
FireEye HX - Traffic Indicators Hunting

This playbook is part of the FireEye HX Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook queries FireEye Endpoint Security (HX) for traffic indicators, including IP addresses, URLs, domains, and ports.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • FireEyeHX v2

Scripts

  • SetAndHandleEmpty
  • IsIntegrationAvailable

Commands

  • fireeye-hx-search

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| IPAddress | One or more IP addresses to search for within FireEye HX logs. Matched against both source and destination IP addresses. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| PortNumber | One or more port numbers to search for within FireEye HX logs. Matched against both remote and local ports. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| URLDomain | One or more URLs and/or domains to search for within FireEye HX logs. By default, the 'contains' clause is used. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| hostSetName | The name of the host set to be searched. | | Required |
| interval_in_seconds | The interval in seconds between each poll. Default is 60. | | Optional |
| limit | Limits the result count (once the limit is reached, the search is stopped). | | Optional |
| exhaustive | Whether the search is exhaustive or quick. Possible values are: yes, no. Default is yes. | no | Optional |
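The comma-only input format is easy to get wrong when indicators are pasted from a report (defanged, space- or semicolon-separated, duplicated). The Python helper below is an added example, not part of this playbook or the FireEye HX pack: it normalizes raw indicator lists into the IPAddress, PortNumber and URLDomain inputs, rejects invalid IP addresses and ports, and enforces the comma-only rule before the values reach the playbook. The function names, the host set name and the sample indicators are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Domain: dot-separated labels of letters, digits and hyphens, at least one dot.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)
# URL: http(s) scheme followed by anything that is not whitespace or a comma.
_URL_RE = re.compile(r"^https?://[^\s,]+$", re.IGNORECASE)


def split_values(raw: str) -> List[str]:
    """Split a pasted list on commas, whitespace and semicolons, dropping empties."""
    return [v.strip() for v in re.split(r"[,\s;]+", raw) if v.strip()]


def _refang(value: str) -> str:
    """Undo common report defanging such as 1.2.3[.]4 and hxxp://."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def normalize_ips(raw: str) -> str:
    """Validate each entry as an IPv4/IPv6 address; dedupe; join with commas only."""
    out = [str(ipaddress.ip_address(_refang(v))) for v in split_values(raw)]
    return ",".join(dict.fromkeys(out))  # dict.fromkeys dedupes and keeps order


def normalize_ports(raw: str) -> str:
    """Accept only integers in 1..65535; dedupe; join with commas only."""
    out: List[str] = []
    for v in split_values(raw):
        if not v.isdigit() or not 1 <= int(v) <= 65535:
            raise ValueError(f"invalid port: {v!r}")
        out.append(str(int(v)))
    return ",".join(dict.fromkeys(out))


def normalize_url_domains(raw: str) -> str:
    """Accept URLs or domains (refanged); dedupe; join with commas only."""
    out: List[str] = []
    for v in split_values(raw):
        v = _refang(v)
        if not (_URL_RE.match(v) or _DOMAIN_RE.match(v)):
            raise ValueError(f"not a URL or domain: {v!r}")
        out.append(v)
    return ",".join(dict.fromkeys(out))


def build_playbook_inputs(host_set: str, ips: str = "", ports: str = "",
                          url_domains: str = "") -> Dict[str, str]:
    """Assemble the playbook inputs; hostSetName is required, the rest optional."""
    inputs: Dict[str, str] = {"hostSetName": host_set}
    if ips:
        inputs["IPAddress"] = normalize_ips(ips)
    if ports:
        inputs["PortNumber"] = normalize_ports(ports)
    if url_domains:
        inputs["URLDomain"] = normalize_url_domains(url_domains)
    # Final guard for the playbook's stated rule: values are comma-separated only.
    for key, value in inputs.items():
        if key != "hostSetName" and re.search(r"[\s;]", value):
            raise ValueError(f"{key} contains whitespace or a separator other than comma")
    return inputs


if __name__ == "__main__":
    # Constructed sample input in the messy form an analyst might paste.
    print(build_playbook_inputs(
        host_set="All Hosts",
        ips="203.0.113.10, 203.0.113[.]11; 203.0.113.10",
        ports="443, 8443 4444",
        url_domains="hxxp://bad.example.test/p, c2.example.test",
    ))
```

The guard at the end is deliberately separate from the per-type validators: if a new input type is added later, it still cannot leak a space or semicolon into a value the playbook will split only on commas.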

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| FireEyeHX.HuntingResults | Hunting result objects and fields retrieved from FireEye HX. | string |
| FireEyeHX.HuntingResults.Timestamp - Event | The timestamp of the event. | number |
| FireEyeHX.HuntingResults.Timestamp - Accessed | The last accessed time. | number |
| FireEyeHX.HuntingResults.Timestamp - Modified | The time when the entry was last modified. | number |
| FireEyeHX.HuntingResults.File Name | The name of the file. | string |
| FireEyeHX.HuntingResults.File Full Path | The full path of the file. | string |
| FireEyeHX.HuntingResults.DNS Hostname | The name of the DNS host. | string |
| FireEyeHX.HuntingResults.URL | The event URL. | string |
| FireEyeHX.HuntingResults.Username | The event username. | string |
| FireEyeHX.HuntingResults.File MD5 Hash | The MD5 hash of the file. | string |
| FireEyeHX.HuntingResults.Port | The port. | number |
| FireEyeHX.HuntingResults.Process ID | The ID of the process. | string |
| FireEyeHX.HuntingResults.Local IP Address | The local IP address. | string |
| FireEyeHX.HuntingResults.Local Port | The local port. | number |
| FireEyeHX.HuntingResults.Remote Port | The remote port. | number |
| FireEyeHX.HuntingResults.IP Address | The IP address. | string |
| FireEyeHX.HuntingResults.Process Name | The process name. | string |
| FireEyeHX.HuntingResults.type | The type of the event. | string |
| FireEyeHX.HuntingResults.id | The ID of the result. | string |

Playbook Image


FireEye HX - Traffic Indicators Hunting