
FireEye HX - Indicators Hunting

This Playbook is part of the FireEye HX Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook facilitates threat hunting and detection of IOCs within FireEye Endpoint Security (HX) using three sub-playbooks, which query FireEye HX for file, traffic, and execution-flow indicators respectively.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

Supported IOCs for this playbook:

  • MD5
  • SHA1
  • SHA256
  • IP Address
  • URLDomain
  • Registry Value
  • Registry Key
  • File Name
  • Process Name
  • Port Number
  • File Path
  • FileType

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • FireEye HX - File Indicators Hunting
  • FireEye HX - Execution Flow Indicators Hunting
  • FireEye HX - Traffic Indicators Hunting

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

This playbook does not use any commands.

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| IPAddress | One or more IP addresses to search for in FireEye HX logs. Matched against both source and destination IP addresses. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| PortNumber | One or more port numbers to search for in FireEye HX logs. Matched against both remote and local ports. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| URLDomain | One or more URLs and/or domains to search for in FireEye HX logs. By default, the 'contains' clause is used. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| SHA256 | One or more SHA256 file hashes to search for in FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| SHA1 | One or more SHA1 file hashes to search for in FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| MD5 | One or more MD5 file hashes to search for in FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| FilePath | One or more file paths to search for in FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| FileName | One or more file names to search for in FireEye HX logs. By default, the 'contains' clause is used. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| FileType | One or more file types to search for in FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| ProcessName | One or more process names to search for in FireEye HX logs. By default, the 'contains' clause is used. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| RegistryKey | One or more registry keys to search for in FireEye HX logs. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| RegistryValue | One or more registry values to search for in FireEye HX logs. By default, the 'contains' clause is used. | | Optional |
| Application | One or more application names or codes to search for in FireEye HX logs. By default, the 'contains' clause is used. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| hostSetName | The name of the host set to search. | | Required |
| exhaustive | Whether the search is exhaustive. Possible values are: yes, no. | yes | Optional |
| interval_in_seconds | The interval in seconds between each poll. | 60 | Optional |
| limit | Limits the number of results. When the limit is reached, the search stops. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| FireEyeHX.HuntingResults | Hunting result objects and fields retrieved from FireEye HX. | string |
| FireEyeHX.HuntingResults.Timestamp - Event | The timestamp of the event. | number |
| FireEyeHX.HuntingResults.Timestamp - Accessed | The time when the entry was last accessed. | number |
| FireEyeHX.HuntingResults.Timestamp - Modified | The time when the entry was last modified. | number |
| FireEyeHX.HuntingResults.File Name | The name of the file. | string |
| FireEyeHX.HuntingResults.File Full Path | The full path of the file. | string |
| FireEyeHX.HuntingResults.DNS Hostname | The name of the DNS host. | string |
| FireEyeHX.HuntingResults.URL | The event URL. | string |
| FireEyeHX.HuntingResults.Username | The event username. | string |
| FireEyeHX.HuntingResults.File MD5 Hash | The MD5 hash of the file. | string |
| FireEyeHX.HuntingResults.Port | The port. | number |
| FireEyeHX.HuntingResults.Process ID | The ID of the process. | string |
| FireEyeHX.HuntingResults.Local IP Address | The local IP address. | string |
| FireEyeHX.HuntingResults.Local Port | The local port. | number |
| FireEyeHX.HuntingResults.Remote Port | The remote port. | number |
| FireEyeHX.HuntingResults.IP Address | The IP address. | string |
| FireEyeHX.HuntingResults.Process Name | The process name. | string |
| FireEyeHX.HuntingResults.type | The type of the event. | string |
| FireEyeHX.HuntingResults.id | The ID of the result. | string |

Playbook Image

[Playbook image: FireEye HX - Indicators Hunting]