
Context Example#
fireeye-hx-suppress-alertSuppress alert by ID
#
Base Commandfireeye-hx-suppress-alert
#
InputArgument Name | Description | Required |
---|---|---|
alertId | The alert id. The alert id is listed in the output of 'get-alerts' command. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!fireeye-hx-suppress-alert alertId=2
#
fireeye-hx-get-indicatorsGet a list of indicators
#
Base Commandfireeye-hx-get-indicators
#
InputArgument Name | Description | Required |
---|---|---|
category | The indicator category. | Optional |
searchTerm | The searchTerm can be any name, category, signature, source, or condition value. | Optional |
shareMode | Determines who can see the indicator. You must belong to the correct authorization group . Possible values are: any, restricted, unrestricted, visible. | Optional |
sort | Sorts the results by the specified field in ascending order. Possible values are: category, activeSince, createdBy, alerted. | Optional |
createdBy | Person who created the indicator. | Optional |
alerted | Whether the indicator resulted in alerts. Possible values are: yes, no. | Optional |
limit | Limit the number of results. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Indicators._id | Unknown | FireEye unique indicator ID. |
FireEyeHX.Indicators.name | Unknown | The indicator name as displayed in the UI. |
FireEyeHX.Indicators.description | Unknown | Indicator description. |
FireEyeHX.Indicators.category.name | Unknown | Catagory name. |
FireEyeHX.Indicators.created_by | Unknown | The "Created By" field as displayed in UI |
FireEyeHX.Indicators.active_since | Unknown | Date indicator became active. |
FireEyeHX.Indicators.stats.source_alerts | Unknown | Total number of source alerts associated with this indicator. |
FireEyeHX.Indicators.stats.alerted_agents | Unknown | Total number of agents with HX alerts associated with this indicator. |
FireEyeHX.Indicators.platforms | Unknown | List of families of operating systems. |
FireEyeHX.Indicators.uri_name | String | URI formatted name of the indicator. |
FireEyeHX.Indicators.category.uri_name | String | URI name of the category. |
#
Command Example!fireeye-hx-get-indicators limit=2
#
Context Example#
Human Readable Output#
FireEye HX Get Indicator- None
OS Name Created By Active Since Category Signature Active Condition Hosts With Alerts Source Alerts win, osx, linux 34757fe7-bdd7-4c85-b0e1-9adfb5e48300 api-admin 2021-10-17T11:56:18.818Z Custom 0 0 0 win, osx, linux SUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY) General_Windows_unrestricted_2021.09.270849 2021-09-28T14:44:04.245Z Mandiant Unrestricted Intel 6 0 0
#
fireeye-hx-get-indicatorGet a specific indicator details
#
Base Commandfireeye-hx-get-indicator
#
InputArgument Name | Description | Required |
---|---|---|
category | Indicator category. Please use the uri_category value. | Required |
name | Indicator name. Please use the uri_name value. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Indicators._id | Unknown | FireEye unique indicator ID. |
FireEyeHX.Indicators.name | Unknown | The indicator name as displayed in the UI. |
FireEyeHX.Indicators.description | Unknown | Indicator description. |
FireEyeHX.Indicators.category.name | Unknown | Catagory name. |
FireEyeHX.Indicators.created_by | Unknown | The "Created By" field as displayed in UI |
FireEyeHX.Indicators.active_since | Unknown | Date indicator became active. |
FireEyeHX.Indicators.stats.source_alerts | Unknown | Total number of source alerts associated with this indicator. |
FireEyeHX.Indicators.stats.alerted_agents | Unknown | Total number of agents with HX alerts associated with this indicator. |
FireEyeHX.Indicators.platforms | Unknown | List of families of operating systems. |
FireEyeHX.Conditions._id | Unknown | FireEye unique condition ID. |
FireEyeHX.Conditions.event_type | Unknown | Event type. |
FireEyeHX.Conditions.enabled | Unknown | Indicates whether the condition is enabled. |
#
Command Example!fireeye-hx-get-indicator category=Custom name="5def0b16-87bc-42a2-877a-bca45ebcbc9a"
#
Context Example#
Human Readable Output#
Indicator "5def0b16-87bc-42a2-877a-bca45ebcbc9a" Alerts on
Event Type Operator Value dnsLookupEvent equal example.lol dnsLookupEvent equal example.abc
#
fireeye-hx-get-host-informationGet information on a host associated with an agent.
