
# FireEye NX

This integration is part of the FireEye Network Security (NX) Pack.

FireEye Network Security is a cyber threat protection solution that detects and stops advanced, targeted, and other evasive attacks hiding in internet traffic, helping organizations minimize the risk of costly breaches. This integration was integrated and tested with version 2.0.0 of the FireEye NX APIs.

## Configure FireEyeNX in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| url | URL | True |
| credentials | Username | True |
| request_timeout | HTTP(S) Request Timeout (in seconds) | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| first_fetch | First fetch time interval | False |
| max_fetch | Fetch Limit | False |
| fetch_type | Fetch Types | False |
| fetch_mvx_correlated_events | Fetch MVX-correlated events only. | False |
| malware_type | Alert Malware Type | False |
| replace_alert_url | Use the instance URL as the host of each fetched alert's URL. | False |
| fetch_artifacts | Fetch artifacts for each alert. | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### fireeye-nx-get-alerts

Search and retrieve FireEye alerts based on several filters.

#### Base Command

`fireeye-nx-get-alerts`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID number of the alert to retrieve. To find alert IDs, run fireeye-nx-get-alerts without alert_id. | Optional |
| src_ip | The source IPv4 address related to the malware alert to retrieve. | Optional |
| dst_ip | The destination IPv4 address related to the malware alert to retrieve. | Optional |
| duration | The time interval to search, used together with either start_time or end_time. If none of duration, start_time and end_time is specified, the search defaults to duration=12_hours ending at the current time. If only duration is specified, end_time defaults to the current time. Possible values: "1_hour", "2_hours", "6_hours", "12_hours", "24_hours", and "48_hours". | Optional |
| start_time | The start time of the search, used with the duration filter. If start_time is specified without duration, the search defaults to duration=12_hours starting at start_time. Formats: YYYY-MM-dd, YYYY-MM-ddTHH:mm:ss, N days, N hours. Examples: 2020-05-01, 2020-05-01T00:00:00, 2 days, 5 hours. | Optional |
| end_time | The end time of the search, used with the duration filter. If end_time is specified without duration, the search defaults to duration=12_hours ending at end_time. Formats: YYYY-MM-dd, YYYY-MM-ddTHH:mm:ss, N days, N hours. Examples: 2020-05-01, 2020-05-01T00:00:00, 2 days, 5 hours. | Optional |
| file_name | The name of the malware file to retrieve. | Optional |
| file_type | The malware file type to retrieve. | Optional |
| info_level | The level of detail to retrieve. Possible values: "concise", "normal", and "extended". | Optional |
| malware_name | The name of the malware object to retrieve. | Optional |
| malware_type | The type of the malware object to retrieve. Possible values: "domain_match", "malware_callback", "malware_object", "web_infection", and "infection_match". | Optional |
| md5 | The MD5 hash of the alert to retrieve. This filter is not time dependent; it does not default to duration=12_hours. | Optional |
| url | A specific alert URL to retrieve. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.Md5Sum | String | The md5sum of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.Sha256 | String | The SHA256 hash of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.Application | String | The application of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.HttpHeader | String | The HTTP header of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.Original | String | The original filename of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.Name | String | The name of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.Sid | String | The SID of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.Type | String | The file type of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.Stype | String | The STYPE of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.Url | String | The URL of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.MalwareDetected.Malware.Content | String | The content of the malware associated with the alert. |
| FireEyeNX.Alert.Explanation.CncServices.CncService.Address | String | The CnC service IP address associated with the alert. |
| FireEyeNX.Alert.Explanation.CncServices.CncService.Channel | String | The CnC service channel associated with the alert. |
| FireEyeNX.Alert.Explanation.CncServices.CncService.Port | Number | The CnC service port associated with the alert. |
| FireEyeNX.Alert.Explanation.CncServices.CncService.Protocol | String | The CnC service protocol associated with the alert. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Totalmemory | Number | The total memory of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Lastbytesreceived | Number | The last bytes received in the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Processinfo.Imagepath | String | The image path of the heap-spraying process. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Processinfo.Md5sum | String | The md5sum of the heap-spraying process. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Processinfo.Pid | Number | The PID of the heap-spraying process. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.IncrementCount | Number | The increment count of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Name | String | The name of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Bytesreceived | Number | The bytes received in the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Lasttotalmemory | Number | The last total memory of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Type | String | The type of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Timestamp | Number | The timestamp of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.RCount | Number | The RCount of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.TotalSize | String | The total size of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.RUnit | String | The RUnit of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Mode | String | The mode of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Pattern | String | The pattern of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.BytesList.Entry.Percentage | Number | The percentage of the byte-list entry in the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.BytesList.Entry.Byte | String | The byte of the byte-list entry in the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.BytesList.Entry.Count | Number | The count of the byte-list entry in the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.BytesList.Entry.FirstOffset | String | The first offset of the byte-list entry in the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.BytesList.Entry.IsNOP | String | yes if the byte-list entry is a NOP, otherwise no. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.BytesList.Distinct | Number | The number of distinct entries in the byte list of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.BytesList.Count | Number | The number of entries in the byte list of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Javascript | String | yes if the heap spraying involves JavaScript, otherwise no. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.DNA | Number | The DNA of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.TotalRCount | Number | The total row count of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.ProcessedRCount | Number | The processed row count of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Heapspraying.Processed | String | The processed memory of the heap spraying. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Fid.Ads | String | The Alternate Data Stream (ADS) of the FID of the process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Fid.Content | Number | The FID content of the process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.ParentUserAccount.UserSid | String | The user SID of the parent process's user account. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.ParentUserAccount.SessionId | Number | The session ID of the parent process's user account. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.ParentUserAccount.UserAccountName | String | The name of the parent process's user account. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.ParentUserAccount.AuthenticationId | String | The authentication ID of the parent process's user account. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.ParentUserAccount.SuperPrivilegesPresent | Number | 1 if the parent process's user account holds super privileges, otherwise 0. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Parentname | String | The path of the parent process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Sha256sum | String | The sha256sum of the process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Pid | Number | The PID of the process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Filesize | Number | The file size of the process image. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Ppid | Number | The PPID of the process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Mode | String | The mode of the process event (for example, started or terminated). |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Cmdline | String | The command line of the process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Sha1sum | String | The sha1sum of the process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Md5sum | String | The md5sum of the process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.SrcThread | String | The source thread name of the process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Value | String | The path of the process image. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.UserAccount.UserSid | String | The user SID of the process's user account. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.UserAccount.SessionId | Number | The session ID of the process's user account. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.UserAccount.UserAccountName | String | The name of the process's user account. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.UserAccount.AuthenticationId | String | The authentication ID of the process's user account. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.UserAccount.SuperPrivilegesPresent | Number | 1 if the process's user account holds super privileges, otherwise 0. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.Timestamp | Number | The timestamp of the process event. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.MemoryData | String | The memory data of the process. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.TelemetryData.LocalThreadCount | Number | The local thread count in the process telemetry. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.TelemetryData.FileOpenCount | Number | The file open count in the process telemetry. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.TelemetryData.FileModifyCount | Number | The file modify count in the process telemetry. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.TelemetryData.FileCreateCount | Number | The file create count in the process telemetry. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.TelemetryData.ChildProcessCount | Number | The child process count in the process telemetry. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.TelemetryData.FileFailedCount | Number | The failed file operation count in the process telemetry. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.TelemetryData.HttpReqCount | Number | The HTTP request count in the process telemetry. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.TelemetryData.RemoteThreadCount | Number | The remote thread count in the process telemetry. |
| FireEyeNX.Alert.Explanation.OsChanges.Process.TelemetryData.MutexCreateCount | Number | The mutex create count in the process telemetry. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.Mode | String | The mode of the registry key operation. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.Processinfo.Imagepath | String | The image path of the process that touched the registry key. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.Processinfo.Md5sum | String | The md5sum of the process that touched the registry key. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.Processinfo.Pid | Number | The PID of the process that touched the registry key. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.Ntstatus | String | The NTSTATUS of the registry key operation. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.Suppressed | Boolean | true if the registry key operation was suppressed, otherwise false. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.Value | String | The value of the registry key. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.Timestamp | Number | The timestamp of the registry key operation. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.SrcThread | String | The source thread name of the registry key operation. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.Randomized | Boolean | true if the registry key was randomized, otherwise false. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.Buffered | Boolean | true if the registry key operation was buffered, otherwise false. |
| FireEyeNX.Alert.Explanation.OsChanges.Regkey.NoExtend | Boolean | true if the registry key operation has no_extend set, otherwise false. |
| FireEyeNX.Alert.Explanation.OsChanges.Os.Name | String | The name of the operating system. |
| FireEyeNX.Alert.Explanation.OsChanges.Os.Arch | String | The architecture of the operating system. |
| FireEyeNX.Alert.Explanation.OsChanges.Os.Version | String | The version of the operating system. |
| FireEyeNX.Alert.Explanation.OsChanges.Os.Sp | Number | The service pack version of the operating system. |
| FireEyeNX.Alert.Explanation.OsChanges.OsMonitor.Date | String | The date of the OS monitor. |
| FireEyeNX.Alert.Explanation.OsChanges.OsMonitor.Build | Number | The build of the OS monitor. |
| FireEyeNX.Alert.Explanation.OsChanges.OsMonitor.Time | String | The time of the OS monitor. |
| FireEyeNX.Alert.Explanation.OsChanges.OsMonitor.Version | String | The version of the OS monitor. |
| FireEyeNX.Alert.Explanation.OsChanges.Analysis.Mode | String | The mode of the analysis. |
| FireEyeNX.Alert.Explanation.OsChanges.Analysis.Product | String | The product name of the analysis. |
| FireEyeNX.Alert.Explanation.OsChanges.Analysis.Ftype | String | The file type of the analysis. |
| FireEyeNX.Alert.Explanation.OsChanges.Analysis.Version | String | The version of the analysis. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.Mode | String | The mode of the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.ProtocolType | String | The protocol type of the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.Ipaddress | String | The IP address of the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.DestinationPort | Number | The destination port of the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.Processinfo.Imagepath | String | The image path of the process that generated the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.Processinfo.Tainted | Boolean | true if the process that generated the network event is tainted, otherwise false. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.Processinfo.Md5sum | String | The md5sum of the process that generated the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.Processinfo.Pid | Number | The PID of the process that generated the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.HttpRequest | String | The HTTP request of the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.Timestamp | Number | The timestamp of the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.Hostname | String | The hostname of the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.Qtype | String | The DNS query type (QTYPE) of the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.AnswerNumber | Number | The number of DNS answers in the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.Network.DnsResponseCode | Number | The DNS response code of the network event. |
| FireEyeNX.Alert.Explanation.OsChanges.ActionFopen.Mode | String | The mode of the file open action. |
| FireEyeNX.Alert.Explanation.OsChanges.ActionFopen.Ext | String | The extension of the opened file. |
| FireEyeNX.Alert.Explanation.OsChanges.ActionFopen.Buffered | Boolean | true if the file open action was buffered, otherwise false. |
| FireEyeNX.Alert.Explanation.OsChanges.ActionFopen.NoExtend | Boolean | true if the file open action has no_extend set, otherwise false. |
| FireEyeNX.Alert.Explanation.OsChanges.ActionFopen.Name | String | The name of the opened file. |
| FireEyeNX.Alert.Explanation.OsChanges.ActionFopen.Timestamp | Number | The timestamp of the file open action. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Dllname | String | The DLL file name of the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Apiname | String | The API name of the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Address | String | The address of the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Processinfo.Imagepath | String | The image path of the process running the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Processinfo.Md5sum | String | The md5sum of the process running the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Processinfo.Pid | Number | The PID of the process running the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.SrcThread | String | The source thread name of the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Protection | String | The protection number of the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Callstack.CallstackEntry.SymbolName | String | The symbol name of the call stack entry in the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Callstack.CallstackEntry.FrameNumber | Number | The frame number of the call stack entry in the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Callstack.CallstackEntry.ModuleName | String | The module name of the call stack entry in the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Callstack.CallstackEntry.InstructionAddress | String | The instruction address of the call stack entry in the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Callstack.CallstackEntry.SymbolDisplacement | String | The symbol displacement of the call stack entry in the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Params.Param.Id | Number | The ID of the exploit code parameter. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Params.Param.Content | String | The content (path) of the exploit code parameter. |
| FireEyeNX.Alert.Explanation.OsChanges.Exploitcode.Timestamp | Number | The timestamp of the exploit code. |
| FireEyeNX.Alert.Explanation.OsChanges.Folder.Mode | String | The mode of the folder operation. |
| FireEyeNX.Alert.Explanation.OsChanges.Folder.Processinfo.Imagepath | String | The image path of the process that touched the folder. |
| FireEyeNX.Alert.Explanation.OsChanges.Folder.Processinfo.Md5sum | String | The md5sum of the process that touched the folder. |
| FireEyeNX.Alert.Explanation.OsChanges.Folder.Processinfo.Pid | Number | The PID of the process that touched the folder. |
| FireEyeNX.Alert.Explanation.OsChanges.Folder.SrcThread | String | The source thread name of the folder operation. |
| FireEyeNX.Alert.Explanation.OsChanges.Folder.Value | String | The path of the folder. |
| FireEyeNX.Alert.Explanation.OsChanges.Folder.Timestamp | Number | The timestamp of the folder operation. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Mode | String | The mode of the file operation. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Fid.Ads | String | The Alternate Data Stream (ADS) of the FID of the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Fid.Content | Number | The FID content of the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Processinfo.Imagepath | String | The image path of the process that touched the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Processinfo.Md5sum | String | The md5sum of the process that touched the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Processinfo.Pid | Number | The PID of the process that touched the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Processinfo.Tainted | Boolean | true if the process that touched the file is tainted, otherwise false. |
| FireEyeNX.Alert.Explanation.OsChanges.File.SrcThread | String | The source thread name of the file operation. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Ntstatus | String | The NTSTATUS of the file operation. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Filesize | Number | The size of the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Value | String | The path of the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.CreateOptions | String | The create options of the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Timestamp | Number | The timestamp of the file operation. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Type | String | The type of the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Sha256sum | String | The sha256sum of the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Sha1sum | String | The sha1sum of the file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.PE.InspectionType | String | The inspection type of the portable executable (PE) file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.PE.TimeDateStamp | String | The TimeDateStamp header field of the PE file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.PE.Characteristics.Names.Name | Unknown | The list of characteristic names of the PE file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.PE.Characteristics.Value | String | The characteristics value of the PE file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.PE.DllCharacteristics.Names | String | The DLL characteristic names of the PE file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.PE.DllCharacteristics.Value | String | The DLL characteristics value of the PE file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.PE.Dll | String | yes if the PE file is a DLL, otherwise no. |
| FireEyeNX.Alert.Explanation.OsChanges.File.PE.Magic | String | The Magic header field (hexadecimal) of the PE file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.PE.Subsystem | String | The subsystem of the PE file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.PE.Machine | String | The Machine header field (hexadecimal) of the PE file. |
| FireEyeNX.Alert.Explanation.OsChanges.File.Md5sum | String | The md5sum of the file. |
| FireEyeNX.Alert.Explanation.OsChanges.Application.AppName | String | The name of the application. |
| FireEyeNX.Alert.Explanation.OsChanges.QuerySystemTime.Processinfo.Imagepath | String | The image path of the process that queried the system time. |
| FireEyeNX.Alert.Explanation.OsChanges.QuerySystemTime.Processinfo.Md5sum | String | The md5sum of the process that queried the system time. |
| FireEyeNX.Alert.Explanation.OsChanges.QuerySystemTime.Processinfo.Pid | Number | The PID of the process that queried the system time. |
| FireEyeNX.Alert.Explanation.OsChanges.QuerySystemTime.Ntstatus | String | The NTSTATUS of the system time query. |
| FireEyeNX.Alert.Explanation.OsChanges.QuerySystemTime.Timestamp | Number | The timestamp of the system time query. |
| FireEyeNX.Alert.Explanation.OsChanges.QuerySystemTime.SystemTime.Value | String | The system time value returned by the query. |
| FireEyeNX.Alert.Explanation.OsChanges.QuerySystemTime.SystemTime.Time | String | The system time returned by the query. |
| FireEyeNX.Alert.Explanation.OsChanges.EndOfReport | String | The end of the report. |
| FireEyeNX.Alert.Explanation.OsChanges.MaliciousAlert.Classtype | String | The class type of the malicious alert. |
| FireEyeNX.Alert.Explanation.OsChanges.MaliciousAlert.DisplayMsg | String | The display message of the malicious alert. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDetected.Hwnd | String | The window handle (hexadecimal) of the detected dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDetected.Processinfo.Imagepath | String | The image path of the process that owns the detected dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDetected.Processinfo.Pid | Number | The PID of the process that owns the detected dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDetected.Buffered | Boolean | Whether the detected dialog event was buffered. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDetected.NoExtend | Boolean | Whether no_extend is set on the detected dialog event. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDetected.Timestamp | Number | The timestamp of the detected dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDetected.DlgId | String | The dialog ID of the detected dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDismissed.Note | String | A note on the dismissed dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDismissed.Hwnd | String | The window handle (hexadecimal) of the dismissed dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDismissed.Processinfo.Imagepath | String | The image path of the process that owns the dismissed dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDismissed.Processinfo.Pid | Number | The PID of the process that owns the dismissed dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDismissed.Buffered | Boolean | Whether the dismissed dialog event was buffered. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDismissed.NoExtend | Boolean | Whether no_extend is set on the dismissed dialog event. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDismissed.Timestamp | Number | The timestamp of the dismissed dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.DialogDismissed.DlgId | String | The dialog ID of the dismissed dialog. |
| FireEyeNX.Alert.Explanation.OsChanges.Wmiquery.Processinfo.Imagepath | String | The image path of the process that issued the Windows Management Instrumentation (WMI) query. |
| FireEyeNX.Alert.Explanation.OsChanges.Wmiquery.Processinfo.Md5sum | String | The md5sum of the process that issued the WMI query. |
| FireEyeNX.Alert.Explanation.OsChanges.Wmiquery.Processinfo.Pid | Number | The PID of the process that issued the WMI query. |
| FireEyeNX.Alert.Explanation.OsChanges.Wmiquery.Wmicontents.Wmicontent.Query | String | The query text of the WMI query. |
| FireEyeNX.Alert.Explanation.OsChanges.Wmiquery.Wmicontents.Wmicontent.Lang | String | The query language of the WMI query. |
| FireEyeNX.Alert.Explanation.OsChanges.Wmiquery.Timestamp | Number | The timestamp of the WMI query. |
| FireEyeNX.Alert.Explanation.OsChanges.Wmiquery.Buffered | Boolean | Whether the WMI query event was buffered. |
| FireEyeNX.Alert.Explanation.OsChanges.Wmiquery.NoExtend | Boolean | Whether no_extend is set on the WMI query event. |
| FireEyeNX.Alert.Explanation.OsChanges.Uac.Mode | String | The mode of the User Account Control (UAC) event. |
| FireEyeNX.Alert.Explanation.OsChanges.Uac.Value | String | The value of the UAC event. |
| FireEyeNX.Alert.Explanation.OsChanges.Uac.Timestamp | Number | The timestamp of the UAC event. |
| FireEyeNX.Alert.Explanation.OsChanges.Uac.Status | String | The status of the UAC event. |
| FireEyeNX.Alert.Explanation.StaticAnalysis.Static.Value | String | The value of the static analysis. |
| FireEyeNX.Alert.Explanation.StolenData.Info.Field | Unknown | The information field of the stolen data. |
| FireEyeNX.Alert.Explanation.StolenData.Info.Type | String | The information type of the stolen data. |
| FireEyeNX.Alert.Explanation.StolenData.EventId | Number | The event ID of the stolen data. |
| FireEyeNX.Alert.Src.Ip | String | The source IP address of the alert. |
| FireEyeNX.Alert.Src.Mac | String | The source MAC address of the alert. |
| FireEyeNX.Alert.Src.Port | Number | The source port of the alert. |
| FireEyeNX.Alert.Src.Host | String | The source host of the alert. |
| FireEyeNX.Alert.AlertUrl | String | The alert URL. |
| FireEyeNX.Alert.Action | String | The action taken on the alert. |
| FireEyeNX.Alert.Occurred | String | The time when the alert occurred. |
| FireEyeNX.Alert.AttackTime | String | The time when the attack occurred. |
| FireEyeNX.Alert.Dst.Mac | String | The destination MAC address of the alert. |
| FireEyeNX.Alert.Dst.Port | Number | The destination port of the alert. |
| FireEyeNX.Alert.Dst.Ip | String | The destination IP address of the alert. |
| FireEyeNX.Alert.ApplianceId | String | The appliance ID of the alert. |
| FireEyeNX.Alert.Id | Number | The ID of the alert. |
| FireEyeNX.Alert.Name | String | The alert type (name). |
| FireEyeNX.Alert.Severity | String | The severity of the alert. |
| FireEyeNX.Alert.Uuid | String | The universally unique identifier (UUID) of the alert. |
| FireEyeNX.Alert.Ack | String | yes if the alert has been acknowledged, otherwise no. |
| FireEyeNX.Alert.Product | String | The product name of the alert. |
| FireEyeNX.Alert.Vlan | Number | The virtual LAN (VLAN) of the alert. |
| FireEyeNX.Alert.Malicious | String | yes if the alert is malicious, otherwise no. |
| FireEyeNX.Alert.ScVersion | String | The SC version of the alert. |

#### Command Example

```
!fireeye-nx-get-alerts
```

#### Context Example

```json
{
  "FireEyeNX": {
    "Alert": [
      {
        "Ack": "no",
        "Action": "notified",
        "AlertUrl": "https://fireeye-941918/event_stream/events_for_bot?ev_id=11364",
        "ApplianceId": "866ED7558A08",
        "AttackTime": "2020-09-29 18:30:01 +0000",
        "Dst": {
          "Mac": "xx:xx:xx:xx:xx:xx",
          "Ip": "1.1.1.1",
          "Port": 0
        },
        "Explanation": {
          "MalwareDetected": {
            "Malware": [
              {
                "Name": "dummy malware name 1"
              }
            ]
          }
        },
        "Id": 1,
        "Malicious": "yes",
        "Name": "dummy name 1",
        "Occurred": "0000-00-00 02:12:53 +0000",
        "Product": "WEB_MPS",
        "ScVersion": "1.000",
        "Severity": "MINR",
        "Src": {
          "Ip": "1.1.1.1",
          "Port": 0,
          "Mac": "xx:xx:xx:xx:xx:xx"
        },
        "Uuid": "0b0b0b0b0-0b0b0b-0b0b-0b0b-0b0b0b0b0b",
        "Vlan": 0
      },
      {
        "Ack": "no",
        "Action": "notified",
        "AlertUrl": "https://fireeye-941918/event_stream/events_for_bot?ev_id=11365",
        "ApplianceId": "866ED7558A08",
        "AttackTime": "2020-09-29 19:00:01 +0000",
        "Dst": {
          "Mac": "xx:xx:xx:xx:xx:xx",
          "Ip": "1.1.1.1",
          "Port": 0
        },
        "Explanation": {
          "MalwareDetected": {
            "Malware": [
              {
                "Name": "dummy malware name 2"
              }
            ]
          }
        },
        "Id": 2,
        "Malicious": "yes",
        "Name": "dummy name 2",
        "Occurred": "0000-00-00 02:12:53 +0000",
        "Product": "WEB_MPS",
        "ScVersion": "1.000",
        "Severity": "MINR",
        "Src": {
          "Ip": "1.1.1.1",
          "Port": 0,
          "Mac": "xx:xx:xx:xx:xx:xx"
        },
        "Uuid": "0a0a0a0a0-0a0a0a-0a0a-0a0a-0a0a0a0a0a",
        "Vlan": 0
      }
    ]
  }
}
```

#### Human Readable Output

##### Alert(s) Information

| ID | Distinguisher (UUID) | Malware Name | Alert Type | Victim IP | Time (UTC) | Severity | Malicious | SC Version | Victim Port | Victim MAC Address | Target IP | Target Port | Target MAC Address |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 0b0b0b0b0-0b0b0b-0b0b-0b0b-0b0b0b0b0b | dummy malware name 1 | dummy name 1 | 1.1.1.1 | 0000-00-00 02:12:53 +0000 | MINR | yes | 1.000 | 0 | xx:xx:xx:xx:xx:xx | 1.1.1.1 | 0 | xx:xx:xx:xx:xx:xx |
| 2 | 0a0a0a0a0-0a0a0a-0a0a-0a0a-0a0a0a0a0a | dummy malware name 2 | dummy name 2 | 1.1.1.1 | 0000-00-00 02:12:53 +0000 | MINR | yes | 1.000 | 0 | xx:xx:xx:xx:xx:xx | 1.1.1.1 | 0 | xx:xx:xx:xx:xx:xx |
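The context above is what a playbook has to work with after `fireeye-nx-get-alerts` returns. The following is an added example, not code from the integration or from FireEye: it flattens one `FireEyeNX.Alert` entry into a list of indicators that can be fed to enrichment or blocking tasks, and rewrites the appliance-generated `AlertUrl` onto a configured instance URL, which is the effect the `replace_alert_url` parameter has on fetched incidents. `SAMPLE_ALERT` is constructed to match the shape of the context example (the hashes are those of empty input, the IPs are documentation ranges). Treating each `Explanation` child as either a single object or a list is a defensive assumption, not something the page states; the "victim"/"target" labels follow the column names of the human-readable table.

```python
"""Added example: turn a FireEyeNX.Alert context entry into flat indicators."""

from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape of the context example above. Hashes are
# those of empty input and the IPs are documentation ranges: not real IOCs.
SAMPLE_ALERT = {
    "Id": 1,
    "Name": "malware-callback",
    "Severity": "MAJR",
    "Src": {"Ip": "10.0.0.15", "Port": 49152, "Mac": "xx:xx:xx:xx:xx:xx"},
    "Dst": {"Ip": "203.0.113.7", "Port": 443, "Mac": "xx:xx:xx:xx:xx:xx"},
    "AlertUrl": "https://fireeye-941918/event_stream/events_for_bot?ev_id=11364",
    "Explanation": {
        "MalwareDetected": {
            "Malware": [
                {
                    "Name": "dummy malware name 1",
                    "Md5Sum": "d41d8cd98f00b204e9800998ecf8427e",
                    "Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                    "Url": "http://203.0.113.7/update.bin",
                    "Original": "update.bin",
                }
            ]
        },
        # A single CncService given as a dict rather than a one-element list,
        # to exercise the list-or-dict normalisation below (assumption).
        "CncServices": {
            "CncService": {"Address": "203.0.113.7", "Port": 443, "Protocol": "tcp"}
        },
        "OsChanges": {
            "Network": [{"Mode": "dns_query", "Hostname": "cdn.example-bad.test", "Qtype": "A"}]
        },
    },
}


def _as_list(value):
    """Normalise a child that may be absent, a single object, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def extract_indicators(alert: dict) -> list[dict]:
    """Return de-duplicated {type, value, source, alert_id} records for one alert.

    The first occurrence of a (type, value) pair wins, so an IP seen as a CnC
    address keeps the more specific "cnc" source even if it is also Dst.Ip."""
    found: dict[tuple, dict] = {}

    def add(kind: str, value, source: str) -> None:
        if value in (None, "", 0):
            return
        found.setdefault(
            (kind, str(value)),
            {"type": kind, "value": str(value), "source": source, "alert_id": alert.get("Id")},
        )

    exp = alert.get("Explanation") or {}
    for m in _as_list((exp.get("MalwareDetected") or {}).get("Malware")):
        add("md5", m.get("Md5Sum"), "malware")
        add("sha256", m.get("Sha256"), "malware")
        add("url", m.get("Url"), "malware")
        add("file_name", m.get("Original"), "malware")
    for c in _as_list((exp.get("CncServices") or {}).get("CncService")):
        add("ip", c.get("Address"), "cnc")
        if c.get("Address") and c.get("Port"):
            add("ip_port", f"{c['Address']}:{c['Port']}", "cnc")
    # Sandbox network activity: lower confidence than the alert's own CnC data.
    for n in _as_list((exp.get("OsChanges") or {}).get("Network")):
        add("domain", n.get("Hostname"), "sandbox")
        add("ip", n.get("Ipaddress"), "sandbox")
    # Src is the victim and Dst the target, per the human-readable table.
    add("ip", (alert.get("Src") or {}).get("Ip"), "victim")
    add("ip", (alert.get("Dst") or {}).get("Ip"), "target")
    return list(found.values())


def rewrite_alert_url(alert_url: str, instance_url: str) -> str:
    """Keep path and query of the appliance URL, take scheme and host from instance_url."""
    inst, orig = urlsplit(instance_url), urlsplit(alert_url)
    return urlunsplit((inst.scheme, inst.netloc, orig.path, orig.query, orig.fragment))


if __name__ == "__main__":
    for ind in extract_indicators(SAMPLE_ALERT):
        print(f"{ind['type']:9} {ind['value']:60} {ind['source']}")
    print(rewrite_alert_url(SAMPLE_ALERT["AlertUrl"], "https://nx.example.internal"))
```

The `source` field is what lets a playbook decide how aggressively to act: a CnC address or malware hash justifies blocking, a sandbox-observed domain usually only enrichment, and a victim IP is an internal asset to be contained rather than an indicator to be blocked.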

### fireeye-nx-get-artifacts-metadata-by-alert

Gets metadata for the malware artifacts of the alert with the specified UUID.

#### Base Command

`fireeye-nx-get-artifacts-metadata-by-alert`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | The universally unique ID (UUID) of the alert. To retrieve the UUID, execute the fireeye-nx-get-alerts command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| FireEyeNX.Alert.Uuid | String | The universally unique ID (UUID) of the alert. |
| FireEyeNX.Alert.ArtifactsMetadata.ArtifactType | String | The artifact type. |
| FireEyeNX.Alert.ArtifactsMetadata.ArtifactName | String | The artifact name. |
| FireEyeNX.Alert.ArtifactsMetadata.ArtifactSize | String | The artifact size in bytes. |

#### Command Example

```
!fireeye-nx-get-artifacts-metadata-by-alert uuid=0b0b0b0b-0b0b-0b0b-0b0b-0b0b0b0b0b0b
```

#### Context Example

```json
{
  "FireEyeNX": {
    "Alert": {
      "ArtifactsMetadata": [
        {
          "ArtifactType": "artifact type test 1",
          "ArtifactName": "artifact name test 1",
          "ArtifactSize": "1010"
        },
        {
          "ArtifactType": "artifact type test 2",
          "ArtifactName": "artifact name test 2",
          "ArtifactSize": "1010"
        }
      ],
      "Uuid": "0b0b0b0b-0b0b-0b0b-0b0b-0b0b0b0b0b0b"
    }
  }
}
```

#### Human Readable Output

##### Artifacts Metadata

| Artifact Type | Artifact Name | Artifact Size (Bytes) |
| --- | --- | --- |
| artifact type test 1 | artifact name test 1 | 1010 |
| artifact type test 2 | artifact name test 2 | 1010 |

fireeye-nx-get-artifacts-by-alert#


Downloads malware artifacts data for the specified UUID as a zip file.

Base Command#

fireeye-nx-get-artifacts-by-alert

Input#

Argument NameDescriptionRequired
uuidThe universally unique ID (UUID) of the alert. To get the UUID, execute the fireeye-nx-get-alerts command.Required

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Size | Number | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | The file information. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The file extension. |

Command Example#

!fireeye-nx-get-artifacts-by-alert uuid=0b0b0b0b-0b0b-0b0b-0b0b-0b0b0b0b0b0b

Context Example#

{
  "File": {
    "Size": 17277,
    "SHA1": "574352bb238d3379429063d71990c0000000000",
    "SHA256": "1f8ac8eaba9abaf9d12b9b82180a110eab15b14aeec14715f48b4dedaaaaaaaaa",
    "Name": "0b0b0b0b-0b0b-0b0b-0b0b-0b0b0b0b0b0b.zip",
    "SSDeep": "000:aaaaaa/aAaAaAaA+AaAaAaAaA:aa0/aAaAaAaAaAaAaA",
    "EntryID": "150@1",
    "Info": "zip",
    "Type": "Zip archive data, at least v1.0 to extract",
    "MD5": "1aA1aA1aA1aA1aA1aA1aA1aA",
    "Extension": "zip"
  }
}

fireeye-nx-get-reports#


Returns reports on selected alerts by specifying a time_frame value or a start_time and end_time of the search range.

Base Command#

fireeye-nx-get-reports

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| report_type | The type of report to be queried. | Required |
| type | The output format of the report. Possible values are: "csv" and "pdf", or both, depending on the report type. | Optional |
| start_time | The start time of the search. The search occurs between the start and end times. When specifying a start_time value, you must specify both a start_time and an end_time value. Formats: YYYY-MM-dd, YYYY-MM-ddTHH:mm:ss, N days, N hours. Examples: 2020-05-01, 2020-05-01T00:00:00, 2 days, 5 hours. | Optional |
| end_time | The end time of the search. The search occurs between the start and end times. When specifying an end_time value, you must specify both a start_time and an end_time value. Formats: YYYY-MM-dd, YYYY-MM-ddTHH:mm:ss, N days, N hours. Examples: 2020-05-01, 2020-05-01T00:00:00, 2 days, 5 hours. | Optional |
| time_frame | The time frame in which reports are searched. | Optional |
| limit | The maximum number (N) of items covered by each IPS Top N report. This argument is required only for IPS Top N reports. Possible values are: "25", "50", "75", and "100". | Optional |
| interface | The internet interface. Possible values are: "A", "B", "C", "D", "AB", and "All". This option is required only for IPS reports. | Optional |
| infection_id | The alert ID. To retrieve the alert ID, execute the fireeye-nx-get-alerts command. Use the combination of the infection_id and infection_type arguments to specify a unique alert to describe in the Alert Details Report. If one option is used alone and does not specify a unique alert, an error message is produced. | Optional |
| infection_type | The type of the infection. Use the combination of the infection_id and infection_type arguments to specify a unique alert to describe in the Alert Details Report. If one option is used alone and does not specify a unique alert, an error message is produced. Possible values are: "malware-object", "malware-callback", "infection-match", "domain-match", and "web-infection". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| InfoFile.Name | String | The file name. |
| InfoFile.EntryID | String | The ID for locating the file in the War Room. |
| InfoFile.Size | Number | The size of the file (in bytes). |
| InfoFile.Type | String | The file type, as determined by libmagic (same as displayed in the file entries). |
| InfoFile.Extension | String | The file extension. |
| InfoFile.Info | String | Basic information about the file. |

Command Example#

!fireeye-nx-get-reports report_type="IPS Executive Summary Report" type=csv time_frame=between start_time=2020-01-29T23:59:59 end_time=2020-08-29T23:59:59

Context Example#

{
  "InfoFile": {
    "EntryID": "1052@8db8b36d-df26-4a3a-8f8a-40e45629ff54",
    "Extension": "csv",
    "Info": "csv",
    "Name": "ips_executive_summary_report_fireeye_20200709_151727878642.csv",
    "Size": 606,
    "Type": "ASCII text"
  }
}

fireeye-nx-get-events#


Search and retrieve FireEye events based on several filters.

Base Command#

fireeye-nx-get-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| duration | The time interval to search. This filter is used with the end_time filter. If the duration is not specified, the system defaults to duration=12_hours, end_time=current_time. | Optional |
| start_time | The start time of the search. This filter is used with the duration filter. If start_time is specified but duration is not, the system defaults to duration=12_hours, starting at the specified start_time. Formats: YYYY-MM-dd, YYYY-MM-ddTHH:mm:ss, N days, N hours. Examples: 2020-05-01, 2020-05-01T00:00:00, 2 days, 5 hours. | Optional |
| end_time | The end time of the search. This filter is used with the duration filter. If end_time is specified but duration is not, the system defaults to duration=12_hours, ending at the specified end_time. Formats: YYYY-MM-dd, YYYY-MM-ddTHH:mm:ss, N days, N hours. Examples: 2020-05-01, 2020-05-01T00:00:00, 2 days, 5 hours. | Optional |
| mvx_correlated_only | Whether to include all IPS events or MVX-correlated events only. Default is false. | Optional |
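The time-argument formats shared by fireeye-nx-get-reports and fireeye-nx-get-events, and the defaulting rules of the events command, as an added example that is not the integration's own code. It assumes the events duration takes the same values listed for fireeye-nx-get-alerts, that an explicit start_time plus end_time overrides the duration (the page does not say), and the function names and the injectable `now` argument are made up for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not the integration's own code: the time-argument formats and
# defaulting rules from the argument tables above. Names and `now` are assumptions.
_RELATIVE = re.compile(r"^\s*(\d+)\s+(days?|hours?)\s*$", re.IGNORECASE)
_ABSOLUTE = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d")
_DURATIONS = {"1_hour": 1, "2_hours": 2, "6_hours": 6,
              "12_hours": 12, "24_hours": 24, "48_hours": 48}


def parse_time_arg(value, now=None):
    """Parse YYYY-MM-dd, YYYY-MM-ddTHH:mm:ss, 'N days' or 'N hours'.
    Relative values count back from `now`; all results are UTC datetimes."""
    now = now or datetime.now(timezone.utc)
    m = _RELATIVE.match(value)
    if m:
        n, unit = int(m.group(1)), m.group(2).lower()
        return now - (timedelta(days=n) if unit.startswith("day") else timedelta(hours=n))
    for fmt in _ABSOLUTE:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported time format: {value!r}")


def resolve_event_window(duration=None, start_time=None, end_time=None, now=None):
    """fireeye-nx-get-events rules: a missing duration defaults to 12_hours; the
    window starts at start_time if given, else ends at end_time (or at now)."""
    now = now or datetime.now(timezone.utc)
    if duration is not None and duration not in _DURATIONS:
        raise ValueError(f"invalid duration: {duration!r}")
    span = timedelta(hours=_DURATIONS[duration or "12_hours"])
    if start_time and end_time:  # assumption: an explicit range wins over duration
        return parse_time_arg(start_time, now), parse_time_arg(end_time, now)
    if start_time:
        start = parse_time_arg(start_time, now)
        return start, start + span
    end = parse_time_arg(end_time, now) if end_time else now
    return end - span, end


def check_report_args(start_time=None, end_time=None, infection_id=None, infection_type=None):
    """fireeye-nx-get-reports rules: start_time/end_time and infection_id/infection_type
    must each be given as a pair. Returns the list of violations (empty means valid)."""
    problems = []
    if bool(start_time) != bool(end_time):
        problems.append("start_time and end_time must both be specified")
    if bool(infection_id) != bool(infection_type):
        problems.append("infection_id and infection_type must both be specified")
    return problems
```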

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| FireEyeNX.Event.EventId | Number | The ID of the event. |
| FireEyeNX.Event.Occurred | String | The date and time when the event occurred. |
| FireEyeNX.Event.SrcIp | String | The IP address of the victim. |
| FireEyeNX.Event.SrcPort | Number | The port number of the victim. |
| FireEyeNX.Event.DstIp | String | The IP address of the attacker. |
| FireEyeNX.Event.DstPort | Number | The port number of the attacker. |
| FireEyeNX.Event.Severity | Number | The severity level of the event. |
| FireEyeNX.Event.SignatureRev | Number | The signature revision number of the event. |
| FireEyeNX.Event.SignatureIden | Number | The signature identity number of the event. |
| FireEyeNX.Event.SignatureMatchCnt | Number | The signature match count number of the event. |
| FireEyeNX.Event.Vlan | Number | The virtual LAN (VLAN) of the event. |
| FireEyeNX.Event.VmVerified | Boolean | Whether the event VM was verified. |
| FireEyeNX.Event.SrcMac | String | The MAC address of the source machine. |
| FireEyeNX.Event.DstMac | String | The MAC address of the destination machine. |
| FireEyeNX.Event.RuleName | String | The rule name for the event. |
| FireEyeNX.Event.SensorId | String | The sensor ID of the FireEye machine. |
| FireEyeNX.Event.CveId | String | The CVE ID found in the event. |
| FireEyeNX.Event.ActionTaken | Number | The IPS blocking action taken on the event. |
| FireEyeNX.Event.AttackMode | String | The attack mode mentioned in the event. |
| FireEyeNX.Event.InterfaceId | Number | The interface ID of the event. |
| FireEyeNX.Event.Protocol | Number | The protocol used in the event. |
| FireEyeNX.Event.IncidentId | Number | The incident ID of the event on FireEye. |

Command Example#

!fireeye-nx-get-events duration=48_hours end_time=2020-08-10T06:31:00

Context Example#

{
  "FireEyeNX": {
    "Event": [
      {
        "EventId": 1,
        "Occurred": "2020-08-10T06:31:00Z",
        "SrcIp": "1.1.1.1",
        "SrcPort": 1,
        "DstIp": "1.1.1.1",
        "DstPort": 1,
        "Vlan": 0,
        "SignatureMatchCnt": 1,
        "SignatureIden": 1,
        "SignatureRev": 1,
        "Severity": 1,
        "VmVerified": true,
        "SrcMac": "dummy",
        "DstMac": "dummy",
        "RuleName": "dummy",
        "SensorId": "dummy",
        "CveId": "CVE-123",
        "ActionTaken": 1,
        "AttackMode": "dummy",
        "InterfaceId": 1,
        "Protocol": 1,
        "IncidentId": 1
      }
    ]
  }
}

Human Readable Output#

IPS Events#

| Event ID | Time (UTC) | Victim IP | Attacker IP | CVE ID | Severity | Rule | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 2020-08-10T06:31:00Z | 1.1.1.1 | 1.1.1.1 | CVE-123 | 1 | dummy | 1 |