FireEye Endpoint Security (HX) v2
FireEye HX Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
FireEye Endpoint Security is an integrated solution that detects what others miss and protects endpoint against known and unknown threats. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. Customers can extract critical data and effectively operate security operations automated playbook
Some changes have been made that might affect your existing content. If you are upgrading from a previous of this integration, see Breaking Changes.
#
Configure FireEye Endpoint Security (HX) v2 in CortexParameter | Required |
---|---|
Server URL (e.g. https://192.168.0.1:3000) | True |
User Name | True |
Password | True |
Trust any certificate (not secure) | False |
Use system proxy settings | False |
Fetch incidents | False |
Incident type | False |
Fetch limit | False |
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 3 days) | False |
Incidents Fetch Interval | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
fireeye-hx-get-host-informationReturns information on a host associated with an agent.
#
Base Commandfireeye-hx-get-host-information
#
InputArgument Name | Description | Required |
---|---|---|
agentId | The agent ID. If the agent ID is not specified, the hostName must be specified. | Optional |
hostName | The host name. If the hostName is not specified, the agent ID must be specified. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Hosts._id | String | The ID of the FireEye HX Agent. |
FireEyeHX.Hosts.agent_version | String | The version of the agent. |
FireEyeHX.Hosts.excluded_from_containment | Boolean | Determines whether the host is excluded from containment. |
FireEyeHX.Hosts.containment_missing_software | Boolean | Whether there is containment missing software. |
FireEyeHX.Hosts.containment_queued | Boolean | Determines whether the host is queued for containment. |
FireEyeHX.Hosts.containment_state | String | The containment state of the host. Possible values normal,contain,contain_fail,containing,contained,uncontain,uncontaining,wtfc,wtfu |
FireEyeHX.Hosts.stats.alerting_conditions | Number | The number of conditions that have alerted for the host. |
FireEyeHX.Hosts.stats.alerts | Number | The total number of alerts, including exploit-detection alerts. |
FireEyeHX.Hosts.stats.exploit_blocks | Number | The number of blocked exploits on the host. |
FireEyeHX.Hosts.stats.malware_alerts | Number | The number of malware alerts associated with the host. |
FireEyeHX.Hosts.hostname | String | The name of the host. |
FireEyeHX.Hosts.domain | String | The name of the domain. |
FireEyeHX.Hosts.timezone | String | The time zone of the host. |
FireEyeHX.Hosts.primary_ip_address | String | The IP address of the host. |
FireEyeHX.Hosts.last_poll_timestamp | String | The timestamp of the last system poll preformed on the host. |
FireEyeHX.Hosts.initial_agent_checkin | String | The timestamp of the initial agent check-in. |
FireEyeHX.Hosts.last_alert_timestamp | String | The time stamp of the last alert for the host. |
FireEyeHX.Hosts.last_exploit_block_timestamp | Unknown | The time when the last exploit was blocked on the host. The value is null if no exploits have been blocked. |
FireEyeHX.Hosts.os.product_name | String | The operating system of the host. |
FireEyeHX.Hosts.os.bitness | String | The bitness of the operating system. |
FireEyeHX.Hosts.os.platform | Unknown | The list of operating systems. Valid values are win, osx, and linux. |
FireEyeHX.Hosts.primary_mac | String | The MAC address of the host. |
#
Command example!fireeye-hx-get-host-information hostName=XXX
#
Context Example#
Human Readable Output#
FireEye HX Get Host Information
Host Name Host IP Agent ID Agent Version OS Last Poll Containment State Domain Last Alert XXX xx.xx.xx.xx YYYXXXYYY 31.28.17 win 2022-02-23T09:08:31.000Z normal WORKGROUP _id: 365
url: /hx/api/v3/alerts/365
#
fireeye-hx-get-all-hosts-informationReturns information on all hosts.
#
Base Commandfireeye-hx-get-all-hosts-information
#
InputArgument Name | Description | Required |
---|---|---|
offset | Specifies which record to start with in the response. Default is 0. | Optional |
limit | Limits the number of results. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Hosts._id | String | The FireEye HX Agent ID. |
FireEyeHX.Hosts.agent_version | String | The version of the agent. |
FireEyeHX.Hosts.excluded_from_containment | Boolean | Determines whether the host is excluded from containment. |
FireEyeHX.Hosts.containment_missing_software | Boolean | Whether there is containment missing software. |
FireEyeHX.Hosts.containment_queued | Boolean | Determines whether the host is queued for containment. |
FireEyeHX.Hosts.containment_state | String | The containment state of the host. Possible values are normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu. |
FireEyeHX.Hosts.stats.alerting_conditions | Number | The number of conditions that have been alerted for the host. |
FireEyeHX.Hosts.stats.alerts | Number | The total number of alerts, including exploit-detection alerts. |
FireEyeHX.Hosts.stats.exploit_blocks | Number | The number of blocked exploits on the host. |
FireEyeHX.Hosts.stats.malware_alerts | Number | The number of malware alerts associated with the host. |
FireEyeHX.Hosts.hostname | String | The name of the host. |
FireEyeHX.Hosts.domain | String | The name of the domain. |
FireEyeHX.Hosts.timezone | String | The time zone of the host. |
FireEyeHX.Hosts.primary_ip_address | String | The IP address of the host. |
FireEyeHX.Hosts.last_poll_timestamp | String | The timestamp of the last system poll preformed on the host. |
FireEyeHX.Hosts.initial_agent_checkin | String | The timestamp of the initial agent check-in. |
FireEyeHX.Hosts.last_alert_timestamp | String | The time stamp of the last alert for the host. |
FireEyeHX.Hosts.last_exploit_block_timestamp | Unknown | The time when the last exploit was blocked on the host. The value is null if no exploits have been blocked. |
FireEyeHX.Hosts.os.product_name | String | The operating system of the host. |
FireEyeHX.Hosts.os.bitness | String | The bitness of the operating system. |
FireEyeHX.Hosts.os.platform | String | The list of operating systems. Valid values are win, osx, and linux. |
FireEyeHX.Hosts.primary_mac | String | The host MAC address. |
#
Command example!fireeye-hx-get-all-hosts-information limit=1
#
Context Example#
Human Readable Output#
FireEye HX Get Hosts Information
Host Name Host IP Agent ID Agent Version OS Last Poll Containment State Domain Last Alert XXX xx.xx.xx.xx YYYXXXYYY 31.28.17 win 2022-02-23T09:08:31.000Z normal WORKGROUP _id: 365
url: /hx/api/v3/alerts/365
#
fireeye-hx-host-containmentApplies containment for a specific host, so that it no longer has access to other systems. If the user does not have the necessary permissions, the command will not approve the request. The permission required to approve the request is api_admin role.