#
Base Commandfireeye-hx-get-host-information
#
InputArgument Name | Description | Required |
---|---|---|
agentId | The agent ID. If the agent ID is not specified, the host Name must be specified. | Optional |
hostName | The host name. If the host name is not specified, the agent ID must be specified. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Hosts._id | Unknown | FireEye HX Agent ID. |
FireEyeHX.Hosts.agent_version | Unknown | The agent version. |
FireEyeHX.Hosts.excluded_from_containment | Unknown | Determines whether the host is excluded from containment. |
FireEyeHX.Hosts.containment_missing_software | Unknown | Boolean value to indicate for containment missing software. |
FireEyeHX.Hosts.containment_queued | Unknown | Determines whether the host is queued for containment. |
FireEyeHX.Hosts.containment_state | Unknown | The containment state of the host. Possible values normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu. |
FireEyeHX.Hosts.stats.alerting_conditions | Unknown | The number of conditions that have alerted for the host. |
FireEyeHX.Hosts.stats.alerts | Unknown | Total number of alerts, including exploit-detection alerts. |
FireEyeHX.Hosts.stats.exploit_blocks | Unknown | The number of blocked exploits on the host. |
FireEyeHX.Hosts.stats.malware_alerts | Unknown | The number of malware alerts associated with the host. |
FireEyeHX.Hosts.hostname | Unknown | The host name. |
FireEyeHX.Hosts.domain | Unknown | Domain name. |
FireEyeHX.Hosts.timezone | Unknown | Host time zone. |
FireEyeHX.Hosts.primary_ip_address | Unknown | The host IP address. |
FireEyeHX.Hosts.last_poll_timestamp | Unknown | The timestamp of the last system poll preformed on the host. |
FireEyeHX.Hosts.initial_agent_checkin | Unknown | Timestamp of the initial agent check-in. |
FireEyeHX.Hosts.last_alert_timestamp | Unknown | The time stamp of the last alert for the host. |
FireEyeHX.Hosts.last_exploit_block_timestamp | Unknown | Time when the last exploit was blocked on the host. The value is null if no exploits have been blocked. |
FireEyeHX.Hosts.os.product_name | Unknown | Specific operating system |
FireEyeHX.Hosts.os.bitness | Unknown | OS Bitness. |
FireEyeHX.Hosts.os.platform | Unknown | Family of operating systems. Valid values are win, osx, and linux. |
FireEyeHX.Hosts.primary_mac | Unknown | The host MAC address. |
#
Command Example!fireeye-hx-get-host-information hostName=”DESKTOP-XXX”
#
Context Output#
fireeye-hx-get-alertGet details of a specific alert
#
Base Commandfireeye-hx-get-alert
#
InputArgument Name | Description | Required |
---|---|---|
alertId | The alert ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Alerts._id | Unknown | FireEye alert ID. |
FireEyeHX.Alerts.agent._id | Unknown | FireEye agent ID. |
FireEyeHX.Alerts.agent.containment_state | Unknown | Host containment state. |
FireEyeHX.Alerts.condition._id | Unknown | The condition unique ID. |
FireEyeHX.Alerts.event_at | Unknown | Time when the event occoured. |
FireEyeHX.Alerts.matched_at | Unknown | Time when the event was matched. |
FireEyeHX.Alerts.reported_at | Unknown | Time when the event was reported. |
FireEyeHX.Alerts.source | Unknown | Source of alert. |
FireEyeHX.Alerts.matched_source_alerts._id | Unknown | Source alert ID. |
FireEyeHX.Alerts.matched_source_alerts.appliance_id | Unknown | Appliance ID |
FireEyeHX.Alerts.matched_source_alerts.meta | Unknown | Source alert meta. |
FireEyeHX.Alerts.matched_source_alerts.indicator_id | Unknown | Indicator ID. |
FireEyeHX.Alerts.resolution | Unknown | Alert resulotion. |
FireEyeHX.Alerts.event_type | Unknown | Event type. |
#
fireeye-hx-file-acquisitionAquire a specific file as a password protected zip file. The password for unlocking the zip file is 'unzip-me'.
