Skip to main content

FireEye Endpoint Security (HX) v2

This Integration is part of the FireEye HX Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

FireEye Endpoint Security is an integrated solution that detects what others miss and protects endpoint against known and unknown threats. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. Customers can extract critical data and effectively operate security operations automated playbook

Some changes have been made that might affect your existing content. If you are upgrading from a previous of this integration, see Breaking Changes.

Configure FireEye Endpoint Security (HX) v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for FireEye Endpoint Security (HX) v2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Server URL (e.g. https://192.168.0.1:3000)True
    User NameTrue
    PasswordTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    Fetch incidentsFalse
    Incident typeFalse
    Fetch limitFalse
    First fetch timestamp (<number> <time unit>, e.g., 12 hours, 3 days)False
    Incidents Fetch IntervalFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

fireeye-hx-get-host-information#


Returns information on a host associated with an agent.

Base Command#

fireeye-hx-get-host-information

Input#

Argument NameDescriptionRequired
agentIdThe agent ID. If the agent ID is not specified, the hostName must be specified.Optional
hostNameThe host name. If the hostName is not specified, the agent ID must be specified.Optional

Context Output#

PathTypeDescription
FireEyeHX.Hosts._idStringThe ID of the FireEye HX Agent.
FireEyeHX.Hosts.agent_versionStringThe version of the agent.
FireEyeHX.Hosts.excluded_from_containmentBooleanDetermines whether the host is excluded from containment.
FireEyeHX.Hosts.containment_missing_softwareBooleanWhether there is containment missing software.
FireEyeHX.Hosts.containment_queuedBooleanDetermines whether the host is queued for containment.
FireEyeHX.Hosts.containment_stateStringThe containment state of the host. Possible values normal,contain,contain_fail,containing,contained,uncontain,uncontaining,wtfc,wtfu
FireEyeHX.Hosts.stats.alerting_conditionsNumberThe number of conditions that have alerted for the host.
FireEyeHX.Hosts.stats.alertsNumberThe total number of alerts, including exploit-detection alerts.
FireEyeHX.Hosts.stats.exploit_blocksNumberThe number of blocked exploits on the host.
FireEyeHX.Hosts.stats.malware_alertsNumberThe number of malware alerts associated with the host.
FireEyeHX.Hosts.hostnameStringThe name of the host.
FireEyeHX.Hosts.domainStringThe name of the domain.
FireEyeHX.Hosts.timezoneStringThe time zone of the host.
FireEyeHX.Hosts.primary_ip_addressStringThe IP address of the host.
FireEyeHX.Hosts.last_poll_timestampStringThe timestamp of the last system poll preformed on the host.
FireEyeHX.Hosts.initial_agent_checkinStringThe timestamp of the initial agent check-in.
FireEyeHX.Hosts.last_alert_timestampStringThe time stamp of the last alert for the host.
FireEyeHX.Hosts.last_exploit_block_timestampUnknownThe time when the last exploit was blocked on the host. The value is null if no exploits have been blocked.
FireEyeHX.Hosts.os.product_nameStringThe operating system of the host.
FireEyeHX.Hosts.os.bitnessStringThe bitness of the operating system.
FireEyeHX.Hosts.os.platformUnknownThe list of operating systems. Valid values are win, osx, and linux.
FireEyeHX.Hosts.primary_macStringThe MAC address of the host.

Command example#

!fireeye-hx-get-host-information hostName=XXX

Context Example#

{
"FireEyeHX": {
"Hosts": {
"_id": "YYYXXXYYY",
"agent_version": "31.28.17",
"containment_missing_software": false,
"containment_queued": false,
"containment_state": "normal",
"domain": "WORKGROUP",
"excluded_from_containment": false,
"gmt_offset_seconds": -28800,
"hostname": "XXX",
"initial_agent_checkin": "2021-03-21T13:27:48.058Z",
"last_alert": {
"_id": 365,
"url": "/hx/api/v3/alerts/365"
},
"last_alert_timestamp": "2022-02-23T07:28:34.043+00:00",
"last_audit_timestamp": "2022-02-23T07:28:33.969Z",
"last_exploit_block": null,
"last_exploit_block_timestamp": null,
"last_poll_ip": "xx.xx.xx.xx",
"last_poll_timestamp": "2022-02-23T09:08:31.000Z",
"os": {
"bitness": "64-bit",
"kernel_version": null,
"patch_level": null,
"platform": "win",
"product_name": "Windows 10 Pro"
},
"primary_ip_address": "xx.xx.xx.xx",
"primary_mac": "xx-xx-xx-xx-xx-xx",
"reported_clone": false,
"stats": {
"acqs": 15,
"alerting_conditions": 1,
"alerts": 1,
"exploit_alerts": 0,
"exploit_blocks": 0,
"false_positive_alerts": 0,
"false_positive_alerts_by_source": {},
"generic_alerts": 0,
"malware_alerts": 0,
"malware_cleaned_count": 0,
"malware_false_positive_alerts": 0,
"malware_quarantined_count": 0
},
"sysinfo": {
"url": "/hx/api/v3/hosts/YYYXXXYYY/sysinfo"
},
"timezone": "Pacific Standard Time",
"url": "/hx/api/v3/hosts/YYYXXXYYY"
}
}
}

Human Readable Output#

FireEye HX Get Host Information#

Host NameHost IPAgent IDAgent VersionOSLast PollContainment StateDomainLast Alert
XXXxx.xx.xx.xxYYYXXXYYY31.28.17win2022-02-23T09:08:31.000ZnormalWORKGROUP_id: 365
url: /hx/api/v3/alerts/365

fireeye-hx-get-all-hosts-information#


Returns information on all hosts.

Base Command#

fireeye-hx-get-all-hosts-information

Input#

Argument NameDescriptionRequired
offsetSpecifies which record to start with in the response. Default is 0.Optional
limitLimits the number of results.Optional

Context Output#

PathTypeDescription
FireEyeHX.Hosts._idStringThe FireEye HX Agent ID.
FireEyeHX.Hosts.agent_versionStringThe version of the agent.
FireEyeHX.Hosts.excluded_from_containmentBooleanDetermines whether the host is excluded from containment.
FireEyeHX.Hosts.containment_missing_softwareBooleanWhether there is containment missing software.
FireEyeHX.Hosts.containment_queuedBooleanDetermines whether the host is queued for containment.
FireEyeHX.Hosts.containment_stateStringThe containment state of the host. Possible values are normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu.
FireEyeHX.Hosts.stats.alerting_conditionsNumberThe number of conditions that have been alerted for the host.
FireEyeHX.Hosts.stats.alertsNumberThe total number of alerts, including exploit-detection alerts.
FireEyeHX.Hosts.stats.exploit_blocksNumberThe number of blocked exploits on the host.
FireEyeHX.Hosts.stats.malware_alertsNumberThe number of malware alerts associated with the host.
FireEyeHX.Hosts.hostnameStringThe name of the host.
FireEyeHX.Hosts.domainStringThe name of the domain.
FireEyeHX.Hosts.timezoneStringThe time zone of the host.
FireEyeHX.Hosts.primary_ip_addressStringThe IP address of the host.
FireEyeHX.Hosts.last_poll_timestampStringThe timestamp of the last system poll preformed on the host.
FireEyeHX.Hosts.initial_agent_checkinStringThe timestamp of the initial agent check-in.
FireEyeHX.Hosts.last_alert_timestampStringThe time stamp of the last alert for the host.
FireEyeHX.Hosts.last_exploit_block_timestampUnknownThe time when the last exploit was blocked on the host. The value is null if no exploits have been blocked.
FireEyeHX.Hosts.os.product_nameStringThe operating system of the host.
FireEyeHX.Hosts.os.bitnessStringThe bitness of the operating system.
FireEyeHX.Hosts.os.platformStringThe list of operating systems. Valid values are win, osx, and linux.
FireEyeHX.Hosts.primary_macStringThe host MAC address.

Command example#

!fireeye-hx-get-all-hosts-information limit=1

Context Example#

{
"FireEyeHX": {
"Hosts": {
"Agent ID": "YYYXXXYYY",
"Agent Version": "31.28.17",
"Containment State": "normal",
"Domain": "WORKGROUP",
"Host IP": "xx.xx.xx.xx",
"Host Name": "XXX",
"Last Alert": {
"_id": 365,
"url": "/hx/api/v3/alerts/365"
},
"Last Poll": "2022-02-23T09:08:31.000Z",
"OS": "win"
}
}
}

Human Readable Output#

FireEye HX Get Hosts Information#

Host NameHost IPAgent IDAgent VersionOSLast PollContainment StateDomainLast Alert
XXXxx.xx.xx.xxYYYXXXYYY31.28.17win2022-02-23T09:08:31.000ZnormalWORKGROUP_id: 365
url: /hx/api/v3/alerts/365

fireeye-hx-host-containment#


Applies containment for a specific host, so that it no longer has access to other systems. If the user does not have the necessary permissions, the command will not approve the request. The permission required to approve the request is api_admin role.

Base Command#

fireeye-hx-host-containment

Input#

Argument NameDescriptionRequired
hostNameThe host name to be contained. If the hostName is not specified, the agentId must be specified.Optional
agentIdThe agent id running on the host to be contained. If the agentId is not specified, the hostName must be specified.Optional

Context Output#

PathTypeDescription
FireEyeHX.Hosts._idStringThe ID of the FireEye HX Agent.
FireEyeHX.Hosts.agent_versionStringThe version of the agent.
FireEyeHX.Hosts.excluded_from_containmentBooleanDetermines whether the host is excluded from containment.
FireEyeHX.Hosts.containment_missing_softwareBooleanWhether there is containment missing software.
FireEyeHX.Hosts.containment_queuedBooleanDetermines whether the host is queued for containment.
FireEyeHX.Hosts.containment_stateStringThe containment state of the host. Possible values are normal, contain, contain_fail, containing, contained, uncontain, uncontaining, wtfc, wtfu.
FireEyeHX.Hosts.stats.alerting_conditionsNumberThe number of conditions that have been alerted for the host.
FireEyeHX.Hosts.stats.alertsNumberThe total number of alerts, including exploit-detection alerts.
FireEyeHX.Hosts.stats.exploit_blocksNumberThe number of blocked exploits on the host.
FireEyeHX.Hosts.stats.malware_alertsNumberThe number of malware alerts associated with the host.
FireEyeHX.Hosts.hostnameStringThe name of the host.
FireEyeHX.Hosts.domainStringThe name of the domain.
FireEyeHX.Hosts.timezoneStringThe time zone of the host.
FireEyeHX.Hosts.primary_ip_addressStringThe IP address of the host.
FireEyeHX.Hosts.last_poll_timestampStringThe timestamp of the last system poll preformed on the host.
FireEyeHX.Hosts.initial_agent_checkinStringThe timestamp of the initial agent check-in.
FireEyeHX.Hosts.last_alert_timestampStringThe time stamp of the last alert for the host.
FireEyeHX.Hosts.last_exploit_block_timestampStringThe time when the last exploit was blocked on the host. The value is null if no exploits have been blocked.
FireEyeHX.Hosts.os.product_nameStringThe operating system of the host.
FireEyeHX.Hosts.os.bitnessStringThe bitness of the operating system.
FireEyeHX.Hosts.os.platformStringThe list of operating systems. Valid values are win, osx, and linux.
FireEyeHX.Hosts.primary_macStringThe host MAC address.