#
Base Commandfireeye-hx-host-containment
#
InputArgument Name | Description | Required |
---|---|---|
hostName | The host name to be contained. If the hostName is not specified, the agentId must be specified. | Optional |
agentId | The agent id running on the host to be contained. If the agentId is not specified, the hostName must be specified. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Hosts._id | String | The ID of the FireEye HX Agent. |
FireEyeHX.Hosts.agent_version | String | The version of the agent. |
FireEyeHX.Hosts.excluded_from_containment | Boolean | Determines whether the host is excluded from containment. |
FireEyeHX.Hosts.containment_missing_software | Boolean | Whether there is containment missing software. |
FireEyeHX.Hosts.containment_queued | Boolean | Determines whether the host is queued for containment. |
FireEyeHX.Hosts.containment_state | String | The containment state of the host. Possible values are normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu. |
FireEyeHX.Hosts.stats.alerting_conditions | Number | The number of conditions that have been alerted for the host. |
FireEyeHX.Hosts.stats.alerts | Number | The total number of alerts, including exploit-detection alerts. |
FireEyeHX.Hosts.stats.exploit_blocks | Number | The number of blocked exploits on the host. |
FireEyeHX.Hosts.stats.malware_alerts | Number | The number of malware alerts associated with the host. |
FireEyeHX.Hosts.hostname | String | The name of the host. |
FireEyeHX.Hosts.domain | String | The name of the domain. |
FireEyeHX.Hosts.timezone | String | The time zone of the host. |
FireEyeHX.Hosts.primary_ip_address | String | The IP address of the host. |
FireEyeHX.Hosts.last_poll_timestamp | String | The timestamp of the last system poll preformed on the host. |
FireEyeHX.Hosts.initial_agent_checkin | String | The timestamp of the initial agent check-in. |
FireEyeHX.Hosts.last_alert_timestamp | String | The time stamp of the last alert for the host. |
FireEyeHX.Hosts.last_exploit_block_timestamp | String | The time when the last exploit was blocked on the host. The value is null if no exploits have been blocked. |
FireEyeHX.Hosts.os.product_name | String | The operating system of the host. |
FireEyeHX.Hosts.os.bitness | String | The bitness of the operating system. |
FireEyeHX.Hosts.os.platform | String | The list of operating systems. Valid values are win, osx, and linux. |
FireEyeHX.Hosts.primary_mac | String | The host MAC address. |
#
Command example!fireeye-hx-host-containment hostName=XXX
#
Context Example#
Human Readable Output#
Results
Domain Hostname ID IPAddress MACAddress OS OSVersion WORKGROUP XXX YYYXXXYYY xx.xx.xx.xx xx-xx-xx-xx-xx-xx win Windows 10 Pro
#
fireeye-hx-cancel-containmentReleases a specific host from containment.
#
Base Commandfireeye-hx-cancel-containment
#
InputArgument Name | Description | Required |
---|---|---|
hostName | The host name to be contained. If the hostName is not specified, the agentId must be specified. | Optional |
agentId | The agent ID running on the host to be contained. If the agentId is not specified, the hostName must be specified. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!fireeye-hx-cancel-containment hostName=XXX
#
Human Readable OutputSuccess
#
fireeye-hx-initiate-data-acquisitionInitiates a data acquisition process to collect artifacts from the system disk and memory.
#
Base Commandfireeye-hx-initiate-data-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
script | The acquisition script in JSON format. | Optional |
scriptName | The script name. If the acquisition script is specified, the script name must be specified as well. | Optional |
defaultSystemScript | Select the host system to use the default system script. Possible values are: osx, win, linux. | Optional |
agentId | The agent ID. If the hostName is not specified, the agent ID must be specified. | Optional |
hostName | The host name. If the agent ID is not specified, the hostName must be specified. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Acquisitions.Data._id | string | The unique ID of the acquisition. |
FireEyeHX.Acquisitions.Data.state | string | The state of the acquisition. |
FireEyeHX.Acquisitions.Data.md5 | string | The MD5 of the file. |
FireEyeHX.Acquisitions.Data.host._id | string | The ID of the agent. |
FireEyeHX.Acquisitions.Data.host.hostname | string | The name of the host. |
FireEyeHX.Acquisitions.Data.instance | string | The FireEye HX instance. |
FireEyeHX.Acquisitions.Data.finish_time | date | The time when the acquisition finished. |
#
fireeye-hx-get-host-set-informationReturns a list of all host sets known to your HX Series appliance.
#
Base Commandfireeye-hx-get-host-set-information
#
InputArgument Name | Description | Required |
---|---|---|
hostSetID | The ID of a specific host set to return. | Optional |
offset | Specifies which record to start with in the response. The offset value must be an unsigned 32-bit integer. Default is 0. | Optional |
limit | Specifies how many records are returned. The limit value must be an unsigned 32-bit integer. Default is 50. | Optional |
search | Searches the names of all host sets connected to the specified HX appliance. | Optional |
sort | Sorts the results by the specified field in ascending or descending order. The default sorts in ascending order, by name. Sortable fields are _id (host set ID) and name (host set name). | Optional |
name | Specifies the name of the host set for which to search. | Optional |
type | Specifies the type of host set for which to search. Possible values are: venn, static. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.HostSets._id | number | The ID of the host set. |
FireEyeHX.HostSets._revision | string | The number of the host set revision. |
FireEyeHX.HostSets.name | string | The name of the host set. |
FireEyeHX.HostSets.type | string | The type of the host set (static/dynamic/hidden). |
FireEyeHX.HostSets.url | string | The FireEye URL of the host set. |
FireEyeHX.HostSets.deleted | Boolean | Was the host set deleted. |
#
Command example!fireeye-hx-get-host-set-information hostSetID=1001
#
Context Example#
Human Readable Output#
FireEye HX Get Host Sets Information
Name ID Type Test 1001 venn
#
fireeye-hx-list-policyReturns a list of all policies.
#
Base Commandfireeye-hx-list-policy
#
InputArgument Name | Description | Required |
---|---|---|
offset | Specifies which record to start with in the response. Default is 0. | Optional |
limit | Limits the number of results. | Optional |
policyName | The name of the policy. | Optional |
policyId | The unique policy ID. | Optional |
enabled | Whether the policy is enabled ("true") or disabled ("false"). Possible values are: true, false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Policy._id | String | The ID of the unique policy. |
FireEyeHX.Policy.name | String | The name of the policy. |
FireEyeHX.Policy.description | String | The description of the policy. |
FireEyeHX.Policy.policy_type_id | String | The ID of the unique policy type. |
FireEyeHX.Policy.priority | Number | The priority order of the policy. |
FireEyeHX.Policy.enabled | Boolean | Whether the policy is enabled ("true") or disabled ("false"). |
FireEyeHX.Policy.default | Boolean | Whether it is the default policy (true). There can only be one policy marked as default. |
FireEyeHX.Policy.migrated | Boolean | Whether it is a migrated policy (true). |
FireEyeHX.Policy.created_by | String | The user who created the policy. |
FireEyeHX.Policy.created_at | String | The time the policy was first created. |
FireEyeHX.Policy.updated_at | String | The time the policy was last updated. |
FireEyeHX.Policy.categories | Unknown | The collection of categories that the policy is associated. |
FireEyeHX.Policy.display_created_at | String | The time since the display was first created. |
FireEyeHX.Policy.display_updated_at | String | The time since the display was last updated. |
#
Command example!fireeye-hx-list-policy limit=2 policyName=Test
#
Context Example#
Human Readable Output#
FireEye HX List PoliciesNo entries.
#
fireeye-hx-list-host-set-policyReturns a list of all policies for all host sets.