#
Base Commandfireeye-hx-file-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
fileName | The file name. | Required |
filePath | The file path. | Required |
acquireUsing | Whether to aqcuire the file using the API or RAW. By default, raw file will be acquired. Use API option when file is encrypted. Possible values are: API, RAW. | Optional |
agentId | The agent ID associated with the host that holds the file. If the hostName is not specified, the agentId must be specified. | Optional |
hostName | The host that holds the file. If the agentId is not specified, hostName must be specified. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Acquisitions.Files._id | Unknown | The acquisition unique ID. |
FireEyeHX.Acquisitions.Files.state | Unknown | The acquisition state. |
FireEyeHX.Acquisitions.Files.md5 | Unknown | File md5. |
FireEyeHX.Acquisitions.Files.req_filename | Unknown | The file name. |
FireEyeHX.Acquisitions.Files.req_path | Unknown | The file path. |
FireEyeHX.Acquisitions.Files.host._id | Unknown | FireEye HX agent ID. |
#
Command Example!fireeye-hx-file-acquisition fileName="test.txt"filePath="C:\\Users\\user\\Documents" hostName="DESKTOP-DES01"
#
Context Output#
fireeye-hx-delete-file-acquisitionDelete the file acquisition, by ID.
#
Base Commandfireeye-hx-delete-file-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
acquisitionId | The acquisition ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!fireeye-hx-delete-file-acquisition acquisitionId=10
#
fireeye-hx-data-acquisitionStart a data acquisition process to gather artifacts from the system disk and memory. The data is fetched as mans file.
#
Base Commandfireeye-hx-data-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
script | Acquisition script in JSON format. | Optional |
scriptName | The script name. If the Acquisition script is specified, the script name must be specified as well. | Optional |
defaultSystemScript | Use default script. Select the host system. Possible values are: osx, win, linux. | Optional |
agentId | The agent ID. If the host name is not specified, the agent ID must be specified. | Optional |
hostName | The host name. If the agent ID is not specified, the host name must be specified. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Acquisitions.Data._id | Unknown | The acquisition unique ID. |
FireEyeHX.Acquisitions.Data.state | Unknown | The acquisition state. |
FireEyeHX.Acquisitions.Data.md5 | Unknown | File md5. |
FireEyeHX.Acquisitions.Data.finish_time | Unknown | Time when the acquisition was finished. |
FireEyeHX.Acquisitions.Data.host._id | unknown | Agent ID |
#
Command Example! fireeye-hx-data-acquisition hostName="DESKTOP-DES01" defaultSystemScript=win
#
Contex Example#
fireeye-hx-delete-data-acquisitionDelete data acquisition.
#
Base Commandfireeye-hx-delete-data-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
acquisitionId | The acquisition ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!fireeye-hx-delete-data-acquisition acquisitionId=10
#
fireeye-hx-searchSearch endpoints to check all hosts or a subset of hosts for a specific file or indicator.
#
Base Commandfireeye-hx-search
#
InputArgument Name | Description | Required |
---|---|---|
agentsIds | IDs of agents to be searched. | Optional |
hostsNames | Names of hosts to be searched. | Optional |
hostSet | Id of host set to be searched. | Optional |
limit | Limit results count (once limit is reached, the search is stopped). | Optional |
exhaustive | Should search be exhaustive or quick. Possible values are: yes, no. Default is True. | Optional |
ipAddress | A valid IPv4 address to search for. | Optional |
ipAddressOperator | Which operator to apply to the given IP address. Possible values are: equals, not equals. | Optional |
fileMD5Hash | A 32-character MD5 hash value to search for. | Optional |
fileMD5HashOperator | Which operator to apply to the given MD5 hash. Possible values are: equals, not equals. | Optional |
fileFullPath | Full path of file to search. | Optional |
fileFullPathOperator | Which operator to apply to the given file path. Possible values are: equals, not equals, contains, not contains. | Optional |
dnsHostname | DNS value to search for. | Optional |
dnsHostnameOperator | Which operator to apply to the given DNS. Possible values are: equals, not equals, contains, not contains. | Optional |