Command example#

!fireeye-hx-host-containment hostName=XXX

Context Example#

{
"Endpoint": {
"Domain": "WORKGROUP",
"Hostname": "XXX",
"ID": "YYYXXXYYY",
"IPAddress": "xx.xx.xx.xx",
"MACAddress": "xx-xx-xx-xx-xx-xx",
"OS": "win",
"OSVersion": "Windows 10 Pro"
},
"FireEyeHX": {
"Hosts": {
"_id": "YYYXXXYYY",
"agent_version": "31.28.17",
"containment_missing_software": false,
"containment_queued": true,
"containment_state": "contain",
"domain": "WORKGROUP",
"excluded_from_containment": false,
"gmt_offset_seconds": -28800,
"hostname": "XXX",
"initial_agent_checkin": "2021-03-21T13:27:48.058Z",
"last_alert": {
"_id": 365,
"url": "/hx/api/v3/alerts/365"
},
"last_alert_timestamp": "2022-02-23T07:28:34.043+00:00",
"last_audit_timestamp": "2022-02-23T07:28:33.969Z",
"last_exploit_block": null,
"last_exploit_block_timestamp": null,
"last_poll_ip": "xx.xx.xx.xx",
"last_poll_timestamp": "2022-02-23T09:08:31.000Z",
"os": {
"bitness": "64-bit",
"kernel_version": null,
"patch_level": null,
"platform": "win",
"product_name": "Windows 10 Pro"
},
"primary_ip_address": "xx.xx.xx.xx",
"primary_mac": "xx-xx-xx-xx-xx-xx",
"reported_clone": false,
"stats": {
"acqs": 15,
"alerting_conditions": 1,
"alerts": 1,
"exploit_alerts": 0,
"exploit_blocks": 0,
"false_positive_alerts": 0,
"false_positive_alerts_by_source": {},
"generic_alerts": 0,
"malware_alerts": 0,
"malware_cleaned_count": 0,
"malware_false_positive_alerts": 0,
"malware_quarantined_count": 0
},
"sysinfo": {
"url": "/hx/api/v3/hosts/YYYXXXYYY/sysinfo"
},
"timezone": "Pacific Standard Time",
"url": "/hx/api/v3/hosts/YYYXXXYYY"
}
}
}

Human Readable Output#

Results#

DomainHostnameIDIPAddressMACAddressOSOSVersion
WORKGROUPXXXYYYXXXYYYxx.xx.xx.xxxx-xx-xx-xx-xx-xxwinWindows 10 Pro

fireeye-hx-cancel-containment#


Releases a specific host from containment.

Base Command#

fireeye-hx-cancel-containment

Input#

Argument NameDescriptionRequired
hostNameThe host name to be contained. If the hostName is not specified, the agentId must be specified.Optional
agentIdThe agent ID running on the host to be contained. If the agentId is not specified, the hostName must be specified.Optional

Context Output#

There is no context output for this command.

Command example#

!fireeye-hx-cancel-containment hostName=XXX

Human Readable Output#

Success

fireeye-hx-initiate-data-acquisition#


Initiates a data acquisition process to collect artifacts from the system disk and memory.

Base Command#

fireeye-hx-initiate-data-acquisition

Input#

Argument NameDescriptionRequired
scriptThe acquisition script in JSON format.Optional
scriptNameThe script name. If the acquisition script is specified, the script name must be specified as well.Optional
defaultSystemScriptSelect the host system to use the default system script. Possible values are: osx, win, linux.Optional
agentIdThe agent ID. If the hostName is not specified, the agent ID must be specified.Optional
hostNameThe host name. If the agent ID is not specified, the hostName must be specified.Optional

Context Output#

PathTypeDescription
FireEyeHX.Acquisitions.Data._idstringThe unique ID of the acquisition.
FireEyeHX.Acquisitions.Data.statestringThe state of the acquisition.
FireEyeHX.Acquisitions.Data.md5stringThe MD5 of the file.
FireEyeHX.Acquisitions.Data.host._idstringThe ID of the agent.
FireEyeHX.Acquisitions.Data.host.hostnamestringThe name of the host.
FireEyeHX.Acquisitions.Data.instancestringThe FireEye HX instance.
FireEyeHX.Acquisitions.Data.finish_timedateThe time when the acquisition finished.

fireeye-hx-get-host-set-information#


Returns a list of all host sets known to your HX Series appliance.

Base Command#

fireeye-hx-get-host-set-information

Input#

Argument NameDescriptionRequired
hostSetIDThe ID of a specific host set to return.Optional
offsetSpecifies which record to start with in the response. The offset value must be an unsigned 32-bit integer. Default is 0.Optional
limitSpecifies how many records are returned. The limit value must be an unsigned 32-bit integer. Default is 50.Optional
searchSearches the names of all host sets connected to the specified HX appliance.Optional
sortSorts the results by the specified field in ascending or descending order. The default sorts in ascending order, by name. Sortable fields are _id (host set ID) and name (host set name).Optional
nameSpecifies the name of the host set for which to search.Optional
typeSpecifies the type of host set for which to search. Possible values are: venn, static.Optional

Context Output#

PathTypeDescription
FireEyeHX.HostSets._idnumberThe ID of the host set.
FireEyeHX.HostSets._revisionstringThe number of the host set revision.
FireEyeHX.HostSets.namestringThe name of the host set.
FireEyeHX.HostSets.typestringThe type of the host set (static/dynamic/hidden).
FireEyeHX.HostSets.urlstringThe FireEye URL of the host set.
FireEyeHX.HostSets.deletedBooleanWas the host set deleted.

Command example#

!fireeye-hx-get-host-set-information hostSetID=1001

Context Example#

{
"FireEyeHX": {
"HostSets": {
"_id": 1001,
"_revision": "20210308150955358783164361",
"name": "Test",
"type": "venn",
"url": "/hx/api/v3/host_sets/1001",
"deleted": false
}
}
}

Human Readable Output#

FireEye HX Get Host Sets Information#

NameIDType
Test1001venn

fireeye-hx-list-policy#


Returns a list of all policies.

Base Command#

fireeye-hx-list-policy

Input#

Argument NameDescriptionRequired
offsetSpecifies which record to start with in the response. Default is 0.Optional
limitLimits the number of results.Optional
policyNameThe name of the policy.Optional
policyIdThe unique policy ID.Optional
enabledWhether the policy is enabled ("true") or disabled ("false"). Possible values are: true, false.Optional

Context Output#

PathTypeDescription
FireEyeHX.Policy._idStringThe ID of the unique policy.
FireEyeHX.Policy.nameStringThe name of the policy.
FireEyeHX.Policy.descriptionStringThe description of the policy.
FireEyeHX.Policy.policy_type_idStringThe ID of the unique policy type.
FireEyeHX.Policy.priorityNumberThe priority order of the policy.
FireEyeHX.Policy.enabledBooleanWhether the policy is enabled ("true") or disabled ("false").
FireEyeHX.Policy.defaultBooleanWhether it is the default policy (true). There can only be one policy marked as default.
FireEyeHX.Policy.migratedBooleanWhether it is a migrated policy (true).
FireEyeHX.Policy.created_byStringThe user who created the policy.
FireEyeHX.Policy.created_atStringThe time the policy was first created.
FireEyeHX.Policy.updated_atStringThe time the policy was last updated.
FireEyeHX.Policy.categoriesUnknownThe collection of categories that the policy is associated.
FireEyeHX.Policy.display_created_atStringThe time since the display was first created.
FireEyeHX.Policy.display_updated_atStringThe time since the display was last updated.

Command example#

!fireeye-hx-list-policy limit=2 policyName=Test

Context Example#

{
"FireEyeHX": {
"Policy": {
"data": {
"entries": [],
"limit": 2,
"offset": 0,
"query": {
"limit": "2",
"name": "Test",
"offset": "0"
},
"sort": {},
"total": 0
},
"details": [],
"message": "OK",
"route": "/hx/api/v3/policies"
}
}
}

Human Readable Output#

FireEye HX List Policies#

No entries.

fireeye-hx-list-host-set-policy#


Returns a list of all policies for all host sets.

Base Command#

fireeye-hx-list-host-set-policy

Input#

Argument NameDescriptionRequired
offsetSpecifies which record to start with in the response. Default is 0.Optional
limitLimits the number of results.Optional
hostSetIdThe host set ID.Optional
policyIdThe unique policy ID.Optional

Context Output#

PathTypeDescription
FireEyeHX.HostSets.Policy.policy_idStringThe ID of the unique policy.
FireEyeHX.HostSets.Policy.persist_idNumberThe ID of the host set.

Command example#

!fireeye-hx-list-host-set-policy limit=1

Context Example#

{
"FireEyeHX": {
"HostSets": {
"Policy": [
{
"persist_id": 1001,
"policy_id": "YYYXXXYYY"
},
{
"persist_id": 1002,
"policy_id": "YYYXXXYYY"
},
{
"persist_id": 1005,
"policy_id": "YYYXXXYYY"
},
{
"persist_id": 1005,
"policy_id": "YYYXXXYYY"
}
]
}
}
}

Human Readable Output#

FireEye HX Host Set Policies#

Policy IdHost Set Id
YYYXXXYYY1001
YYYXXXYYY1002
YYYXXXYYY1005
YYYXXXYYY1005

fireeye-hx-list-containment#


Fetches all containment states across known hosts.

Base Command#

fireeye-hx-list-containment

Input#

Argument NameDescriptionRequired
offsetSpecifies which record to start with in the response. Default is 0.Optional
limitLimits the number of results.Optional
state_update_timeMust be from type of -> String: date-time.Optional

Context Output#

PathTypeDescription
FireEyeHX.Hosts._idStringThe FireEye HX Agent ID.
FireEyeHX.Hosts.last_sysinfoStringThe Last Sysinfo date.
FireEyeHX.Hosts.requested_by_actorStringThe action requested by actor.
FireEyeHX.Hosts.requested_onStringWhen the containment was requested.
FireEyeHX.Hosts.contained_by_actorStringThe action contained by actor.
FireEyeHX.Hosts.contained_onStringWhen the host was contained.
FireEyeHX.Hosts.queuedBooleanDetermines whether the hosts are queued for containment.
FireEyeHX.Hosts.excludedBooleanWhether the hosts are excluded.
FireEyeHX.Hosts.missing_softwareBooleanWhether there is missing software.
FireEyeHX.Hosts.reported_cloneBooleanWhether there is a reported clone.
FireEyeHX.Hosts.stateStringThe state of the hosts.
FireEyeHX.Hosts.state_update_timeStringThe state update time of the hosts.
FireEyeHX.Hosts.urlStringThe URL of the hosts.