#
Base Commandfireeye-hx-list-host-set-policy
#
InputArgument Name | Description | Required |
---|---|---|
offset | Specifies which record to start with in the response. Default is 0. | Optional |
limit | Limits the number of results. | Optional |
hostSetId | The host set ID. | Optional |
policyId | The unique policy ID. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.HostSets.Policy.policy_id | String | The ID of the unique policy. |
FireEyeHX.HostSets.Policy.persist_id | Number | The ID of the host set. |
#
Command example!fireeye-hx-list-host-set-policy limit=1
#
Context Example#
Human Readable Output#
FireEye HX Host Set Policies
Policy Id Host Set Id YYYXXXYYY 1001 YYYXXXYYY 1002 YYYXXXYYY 1005 YYYXXXYYY 1005
#
fireeye-hx-list-containmentFetches all containment states across known hosts.
#
Base Commandfireeye-hx-list-containment
#
InputArgument Name | Description | Required |
---|---|---|
offset | Specifies which record to start with in the response. Default is 0. | Optional |
limit | Limits the number of results. | Optional |
state_update_time | Must be from type of -> String: date-time. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Hosts._id | String | The FireEye HX Agent ID. |
FireEyeHX.Hosts.last_sysinfo | String | The Last Sysinfo date. |
FireEyeHX.Hosts.requested_by_actor | String | The action requested by actor. |
FireEyeHX.Hosts.requested_on | String | When the containment was requested. |
FireEyeHX.Hosts.contained_by_actor | String | The action contained by actor. |
FireEyeHX.Hosts.contained_on | String | When the host was contained. |
FireEyeHX.Hosts.queued | Boolean | Determines whether the hosts are queued for containment. |
FireEyeHX.Hosts.excluded | Boolean | Whether the hosts are excluded. |
FireEyeHX.Hosts.missing_software | Boolean | Whether there is missing software. |
FireEyeHX.Hosts.reported_clone | Boolean | Whether there is a reported clone. |
FireEyeHX.Hosts.state | String | The state of the hosts. |
FireEyeHX.Hosts.state_update_time | String | The state update time of the hosts. |
FireEyeHX.Hosts.url | String | The URL of the hosts. |
#
Command example!fireeye-hx-list-containment limit=2
#
Context Example#
Human Readable Output#
List Containment
Id State Request Origin Request Date Containment Origin Containment Date Last System information date YYYXXXYYY normal 2022-02-23T07:28:33.969Z YYYXXXYYY normal 2022-02-23T08:23:25.592Z
#
fireeye-hx-search-listFetches all enterprise searches.
#
Base Commandfireeye-hx-search-list
#
InputArgument Name | Description | Required |
---|---|---|
offset | Specifies which record to start with in the response. Default is 0. | Optional |
limit | Specifies how many records are returned. Default is 50. | Optional |
state | Filter by search state. Select either STOPPED or RUNNING. Possible values are: RUNNING, STOPPED. | Optional |
sort | Sorts the results by the specified field. Default is sort by _id. Possible values are: _id, state, host_set._id, update_time, create_time, update_actor._id, update_actor.username, create_actor._id, create_actor.username. | Optional |
hostSetId | Filters searches by host set ID - <Integer>. | Optional |
searchId | Returns a single enterprise search record. If you enter this argument there is no need for other arguments. | Optional |
actorUsername | Filters searches by username that created searches - <String>. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Search._id | Number | The ID of the unique search. |
FireEyeHX.Search.state | String | The state of the search, whether it stopped or ran. |
FireEyeHX.Search.scripts | Unknown | A list of reference objects for the scripts utilized in this search. |
FireEyeHX.Search.update_time | String | The time the search was last updated. |
FireEyeHX.Search.create_time | String | The time the search was created. |
FireEyeHX.Search.scripts.platform | Unknown | The platform for which this script is used. |
FireEyeHX.Search.update_actor | Unknown | The actor who last updated the search. |
FireEyeHX.Search.create_actor | Unknown | The actor who created the search. |
FireEyeHX.Search.error | Unknown | Collection of errors per agents for the search. |
FireEyeHX.Search._revision | String | The ETag that can be used for concurrency checking. |
FireEyeHX.Search.input_type | String | The input method that was used to start the search. |
FireEyeHX.Search.url | String | The URI to retrieve data for this record. |
FireEyeHX.Search.host_set | Unknown | The Host Set information. |
FireEyeHX.Search.stats | Unknown | The stats information. |
FireEyeHX.Search.stats.hosts | Number | The number of hosts running this operation. |
FireEyeHX.Search.stats.skipped_hosts | Number | The number of hosts that were skipped. |
FireEyeHX.Search.stats.search_state | Unknown | The number of search in different states. |
FireEyeHX.Search.stats.search_issues | Unknown | The issues encountered for searches. |
FireEyeHX.Search.settings.query_terms.terms | Unknown | The terms for the operation. |
FireEyeHX.Search.stats.hosts.settings.query_terms.exhaustive_terms | Unknown | The exhaustive terms for the operation. |
FireEyeHX.Search.stats.settings.search_type | String | The type of search. |
FireEyeHX.Search.stats.settings.exhaustive | String | Whether a search is exhaustive. |
FireEyeHX.Search.stats.settings.mode | String | Whether a search is a HOST type or GRID type. |
FireEyeHX.Search.stats.settings.displayname | String | The name of the search. |
#
Command example!fireeye-hx-search-list limit=1
#
Context Example#
Human Readable Output
Id State Host Set Created By Created At Updated By Updated At 143 RUNNING _id: 1001
username: test2022-02-23T09:18:11.214Z _id: 1001
username: test2022-02-23T09:18:11.214Z
#
fireeye-hx-search-stopStops a specific running search.
#
Base Commandfireeye-hx-search-stop
#
InputArgument Name | Description | Required |
---|---|---|
searchId | Unique search ID - Required. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Search._id | Number | The ID of the unique search. |
FireEyeHX.Search.state | String | The state of the search, whether it stopped or ran. |
FireEyeHX.Search.scripts | Unknown | A list of reference objects for the scripts utilized in this search. |
FireEyeHX.Search.update_time | String | The time the search was last updated. |
FireEyeHX.Search.create_time | String | The time the search was created. |
FireEyeHX.Search.scripts.platform | Unknown | The platform for which this script is used. |
FireEyeHX.Search.update_actor | Unknown | The actor who last updated the search. |
FireEyeHX.Search.create_actor | Unknown | The actor who created the search. |
FireEyeHX.Search.error | Unknown | The collection of errors per agents for the search. |
FireEyeHX.Search._revision | Unknown | ETag that can be used for concurrency checking. |
FireEyeHX.Search.input_type | String | The input method that was used to start the search. |
FireEyeHX.Search.url | String | The URI to retrieve data for this record. |
FireEyeHX.Search.host_set | Unknown | The Host Set information. |
FireEyeHX.Search.stats | Unknown | The stats information. |
FireEyeHX.Search.stats.hosts | Number | The number of hosts running this operation. |
FireEyeHX.Search.stats.skipped_hosts | Number | The number of hosts that were skipped. |
FireEyeHX.Search.stats.search_state | Unknown | The number of search in different states. |
FireEyeHX.Search.stats.search_issues | Unknown | The issues encountered for searches. |
FireEyeHX.Search.settings.query_terms.terms | Unknown | The terms for the operation. |
FireEyeHX.Search.stats.hosts.settings.query_terms.exhaustive_terms | Unknown | The exhaustive terms for the operation |
FireEyeHX.Search.stats.settings.search_type | String | The type of search. |
FireEyeHX.Search.stats.settings.exhaustive | String | Whether a search is exhaustive. |
FireEyeHX.Search.stats.settings.mode | String | Whether a search is a HOST type or GRID type. |
FireEyeHX.Search.stats.settings.displayname | String | The name of the search. |
#
Command example!fireeye-hx-search-stop searchId=141
#
Context Example#
Human Readable OutputResults Search Id 141: Success
#
fireeye-hx-search-result-getFetches the results for a specific enterprise search.