stopSearch | Method in which search should be stopped after finding <limit> number of results. Possible values are: stopAndDelete, stop. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Search.Results.Timestamp - Modified | string | Time when the entry was last modified |
FireEyeHX.Search.Results.File Text Written | string | The file text content |
FireEyeHX.Search.Results.File Name | string | Name of the file |
FireEyeHX.Search.Results.File Full Path | string | The full path of the file |
FireEyeHX.Search.Results.File Bytes Written | string | Number of bytes written to the file |
FireEyeHX.Search.Results.Size in bytes | string | Size of the file in bytes |
FireEyeHX.Search.Results.Browser Version | string | Version of the browser |
FireEyeHX.Search.Results.Browser Name | string | Name of the browser |
FireEyeHX.Search.Results.Cookie Name | string | Name of the cookie |
FireEyeHX.Search.Results.DNS Hostname | string | Name of the DNS host |
FireEyeHX.Search.Results.URL | string | The event URL |
FireEyeHX.Search.Results.Username | string | The event username |
FireEyeHX.Search.Results.File MD5 Hash | string | MD5 hash of the file |
FireEyeHX.Search.HostID | string | ID of the host |
FireEyeHX.Search.HostName | string | Name of host |
FireEyeHX.Search.HostUrl | string | Inner FireEye host url |
FireEyeHX.Search.SearchID | string | ID of performed search |
FireEyeHX.Search.Results.Timestamp - Accessed | string | Last accessed time |
FireEyeHX.Search.Results.Port | number | Port |
FireEyeHX.Search.Results.Process ID | string | ID of the process |
FireEyeHX.Search.Results.Local IP Address | string | Local IP Address |
FireEyeHX.Search.Results.Local IP Address | string | Local IP Address |
FireEyeHX.Search.Results.Local Port | number | Local Port |
FireEyeHX.Search.Results.Username | string | Username |
FireEyeHX.Search.Results.Remote Port | number | Remote Port |
FireEyeHX.Search.Results.IP Address | string | IP Address |
FireEyeHX.Search.Results.Process Name | string | Process Name |
FireEyeHX.Search.Results.Timestamp - Event | string | Timestamp - Event |
FireEyeHX.Search.Results.type | string | The type of the event |
FireEyeHX.Search.Results.id | string | ID of the result |
#
fireeye-hx-get-host-set-informationGet a list of all host sets known to your HX Series appliance
#
Base Commandfireeye-hx-get-host-set-information
#
InputArgument Name | Description | Required |
---|---|---|
hostSetID | ID of a specific host set to get. | Optional |
offset | Specifies which record to start with in the response. The offset value must be an unsigned 32-bit integer. The default is 0. | Optional |
limit | Specifies how many records are returned. The limit value must be an unsigned 32-bit integer. The default is 50. | Optional |
search | Searches the names of all host sets connected to the specified HX appliance. | Optional |
sort | Sorts the results by the specified field in ascending or descending order. The default is sorting by name in ascending order. Sortable fields are _id (host set ID) and name (host set name). | Optional |
name | Specifies the name of host set to look for. | Optional |
type | Specifies the type of host sets to search for. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.HostSets._id | number | host set id |
FireEyeHX.HostSets._revision | string | Revision number |
FireEyeHX.HostSets.name | string | Host set name |
FireEyeHX.HostSets.type | string | Host set type (static/dynamic/hidden) |
FireEyeHX.HostSets.url | string | Host set FireEye url |
#
Command Example!fireeye-hx-get-host-set-information
#
Context Example#
Human Readable Output#
FireEye HX Get Host Sets Information
Name ID Type Demisto 1001 venn
#
fireeye-hx-create-indicatorCreate new indicator
#
Base Commandfireeye-hx-create-indicator
#
InputArgument Name | Description | Required |
---|---|---|
category | The indicator category. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Indicators.active_since | date | Date indicator became active. |
FireEyeHX.Indicators.meta | string | Meta data for new indicator |
FireEyeHX.Indicators.display_name | string | The indicator display name |
FireEyeHX.Indicators.name | string | The indicator name as displayed in the UI. |
FireEyeHX.Indicators.created_by | string | The "Created By" field as displayed in UI |
FireEyeHX.Indicators.url | string | The data URL |