Command example#

!fireeye-hx-list-containment limit=2

Context Example#

{
"FireEyeHX": {
"Hosts": [
{
"_id": "YYYXXXYYY",
"contained_by_actor": null,
"contained_on": null,
"excluded": false,
"last_sysinfo": "2022-02-23T07:28:33.969Z",
"missing_software": false,
"queued": false,
"reported_clone": false,
"requested_by_actor": null,
"requested_on": null,
"state": "normal",
"state_update_time": "2022-02-22T14:00:31.056Z",
"url": "/hx/api/v3/hosts/YYYXXXYYY"
},
{
"_id": "YYYXXXYYY",
"contained_by_actor": null,
"contained_on": null,
"excluded": false,
"last_sysinfo": "2022-02-23T08:23:25.592Z",
"missing_software": false,
"queued": false,
"reported_clone": false,
"requested_by_actor": null,
"requested_on": null,
"state": "normal",
"state_update_time": "2021-03-17T12:54:56.481Z",
"url": "/hx/api/v3/hosts/YYYXXXYYY"
}
]
}
}

Human Readable Output#

List Containment#

IdStateRequest OriginRequest DateContainment OriginContainment DateLast System information date
YYYXXXYYYnormal2022-02-23T07:28:33.969Z
YYYXXXYYYnormal2022-02-23T08:23:25.592Z

fireeye-hx-search-list#


Fetches all enterprise searches.

Base Command#

fireeye-hx-search-list

Input#

Argument NameDescriptionRequired
offsetSpecifies which record to start with in the response. Default is 0.Optional
limitSpecifies how many records are returned. Default is 50.Optional
stateFilter by search state. Select either STOPPED or RUNNING. Possible values are: RUNNING, STOPPED.Optional
sortSorts the results by the specified field. Default is sort by _id. Possible values are: _id, state, host_set._id, update_time, create_time, update_actor._id, update_actor.username, create_actor._id, create_actor.username.Optional
hostSetIdFilters searches by host set ID - <Integer>.Optional
searchIdReturns a single enterprise search record. If you enter this argument there is no need for other arguments.Optional
actorUsernameFilters searches by username that created searches - <String>.Optional

Context Output#

PathTypeDescription
FireEyeHX.Search._idNumberThe ID of the unique search.
FireEyeHX.Search.stateStringThe state of the search, whether it stopped or ran.
FireEyeHX.Search.scriptsUnknownA list of reference objects for the scripts utilized in this search.
FireEyeHX.Search.update_timeStringThe time the search was last updated.
FireEyeHX.Search.create_timeStringThe time the search was created.
FireEyeHX.Search.scripts.platformUnknownThe platform for which this script is used.
FireEyeHX.Search.update_actorUnknownThe actor who last updated the search.
FireEyeHX.Search.create_actorUnknownThe actor who created the search.
FireEyeHX.Search.errorUnknownCollection of errors per agents for the search.
FireEyeHX.Search._revisionStringThe ETag that can be used for concurrency checking.
FireEyeHX.Search.input_typeStringThe input method that was used to start the search.
FireEyeHX.Search.urlStringThe URI to retrieve data for this record.
FireEyeHX.Search.host_setUnknownThe Host Set information.
FireEyeHX.Search.statsUnknownThe stats information.
FireEyeHX.Search.stats.hostsNumberThe number of hosts running this operation.
FireEyeHX.Search.stats.skipped_hostsNumberThe number of hosts that were skipped.
FireEyeHX.Search.stats.search_stateUnknownThe number of search in different states.
FireEyeHX.Search.stats.search_issuesUnknownThe issues encountered for searches.
FireEyeHX.Search.settings.query_terms.termsUnknownThe terms for the operation.
FireEyeHX.Search.stats.hosts.settings.query_terms.exhaustive_termsUnknownThe exhaustive terms for the operation.
FireEyeHX.Search.stats.settings.search_typeStringThe type of search.
FireEyeHX.Search.stats.settings.exhaustiveStringWhether a search is exhaustive.
FireEyeHX.Search.stats.settings.modeStringWhether a search is a HOST type or GRID type.
FireEyeHX.Search.stats.settings.displaynameStringThe name of the search.

Command example#

!fireeye-hx-search-list limit=1

Context Example#

{
"FireEyeHX": {
"Search": {
"_id": 143,
"_revision": "20220223091811214662597541",
"create_actor": {
"_id": 1001,
"username": "test"
},
"create_time": "2022-02-23T09:18:11.214Z",
"error": null,
"host_set": null,
"input_type": "api",
"scripts": [
{
"_id": "YYYXXXYYY",
"download": "/hx/api/v3/scripts/YYYXXXYYY.json",
"platform": "win",
"url": "/hx/api/v3/scripts/YYYXXXYYY"
},
{
"_id": "YYYXXXYYY",
"download": "/hx/api/v3/scripts/YYYXXXYYY.json",
"platform": "osx",
"url": "/hx/api/v3/scripts/YYYXXXYYY"
}
],
"settings": {
"displayname": null,
"exhaustive": true,
"mode": "HOST",
"query_terms": {
"exhaustive_terms": [],
"terms": [
{
"field": "IP Address",
"operator": "equals",
"value": "xx.xx.xx.xx"
}
]
},
"search_type": "QUERY"
},
"state": "RUNNING",
"stats": {
"hosts": 1,
"running_state": {
"ABORTED": 0,
"CANCELLED": 0,
"COMPLETE": 0,
"DELETED": 0,
"FAILED": 0,
"NEW": 1,
"QUEUED": 0,
"REFRESH": 0
},
"search_issues": {},
"search_state": {
"ERROR": 0,
"MATCHED": 0,
"NOT_MATCHED": 0,
"PENDING": 1
},
"skipped_hosts": 0
},
"update_actor": {
"_id": 1001,
"username": "test"
},
"update_time": "2022-02-23T09:18:11.214Z",
"url": "/hx/api/v3/searches/143"
}
}
}

Human Readable Output#

IdStateHost SetCreated ByCreated AtUpdated ByUpdated At
143RUNNING_id: 1001
username: test
2022-02-23T09:18:11.214Z_id: 1001
username: test
2022-02-23T09:18:11.214Z

fireeye-hx-search-stop#


Stops a specific running search.

Base Command#

fireeye-hx-search-stop

Input#

Argument NameDescriptionRequired
searchIdUnique search ID - Required.Required

Context Output#

PathTypeDescription
FireEyeHX.Search._idNumberThe ID of the unique search.
FireEyeHX.Search.stateStringThe state of the search, whether it stopped or ran.
FireEyeHX.Search.scriptsUnknownA list of reference objects for the scripts utilized in this search.
FireEyeHX.Search.update_timeStringThe time the search was last updated.
FireEyeHX.Search.create_timeStringThe time the search was created.
FireEyeHX.Search.scripts.platformUnknownThe platform for which this script is used.
FireEyeHX.Search.update_actorUnknownThe actor who last updated the search.
FireEyeHX.Search.create_actorUnknownThe actor who created the search.
FireEyeHX.Search.errorUnknownThe collection of errors per agents for the search.
FireEyeHX.Search._revisionUnknownETag that can be used for concurrency checking.
FireEyeHX.Search.input_typeStringThe input method that was used to start the search.
FireEyeHX.Search.urlStringThe URI to retrieve data for this record.
FireEyeHX.Search.host_setUnknownThe Host Set information.
FireEyeHX.Search.statsUnknownThe stats information.
FireEyeHX.Search.stats.hostsNumberThe number of hosts running this operation.
FireEyeHX.Search.stats.skipped_hostsNumberThe number of hosts that were skipped.
FireEyeHX.Search.stats.search_stateUnknownThe number of search in different states.
FireEyeHX.Search.stats.search_issuesUnknownThe issues encountered for searches.
FireEyeHX.Search.settings.query_terms.termsUnknownThe terms for the operation.
FireEyeHX.Search.stats.hosts.settings.query_terms.exhaustive_termsUnknownThe exhaustive terms for the operation
FireEyeHX.Search.stats.settings.search_typeStringThe type of search.
FireEyeHX.Search.stats.settings.exhaustiveStringWhether a search is exhaustive.
FireEyeHX.Search.stats.settings.modeStringWhether a search is a HOST type or GRID type.
FireEyeHX.Search.stats.settings.displaynameStringThe name of the search.

Command example#

!fireeye-hx-search-stop searchId=141

Context Example#

{
"FireEyeHX": {
"Search": {
"_id": 141,
"_revision": "20220223091838188310597550",
"create_actor": {
"_id": 1001,
"username": "test"
},
"create_time": "2022-02-23T09:05:54.645Z",
"error": null,
"host_set": null,
"input_type": "api",
"scripts": [
{
"_id": "YYYXXXYYY",
"download": "/hx/api/v3/scripts/YYYXXXYYY.json",
"platform": "win",
"url": "/hx/api/v3/scripts/YYYXXXYYY"
},
{
"_id": "YYYXXXYYY",
"download": "/hx/api/v3/scripts/YYYXXXYYY.json",
"platform": "osx",
"url": "/hx/api/v3/scripts/YYYXXXYYY"
}
],
"settings": {
"displayname": null,
"exhaustive": true,
"mode": "HOST",
"query_terms": {
"exhaustive_terms": [],
"terms": [
{
"field": "IP Address",
"operator": "equals",
"value": "xx.xx.xx.xx"
}
]
},
"search_type": "QUERY"
},
"state": "STOPPED",
"stats": {
"hosts": 1,
"running_state": {
"ABORTED": 0,
"CANCELLED": 0,
"COMPLETE": 1,
"DELETED": 0,
"FAILED": 0,
"NEW": 0,
"QUEUED": 0,
"REFRESH": 0
},
"search_issues": {},
"search_state": {
"ERROR": 0,
"MATCHED": 1,
"NOT_MATCHED": 0,
"PENDING": 0
},
"skipped_hosts": 0
},
"update_actor": {
"_id": 1001,
"username": "test"
},
"update_time": "2022-02-23T09:18:38.188Z",
"url": "/hx/api/v3/searches/141"
}
}
}

Human Readable Output#

Results Search Id 141: Success

fireeye-hx-search-result-get#


Fetches the results for a specific enterprise search.

Base Command#

fireeye-hx-search-result-get

Input#

Argument NameDescriptionRequired
searchIdThe Unique search ID.Required

Context Output#

PathTypeDescription
FireEyeHX.Search.host._idStringThe ID of the unique agent.
FireEyeHX.Search.host.urlStringThe URI to retrieve data for this record.
FireEyeHX.Search.host.hostnameStringThe name of the host.
FireEyeHX.Search.results._idNumberThe unique ID.
FireEyeHX.Search.results.typeStringThe type of the search result data.
FireEyeHX.Search.results.dataUnknownThe object containing data relating to the search result for the host.