#
Base Commandfireeye-hx-search-result-get
#
InputArgument Name | Description | Required |
---|---|---|
searchId | The Unique search ID. | Required |
limit | Limit the number of results to return per search. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Search.host._id | String | The ID of the unique agent. |
FireEyeHX.Search.host.url | String | The URI to retrieve data for this record. |
FireEyeHX.Search.host.hostname | String | The name of the host. |
FireEyeHX.Search.results._id | Number | The unique ID. |
FireEyeHX.Search.results.type | String | The type of the search result data. |
FireEyeHX.Search.results.data | Unknown | The object containing data relating to the search result for the host. |
#
Command example!fireeye-hx-search-result-get searchId=141
#
Context Example#
Human Readable Output#
Host Id YYYXXXYYYHost Name XXX |Item Type|Summary| |---|---| | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 64924,
Remote Port: 443,
Timestamp - Event: 2022-01-20T09:41:51.470Z,
Timestamp - Accessed: 2022-01-20T09:41:51.470Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 64925,
Remote Port: 443,
Timestamp - Event: 2022-01-20T09:41:51.470Z,
Timestamp - Accessed: 2022-01-20T09:41:51.470Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 64926,
Remote Port: 443,
Timestamp - Event: 2022-01-20T09:41:51.470Z,
Timestamp - Accessed: 2022-01-20T09:41:51.470Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 56687,
Remote Port: 443,
Timestamp - Event: 2022-01-31T06:56:37.591Z,
Timestamp - Accessed: 2022-01-31T06:56:37.591Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 58763,
Remote Port: 443,
Timestamp - Event: 2022-02-01T07:51:38.928Z,
Timestamp - Accessed: 2022-02-01T07:51:38.928Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 58766,
Remote Port: 443,
Timestamp - Event: 2022-02-01T07:53:03.630Z,
Timestamp - Accessed: 2022-02-01T07:53:03.630Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 59099,
Remote Port: 443,
Timestamp - Event: 2022-02-01T12:04:14.969Z,
Timestamp - Accessed: 2022-02-01T12:04:14.969Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 55107,
Remote Port: 443,
Timestamp - Event: 2022-02-07T10:51:46.951Z,
Timestamp - Accessed: 2022-02-07T10:51:46.951Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 55107,
Remote Port: 443,
Timestamp - Event: 2022-02-07T10:53:17.233Z,
Timestamp - Accessed: 2022-02-07T10:53:17.233Z |
#
fireeye-hx-searchSearches endpoints to check all hosts or a subset of hosts for a specific file or indicator.
#
Base Commandfireeye-hx-search
#
InputArgument Name | Description | Required |
---|---|---|
searchId | searchId. | Optional |
agentsIds | The IDs of the gents to be searched. | Optional |
hostsNames | The names of hosts to be searched. | Optional |
hostSet | The ID of host set to be searched. | Optional |
hostSetName | The name of host set to be searched. | Optional |
limit | Limits the results count (once the limit is reached, the search is stopped). | Optional |
exhaustive | Whether a search is exhaustive or quick. Possible values are: yes, no. Default is yes. | Optional |
ipAddress | A valid IPv4 address for which to search. | Optional |
ipAddressOperator | Which operator to apply to the given IP address. Possible values are: equals, not equals. | Optional |
polling | Whether to use Cortex XSOAR's built-in polling to retrieve the result, when ready. Possible values are: true, false. | Optional |
interval_in_seconds | The interval in seconds between each poll. Default is 60. | Optional |
fileMD5Hash | A 32-character MD5 hash value for which to search. | Optional |
fileMD5HashOperator | Which operator to apply to the given MD5 hash. Possible values are: equals, not equals. | Optional |
fileFullPath | The full path of file to search. | Optional |
fileFullPathOperator | Which operator to apply to the given file path. Possible values are: equals, not equals, contains, not contains. | Optional |
dnsHostname | The DNS value for which to search. | Optional |
dnsHostnameOperator | Which operator to apply to the given DNS. Possible values are: equals, not equals, contains, not contains. | Optional |
stopSearch | The method in which the search should be stopped after finding <limit> number of results. Possible values are: stopAndDelete, stop. | Optional |
fieldSearchName | Searchable fields - If using this argument, the 'fieldSearchOperator' and 'fieldSearchValue' arguments are required. Possible values are: Application Name, Browser Name, Browser Version, Cookie Flags, Cookie Name, Cookie Value, Driver Device Name, Driver Module Name, Executable Exported Dll Name, Executable Exported Function Name, Executable Imported Function Name, Executable Imported Module Name, Executable Injected, Executable PE Type, Executable Resource Name, File Attributes, File Certificate Issuer, File Certificate Subject, File Download Mime Type, File Download Referrer, File Download Type, File Name, File SHA1 Hash, File SHA256 Hash, File Signature Exists, File Signature Verified, File Stream Name, File Text Written, Group Name, HTTP Header, Host Set, Hostname, Local IP Address, Local Port, Parent Process Name, Parent Process Path, Port, Port Protocol, Port State, Process Arguments, Process Name, Quarantine Event Sender Address, Quarantine Event Sender Name, Registry Key Full Path, Registry Key Value Name, Registry Key Value Text, Remote IP Address, Remote Port, Service DLL, Service Mode, Service Name, Service Status, Service Type, Size in bytes, Syslog Event ID, Syslog Event Message, Syslog Facility. | Optional |
fieldSearchOperator | Which operator to apply to the given search field. Possible values are: equals, not equals, contains, not contains, less than, greater than. | Optional |
fieldSearchValue | One or more values that match the selected search type. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Search.results.data.Timestamp - Modified | string | The time when the entry was last modified. |
FireEyeHX.Search.results.data.File Text Written | string | The file text content. |
FireEyeHX.Search.results.data.File Name | string | The name of the file. |
FireEyeHX.Search.results.data.File Full Path | string | The full path of the file. |
FireEyeHX.Search.results.data.File Bytes Written | string | The number of bytes written to the file. |
FireEyeHX.Search.results.data.Size in bytes | string | The size of the file in bytes. |
FireEyeHX.Search.results.data.Browser Version | string | The version of the browser. |
FireEyeHX.Search.results.data.Browser Name | string | The name of the browser. |
FireEyeHX.Search.results.data.Cookie Name | string | The name of the cookie. |
FireEyeHX.Search.results.data.DNS Hostname | string | The name of the DNS host. |
FireEyeHX.Search.results.data.URL | string | The event URL. |
FireEyeHX.Search.results.data.Username | string | The event username. |
FireEyeHX.Search.results.data.File MD5 Hash | string | The MD5 hash of the file. |
FireEyeHX.Search.host._id | string | The ID of the host. |
FireEyeHX.Search.host.hostname | string | The name of host. |
FireEyeHX.Search.host.url | string | The Inner FireEye host URL. |
FireEyeHX.Search.results.data | string | The ID of the performed search. |
FireEyeHX.Search.results.data.Timestamp - Accessed | string | The last accessed time. |
FireEyeHX.Search.results.data.Port | number | The Port. |
FireEyeHX.Search.results.data.Process ID | string | The ID of the process. |
FireEyeHX.Search.results.data.Local IP Address | string | The local IP Address. |
FireEyeHX.Search.results.data.Local IP Address | string | The local IP Address. |
FireEyeHX.Search.results.data.Local Port | number | The local Port. |
FireEyeHX.Search.results.data.Username | string | The username. |
FireEyeHX.Search.results.data.Remote Port | number | The remote port. |
FireEyeHX.Search.results.data.IP Address | string | The IP address. |
FireEyeHX.Search.results.data.Process Name | string | The process name. |
FireEyeHX.Search.results.data.Timestamp - Event | string | The timestamp of the event. |
FireEyeHX.Search.results.type | string | The type of the event. |
FireEyeHX.Search.results.id | string | The ID of the result. |
#
Command example!fireeye-hx-search hostsNames=XXX ipAddress=xx.xx.xx.xx ipAddressOperator=equals polling=false
#
Human Readable OutputSearch started, Search ID: 143
#
fireeye-hx-get-alertGet details of a specific alert.
