FireEye HX - File Indicators Hunting

This playbook is part of the FireEye HX Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook queries FireEye Endpoint Security (HX) for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file paths, and file types.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • FireEyeHX v2

Scripts

  • IsIntegrationAvailable
  • SetAndHandleEmpty

Commands

  • fireeye-hx-search

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| FileName | A single file name or multiple file names to search for within FireEye HX logs. By default, the 'contains' clause is used. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| SHA256 | A single SHA256 file hash or multiple SHA256 file hashes to search for within FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| SHA1 | A single SHA1 file hash or multiple SHA1 file hashes to search for within FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| FilePath | A single file path or multiple file paths to search for within FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| FileType | A single file type or multiple file types to search for within FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| MD5 | A single MD5 file hash or multiple MD5 file hashes to search for within FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| hostSetName | The name of the host set to be searched. Separate multiple search values by commas only (without spaces or any special characters). | | Required |
| exhaustive | Whether the search is exhaustive or quick. Possible values are: yes, no. | yes | Optional |
| interval_in_seconds | The interval in seconds between each poll. | 60 | Optional |
| limit | Limits the results count (once the limit is reached, the search is stopped). | | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| FireEyeHX.HuntingResults | The hunting result objects and fields that were retrieved from FireEye HX. | string |
| FireEyeHX.HuntingResults.Timestamp - Event | The timestamp of the event. | number |
| FireEyeHX.HuntingResults.Timestamp - Accessed | The last accessed time. | number |
| FireEyeHX.HuntingResults.Timestamp - Modified | The time when the entry was last modified. | number |
| FireEyeHX.HuntingResults.File Name | The name of the file. | string |
| FireEyeHX.HuntingResults.File Full Path | The full path of the file. | string |
| FireEyeHX.HuntingResults.DNS Hostname | The DNS hostname of the host. | string |
| FireEyeHX.HuntingResults.URL | The event URL. | string |
| FireEyeHX.HuntingResults.Username | The event username. | string |
| FireEyeHX.HuntingResults.File MD5 Hash | The MD5 hash of the file. | string |
| FireEyeHX.HuntingResults.Port | The port. | string |
| FireEyeHX.HuntingResults.Process ID | The ID of the process. | string |
| FireEyeHX.HuntingResults.Local IP Address | The local IP address. | string |
| FireEyeHX.HuntingResults.Local Port | The local port. | number |
| FireEyeHX.HuntingResults.Remote Port | The remote port. | number |
| FireEyeHX.HuntingResults.IP Address | The IP address. | string |
| FireEyeHX.HuntingResults.Process Name | The process name. | string |
| FireEyeHX.HuntingResults.type | The type of the event. | string |
| FireEyeHX.HuntingResults.id | The ID of the result. | string |
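The comma-only input convention described above and the HuntingResults context this playbook writes back, as an added Python example that is not part of the FireEye HX pack or of this playbook: it splits and validates the indicator inputs the way a pre-flight task in front of fireeye-hx-search could (flagging whitespace around a separator and malformed hashes instead of silently passing them to HX), omits empty inputs the way the SetAndHandleEmpty step does, and summarises a constructed set of results by host. The fireeye-hx-search argument names fileMD5Hash, fileSHA1Hash, fileSHA256Hash, fileName, filePath and fileType, and every hostname, hash and event type in the sample records, are assumptions for this example and are not taken from this page.

```python
import re
from collections import defaultdict

# Playbook input name -> required hex length of a well-formed hash.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# Playbook input name -> fireeye-hx-search argument name.
# ASSUMPTION: these argument names are not stated on this page.
ARG_NAMES = {
    "MD5": "fileMD5Hash",
    "SHA1": "fileSHA1Hash",
    "SHA256": "fileSHA256Hash",
    "FileName": "fileName",
    "FilePath": "filePath",
    "FileType": "fileType",
}

# Constructed sample of what FireEyeHX.HuntingResults records look like;
# hostnames, hashes and event types are invented for this example.
SAMPLE_RESULTS = [
    {"DNS Hostname": "ws01.example.local", "File Name": "procdump.exe",
     "File Full Path": "C:\\Users\\alice\\Downloads\\procdump.exe",
     "File MD5 Hash": "0123456789ABCDEF0123456789ABCDEF",
     "type": "fileWriteEvent", "id": "1"},
    {"DNS Hostname": "ws01.example.local", "File Name": "procdump.exe",
     "File MD5 Hash": "0123456789abcdef0123456789abcdef",
     "type": "processEvent", "id": "2"},
    {"DNS Hostname": "ws02.example.local", "File Name": "mimikatz.exe",
     "File MD5 Hash": "fedcba9876543210fedcba9876543210",
     "type": "fileWriteEvent", "id": "3"},
]


def split_values(raw):
    """Split one playbook input on commas only.

    Returns (values, problems). A value with leading or trailing whitespace
    is reported instead of trimmed, because that whitespace would otherwise
    become part of the search term sent to HX and quietly match nothing.
    Exact duplicates are dropped.
    """
    if not raw:
        return [], []
    values, problems = [], []
    for part in raw.split(","):
        if part == "":
            problems.append("empty value (double or trailing comma)")
        elif part != part.strip():
            problems.append(f"surrounding whitespace in {part!r}")
        elif part not in values:
            values.append(part)
    return values, problems


def validate_hashes(kind, values):
    """Partition values into well-formed hashes of `kind` and rejects."""
    pattern = re.compile(rf"^[0-9a-fA-F]{{{HASH_LENGTHS[kind]}}}$")
    good = [v for v in values if pattern.match(v)]
    bad = [v for v in values if not pattern.match(v)]
    return good, bad


def build_search_args(inputs, host_set_name, exhaustive="yes", limit=None):
    """Build the fireeye-hx-search argument dict plus a validation report.

    Mirrors the playbook's SetAndHandleEmpty step: an input that is empty,
    or that loses all its values to validation, is omitted entirely rather
    than passed through as an empty string.
    """
    args = {"hostSetName": host_set_name, "exhaustive": exhaustive}
    if limit is not None:
        args["limit"] = str(limit)
    report = {}
    for name, arg in ARG_NAMES.items():
        values, problems = split_values(inputs.get(name))
        if name in HASH_LENGTHS:
            values, bad = validate_hashes(name, values)
            problems += [f"malformed {name} {v!r}" for v in bad]
        if problems:
            report[name] = problems
        if values:
            args[arg] = ",".join(values)
    return args, report


def summarise_results(results):
    """Group HuntingResults by host -> file name -> sorted lower-cased MD5s."""
    by_host = defaultdict(lambda: defaultdict(set))
    for rec in results:
        name = rec.get("File Name")
        if not name:
            continue
        md5 = rec.get("File MD5 Hash")
        files = by_host[rec.get("DNS Hostname", "<unknown>")]
        files[name].update([md5.lower()] if md5 else [])
    return {host: {n: sorted(h) for n, h in files.items()}
            for host, files in by_host.items()}


if __name__ == "__main__":
    args, report = build_search_args(
        {"MD5": "0123456789abcdef0123456789abcdef, ffffffffffffffffffffffffffffffff",
         "FileName": "mimikatz.exe,procdump.exe", "SHA256": "notahash"},
        host_set_name="Workstations", limit=500)
    print(args)    # only the valid MD5 and the two file names survive
    print(report)  # the space-prefixed MD5 and the bogus SHA256 are flagged
    print(summarise_results(SAMPLE_RESULTS))
```

The report dict is the part worth surfacing in an incident: a value rejected here is one the playbook would otherwise have searched for verbatim, and a hunt that returns nothing because of a stray space looks identical to a hunt that returns nothing because the indicator is absent from the estate.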

Playbook Image

[Image: FireEye HX - File Indicators Hunting playbook diagram]