Command example#

!fireeye-hx-search-result-get searchId=141

Context Example#

{
"FireEyeHX": {
"Search": {
"host": {
"_id": "YYYXXXYYY",
"hostname": "XXX",
"url": "/hx/api/v3/hosts/YYYXXXYYY"
},
"results": [
{
"data": {
"IP Address": "xx.xx.xx.xx",
"Local IP Address": "xx.xx.xx.xx",
"Local Port": "64924",
"Port": "443",
"Process ID": "8696",
"Process Name": "chrome.exe",
"Remote IP Address": "xx.xx.xx.xx",
"Remote Port": "443",
"Timestamp - Accessed": "2022-01-20T09:41:51.470Z",
"Timestamp - Event": "2022-01-20T09:41:51.470Z",
"Username": "XXX\\User"
},
"id": 1,
"type": "IPv4 Network Event"
},
{
"data": {
"IP Address": "xx.xx.xx.xx",
"Local IP Address": "xx.xx.xx.xx",
"Local Port": "64925",
"Port": "443",
"Process ID": "8696",
"Process Name": "chrome.exe",
"Remote IP Address": "xx.xx.xx.xx",
"Remote Port": "443",
"Timestamp - Accessed": "2022-01-20T09:41:51.470Z",
"Timestamp - Event": "2022-01-20T09:41:51.470Z",
"Username": "XXX\\User"
},
"id": 2,
"type": "IPv4 Network Event"
},
{
"data": {
"IP Address": "xx.xx.xx.xx",
"Local IP Address": "xx.xx.xx.xx",
"Local Port": "64926",
"Port": "443",
"Process ID": "8696",
"Process Name": "chrome.exe",
"Remote IP Address": "xx.xx.xx.xx",
"Remote Port": "443",
"Timestamp - Accessed": "2022-01-20T09:41:51.470Z",
"Timestamp - Event": "2022-01-20T09:41:51.470Z",
"Username": "XXX\\User"
},
"id": 3,
"type": "IPv4 Network Event"
},
{
"data": {
"IP Address": "xx.xx.xx.xx",
"Local IP Address": "xx.xx.xx.xx",
"Local Port": "56687",
"Port": "443",
"Process ID": "8696",
"Process Name": "chrome.exe",
"Remote IP Address": "xx.xx.xx.xx",
"Remote Port": "443",
"Timestamp - Accessed": "2022-01-31T06:56:37.591Z",
"Timestamp - Event": "2022-01-31T06:56:37.591Z",
"Username": "XXX\\User"
},
"id": 4,
"type": "IPv4 Network Event"
},
{
"data": {
"IP Address": "xx.xx.xx.xx",
"Local IP Address": "xx.xx.xx.xx",
"Local Port": "58763",
"Port": "443",
"Process ID": "8696",
"Process Name": "chrome.exe",
"Remote IP Address": "xx.xx.xx.xx",
"Remote Port": "443",
"Timestamp - Accessed": "2022-02-01T07:51:38.928Z",
"Timestamp - Event": "2022-02-01T07:51:38.928Z",
"Username": "XXX\\User"
},
"id": 5,
"type": "IPv4 Network Event"
},
{
"data": {
"IP Address": "xx.xx.xx.xx",
"Local IP Address": "xx.xx.xx.xx",
"Local Port": "58766",
"Port": "443",
"Process ID": "8696",
"Process Name": "chrome.exe",
"Remote IP Address": "xx.xx.xx.xx",
"Remote Port": "443",
"Timestamp - Accessed": "2022-02-01T07:53:03.630Z",
"Timestamp - Event": "2022-02-01T07:53:03.630Z",
"Username": "XXX\\User"
},
"id": 6,
"type": "IPv4 Network Event"
},
{
"data": {
"IP Address": "xx.xx.xx.xx",
"Local IP Address": "xx.xx.xx.xx",
"Local Port": "59099",
"Port": "443",
"Process ID": "8696",
"Process Name": "chrome.exe",
"Remote IP Address": "xx.xx.xx.xx",
"Remote Port": "443",
"Timestamp - Accessed": "2022-02-01T12:04:14.969Z",
"Timestamp - Event": "2022-02-01T12:04:14.969Z",
"Username": "XXX\\User"
},
"id": 7,
"type": "IPv4 Network Event"
},
{
"data": {
"IP Address": "xx.xx.xx.xx",
"Local IP Address": "xx.xx.xx.xx",
"Local Port": "55107",
"Port": "443",
"Process ID": "8696",
"Process Name": "chrome.exe",
"Remote IP Address": "xx.xx.xx.xx",
"Remote Port": "443",
"Timestamp - Accessed": "2022-02-07T10:51:46.951Z",
"Timestamp - Event": "2022-02-07T10:51:46.951Z",
"Username": "XXX\\User"
},
"id": 8,
"type": "IPv4 Network Event"
},
{
"data": {
"IP Address": "xx.xx.xx.xx",
"Local IP Address": "xx.xx.xx.xx",
"Local Port": "55107",
"Port": "443",
"Process ID": "8696",
"Process Name": "chrome.exe",
"Remote IP Address": "xx.xx.xx.xx",
"Remote Port": "443",
"Timestamp - Accessed": "2022-02-07T10:53:17.233Z",
"Timestamp - Event": "2022-02-07T10:53:17.233Z",
"Username": "XXX\\User"
},
"id": 9,
"type": "IPv4 Network Event"
}
]
}
}
}

Human Readable Output#

Host Id YYYXXXYYY#

Host Name XXX |Item Type|Summary| |---|---| | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 64924,
Remote Port: 443,
Timestamp - Event: 2022-01-20T09:41:51.470Z,
Timestamp - Accessed: 2022-01-20T09:41:51.470Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 64925,
Remote Port: 443,
Timestamp - Event: 2022-01-20T09:41:51.470Z,
Timestamp - Accessed: 2022-01-20T09:41:51.470Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 64926,
Remote Port: 443,
Timestamp - Event: 2022-01-20T09:41:51.470Z,
Timestamp - Accessed: 2022-01-20T09:41:51.470Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 56687,
Remote Port: 443,
Timestamp - Event: 2022-01-31T06:56:37.591Z,
Timestamp - Accessed: 2022-01-31T06:56:37.591Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 58763,
Remote Port: 443,
Timestamp - Event: 2022-02-01T07:51:38.928Z,
Timestamp - Accessed: 2022-02-01T07:51:38.928Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 58766,
Remote Port: 443,
Timestamp - Event: 2022-02-01T07:53:03.630Z,
Timestamp - Accessed: 2022-02-01T07:53:03.630Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 59099,
Remote Port: 443,
Timestamp - Event: 2022-02-01T12:04:14.969Z,
Timestamp - Accessed: 2022-02-01T12:04:14.969Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 55107,
Remote Port: 443,
Timestamp - Event: 2022-02-07T10:51:46.951Z,
Timestamp - Accessed: 2022-02-07T10:51:46.951Z | | IPv4 Network Event | Process Name: chrome.exe,
Process ID: 8696,
Username: XXX\User,
Local IP Address: xx.xx.xx.xx,
Remote IP Address: xx.xx.xx.xx,
IP Address: xx.xx.xx.xx,
Port: 443,
Local Port: 55107,
Remote Port: 443,
Timestamp - Event: 2022-02-07T10:53:17.233Z,
Timestamp - Accessed: 2022-02-07T10:53:17.233Z |

fireeye-hx-search#


Searches endpoints to check all hosts or a subset of hosts for a specific file or indicator.

Base Command#

fireeye-hx-search

Input#

Argument NameDescriptionRequired
searchIdsearchId.Optional
agentsIdsThe IDs of the gents to be searched.Optional
hostsNamesThe names of hosts to be searched.Optional
hostSetThe ID of host set to be searched.Optional
hostSetNameThe name of host set to be searched.Optional
limitLimits the results count (once the limit is reached, the search is stopped).Optional
exhaustiveWhether a search is exhaustive or quick. Possible values are: yes, no. Default is yes.Optional
ipAddressA valid IPv4 address for which to search.Optional
ipAddressOperatorWhich operator to apply to the given IP address. Possible values are: equals, not equals.Optional
pollingWhether to use Cortex XSOAR's built-in polling to retrieve the result, when ready. Possible values are: true, false.Optional
interval_in_secondsThe interval in seconds between each poll. Default is 60.Optional
fileMD5HashA 32-character MD5 hash value for which to search.Optional
fileMD5HashOperatorWhich operator to apply to the given MD5 hash. Possible values are: equals, not equals.Optional
fileFullPathThe full path of file to search.Optional
fileFullPathOperatorWhich operator to apply to the given file path. Possible values are: equals, not equals, contains, not contains.Optional
dnsHostnameThe DNS value for which to search.Optional
dnsHostnameOperatorWhich operator to apply to the given DNS. Possible values are: equals, not equals, contains, not contains.Optional
stopSearchThe method in which the search should be stopped after finding <limit> number of results. Possible values are: stopAndDelete, stop.Optional
fieldSearchNameSearchable fields - If using this argument, the 'fieldSearchOperator' and 'fieldSearchValue' arguments are required. Possible values are: Application Name, Browser Name, Browser Version, Cookie Flags, Cookie Name, Cookie Value, Driver Device Name, Driver Module Name, Executable Exported Dll Name, Executable Exported Function Name, Executable Imported Function Name, Executable Imported Module Name, Executable Injected, Executable PE Type, Executable Resource Name, File Attributes, File Certificate Issuer, File Certificate Subject, File Download Mime Type, File Download Referrer, File Download Type, File Name, File SHA1 Hash, File SHA256 Hash, File Signature Exists, File Signature Verified, File Stream Name, File Text Written, Group Name, HTTP Header, Host Set, Hostname, Local IP Address, Local Port, Parent Process Name, Parent Process Path, Port, Port Protocol, Port State, Process Arguments, Process Name, Quarantine Event Sender Address, Quarantine Event Sender Name, Registry Key Full Path, Registry Key Value Name, Registry Key Value Text, Remote IP Address, Remote Port, Service DLL, Service Mode, Service Name, Service Status, Service Type, Size in bytes, Syslog Event ID, Syslog Event Message, Syslog Facility.Optional
fieldSearchOperatorWhich operator to apply to the given search field. Possible values are: equals, not equals, contains, not contains, less than, greater than.Optional
fieldSearchValueOne or more values that match the selected search type.Optional

Context Output#

PathTypeDescription
FireEyeHX.Search.results.Timestamp - ModifiedstringThe time when the entry was last modified.
FireEyeHX.Search.results.File Text WrittenstringThe file text content.
FireEyeHX.Search.results.File NamestringThe name of the file.
FireEyeHX.Search.results.File Full PathstringThe full path of the file.
FireEyeHX.Search.results.File Bytes WrittenstringThe number of bytes written to the file.
FireEyeHX.Search.results.Size in bytesstringThe size of the file in bytes.
FireEyeHX.Search.results.Browser VersionstringThe version of the browser.
FireEyeHX.Search.results.Browser NamestringThe name of the browser.
FireEyeHX.Search.results.Cookie NamestringThe name of the cookie.
FireEyeHX.Search.results.DNS HostnamestringThe name of the DNS host.
FireEyeHX.Search.results.URLstringThe event URL.
FireEyeHX.Search.results.UsernamestringThe event username.
FireEyeHX.Search.results.File MD5 HashstringThe MD5 hash of the file.
FireEyeHX.Search.host._idstringThe ID of the host.
FireEyeHX.Search.host.hostnamestringThe name of host.
FireEyeHX.Search.host.urlstringThe Inner FireEye host URL.
FireEyeHX.Search.results.datastringThe ID of the performed search.
FireEyeHX.Search.results.Timestamp - AccessedstringThe last accessed time.
FireEyeHX.Search.results.PortnumberThe Port.
FireEyeHX.Search.results.Process IDstringThe ID of the process.
FireEyeHX.Search.results.Local IP AddressstringThe local IP Address.
FireEyeHX.Search.results.Local IP AddressstringThe local IP Address.
FireEyeHX.Search.results.Local PortnumberThe local Port.
FireEyeHX.Search.results.UsernamestringThe username.
FireEyeHX.Search.results.Remote PortnumberThe remote port.
FireEyeHX.Search.results.IP AddressstringThe IP address.
FireEyeHX.Search.results.Process NamestringThe process name.
FireEyeHX.Search.results.Timestamp - EventstringThe timestamp of the event.
FireEyeHX.Search.results.typestringThe type of the event.
FireEyeHX.Search.results.idstringThe ID of the result.