#
Base Commandfireeye-hx-get-alert
#
InputArgument Name | Description | Required |
---|---|---|
alertId | The alert ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Alerts._id | Number | The ID of the FireEye alert. |
FireEyeHX.Alerts.agent._id | Unknown | The ID of the FireEye agent. |
FireEyeHX.Alerts.agent.containment_state | Unknown | The containment state of the agent. |
FireEyeHX.Alerts.condition._id | String | The unique ID of the condition. |
FireEyeHX.Alerts.event_at | String | The time when the event occurred. |
FireEyeHX.Alerts.matched_at | String | The time when the event was matched. |
FireEyeHX.Alerts.reported_at | String | The time when the event was reported. |
FireEyeHX.Alerts.source | String | The source of the alert. |
FireEyeHX.Alerts.matched_source_alerts._id | Unknown | The ID of the source alert. |
FireEyeHX.Alerts.matched_source_alerts.appliance_id | Unknown | The ID of the appliance. |
FireEyeHX.Alerts.matched_source_alerts.meta | Unknown | The source alert meta. |
FireEyeHX.Alerts.matched_source_alerts.indicator_id | Unknown | The ID of the indicator. |
FireEyeHX.Alerts.resolution | String | The alert resolution. |
FireEyeHX.Alerts.event_type | String | The type of the event. |
#
Command example!fireeye-hx-get-alert alertId=8
#
Context Example#
Human Readable Output#
File
Name md5 Extension Path feyeqatest.exe exe C:\Users\User\Desktop\㟋\feyeqatest.exe
#
fireeye-hx-suppress-alertSuppresses an alert by ID.
#
Base Commandfireeye-hx-suppress-alert
#
InputArgument Name | Description | Required |
---|---|---|
alertId | The alert ID. The alert ID is listed in the output of 'get-alerts'. command. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!fireeye-hx-suppress-alert alertId=18
#
Human Readable OutputAlert 18 suppressed successfully.
#
fireeye-hx-get-indicatorsGet a list of indicators.
#
Base Commandfireeye-hx-get-indicators
#
InputArgument Name | Description | Required |
---|---|---|
category | The category of the indicator. | Optional |
searchTerm | The searchTerm can be any name, category, signature, source, or condition value. | Optional |
shareMode | Determines who can see the indicator. They must belong to the correct authorization group. Possible values are: any, restricted, unrestricted, visible. | Optional |
sort | Sorts the results by the specified field in ascending order. Possible values are: category, activeSince, createdBy, alerted. | Optional |
createdBy | The person who created the indicator. | Optional |
alerted | Whether the indicator resulted in alerts. Possible values are: yes, no. | Optional |
limit | Limits the number of results. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Indicators._id | String | FireEye unique indicator ID. |
FireEyeHX.Indicators.name | String | The indicator name as displayed in the UI. |
FireEyeHX.Indicators.description | String | The description of the indicator. |
FireEyeHX.Indicators.category.name | String | The Category name. |
FireEyeHX.Indicators.created_by | String | The "Created By" field as displayed in UI. |
FireEyeHX.Indicators.active_since | String | The date the indicator became active. |
FireEyeHX.Indicators.stats.source_alerts | Unknown | The total number of source alerts associated with this indicator. |
FireEyeHX.Indicators.stats.alerted_agents | Unknown | The total number of agents with HX alerts associated with this indicator. |
FireEyeHX.Indicators.platforms | Unknown | The list of operating systems. |
FireEyeHX.Indicators.uri_name | String | The URI formatted name of the indicator. |
FireEyeHX.Indicators.category.uri_name | String | The URI name of the category. |
#
Command example!fireeye-hx-get-indicators limit=2
#
Context Example#
Human Readable Output#
FireEye HX Get Indicator- None
OS Name Created By Active Since Category Signature Active Condition Hosts With Alerts Source Alerts win, osx, linux YYYXXXYYY test 2022-02-23T09:18:09.012Z Custom 0 0 0 win, osx, linux YYYXXXYYY test 2022-02-23T07:57:46.635Z Custom 0 0 0
#
fireeye-hx-get-indicatorGet details of a specific indicator.
#
Base Commandfireeye-hx-get-indicator
#
InputArgument Name | Description | Required |
---|---|---|
category | The category of the indicator. Use the uri_category value. | Required |
name | The name of the indicator. Use the uri_name value. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Indicators._id | String | The FireEye unique indicator ID. |
FireEyeHX.Indicators.name | String | The indicator name as displayed in the UI. |
FireEyeHX.Indicators.description | String | The description of the indicator. |
FireEyeHX.Indicators.category.name | String | The name of the category. |
FireEyeHX.Indicators.created_by | String | The "Created By" field as displayed in UI. |
FireEyeHX.Indicators.active_since | String | The date the indicator became active. |
FireEyeHX.Indicators.stats.source_alerts | Unknown | The total number of source alerts associated with this indicator. |
FireEyeHX.Indicators.stats.alerted_agents | Unknown | The total number of agents with HX alerts associated with this indicator. |
FireEyeHX.Indicators.platforms | Unknown | The list of operating systems. |
FireEyeHX.Conditions._id | Unknown | The ID of the FireEye unique condition. |
FireEyeHX.Conditions.event_type | Unknown | The type of the event. |
FireEyeHX.Conditions.enabled | Unknown | Indicates whether the condition is enabled. |
#
Command example!fireeye-hx-get-indicator category=Custom name=YYYXXXYYY
#
Context Example#
Human Readable Output#
Indicator 'YYYXXXYYY' Alerts onNo entries.
#
fireeye-hx-append-conditionsAdd conditions to an indicator. Conditions can be MD5, hash values, domain names and IP addresses.
