
FireEye HX - Execution Flow Indicators Hunting

This playbook is part of the FireEye HX Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook queries FireEye Endpoint Security (HX) for execution flow indicators, including process names, registry keys, registry values, and applications.

Note that multiple search values should be separated by commas only (without spaces or any special characters).
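To make the input format concrete, here is an added example (not code from the FireEye HX Pack or the FireEyeHX v2 integration) that parses the comma-separated search values the way the playbook inputs describe, rejects entries with spaces or other forbidden characters, and applies a 'contains' clause locally to a handful of constructed HuntingResults records. The record field names are taken from the playbook outputs table below; the sample values, the allowed character set for a search value, and the case-insensitive comparison are assumptions made for this example, not HX's documented behaviour.

```python
"""Local model of the playbook's search inputs and 'contains' matching.

Added example, not code from the FireEye HX Pack or the FireEyeHX v2
integration: it parses comma-separated search values as the playbook inputs
describe and applies a 'contains' clause to constructed HuntingResults
records so an analyst can see what a given input would match.
"""
import re
from typing import Dict, List, Optional

Result = Dict[str, object]

# Constructed sample records using the FireEyeHX.HuntingResults field names from
# the outputs table; the values are invented for this example.
SAMPLE_RESULTS: List[Result] = [
    {"id": "r1", "type": "processEvent", "Process Name": "powershell.exe",
     "File Full Path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Username": "CORP\\alice", "Process ID": "4120"},
    {"id": "r2", "type": "processEvent", "Process Name": "mshta.exe",
     "File Full Path": "C:\\Windows\\System32\\mshta.exe",
     "Username": "CORP\\bob", "Process ID": "5120"},
    {"id": "r3", "type": "fileWriteEvent", "Process Name": "explorer.exe",
     "File Full Path": "C:\\Users\\bob\\Downloads\\invoice.hta",
     "Username": "CORP\\bob", "Process ID": "1800"},
]

# Assumed character set for one search value: the page only says values are
# separated by commas with no spaces or special characters, so letters, digits,
# dots, underscores, dashes, colons and backslashes (paths, registry keys) are allowed.
_VALUE = re.compile(r"^[A-Za-z0-9._\-\\:]+$")


def parse_search_values(raw: Optional[str]) -> List[str]:
    """Split a playbook input such as 'powershell.exe,mshta.exe' into values.

    Raises ValueError on an entry that contains a space or other character the
    note forbids, rather than silently passing a malformed term to the search.
    """
    if not raw:
        return []
    values: List[str] = []
    for item in raw.split(","):
        if not _VALUE.match(item):
            raise ValueError(
                f"malformed search value {item!r}: separate values by commas only")
        values.append(item)
    return values


def contains_any(record: Result, field: str, needles: List[str]) -> bool:
    """'contains' clause: the field holds any needle as a substring.

    Matching is case-insensitive here (an assumption; the page does not state
    HX's comparison semantics).
    """
    haystack = str(record.get(field, "")).lower()
    return any(n.lower() in haystack for n in needles)


def hunt(results: List[Result], criteria: Dict[str, str],
         limit: Optional[int] = None) -> List[Result]:
    """Apply each criterion (output field -> raw comma-separated input) with a
    'contains' clause; different fields are ANDed, values within a field ORed.

    `limit` mirrors the playbook's limit input: stop once that many results
    have been collected.
    """
    parsed = {field: parse_search_values(raw) for field, raw in criteria.items()}
    parsed = {f: v for f, v in parsed.items() if v}  # empty inputs impose no constraint
    kept: List[Result] = []
    for record in results:
        if all(contains_any(record, f, v) for f, v in parsed.items()):
            kept.append(record)
            if limit is not None and len(kept) >= limit:
                break
    return kept


if __name__ == "__main__":
    for hit in hunt(SAMPLE_RESULTS, {"Process Name": "powershell.exe,mshta.exe"}):
        print(hit["id"], hit["Process Name"], hit["Username"])
```

The validation step is the part worth keeping in mind when wiring inputs: a value such as `powershell.exe, mshta.exe` (with a space after the comma) would otherwise be passed on as a different search term and quietly match nothing.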

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • FireEyeHX v2

Scripts

  • SetAndHandleEmpty
  • IsIntegrationAvailable

Commands

  • fireeye-hx-search

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Application | Single or multiple application names or codes to search for within FireEye HX logs. By default, the 'contains' clause is used. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| ProcessName | A single or multiple process names to search for within FireEye HX logs. By default, the 'contains' clause is used. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| RegistryKey | A single or multiple registry keys to search for within FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| RegistryValue | A single or multiple registry values to search for within FireEye HX logs. By default, the 'contains' clause is used. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| hostSetName | The name of the host set to be searched. | | Required |
| exhaustive | Whether a search is exhaustive or quick. Possible values are: yes, no. | yes | Optional |
| interval_in_seconds | The interval in seconds between each poll. | 60 | Optional |
| limit | Limits the results count (once the limit is reached, the search is stopped). | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| FireEyeHX.HuntingResults | Email message objects and fields that were retrieved from FireEye HX. | string |
| FireEyeHX.HuntingResults.Timestamp - Event | The timestamp of the event. | number |
| FireEyeHX.HuntingResults.Timestamp - Accessed | The last accessed time. | number |
| FireEyeHX.HuntingResults.Timestamp - Modified | The time when the entry was last modified. | number |
| FireEyeHX.HuntingResults.File Name | The name of the file. | string |
| FireEyeHX.HuntingResults.File Full Path | The full path of the file. | string |
| FireEyeHX.HuntingResults.DNS Hostname | The name of the DNS host. | string |
| FireEyeHX.HuntingResults.URL | The event URL. | string |
| FireEyeHX.HuntingResults.Username | The event username. | string |
| FireEyeHX.HuntingResults.File MD5 Hash | The MD5 hash of the file. | string |
| FireEyeHX.HuntingResults.Port | The port. | number |
| FireEyeHX.HuntingResults.Process ID | The ID of the process. | string |
| FireEyeHX.HuntingResults.Local IP Address | The local IP address. | string |
| FireEyeHX.HuntingResults.Local Port | The local port. | number |
| FireEyeHX.HuntingResults.Remote Port | The remote port. | number |
| FireEyeHX.HuntingResults.IP Address | The IP address. | string |
| FireEyeHX.HuntingResults.Process Name | The process name. | string |
| FireEyeHX.HuntingResults.type | The type of the event. | string |
| FireEyeHX.HuntingResults.id | The ID of the result. | string |

Playbook Image

[Playbook image: FireEye HX - Execution Flow Indicators Hunting]