Command example#

!fireeye-hx-search hostsNames=XXX ipAddress=xx.xx.xx.xx ipAddressOperator=equals polling=false

Human Readable Output#

Search started, Search ID: 143

fireeye-hx-get-alert#


Get details of a specific alert.

Base Command#

fireeye-hx-get-alert

Input#

Argument NameDescriptionRequired
alertIdThe alert ID.Required

Context Output#

PathTypeDescription
FireEyeHX.Alerts._idNumberThe ID of the FireEye alert.
FireEyeHX.Alerts.agent._idUnknownThe ID of the FireEye agent.
FireEyeHX.Alerts.agent.containment_stateUnknownThe containment state of the agent.
FireEyeHX.Alerts.condition._idStringThe unique ID of the condition.
FireEyeHX.Alerts.event_atStringThe time when the event occurred.
FireEyeHX.Alerts.matched_atStringThe time when the event was matched.
FireEyeHX.Alerts.reported_atStringThe time when the event was reported.
FireEyeHX.Alerts.sourceStringThe source of the alert.
FireEyeHX.Alerts.matched_source_alerts._idUnknownThe ID of the source alert.
FireEyeHX.Alerts.matched_source_alerts.appliance_idUnknownThe ID of the appliance.
FireEyeHX.Alerts.matched_source_alerts.metaUnknownThe source alert meta.
FireEyeHX.Alerts.matched_source_alerts.indicator_idUnknownThe ID of the indicator.
FireEyeHX.Alerts.resolutionStringThe alert resolution.
FireEyeHX.Alerts.event_typeStringThe type of the event.

Command example#

!fireeye-hx-get-alert alertId=8

Context Example#

{
"DBotScore": {
"Indicator": null,
"Score": 0,
"Type": "file",
"Vendor": "FireEyeHX v2"
},
"File": {
"Extension": "exe",
"Name": "feyeqatest.exe",
"Path": "C:\\Users\\User\\Desktop\\\u37cb\\feyeqatest.exe"
},
"FireEyeHX": {
"Alerts": {
"_id": 8,
"agent": {
"_id": "YYYXXXYYY",
"containment_state": "normal",
"url": "/hx/api/v3/hosts/YYYXXXYYY"
},
"appliance": {
"_id": "YYYXXXYYY"
},
"condition": {
"_id": "YYYXXXYYY",
"url": "/hx/api/v3/conditions/YYYXXXYYY"
},
"decorator_statuses": [],
"decorators": [],
"event_at": "2022-01-25T10:25:19.665Z",
"event_id": 59302205,
"event_type": "fileWriteEvent",
"event_values": {
"fileWriteEvent/closed": 1,
"fileWriteEvent/drive": "C",
"fileWriteEvent/eventReason": "Unknown",
"fileWriteEvent/fileExtension": "exe",
"fileWriteEvent/fileName": "feyeqatest.exe",
"fileWriteEvent/filePath": "Users\\User\\Desktop\\\u37cb",
"fileWriteEvent/fullPath": "C:\\Users\\User\\Desktop\\\u37cb\\feyeqatest.exe",
"fileWriteEvent/numBytesSeenWritten": 0,
"fileWriteEvent/openDuration": 0,
"fileWriteEvent/openTime": "2022-01-25T10:25:19.665Z",
"fileWriteEvent/parentPid": 5560,
"fileWriteEvent/parentProcessPath": "C:\\Windows\\System32\\userinit.exe",
"fileWriteEvent/pid": 5604,
"fileWriteEvent/process": "explorer.exe",
"fileWriteEvent/processPath": "C:\\Windows",
"fileWriteEvent/size": 70,
"fileWriteEvent/timestamp": "2022-01-25T10:25:19.665Z",
"fileWriteEvent/username": "XXX\\User",
"fileWriteEvent/writes": 0
},
"indicator": {
"_id": "2b4753b0-9972-477e-ba16-1a7c29058cee",
"category": "mandiant_unrestricted",
"display_name": "FIREEYE END2END TEST",
"name": "FIREEYE END2END TEST",
"signature": null,
"uri_name": "2b4753b0-9972-477e-ba16-1a7c29058cee",
"url": "/hx/api/v3/indicators/mandiant_unrestricted/2b4753b0_9972_477e_ba16_1a7c29058cee"
},
"is_false_positive": false,
"matched_at": "2022-01-25T10:25:34.000Z",
"matched_source_alerts": [],
"md5values": [],
"multiple_match": null,
"reported_at": "2022-01-25T10:25:44.011Z",
"resolution": "ALERT",
"source": "IOC",
"subtype": null,
"url": "/hx/api/v3/alerts/8"
}
}
}

Human Readable Output#

File#

Namemd5ExtensionPath
feyeqatest.exeexeC:\Users\User\Desktop\ใŸ‹\feyeqatest.exe

fireeye-hx-suppress-alert#


Suppresses an alert by ID.

Base Command#

fireeye-hx-suppress-alert

Input#

Argument NameDescriptionRequired
alertIdThe alert ID. The alert ID is listed in the output of 'get-alerts'. command.Required

Context Output#

There is no context output for this command.

Command example#

!fireeye-hx-suppress-alert alertId=18

Human Readable Output#

Alert 18 suppressed successfully.

fireeye-hx-get-indicators#


Get a list of indicators.

Base Command#

fireeye-hx-get-indicators

Input#

Argument NameDescriptionRequired
categoryThe category of the indicator.Optional
searchTermThe searchTerm can be any name, category, signature, source, or condition value.Optional
shareModeDetermines who can see the indicator. They must belong to the correct authorization group. Possible values are: any, restricted, unrestricted, visible.Optional
sortSorts the results by the specified field in ascending order. Possible values are: category, activeSince, createdBy, alerted.Optional
createdByThe person who created the indicator.Optional
alertedWhether the indicator resulted in alerts. Possible values are: yes, no.Optional
limitLimits the number of results.Optional

Context Output#

PathTypeDescription
FireEyeHX.Indicators._idStringFireEye unique indicator ID.
FireEyeHX.Indicators.nameStringThe indicator name as displayed in the UI.
FireEyeHX.Indicators.descriptionStringThe description of the indicator.
FireEyeHX.Indicators.category.nameStringThe Category name.
FireEyeHX.Indicators.created_byStringThe "Created By" field as displayed in UI.
FireEyeHX.Indicators.active_sinceStringThe date the indicator became active.
FireEyeHX.Indicators.stats.source_alertsUnknownThe total number of source alerts associated with this indicator.
FireEyeHX.Indicators.stats.alerted_agentsUnknownThe total number of agents with HX alerts associated with this indicator.
FireEyeHX.Indicators.platformsUnknownThe list of operating systems.
FireEyeHX.Indicators.uri_nameStringThe URI formatted name of the indicator.
FireEyeHX.Indicators.category.uri_nameStringThe URI name of the category.

Command example#

!fireeye-hx-get-indicators limit=2

Context Example#

{
"FireEyeHX": {
"Indicators": [
{
"_id": "YYYXXXYYY",
"_revision": "20220223091809012244597537",
"active_since": "2022-02-23T09:18:09.012Z",
"category": {
"_id": 2,
"name": "Custom",
"share_mode": "unrestricted",
"uri_name": "Custom",
"url": "/hx/api/v3/indicator_categories/custom"
},
"create_actor": {
"_id": 1001,
"username": "test"
},
"create_text": null,
"created_by": "test",
"description": null,
"display_name": null,
"meta": null,
"name": "YYYXXXYYY",
"platforms": [
"win",
"osx",
"linux"
],
"signature": null,
"stats": {
"active_conditions": 0,
"alerted_agents": 0,
"source_alerts": 0
},
"update_actor": {
"_id": 1001,
"username": "test"
},
"uri_name": "YYYXXXYYY",
"url": "/hx/api/v3/indicators/custom/37a97ac2_35e9_40ad_a108_6802d5d82890"
},
{
"_id": "YYYXXXYYY",
"_revision": "20220223075746635023596874",
"active_since": "2022-02-23T07:57:46.635Z",
"category": {
"_id": 2,
"name": "Custom",
"share_mode": "unrestricted",
"uri_name": "Custom",
"url": "/hx/api/v3/indicator_categories/custom"
},
"create_actor": {
"_id": 1001,
"username": "test"
},
"create_text": null,
"created_by": "test",
"description": null,
"display_name": null,
"meta": null,
"name": "YYYXXXYYY",
"platforms": [
"win",
"osx",
"linux"
],
"signature": null,
"stats": {
"active_conditions": 0,
"alerted_agents": 0,
"source_alerts": 0
},
"update_actor": {
"_id": 1001,
"username": "test"
},
"uri_name": "YYYXXXYYY",
"url": "/hx/api/v3/indicators/custom/5d5cea45_2856_4338_8de8_7ef2b16f9511"
}
]
}
}

Human Readable Output#

FireEye HX Get Indicator- None#

OSNameCreated ByActive SinceCategorySignatureActive ConditionHosts With AlertsSource Alerts
win, osx, linuxYYYXXXYYYtest2022-02-23T09:18:09.012ZCustom000
win, osx, linuxYYYXXXYYYtest2022-02-23T07:57:46.635ZCustom000

fireeye-hx-get-indicator#


Get details of a specific indicator.

Base Command#

fireeye-hx-get-indicator

Input#

Argument NameDescriptionRequired
categoryThe category of the indicator. Use the uri_category value.Required
nameThe name of the indicator. Use the uri_name value.Required

Context Output#

PathTypeDescription
FireEyeHX.Indicators._idStringThe FireEye unique indicator ID.
FireEyeHX.Indicators.nameStringThe indicator name as displayed in the UI.
FireEyeHX.Indicators.descriptionStringThe description of the indicator.
FireEyeHX.Indicators.category.nameStringThe name of the category.
FireEyeHX.Indicators.created_byStringThe "Created By" field as displayed in UI.
FireEyeHX.Indicators.active_sinceStringThe date the indicator became active.
FireEyeHX.Indicators.stats.source_alertsUnknownThe total number of source alerts associated with this indicator.
FireEyeHX.Indicators.stats.alerted_agentsUnknownThe total number of agents with HX alerts associated with this indicator.
FireEyeHX.Indicators.platformsUnknownThe list of operating systems.
FireEyeHX.Conditions._idUnknownThe ID of the FireEye unique condition.
FireEyeHX.Conditions.event_typeUnknownThe type of the event.
FireEyeHX.Conditions.enabledUnknownIndicates whether the condition is enabled.