#
Base Commandfireeye-hx-append-conditions
#
InputArgument Name | Description | Required |
---|---|---|
category | The indicator category. Use the uri_category value. | Required |
name | The name of the indicator. Use the uri_name value. | Required |
condition | A list of conditions to add. The list can include a list of IPv4 addresses, MD5 files, and domain names. For example, example.netexample.orgexample.lol. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!fireeye-hx-append-conditions category=Custom name=YYYXXXYYY condition=exsmple.com
#
Context Example#
Human Readable Output#
The conditions were added successfully
Category Conditions Name Custom exsmple.com YYYXXXYYY
#
fireeye-hx-search-deleteDeletes the search by ID.
#
Base Commandfireeye-hx-search-delete
#
InputArgument Name | Description | Required |
---|---|---|
searchId | The search ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!fireeye-hx-search-delete searchId=142
#
Human Readable OutputResults Search Id 142: Deleted successfully
#
fireeye-hx-delete-file-acquisitionDeletes the file acquisition by ID.
#
Base Commandfireeye-hx-delete-file-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
acquisitionId | The acquisition ID. | Required |
#
Context OutputThere is no context output for this command.
#
fireeye-hx-approve-containmentApproves pending containment requests made by other components or users. The required permission is api_admin role.
#
Base Commandfireeye-hx-approve-containment
#
InputArgument Name | Description | Required |
---|---|---|
agentId | The Agent ID - this argument is required. | Required |
#
Context OutputThere is no context output for this command.
#
fireeye-hx-assign-host-set-policyInserts a new host set policy on your Endpoint Security server.
#
Base Commandfireeye-hx-assign-host-set-policy
#
InputArgument Name | Description | Required |
---|---|---|
hostSetId | The Host Set ID - this argument is required. | Required |
policyId | The Policy ID - this argument is required. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!fireeye-hx-assign-host-set-policy hostSetId=1005 policyId=YYYXXXYYY
#
Human Readable OutputThis hostset may already be included in this policy
#
fireeye-hx-get-data-acquisitionCollects artifacts from the system disk and memory for the given acquisition ID (the data is fetched as a MANS file).
#
Base Commandfireeye-hx-get-data-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
acquisitionId | The acquisition unique ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Acquisitions.Data._id | string | The unique ID of the acquisition. |
FireEyeHX.Acquisitions.Data.state | string | The state of the acquisition. |
FireEyeHX.Acquisitions.Data.md5 | string | The MD5 of the file. |
FireEyeHX.Acquisitions.Data.host._id | string | The ID of the agent. |
FireEyeHX.Acquisitions.Data.finish_time | string | The time when the acquisition finished. |
FireEyeHX.Acquisitions.Data.host.hostname | string | The hostname. |
FireEyeHX.Acquisitions.Data.instance | date | The FireEye HX instance. |
#
Command example!fireeye-hx-get-data-acquisition acquisitionId=102
#
Context Example#
Human Readable OutputThe triage completed with issues. acquisition ID: 102
#
fireeye-hx-data-acquisitionStart a data acquisition process to gather artifacts from the system disk and memory (the data is fetched as mans file).
#
Base Commandfireeye-hx-data-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
script | The acquisition script in JSON format. | Optional |
scriptName | The script name. If the Acquisition script is specified, the script name must be specified as well. | Optional |
defaultSystemScript | Select the host system, which uses the default script. Possible values are: osx, win, linux. | Optional |
agentId | The agent ID. If the host name is not specified, the agent ID must be specified. | Optional |
hostName | The host name. If the agent ID is not specified, the host name must be specified. | Optional |
acquisition_id | This argument is deprecated. | Optional |
polling | Whether to use Cortex XSOAR's built-in polling to retrieve the result when ready. Possible values are: true, false. | Optional |
interval_in_seconds | The interval in seconds between each poll. Default is 60. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Acquisitions.Data._id | Number | The unique ID of the acquisition. |
FireEyeHX.Acquisitions.Data.state | String | The state of the acquisition. |
FireEyeHX.Acquisitions.Data.md5 | String | The MD5 of the file. |
FireEyeHX.Acquisitions.Data.finish_time | String | The time when the acquisition finished. |
FireEyeHX.Acquisitions.Data.host._id | unknown | The ID of the agent. |
#
Command example!fireeye-hx-data-acquisition hostName=XXX defaultSystemScript=osx
#
Human Readable OutputAcquisition request was successful Acquisition ID: 104
#
fireeye-hx-get-alertsReturns a list of alerts. Use the different arguments to filter the results returned.
#
Base Commandfireeye-hx-get-alerts
#
InputArgument Name | Description | Required |
---|---|---|
hasShareMode | Identifies which alerts result from indicators with the specified share mode. Possible values are: any, restricted, unrestricted. | Optional |
resolution | Sorts the results by the specified field. Possible values are: active_threat, alert, block, partial_block. | Optional |
agentId | Filter by the agent ID. | Optional |
conditionId | Filter by condition ID. | Optional |
eventAt | Filter by the event occurred time. ISO-8601 timestamp. | Optional |
alertId | Filter by the alert ID. | Optional |
matchedAt | Filter by the match detection time. ISO-8601 timestamp. | Optional |
minId | Filter by returning only records with an AlertId field value greater than the minId value. | Optional |
reportedAt | Filter by the reported time. ISO-8601 timestamp. | Optional |
IOCsource | The source of the alert-indicator of compromise. Possible values are: yes. | Optional |
EXDsource | The source of the alert - exploit detection. Possible values are: yes. | Optional |
MALsource | The Source of the malware alert. Possible values are: yes. | Optional |
limit | Limit the results returned. | Optional |
sort | Sorts the results by the specified field in ascending order. Possible values are: agentId, conditionId, eventAt, alertId, matchedAt, id, reportedAt. | Optional |
sortOrder | The sort order for the results. Possible values are: ascending, descending. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Alerts._id | Number | The ID of the FireEye alert. |
FireEyeHX.Alerts.agent._id | Unknown | The ID of the FireEye agent. |
FireEyeHX.Alerts.agent.containment_state | Unknown | The state of the agent containment. |
FireEyeHX.Alerts.condition._id | String | The unique ID of the alert. |
FireEyeHX.Alerts.event_at | String | The time when the event occurred. |
FireEyeHX.Alerts.matched_at | String | The time when the event was matched. |
FireEyeHX.Alerts.reported_at | String | The time when the event was reported. |
FireEyeHX.Alerts.source | String | The source of the alert. |
FireEyeHX.Alerts.matched_source_alerts._id | Unknown | The ID of the source alert. |
FireEyeHX.Alerts.matched_source_alerts.appliance_id | Unknown | The ID of the appliance. |
FireEyeHX.Alerts.matched_source_alerts.meta | Unknown | The source alert meta. |
FireEyeHX.Alerts.matched_source_alerts.indicator_id | Unknown | The ID of the indicator. |
FireEyeHX.Alerts.resolution | String | The alert resolution. |
FireEyeHX.Alerts.event_type | String | The type of the event. |
#
Command example!fireeye-hx-get-alerts limit=2 sort=alertId
#
Context Example#
Human Readable Output#
FireEye HX Get Alerts
Alert ID Reported Event Type Agent ID 7 2022-01-24T10:37:51.306Z fileWriteEvent YYYXXXYYY 8 2022-01-25T10:25:44.011Z fileWriteEvent YYYXXXYYY
#
fireeye-hx-file-acquisitionAcquires a specific file as a password protected zip file. The password for unlocking the zip file is 'unzip-me'.