FireEyeHX.Indicators.create_text | Unknown | The indicator create text |
FireEyeHX.Indicators.platforms | string | List of families of operating systems. |
FireEyeHX.Indicators.create_actor._id | number | The ID of the actor |
FireEyeHX.Indicators.create_actor.username | string | Actor user name |
FireEyeHX.Indicators.signature | string | Signature of indicator |
FireEyeHX.Indicators._revision | string | Indicator revision |
FireEyeHX.Indicators._id | string | FireEye unique indicator ID. |
FireEyeHX.Indicator.description | string | Indicator description |
FireEyeHX.Indicators.category._id | number | Category ID |
FireEyeHX.Indicators.category.name | string | Category name |
FireEyeHX.Indicators.category.share_mode | string | Category share mode |
FireEyeHX.Indicators.category.uri_name | string | Category uri name |
FireEyeHX.Indicators.category.url | string | Category URL |
FireEyeHX.Indicators.uri_name | string | The indicator uri name |
FireEyeHX.Indicators.stats.active_conditions | number | Indicator active conditions |
FireEyeHX.Indicators.stats.alerted_agents | number | Total number of agents with HX alerts associated with this indicator. |
FireEyeHX.Indicators.stats.source_alerts | number | Total number of source alerts associated with this indicator. |
FireEyeHX.Indicators.update_actor._id | number | Update actor ID |
FireEyeHX.Indicators.update_actor.username | string | Update actor name |
#
fireeye-hx-append-conditionsAdd conditions to an indicator. Conditions can be MD5, hash values, domain names and IP addresses.
#
Base Commandfireeye-hx-append-conditions
#
InputArgument Name | Description | Required |
---|---|---|
category | The indicator category. Please use the uri_category value. | Required |
name | The name of the indicator. Please use the uri_name value. | Required |
condition | A list of conditions to add. The list can include a list of IPv4 addresses, MD5 files, and domain names. For example: example.netexample.orgexample.lol. | Required |
#
Context OutputThere is no context output for this command.
#
fireeye-hx-get-all-hosts-informationGet information on all hosts
#
Base Commandfireeye-hx-get-all-hosts-information
#
InputArgument Name | Description | Required |
---|
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Hosts._id | Unknown | FireEye HX Agent ID. |
FireEyeHX.Hosts.agent_version | Unknown | The agent version. |
FireEyeHX.Hosts.excluded_from_containment | Unknown | Determines whether the host is excluded from containment. |
FireEyeHX.Hosts.containment_missing_software | Unknown | Boolean value to indicate for containment missing software. |
FireEyeHX.Hosts.containment_queued | Unknown | Determines whether the host is queued for containment. |
FireEyeHX.Hosts.containment_state | Unknown | The containment state of the host. Possible values normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu. |
FireEyeHX.Hosts.stats.alerting_conditions | Unknown | The number of conditions that have alerted for the host. |
FireEyeHX.Hosts.stats.alerts | Unknown | Total number of alerts, including exploit-detection alerts. |
FireEyeHX.Hosts.stats.exploit_blocks | Unknown | The number of blocked exploits on the host. |
FireEyeHX.Hosts.stats.malware_alerts | Unknown | The number of malware alerts associated with the host. |
FireEyeHX.Hosts.hostname | Unknown | The host name. |
FireEyeHX.Hosts.domain | Unknown | Domain name. |
FireEyeHX.Hosts.timezone | Unknown | Host time zone. |
FireEyeHX.Hosts.primary_ip_address | Unknown | The host IP address. |
FireEyeHX.Hosts.last_poll_timestamp | Unknown | The timestamp of the last system poll preformed on the host. |
FireEyeHX.Hosts.initial_agent_checkin | Unknown | Timestamp of the initial agent check-in. |
FireEyeHX.Hosts.last_alert_timestamp | Unknown | The time stamp of the last alert for the host. |
FireEyeHX.Hosts.last_exploit_block_timestamp | Unknown | Time when the last exploit was blocked on the host. The value is null if no exploits have been blocked. |
FireEyeHX.Hosts.os.product_name | Unknown | Specific operating system |
FireEyeHX.Hosts.os.bitness | Unknown | OS Bitness. |
FireEyeHX.Hosts.os.platform | Unknown | Family of operating systems. Valid values are win, osx, and linux. |
FireEyeHX.Hosts.primary_mac | Unknown | The host MAC address. |
#
Command Example!fireeye-hx-get-all-hosts-information
#
Context Example#