Command example#

!fireeye-hx-get-indicator category=Custom name=YYYXXXYYY

Context Example#

{
"FireEyeHX": {
"Indicators": {
"_id": "YYYXXXYYY",
"_revision": "20220223075746635023596874",
"active_since": "2022-02-23T07:57:46.635Z",
"category": {
"_id": 2,
"name": "Custom",
"share_mode": "unrestricted",
"uri_name": "Custom",
"url": "/hx/api/v3/indicator_categories/custom"
},
"create_actor": {
"_id": 1001,
"username": "test"
},
"create_text": null,
"created_by": "test",
"description": null,
"display_name": null,
"meta": null,
"name": "YYYXXXYYY",
"platforms": [
"win",
"osx",
"linux"
],
"signature": null,
"stats": {
"active_conditions": 0,
"alerted_agents": 0,
"source_alerts": 0
},
"update_actor": {
"_id": 1001,
"username": "test"
},
"uri_name": "YYYXXXYYY",
"url": "/hx/api/v3/indicators/custom/5d5cea45_2856_4338_8de8_7ef2b16f9511"
}
}
}

Human Readable Output#

Indicator 'YYYXXXYYY' Alerts on#

No entries.

fireeye-hx-append-conditions#


Add conditions to an indicator. Conditions can be MD5, hash values, domain names and IP addresses.

Base Command#

fireeye-hx-append-conditions

Input#

Argument NameDescriptionRequired
categoryThe indicator category. Use the uri_category value.Required
nameThe name of the indicator. Use the uri_name value.Required
conditionA list of conditions to add. The list can include a list of IPv4 addresses, MD5 files, and domain names. For example, example.netexample.orgexample.lol.Required

Context Output#

There is no context output for this command.

Command example#

!fireeye-hx-append-conditions category=Custom name=YYYXXXYYY condition=exsmple.com

Context Example#

{
"FireEyeHX": {
"Conditions": {
"details": [],
"message": "OK",
"route": "/hx/api/v3/indicators/category/indicator/conditions"
}
}
}

Human Readable Output#

The conditions were added successfully#

CategoryConditionsName
Customexsmple.comYYYXXXYYY

fireeye-hx-search-delete#


Deletes the search by ID.

Base Command#

fireeye-hx-search-delete

Input#

Argument NameDescriptionRequired
searchIdThe search ID.Required

Context Output#

There is no context output for this command.

Command example#

!fireeye-hx-search-delete searchId=142

Human Readable Output#

Results Search Id 142: Deleted successfully

fireeye-hx-delete-file-acquisition#


Deletes the file acquisition by ID.

Base Command#

fireeye-hx-delete-file-acquisition

Input#

Argument NameDescriptionRequired
acquisitionIdThe acquisition ID.Required

Context Output#

There is no context output for this command.

fireeye-hx-approve-containment#


Approves pending containment requests made by other components or users. The required permission is api_admin role.

Base Command#

fireeye-hx-approve-containment

Input#

Argument NameDescriptionRequired
agentIdThe Agent ID - this argument is required.Required

Context Output#

There is no context output for this command.

fireeye-hx-assign-host-set-policy#


Inserts a new host set policy on your Endpoint Security server.

Base Command#

fireeye-hx-assign-host-set-policy

Input#

Argument NameDescriptionRequired
hostSetIdThe Host Set ID - this argument is required.Required
policyIdThe Policy ID - this argument is required.Required

Context Output#

There is no context output for this command.

Command example#

!fireeye-hx-assign-host-set-policy hostSetId=1005 policyId=YYYXXXYYY

Human Readable Output#

This hostset may already be included in this policy

fireeye-hx-get-data-acquisition#


Collects artifacts from the system disk and memory for the given acquisition ID (the data is fetched as a MANS file).

Base Command#

fireeye-hx-get-data-acquisition

Input#

Argument NameDescriptionRequired
acquisitionIdThe acquisition unique ID.Required

Context Output#

PathTypeDescription
FireEyeHX.Acquisitions.Data._idstringThe unique ID of the acquisition.
FireEyeHX.Acquisitions.Data.statestringThe state of the acquisition.
FireEyeHX.Acquisitions.Data.md5stringThe MD5 of the file.
FireEyeHX.Acquisitions.Data.host._idstringThe ID of the agent.
FireEyeHX.Acquisitions.Data.finish_timestringThe time when the acquisition finished.
FireEyeHX.Acquisitions.Data.host.hostnamestringThe hostname.
FireEyeHX.Acquisitions.Data.instancedateThe FireEye HX instance.

Command example#

!fireeye-hx-get-data-acquisition acquisitionId=102

Context Example#

{
"File": {
"EntryID": "9ZoPJQJX9vtCa9NueiEpuj@cb52b293-6977-4d1b-8326-216bf1b32052",
"Extension": "mans",
"Info": "mans",
"MD5": "fedf0fbaf4811afd9602c22b29ebed4a",
"Name": "102_agent_YYYXXXYYY_data.mans",
"SHA1": "c83819759775fe7cb1fcfaf41a8d452f69caefc7",
"SHA256": "e92aaabe1e6dab564f421e3785dc46bacfe096b154acd042386e9f606a9e0b7e",
"SHA512": "9b4be59a5fb8dcb1832ef5eb6a4c587ac7da117b660f451b0b0414e0cf01d9a6208f605703f982486185be538e3869e821b0d8546bbbb264ac5268302a11fbd4",
"SSDeep": "393216:eijalomh9coY88Wy3cHnMcfrYECADR0E19dk:ea0jXY88dMHnv8uDL19dk",
"Size": 15678868,
"Type": "Zip archive data, at least v2.0 to extract"
},
"FireEyeHX": {
"Acquisitions": {
"Data": {
"_id": 102,
"_revision": "20220223084821573006597283",
"comment": null,
"download": "/hx/api/v3/acqs/live/102.mans",
"error_message": "The triage completed with issues.",
"external_id": null,
"finish_time": "2022-02-23T08:48:21.572Z",
"host": {
"_id": "YYYXXXYYY",
"hostname": "XXX",
"url": "/hx/api/v3/hosts/YYYXXXYYY"
},
"instance": "FireEyeHX v2_instance_1",
"md5": null,
"name": "osxDefaultScript",
"request_actor": {
"_id": 1001,
"username": "test"
},
"request_time": "2022-02-23T08:42:46.000Z",
"script": {
"_id": "7387b70dcf9c54334b2302daf6840ee10167a7e8",
"download": "/hx/api/v3/scripts/7387b70dcf9c54334b2302daf6840ee10167a7e8.json",
"url": "/hx/api/v3/scripts/7387b70dcf9c54334b2302daf6840ee10167a7e8"
},
"state": "COMPLETE",
"url": "/hx/api/v3/acqs/live/102",
"zip_file_size": "15678868",
"zip_passphrase": null
}
}
}
}

Human Readable Output#

The triage completed with issues. acquisition ID: 102

fireeye-hx-data-acquisition#


Start a data acquisition process to gather artifacts from the system disk and memory (the data is fetched as mans file).

Base Command#

fireeye-hx-data-acquisition

Input#

Argument NameDescriptionRequired
scriptThe acquisition script in JSON format.Optional
scriptNameThe script name. If the Acquisition script is specified, the script name must be specified as well.Optional
defaultSystemScriptSelect the host system, which uses the default script. Possible values are: osx, win, linux.Optional
agentIdThe agent ID. If the host name is not specified, the agent ID must be specified.Optional
hostNameThe host name. If the agent ID is not specified, the host name must be specified.Optional
acquisition_idThis argument is deprecated.Optional
pollingWhether to use Cortex XSOAR's built-in polling to retrieve the result when ready. Possible values are: true, false.Optional
interval_in_secondsThe interval in seconds between each poll. Default is 60.Optional

Context Output#

PathTypeDescription
FireEyeHX.Acquisitions.Data._idNumberThe unique ID of the acquisition.
FireEyeHX.Acquisitions.Data.stateStringThe state of the acquisition.
FireEyeHX.Acquisitions.Data.md5StringThe MD5 of the file.
FireEyeHX.Acquisitions.Data.finish_timeStringThe time when the acquisition finished.
FireEyeHX.Acquisitions.Data.host._idunknownThe ID of the agent.

Command example#

!fireeye-hx-data-acquisition hostName=XXX defaultSystemScript=osx

Human Readable Output#

Acquisition request was successful Acquisition ID: 104

fireeye-hx-get-alerts#


Returns a list of alerts. Use the different arguments to filter the results returned.

Base Command#

fireeye-hx-get-alerts

Input#

Argument NameDescriptionRequired
hasShareModeIdentifies which alerts result from indicators with the specified share mode. Possible values are: any, restricted, unrestricted.Optional
resolutionSorts the results by the specified field. Possible values are: active_threat, alert, block, partial_block.Optional
agentIdFilter by the agent ID.Optional
conditionIdFilter by condition ID.Optional
eventAtFilter by the event occurred time. ISO-8601 timestamp.Optional
alertIdFilter by the alert ID.Optional
matchedAtFilter by the match detection time. ISO-8601 timestamp.Optional
minIdFilter by returning only records with an AlertId field value greater than the minId value.Optional
reportedAtFilter by the reported time. ISO-8601 timestamp.Optional
IOCsourceThe source of the alert-indicator of compromise. Possible values are: yes.Optional
EXDsourceThe source of the alert - exploit detection. Possible values are: yes.Optional
MALsourceThe Source of the malware alert. Possible values are: yes.Optional
limitLimit the results returned.Optional
sortSorts the results by the specified field in ascending order. Possible values are: agentId, conditionId, eventAt, alertId, matchedAt, id, reportedAt.Optional
sortOrderThe sort order for the results. Possible values are: ascending, descending.Optional

Context Output#

PathTypeDescription
FireEyeHX.Alerts._idNumberThe ID of the FireEye alert.
FireEyeHX.Alerts.agent._idUnknownThe ID of the FireEye agent.
FireEyeHX.Alerts.agent.containment_stateUnknownThe state of the agent containment.
FireEyeHX.Alerts.condition._idStringThe unique ID of the alert.
FireEyeHX.Alerts.event_atStringThe time when the event occurred.
FireEyeHX.Alerts.matched_atStringThe time when the event was matched.
FireEyeHX.Alerts.reported_atStringThe time when the event was reported.
FireEyeHX.Alerts.sourceStringThe source of the alert.
FireEyeHX.Alerts.matched_source_alerts._idUnknownThe ID of the source alert.
FireEyeHX.Alerts.matched_source_alerts.appliance_idUnknownThe ID of the appliance.
FireEyeHX.Alerts.matched_source_alerts.metaUnknownThe source alert meta.
FireEyeHX.Alerts.matched_source_alerts.indicator_idUnknownThe ID of the indicator.
FireEyeHX.Alerts.resolutionStringThe alert resolution.
FireEyeHX.Alerts.event_typeStringThe type of the event.