#
Base Commandfireeye-hx-file-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
acquisition_id | The acquisition ID. This argument is deprecated. | Optional |
fileName | The file name. | Required |
filePath | The file path. | Required |
acquireUsing | Whether to acquire the file using the API or RAW. By default, the RAW file will be acquired. Use the API option when file is encrypted. Possible values are: API, RAW. | Optional |
agentId | The agent ID associated with the host that holds the file. If the host name is not specified, the agentId must be specified. | Optional |
hostName | The host that holds the file. If the agentId is not specified, hostName must be specified. | Optional |
polling | Whether to use Cortex XSOAR's built-in polling to retrieve the result when ready. Possible values are: true, false. | Optional |
interval_in_seconds | The interval in seconds between each poll. Default is 60. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Acquisitions.Files._id | Number | The acquisition unique ID. |
FireEyeHX.Acquisitions.Files.state | String | The acquisition state. |
FireEyeHX.Acquisitions.Files.md5 | String | The MD5 of the file. |
FireEyeHX.Acquisitions.Files.req_filename | String | The name of the file. |
FireEyeHX.Acquisitions.Files.req_path | String | The path of the file. |
FireEyeHX.Acquisitions.Files.host._id | String | The ID of the FireEye HX agent. |
#
fireeye-hx-create-indicatorCreate a new indicator.
#
Base Commandfireeye-hx-create-indicator
#
InputArgument Name | Description | Required |
---|---|---|
category | The indicator category. | Required |
display_name | Display name for the indicator. | Optional |
description | Description for the indicator. | Optional |
platforms | The platform for the indicator. If not selected, the indicator will be created for all platforms. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.Indicators.active_since | date | The date the indicator became active. |
FireEyeHX.Indicators.meta | string | The meta data for new indicator. |
FireEyeHX.Indicators.display_name | string | The display name of the indicator. |
FireEyeHX.Indicators.name | string | The indicator name, as displayed in the UI. |
FireEyeHX.Indicators.created_by | string | The "Created By" field, as displayed in UI |
FireEyeHX.Indicators.url | string | The data URL. |
FireEyeHX.Indicators.create_text | Unknown | The indicator created text. |
FireEyeHX.Indicators.platforms | string | The list of operating systems. |
FireEyeHX.Indicators.create_actor._id | number | The ID of the actor. |
FireEyeHX.Indicators.create_actor.username | string | The user name of the actor. |
FireEyeHX.Indicators.signature | string | The signature of the indicator. |
FireEyeHX.Indicators._revision | string | The indicator revision. |
FireEyeHX.Indicators._id | string | The ID of the FireEye unique indicator. |
FireEyeHX.Indicator.description | string | The description of the indicator. |
FireEyeHX.Indicators.category._id | number | The ID of the category. |
FireEyeHX.Indicators.category.name | string | The name of the category. |
FireEyeHX.Indicators.category.share_mode | string | The share mode of the category. |
FireEyeHX.Indicators.category.uri_name | string | The URI name of the category. |
FireEyeHX.Indicators.category.url | string | The URL of the category. |
FireEyeHX.Indicators.uri_name | string | The URI name of the indicator. |
FireEyeHX.Indicators.stats.active_conditions | number | The active conditions of the indicator. |
FireEyeHX.Indicators.stats.alerted_agents | number | The total number of agents with HX alerts associated with this indicator. |
FireEyeHX.Indicators.stats.source_alerts | number | The total number of source alerts associated with this indicator. |
FireEyeHX.Indicators.update_actor._id | number | The ID of the updated actor. |
FireEyeHX.Indicators.update_actor.username | string | The updated name of the actor. |
#
Command example!fireeye-hx-create-indicator category=Custom
#
Context Example#
Human Readable Output#
FireEye HX New Indicator created successfully
ID YYYXXXYYY
#
fireeye-hx-delete-host-set-policyDeletes a Host Set policy.
#
Base Commandfireeye-hx-delete-host-set-policy
#
InputArgument Name | Description | Required |
---|---|---|
hostSetId | The host set ID. | Required |
policyId | The policy ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!fireeye-hx-delete-host-set-policy hostSetId=1005 policyId=YYYXXXYYY
#
Human Readable OutputSuccess
#
fireeye-hx-delete-data-acquisitionDeletes data acquisition.
#
Base Commandfireeye-hx-delete-data-acquisition
#
InputArgument Name | Description | Required |
---|---|---|
acquisitionId | The acquisition ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!fireeye-hx-delete-data-acquisition acquisitionId=102
#
Human Readable Outputdata acquisition 102 deleted successfully
#
fireeye-hx-delete-indicator-conditionDelete an indicator condition.
#
Base Commandfireeye-hx-delete-indicator-condition
#
InputArgument Name | Description | Required |
---|---|---|
category | The indicator category. | Required |
indicator_name | The name of the indicator. Use the uri_name value. | Required |
type | The condition type. Possible values are: presence, execution. | Required |
condition_id | The condition ID, which is part of the response when you request a list of all conditions known to the HX Series appliance. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!fireeye-hx-delete-indicator-condition category=Custom condition_id=myFIAYoWKoWqaaYQ7CxHVA== indicator_name=7f49e4c6-14d5-4b06-8d17-843fd17f79de type=execution
#
Human Readable OutputSuccessfully deleted condition myFIAYoWKoWqaaYQ7CxHVA== (execution) of indicator 7f49e4c6-14d5-4b06-8d17-843fd17f79de (Custom)
#
fireeye-hx-list-indicator-categoryLists the indicator categories.
#
Base Commandfireeye-hx-list-indicator-category
#
InputArgument Name | Description | Required |
---|---|---|
search | Performs a search of indicator categories. Searchable values are based on the name, display_name, retention_policy, ui_edit_policy, ui_signature_enabled, ui_source_alerts_enabled. | Optional |
name | Filter for indicator categories with the specified name. | Optional |
display_name | Filter for indicator categories with given display name. | Optional |
retention_policy | The retention policy. Possible values are: manual, auto, intel. | Optional |
ui_edit_policy | The UI edit policy. Possible values are: full, edit_delete, delete, read_only. | Optional |
ui_signature_enabled | Whether to enable the UI signature. Possible values are: true, false. | Optional |
ui_source_alerts_enabled | Whether to enable UI source alerts. Possible values are: true, false. | Optional |
share_mode | Share mode. Possible values are: restricted, unrestricted, silent, visible, any. | Optional |
limit | The maximum number of results to return. Default is 50. | Optional |
offset | Result offset. Default is 0. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.IndicatorCategory.uri_name | number | The policy ID of the indicator category. |
FireEyeHX.IndicatorCategory.name | string | The name of the indicator category. |
FireEyeHX.IndicatorCategory._revision | number | The revision of the indicator category. |
FireEyeHX.IndicatorCategory.display_name | string | The display name of the indicator category. |
FireEyeHX.IndicatorCategory.retention_policy | string | The retention policy of the indicator category. |
FireEyeHX.IndicatorCategory.ui_edit_policy | string | The UI edit policy of the indicator category. |
FireEyeHX.IndicatorCategory.ui_signature_enabled | boolean | Whether the UI signature is enabled. |
FireEyeHX.IndicatorCategory.ui_source_alerts_enabled | boolean | Whether the UI source alerts is enabled. |
FireEyeHX.IndicatorCategory.share_mode | string | The share mode of the indicator category. |
#
Command example!fireeye-hx-list-indicator-category search=fireEye
#
Context Example#
Human Readable Output#
3 Indicator categories found
Name Policy ID FireEye 4 FireEye Restricted 8 FireEye-CMS 5
#
fireeye-hx-delete-indicatorDelete an indicator.