Human Readable Output#
FireEye HX Get Hosts Information
Host Name Host IP Agent ID Agent Version OS Last Poll Containment State Domain Last Alert WIN10X64 1.1.1.1 Hqb2ns3oui1fpzg0BxI1Ch 31.28.17 win 2021-10-18T13:59:44.000Z normal WORKGROUP _id: 2
url: /hx/api/v3/alerts/2localhost 1.1.1.1 GfLI00Q4zpidezw9I11rV6 31.28.17 linux 2021-10-18T14:02:32.000Z normal localdomain
#
fireeye-hx-initiate-data-acquisitionInitiate a data acquisition process to gather artifacts from the system disk and memory
#
Base Commandfireeye-hx-initiate-data-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
script | Acquisition script in JSON format. | Optional |
scriptName | The script name. If the Acquisition script is specified, the script name must be specified as well. | Optional |
defaultSystemScript | Use default script. Select the host system. Possible values are: osx, win, linux. | Optional |
agentId | The agent ID. If the host name is not specified, the agent ID must be specified. | Optional |
hostName | The host name. If the agent ID is not specified, the host name must be specified. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Acquisitions.Data._id | unknown | The acquisition unique ID. |
FireEyeHX.Acquisitions.Data.state | unknown | The acquisition state |
FireEyeHX.Acquisitions.Data.md5 | unknown | File md5 |
FireEyeHX.Acquisitions.Data.host._id | unknown | Agent ID |
FireEyeHX.Acquisitions.Data.host.hostname | unknown | Hostname |
FireEyeHX.Acquisitions.Data.instance | unknown | FIreEye HX instance |
FireEyeHX.Acquisitions.Data.finish_time | unknown | Time when the acquisition finished |
#
Command Example
#
Human Readable Output#
fireeye-hx-get-data-acquisitionGather artifacts from the system disk and memory for the given acquisition id. The data is fetched as mans file
#
Base Commandfireeye-hx-get-data-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
acquisitionId | The acquisition unique ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Acquisitions.Data._id | unknown | The acquisition unique ID. |
FireEyeHX.Acquisitions.Data.state | unknown | The acquisition state. |
FireEyeHX.Acquisitions.Data.md5 | unknown | File md5. |
FireEyeHX.Acquisitions.Data.host._id | unknown | Agent ID |
FireEyeHX.Acquisitions.Data.finish_time | unknown | Time when the acquisition finished |
FireEyeHX.Acquisitions.Data.host.hostname | unknown | Hostname |
FireEyeHX.Acquisitions.Data.instance | unknown | FIreEye HX instance |
#
Command Example
#
Human Readable Output#
Error Responses - Timeout ErrorTimeout error indicates that time limitation for the command has exceeded before results are returned.
To resolve this issue, configure new time limitation for the command.
- Navigate to Settings > About > Troubleshooting > Server Configuration.
- click Add Server Configuration.
- Set the key field using this format: FireEye HX.<command-name>.timeout.
- Set the value field to the desired time limit for the command to run (in minutes).
#
Known Limitations#
Acquisitions limitationsAcquisitions are stored for 14 days or until the aggregate size of all acquisitions exceeds the acquisition space limit, which is from 30 GB to 9 TB, depending on the HX Series appliance.
When the acquisition space is completely full and automatic triages fill 10 percent of the acquisition space, the HX Series appliance reclaims disk space by removing automatic triage collections.
When the acquisition space is 90 percent full, no new acquisitions can be created, and bulk acquisitions that are running might be canceled.
#
Containment LimitationsSome hosts cannot be contained.
The time it takes to contain a host varies, based on factors such as agent connectivity, network traffic, and other jobs running in your environment.
You can only contain a host if the agent package for that host is available on the HX Series appliance.
#
Command TimeoutThe following commands have high potential to exceed the default time limit for a running command. To avoid command timeout, change the command timeout settings.
- fireeye-hx-search
- fireeye-hx-data-acquisition
- fireeye-hx-file-acquisition
#
Configure Command Timeout
- Navigate to Settings > About > Troubleshooting.
- In the Server Configuration section, click Add Server Configuration.
- Set the Key field using this format: FireEye HX.timeout
- Set the Value field to the timeout you need (in minutes).