Command example#

!fireeye-hx-get-alerts limit=2 sort=alertId

Context Example#

{
"File": [
{
"Extension": "exe",
"Name": "feyeqatest.exe",
"Path": "C:\\Users\\User\\Desktop\\feyeqatest.exe",
"md5": "95b16477988ff5097e57a08332cfdb3a"
},
{
"Extension": "exe",
"Name": "feyeqatest.exe",
"Path": "C:\\Users\\User\\Desktop\\\u37cb\\feyeqatest.exe",
"md5": null
}
],
"FireEyeHX": {
"Alerts": [
{
"_id": 7,
"agent": {
"_id": "YYYXXXYYY",
"containment_state": "normal",
"url": "/hx/api/v3/hosts/YYYXXXYYY"
},
"appliance": {
"_id": "86285DC29A17"
},
"condition": {
"_id": "YYYXXXYYY",
"url": "/hx/api/v3/conditions/YYYXXXYYY"
},
"decorator_statuses": [],
"decorators": [],
"event_at": "2022-01-24T10:36:33.171Z",
"event_id": 59105127,
"event_type": "fileWriteEvent",
"event_values": {
"fileWriteEvent/closed": 1,
"fileWriteEvent/drive": "C",
"fileWriteEvent/eventReason": "Unknown",
"fileWriteEvent/fileExtension": "exe",
"fileWriteEvent/fileName": "feyeqatest.exe",
"fileWriteEvent/filePath": "Users\\User\\Desktop",
"fileWriteEvent/fullPath": "C:\\Users\\User\\Desktop\\feyeqatest.exe",
"fileWriteEvent/md5": "95b16477988ff5097e57a08332cfdb3a",
"fileWriteEvent/numBytesSeenWritten": 0,
"fileWriteEvent/openDuration": 0,
"fileWriteEvent/openTime": "2022-01-24T10:36:33.171Z",
"fileWriteEvent/parentPid": 5560,
"fileWriteEvent/parentProcessPath": "C:\\Windows\\System32\\userinit.exe",
"fileWriteEvent/pid": 5604,
"fileWriteEvent/process": "explorer.exe",
"fileWriteEvent/processPath": "C:\\Windows",
"fileWriteEvent/size": 70,
"fileWriteEvent/timestamp": "2022-01-24T10:36:33.171Z",
"fileWriteEvent/username": "XXX\\User",
"fileWriteEvent/writes": 0
},
"indicator": {
"_id": "2b4753b0-9972-477e-ba16-1a7c29058cee",
"category": "mandiant_unrestricted",
"display_name": "FIREEYE END2END TEST",
"name": "FIREEYE END2END TEST",
"signature": null,
"uri_name": "2b4753b0-9972-477e-ba16-1a7c29058cee",
"url": "/hx/api/v3/indicators/mandiant_unrestricted/2b4753b0_9972_477e_ba16_1a7c29058cee"
},
"is_false_positive": false,
"matched_at": "2022-01-24T10:37:33.000Z",
"matched_source_alerts": [],
"md5values": [
"95b16477988ff5097e57a08332cfdb3a"
],
"multiple_match": null,
"reported_at": "2022-01-24T10:37:51.306Z",
"resolution": "ALERT",
"source": "IOC",
"subtype": null,
"url": "/hx/api/v3/alerts/7"
},
{
"_id": 8,
"agent": {
"_id": "YYYXXXYYY",
"containment_state": "normal",
"url": "/hx/api/v3/hosts/YYYXXXYYY"
},
"appliance": {
"_id": "86285DC29A17"
},
"condition": {
"_id": "YYYXXXYYY",
"url": "/hx/api/v3/conditions/YYYXXXYYY"
},
"decorator_statuses": [],
"decorators": [],
"event_at": "2022-01-25T10:25:19.665Z",
"event_id": 59302205,
"event_type": "fileWriteEvent",
"event_values": {
"fileWriteEvent/closed": 1,
"fileWriteEvent/drive": "C",
"fileWriteEvent/eventReason": "Unknown",
"fileWriteEvent/fileExtension": "exe",
"fileWriteEvent/fileName": "feyeqatest.exe",
"fileWriteEvent/filePath": "Users\\User\\Desktop\\\u37cb",
"fileWriteEvent/fullPath": "C:\\Users\\User\\Desktop\\\u37cb\\feyeqatest.exe",
"fileWriteEvent/numBytesSeenWritten": 0,
"fileWriteEvent/openDuration": 0,
"fileWriteEvent/openTime": "2022-01-25T10:25:19.665Z",
"fileWriteEvent/parentPid": 5560,
"fileWriteEvent/parentProcessPath": "C:\\Windows\\System32\\userinit.exe",
"fileWriteEvent/pid": 5604,
"fileWriteEvent/process": "explorer.exe",
"fileWriteEvent/processPath": "C:\\Windows",
"fileWriteEvent/size": 70,
"fileWriteEvent/timestamp": "2022-01-25T10:25:19.665Z",
"fileWriteEvent/username": "XXX\\User",
"fileWriteEvent/writes": 0
},
"indicator": {
"_id": "2b4753b0-9972-477e-ba16-1a7c29058cee",
"category": "mandiant_unrestricted",
"display_name": "FIREEYE END2END TEST",
"name": "FIREEYE END2END TEST",
"signature": null,
"uri_name": "2b4753b0-9972-477e-ba16-1a7c29058cee",
"url": "/hx/api/v3/indicators/mandiant_unrestricted/2b4753b0_9972_477e_ba16_1a7c29058cee"
},
"is_false_positive": false,
"matched_at": "2022-01-25T10:25:34.000Z",
"matched_source_alerts": [],
"md5values": [],
"multiple_match": null,
"reported_at": "2022-01-25T10:25:44.011Z",
"resolution": "ALERT",
"source": "IOC",
"subtype": null,
"url": "/hx/api/v3/alerts/8"
}
]
}
}

Human Readable Output#

FireEye HX Get Alerts#

Alert IDReportedEvent TypeAgent ID
72022-01-24T10:37:51.306ZfileWriteEventYYYXXXYYY
82022-01-25T10:25:44.011ZfileWriteEventYYYXXXYYY

fireeye-hx-file-acquisition#


Acquires a specific file as a password protected zip file. The password for unlocking the zip file is 'unzip-me'.

Base Command#

fireeye-hx-file-acquisition

Input#

Argument NameDescriptionRequired
acquisition_idThe acquisition ID. This argument is deprecated.Optional
fileNameThe file name.Required
filePathThe file path.Required
acquireUsingWhether to acquire the file using the API or RAW. By default, the RAW file will be acquired. Use the API option when file is encrypted. Possible values are: API, RAW.Optional
agentIdThe agent ID associated with the host that holds the file. If the host name is not specified, the agentId must be specified.Optional
hostNameThe host that holds the file. If the agentId is not specified, hostName must be specified.Optional
pollingWhether to use Cortex XSOAR's built-in polling to retrieve the result when ready. Possible values are: true, false.Optional
interval_in_secondsThe interval in seconds between each poll. Default is 60.Optional

Context Output#

PathTypeDescription
FireEyeHX.Acquisitions.Files._idNumberThe acquisition unique ID.
FireEyeHX.Acquisitions.Files.stateStringThe acquisition state.
FireEyeHX.Acquisitions.Files.md5StringThe MD5 of the file.
FireEyeHX.Acquisitions.Files.req_filenameStringThe name of the file.
FireEyeHX.Acquisitions.Files.req_pathStringThe path of the file.
FireEyeHX.Acquisitions.Files.host._idStringThe ID of the FireEye HX agent.

fireeye-hx-create-indicator#


Create a new indicator.

Base Command#

fireeye-hx-create-indicator

Input#

Argument NameDescriptionRequired
categoryThe indicator category.Required

Context Output#

PathTypeDescription
FireEyeHX.Indicators.active_sincedateThe date the indicator became active.
FireEyeHX.Indicators.metastringThe meta data for new indicator.
FireEyeHX.Indicators.display_namestringThe display name of the indicator.
FireEyeHX.Indicators.namestringThe indicator name, as displayed in the UI.
FireEyeHX.Indicators.created_bystringThe "Created By" field, as displayed in UI
FireEyeHX.Indicators.urlstringThe data URL.
FireEyeHX.Indicators.create_textUnknownThe indicator created text.
FireEyeHX.Indicators.platformsstringThe list of operating systems.
FireEyeHX.Indicators.create_actor._idnumberThe ID of the actor.
FireEyeHX.Indicators.create_actor.usernamestringThe user name of the actor.
FireEyeHX.Indicators.signaturestringThe signature of the indicator.
FireEyeHX.Indicators._revisionstringThe indicator revision.
FireEyeHX.Indicators._idstringThe ID of the FireEye unique indicator.
FireEyeHX.Indicator.descriptionstringThe description of the indicator.
FireEyeHX.Indicators.category._idnumberThe ID of the category.
FireEyeHX.Indicators.category.namestringThe name of the category.
FireEyeHX.Indicators.category.share_modestringThe share mode of the category.
FireEyeHX.Indicators.category.uri_namestringThe URI name of the category.
FireEyeHX.Indicators.category.urlstringThe URL of the category.
FireEyeHX.Indicators.uri_namestringThe URI name of the indicator.
FireEyeHX.Indicators.stats.active_conditionsnumberThe active conditions of the indicator.
FireEyeHX.Indicators.stats.alerted_agentsnumberThe total number of agents with HX alerts associated with this indicator.
FireEyeHX.Indicators.stats.source_alertsnumberThe total number of source alerts associated with this indicator.
FireEyeHX.Indicators.update_actor._idnumberThe ID of the updated actor.
FireEyeHX.Indicators.update_actor.usernamestringThe updated name of the actor.

Command example#

!fireeye-hx-create-indicator category=Custom

Context Example#

{
"FireEyeHX": {
"Indicators": {
"_id": "YYYXXXYYY",
"_revision": "20220223091809012244597537",
"active_since": "2022-02-23T09:18:09.012Z",
"category": {
"_id": 2,
"name": "Custom",
"share_mode": "unrestricted",
"uri_name": "Custom",
"url": "/hx/api/v3/indicator_categories/custom"
},
"create_actor": {
"_id": 1001,
"username": "test"
},
"create_text": null,
"created_by": "test",
"description": null,
"display_name": null,
"meta": null,
"name": "YYYXXXYYY",
"platforms": [
"win",
"osx",
"linux"
],
"signature": null,
"stats": {
"active_conditions": 0,
"alerted_agents": 0,
"source_alerts": 0
},
"update_actor": {
"_id": 1001,
"username": "test"
},
"uri_name": "YYYXXXYYY",
"url": "/hx/api/v3/indicators/custom/37a97ac2_35e9_40ad_a108_6802d5d82890"
}
}
}

Human Readable Output#

FireEye HX New Indicator created successfully#

ID
YYYXXXYYY

fireeye-hx-delete-host-set-policy#


Deletes a Host Set policy.

Base Command#

fireeye-hx-delete-host-set-policy

Input#

Argument NameDescriptionRequired
hostSetIdThe host set ID.Required
policyIdThe policy ID.Required

Context Output#

There is no context output for this command.

Command example#

!fireeye-hx-delete-host-set-policy hostSetId=1005 policyId=YYYXXXYYY

Human Readable Output#

Success

fireeye-hx-delete-data-acquisition#


Deletes data acquisition.