#
Base Commandfireeye-hx-delete-indicator
#
InputArgument Name | Description | Required |
---|---|---|
category | The category name. | Required |
indicator_name | The name of the indicator. Use the uri_name value. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!fireeye-hx-delete-indicator category=Custom indicator_name=7f49e4c6-14d5-4b06-8d17-843fd17f79de
#
Human Readable OutputSuccessfully deleted indicator 7f49e4c6-14d5-4b06-8d17-843fd17f79de from the Custom category
#
fireeye-hx-create-host-set-staticCreates static host set.
#
Base Commandfireeye-hx-create-host-set-static
#
InputArgument Name | Description | Required |
---|---|---|
host_set_name | The host set name. | Required |
hosts_ids | The hosts IDs to add to the host set. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.HostSets._id | String | The host set ID. |
FireEyeHX.HostSets.url | String | URI to retrieve data for this record. |
FireEyeHX.HostSets.name | String | The host set name. |
FireEyeHX.HostSets._revision | String | Timestamp of last update. Used for preventing updates with obsolete data. If _revision in the request body does not match _revision in the database, the update will fail. |
FireEyeHX.HostSets.deleted | Boolean | Was the host set deleted. |
#
Command example!fireeye-hx-create-host-set-static host_set_name=demisto_test hosts_ids=Hqb2ns3oui1fpzg0BxI1Ch
#
Human Readable OutputStatic Host Set demisto_test with id 1001 was created successfully.
#
fireeye-hx-update-host-set-staticUpdates a static host set.
#
Base Commandfireeye-hx-update-host-set-static
#
InputArgument Name | Description | Required |
---|---|---|
host_set_id | The host set ID. | Required |
host_set_name | The host set name. | Required |
add_host_ids | The host sets IDs to add. | Optional |
remove_host_ids | The host set IDs to remove. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.HostSets._id | String | The host set ID. |
FireEyeHX.HostSets.url | String | URI to retrieve data for this record. |
FireEyeHX.HostSets.name | String | The host set name. |
FireEyeHX.HostSets._revision | String | Timestamp of last update. Used for preventing updates with obsolete data. If _revision in the request body does not match _revision in the database, the update will fail. |
FireEyeHX.HostSets.deleted | Boolean | Was the host set deleted. |
#
Command example!fireeye-hx-update-host-set-static host_set_name=demisto_test host_set_id=1036 add_host_ids=GfLI00Q4zpidezw9I11rV6 remove_host_ids=Hqb2ns3oui1fpzg0BxI1Ch
#
Human Readable OutputStatic Host Set demisto_test was updated successfully.
#
fireeye-hx-create-host-set-dynamicCreates dynamic host set.
#
Base Commandfireeye-hx-create-host-set-dynamic
#
InputArgument Name | Description | Required |
---|---|---|
host_set_name | The host set name. | Required |
query | Free text query. Cannot be used with the other query arguments. | Optional |
query_key | The query key. Must be provided with the query_value and query_operator. Possible values are: domain, product_name, patch_level, timezone, os_bitness, cloud_provider, app_version, hostname, server_time, gmt_offset_seconds, primary-ip_address, normalized_app_version, litmus_script_id, app_config_hash, platform. | Optional |
query_value | The query value. Must be provided with the query_key and query_operator. | Optional |
query_operator | The query operator. Must be provided with the query_key and query_value. Possible values are: eq, gt, lt, lte, gte, exists, cidr. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.HostSets._id | String | The host set ID. |
FireEyeHX.HostSets.url | String | URI to retrieve data for this record. |
FireEyeHX.HostSets.name | String | The host set name. |
FireEyeHX.HostSets._revision | String | Timestamp of last update. Used for preventing updates with obsolete data. If _revision in the request body does not match _revision in the database, the update will fail. |
FireEyeHX.HostSets.deleted | Boolean | Was the host set deleted. |
#
Command example!fireeye-hx-create-host-set-dynamic host_set_name=demisto_test query_key=Bitlevel query_operator=eq query_value=64-bit
!fireeye-hx-update-host-set-dynamic host_set_name=MoreTestyay query=`{"key": "AgentVersion","value": "31.28.17","operator": "gte"}`
#
Human Readable OutputDynamic Host Set demisto_test with id 1068 was created successfully.
#
fireeye-hx-update-host-set-dynamicUpdates dynamic host set.
#
Base Commandfireeye-hx-update-host-set-dynamic
#
InputArgument Name | Description | Required |
---|---|---|
host_set_name | The host set name. | Required |
host_set_id | The host set ID. | Required |
query | Free text query. Cannot be used with the other query arguments. | Optional |
query_key | The query key. Must be provided with the query_value and query_operator. Possible values are: domain, product_name, patch_level, timezone, os_bitness, cloud_provider, app_version, hostname, server_time, gmt_offset_seconds, primary-ip_address, normalized_app_version, litmus_script_id, app_config_hash, platform. | Optional |
query_value | The query value. Must be provided with the query_key and query_operator. | Optional |
query_operator | The query operator. Must be provided with the query_value and query_key. Possible values are: eq, gt, lt, lte, gte, exists, cidr. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.HostSets._id | String | The host set ID. |
FireEyeHX.HostSets.url | String | URI to retrieve data for this record. |
FireEyeHX.HostSets.name | String | The host set name. |
FireEyeHX.HostSets._revision | String | Timestamp of last update. Used for preventing updates with obsolete data. If _revision in the request body does not match _revision in the database, the update will fail. |
FireEyeHX.HostSets.deleted | Boolean | Was the host set deleted. |
#
Command example!fireeye-hx-update-host-set-dynamic host_set_name=demisto_test query_key=Bitlevel query_operator=eq query_value=64-bit host_set_id=1061
!fireeye-hx-update-host-set-dynamic host_set_name=MoreTestyay query=`{"key": "AgentVersion","value": "31.28.17","operator": "gte"}` host_set_id=1061
#
Human Readable OutputDynamic Host Set Demisto_test was updated successfully.
#
fireeye-hx-delete-host-setDeletes a host set.
#
Base Commandfireeye-hx-delete-host-set
#
InputArgument Name | Description | Required |
---|---|---|
host_set_id | The host set ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
FireEyeHX.HostSets._id | String | The host set ID. |
FireEyeHX.HostSets.deleted | Boolean | Was the host set deleted. |
#
Command example!fireeye-hx-delete-host-set host_set_id=1001
#
Human Readable OutputHost set 1001 was deleted successfully.