Base Command#

fireeye-hx-delete-data-acquisition

Input#

Argument NameDescriptionRequired
acquisitionIdThe acquisition ID.Required

Context Output#

There is no context output for this command.

Command example#

!fireeye-hx-delete-data-acquisition acquisitionId=102

Human Readable Output#

data acquisition 102 deleted successfully

fireeye-hx-delete-indicator-condition#


Delete an indicator condition.

Base Command#

fireeye-hx-delete-indicator-condition

Input#

Argument NameDescriptionRequired
categoryThe indicator category.Required
indicator_nameThe name of the indicator. Use the uri_name value.Required
typeThe condition type. Possible values are: presence, execution.Required
condition_idThe condition ID, which is part of the response when you request a list of all conditions known to the HX Series appliance.Required

Context Output#

There is no context output for this command.

Command example#

!fireeye-hx-delete-indicator-condition category=Custom condition_id=myFIAYoWKoWqaaYQ7CxHVA== indicator_name=7f49e4c6-14d5-4b06-8d17-843fd17f79de type=execution

Human Readable Output#

Successfully deleted condition myFIAYoWKoWqaaYQ7CxHVA== (execution) of indicator 7f49e4c6-14d5-4b06-8d17-843fd17f79de (Custom)

fireeye-hx-list-indicator-category#


Lists the indicator categories.

Base Command#

fireeye-hx-list-indicator-category

Input#

Argument NameDescriptionRequired
searchPerforms a search of indicator categories. Searchable values are based on the name, display_name, retention_policy, ui_edit_policy, ui_signature_enabled, ui_source_alerts_enabled.Optional
nameFilter for indicator categories with the specified name.Optional
display_nameFilter for indicator categories with given display name.Optional
retention_policyThe retention policy. Possible values are: manual, auto, intel.Optional
ui_edit_policyThe UI edit policy. Possible values are: full, edit_delete, delete, read_only.Optional
ui_signature_enabledWhether to enable the UI signature. Possible values are: true, false.Optional
ui_source_alerts_enabledWhether to enable UI source alerts. Possible values are: true, false.Optional
share_modeShare mode. Possible values are: restricted, unrestricted, silent, visible, any.Optional
limitThe maximum number of results to return. Default is 50.Optional
offsetResult offset. Default is 0.Optional

Context Output#

PathTypeDescription
FireEyeHX.IndicatorCategory.uri_namenumberThe policy ID of the indicator category.
FireEyeHX.IndicatorCategory.namestringThe name of the indicator category.
FireEyeHX.IndicatorCategory._revisionnumberThe revision of the indicator category.
FireEyeHX.IndicatorCategory.display_namestringThe display name of the indicator category.
FireEyeHX.IndicatorCategory.retention_policystringThe retention policy of the indicator category.
FireEyeHX.IndicatorCategory.ui_edit_policystringThe UI edit policy of the indicator category.
FireEyeHX.IndicatorCategory.ui_signature_enabledbooleanWhether the UI signature is enabled.
FireEyeHX.IndicatorCategory.ui_source_alerts_enabledbooleanWhether the UI source alerts is enabled.
FireEyeHX.IndicatorCategory.share_modestringThe share mode of the indicator category.

Command example#

!fireeye-hx-list-indicator-category search=fireEye

Context Example#

{
"FireEyeHX": {
"IndicatorCategory": [
{
"_id": 4,
"_revision": "20200423145028596495100030",
"display_name": null,
"name": "FireEye",
"retention_policy": "auto",
"share_mode": "unrestricted",
"ui_edit_policy": "delete",
"ui_signature_enabled": true,
"ui_source_alerts_enabled": true,
"uri_name": "FireEye",
"url": "/hx/api/v3/indicator_categories/fireeye"
},
{
"_id": 8,
"_revision": "20200423145028596495100038",
"display_name": "FireEye Restricted",
"name": "FireEye Restricted",
"retention_policy": "auto",
"share_mode": "restricted",
"ui_edit_policy": "delete",
"ui_signature_enabled": true,
"ui_source_alerts_enabled": true,
"uri_name": "fireeye_restricted",
"url": "/hx/api/v3/indicator_categories/fireeye_restricted"
},
{
"_id": 5,
"_revision": "20200423145028596495100032",
"display_name": null,
"name": "FireEye-CMS",
"retention_policy": "auto",
"share_mode": "unrestricted",
"ui_edit_policy": "delete",
"ui_signature_enabled": true,
"ui_source_alerts_enabled": true,
"uri_name": "FireEye-CMS",
"url": "/hx/api/v3/indicator_categories/fireeye_cms"
}
]
}
}

Human Readable Output#

3 Indicator categories found#

NamePolicy ID
FireEye4
FireEye Restricted8
FireEye-CMS5

fireeye-hx-delete-indicator#


Delete an indicator.

Base Command#

fireeye-hx-delete-indicator

Input#

Argument NameDescriptionRequired
categoryThe category name.Required
indicator_nameThe name of the indicator. Use the uri_name value.Required

Context Output#

There is no context output for this command.

Command example#

!fireeye-hx-delete-indicator category=Custom indicator_name=7f49e4c6-14d5-4b06-8d17-843fd17f79de

Human Readable Output#

Successfully deleted indicator 7f49e4c6-14d5-4b06-8d17-843fd17f79de from the Custom category

fireeye-hx-create-host-set-static#


Creates static host set.

Base Command#

fireeye-hx-create-host-set-static

Input#

Argument NameDescriptionRequired
host_set_nameThe host set name.Required
hosts_idsThe hosts IDs to add to the host set.Required

Context Output#

PathTypeDescription
FireEyeHX.HostSets._idStringThe host set ID.
FireEyeHX.HostSets.urlStringURI to retrieve data for this record.
FireEyeHX.HostSets.nameStringThe host set name.
FireEyeHX.HostSets._revisionStringTimestamp of last update. Used for preventing updates with obsolete data. If _revision in the request body does not match _revision in the database, the update will fail.
FireEyeHX.HostSets.deletedBooleanWas the host set deleted.

Command example#

!fireeye-hx-create-host-set-static host_set_name=demisto_test hosts_ids=Hqb2ns3oui1fpzg0BxI1Ch

Human Readable Output#

Static Host Set demisto_test with id 1001 was created successfully.

fireeye-hx-update-host-set-static#


Updates a static host set.

Base Command#

fireeye-hx-update-host-set-static

Input#

Argument NameDescriptionRequired
host_set_idThe host set ID.Required
host_set_nameThe host set name.Required
add_host_idsThe host sets IDs to add.Optional
remove_host_idsThe host set IDs to remove.Optional

Context Output#

PathTypeDescription
FireEyeHX.HostSets._idStringThe host set ID.
FireEyeHX.HostSets.urlStringURI to retrieve data for this record.
FireEyeHX.HostSets.nameStringThe host set name.
FireEyeHX.HostSets._revisionStringTimestamp of last update. Used for preventing updates with obsolete data. If _revision in the request body does not match _revision in the database, the update will fail.
FireEyeHX.HostSets.deletedBooleanWas the host set deleted.

Command example#

!fireeye-hx-update-host-set-static host_set_name=demisto_test host_set_id=1036 add_host_ids=GfLI00Q4zpidezw9I11rV6 remove_host_ids=Hqb2ns3oui1fpzg0BxI1Ch

Human Readable Output#

Static Host Set demisto_test was updated successfully.

fireeye-hx-create-host-set-dynamic#


Creates dynamic host set.

Base Command#

fireeye-hx-create-host-set-dynamic

Input#

Argument NameDescriptionRequired
host_set_nameThe host set name.Required
queryFree text query. Cannot be used with the other query arguments.Optional
query_keyThe query key. Must be provided with the query_value and query_operator. Possible values are: domain, product_name, patch_level, timezone, os_bitness, cloud_provider, app_version, hostname, server_time, gmt_offset_seconds, primary-ip_address, normalized_app_version, litmus_script_id, app_config_hash, platform.Optional
query_valueThe query value. Must be provided with the query_key and query_operator.Optional
query_operatorThe query operator. Must be provided with the query_key and query_value. Possible values are: eq, gt, lt, lte, gte, exists, cidr.Optional

Context Output#

PathTypeDescription
FireEyeHX.HostSets._idStringThe host set ID.
FireEyeHX.HostSets.urlStringURI to retrieve data for this record.
FireEyeHX.HostSets.nameStringThe host set name.
FireEyeHX.HostSets._revisionStringTimestamp of last update. Used for preventing updates with obsolete data. If _revision in the request body does not match _revision in the database, the update will fail.
FireEyeHX.HostSets.deletedBooleanWas the host set deleted.

Command example#

!fireeye-hx-create-host-set-dynamic host_set_name=demisto_test query_key=Bitlevel query_operator=eq query_value=64-bit !fireeye-hx-update-host-set-dynamic host_set_name=MoreTestyay query=`{"key": "AgentVersion","value": "31.28.17","operator": "gte"}`

Human Readable Output#

Dynamic Host Set demisto_test with id 1068 was created successfully.

fireeye-hx-update-host-set-dynamic#


Updates dynamic host set.

Base Command#

fireeye-hx-update-host-set-dynamic

Input#

Argument NameDescriptionRequired
host_set_nameThe host set name.Required
host_set_idThe host set ID.Required
queryFree text query. Cannot be used with the other query arguments.Optional
query_keyThe query key. Must be provided with the query_value and query_operator. Possible values are: domain, product_name, patch_level, timezone, os_bitness, cloud_provider, app_version, hostname, server_time, gmt_offset_seconds, primary-ip_address, normalized_app_version, litmus_script_id, app_config_hash, platform.Optional
query_valueThe query value. Must be provided with the query_key and query_operator.Optional
query_operatorThe query operator. Must be provided with the query_value and query_key. Possible values are: eq, gt, lt, lte, gte, exists, cidr.Optional

Context Output#

PathTypeDescription
FireEyeHX.HostSets._idStringThe host set ID.
FireEyeHX.HostSets.urlStringURI to retrieve data for this record.
FireEyeHX.HostSets.nameStringThe host set name.
FireEyeHX.HostSets._revisionStringTimestamp of last update. Used for preventing updates with obsolete data. If _revision in the request body does not match _revision in the database, the update will fail.
FireEyeHX.HostSets.deletedBooleanWas the host set deleted.

Command example#

!fireeye-hx-update-host-set-dynamic host_set_name=demisto_test query_key=Bitlevel query_operator=eq query_value=64-bit host_set_id=1061 !fireeye-hx-update-host-set-dynamic host_set_name=MoreTestyay query=`{"key": "AgentVersion","value": "31.28.17","operator": "gte"}` host_set_id=1061

Human Readable Output#

Dynamic Host Set Demisto_test was updated successfully.

fireeye-hx-delete-host-set#


Deletes a host set.

Base Command#

fireeye-hx-delete-host-set

Input#

Argument NameDescriptionRequired
host_set_idThe host set ID.Required

Context Output#

PathTypeDescription
FireEyeHX.HostSets._idStringThe host set ID.
FireEyeHX.HostSets.deletedBooleanWas the host set deleted.

Command example#

!fireeye-hx-delete-host-set host_set_id=1001

Human Readable Output#

Host set 1001 was deleted successfully.