
Fidelis EDR v1.0.0


About the connector

Fidelis Endpoint EDR detects endpoint activity in real-time and retrospectively so you can accelerate your response and stop adversaries at the point of entry.

This document provides information about the Fidelis EDR Connector, which facilitates automated interactions with a Fidelis EDR server using FortiSOAR™ playbooks. Add the Fidelis EDR Connector as a step in FortiSOAR™ playbooks to perform automated operations with Fidelis EDR.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 7.2.2-1098

Authored By: Fortinet

Certified: Yes

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fidelis-edr

Prerequisites to configuring the connector

  • You must have the URL or IP address of the Fidelis EDR server to which you will connect and perform automated operations, and the credentials (a username and password pair) used to access that server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fidelis EDR server.

Minimum Permissions Required

The minimum privileges that must be assigned to users who will use this connector and run actions on Fidelis EDR are as follows:

  • For actions that retrieve alerts, endpoints, and script packages, such as "Get Alerts", "Get Script Packages", "Get Endpoint By Name", etc.:
    • Group Permissions (based on the endpoint)
    • Script Permission (a user can be granted permission to all scripts or only to specific scripts)
    • Alerts: View Alerts
  • For the "Get Script Job Results" action:
    • Group Permissions (based on the endpoint)
    • Script Permission (a user can be granted permission to all scripts or only to specific scripts)
    • View All Tasks permission
    • View All Task Results permission
  • For the "Delete Endpoint" action:
    • Group Permissions (based on the endpoint)
    • Configure Endpoints permission
  • For the "Execute Task" and "Execute Script Package" actions:
    • Read and Execute Group Permissions (based on the endpoint)
    • Script Permission (a user can be granted permission to all scripts or only to specific scripts)

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fidelis EDR connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Server URL: Specify the URL or IP address of the Fidelis EDR server to which you will connect and perform automated operations.
Username: Specify the username that is configured for your account to access the Fidelis EDR server to which you will connect and perform automated operations.
Password: Specify the password that is configured for your account to access the Fidelis EDR server to which you will connect and perform automated operations.
Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

Function (Annotation, Category): Description
Get Alerts (get_alerts, Investigation): Retrieves a list of all alerts or specific alerts from Fidelis EDR based on the input parameters you have specified.
Get Endpoints (get_endpoints, Investigation): Retrieves information for specific endpoints from Fidelis EDR based on the offset, limit, and other input parameters you have specified.
Get Endpoint By Name (get_endpoints_by_name, Investigation): Retrieves the IDs of specific endpoints from Fidelis EDR based on the endpoint names you have specified.
Delete Endpoint (delete_endpoint, Investigation): Deletes a specific endpoint from Fidelis EDR based on the endpoint ID you have specified.
Get Playbooks (get_playbooks, Investigation): Retrieves a list of playbooks and their details from Fidelis EDR.
Get Playbooks And Scripts (get_playbooks_scripts, Investigation): Retrieves details of all Fidelis playbooks and scripts, or of specific Fidelis playbooks and scripts, from Fidelis EDR based on the input parameters you have specified.
Get Playbooks Details (get_playbooks_detail, Investigation): Retrieves details for a specific playbook from Fidelis EDR based on the playbook ID you have specified.
Get API version Information (get_api_info, Investigation): Retrieves information on the API version from Fidelis EDR.
Get Script Packages (get_script_packages, Investigation): Retrieves a list of all script packages from Fidelis EDR.
Get Script Packages File (get_script_packages_file, Investigation): Retrieves a specific script package file from Fidelis EDR, based on the script package ID you have specified, and adds this script file to the "Attachment Module" in FortiSOAR.
Get Script Packages Manifest (get_script_packages_manifest, Investigation): Retrieves the manifest for a specific script package from Fidelis EDR based on the script package ID you have specified.
Get Script Packages Metadata (get_script_packages_metadata, Investigation): Retrieves the metadata for a specific script package from Fidelis EDR based on the script package ID you have specified.
Get Script Packages Template (get_script_packages_template, Investigation): Retrieves the template for a specific script package from Fidelis EDR based on the script package ID you have specified.
Execute Script Package (execute_script_package, Investigation): Executes a specific script package on Fidelis EDR based on the script package ID, timeout value, host information, and other input parameters you have specified.
Get Script Job Results (script_job_results, Investigation): Retrieves the results of a script job from Fidelis EDR based on the job result ID you have specified.
Execute Task (create_task, Investigation): Executes a task (runs a script job or a playbook) on Fidelis Endpoint EDR based on the script package IDs and endpoint IDs you have specified.

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of alerts) is returned.

Search String: Specify a filter that you want to apply to the results of this operation. By default, this is set to an "empty" string.
Start Date: Select the start time of the time range from which you want to retrieve alerts from Fidelis Endpoint EDR.
End Date: Select the end time of the time range up to which you want to retrieve alerts from Fidelis Endpoint EDR.
Offset: Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say alerts starting from the 10th alert. By default, this is set as "0".
Limit: Specify the maximum number of alerts that you want this operation to return in the response. By default, this is set to "all" alerts.
Sort Alerts: Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip (that is, the limit and offset). By default, this is set to "CreatedDate Descending". You can specify the name of any property of the alert object.

Output

The output contains the following populated JSON schema:
{
"entities": [
{
"id": "",
"createDate": "",
"endpointName": "",
"endpointId": "",
"name": "",
"description": "",
"artifactName": "",
"source": "",
"sourceType": "",
"severity": "",
"intelId": "",
"intelName": "",
"validatedDate": "",
"actionsTaken": "",
"eventId": "",
"eventTime": "",
"parentEventId": "",
"eventType": "",
"eventIndex": "",
"reportId": "",
"telemetry": "",
"insertionDate": "",
"hasJob": "",
"osType": "",
"agentTag": "",
"enrichments": []
}
],
"totalCount": ""
}

operation: Get Endpoints

Input parameters

Offset: Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say endpoints starting from the 10th endpoint. By default, this is set as "0".
Limit: Specify the maximum number of endpoints that you want this operation to return in the response.
Sort: Specify the property name (and optionally the order) to sort the results retrieved by this operation, before applying the limit and offset. Examples of properties that can be specified are hostname, hostname descending, createdDate, createdDate descending, etc.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"entities": [
{
"id": "",
"hostName": "",
"ipAddress": "",
"externalAddress": "",
"description": "",
"lastContactDate": "",
"agentInstalled": "",
"agentVersion": "",
"os": "",
"macAddress": "",
"aV_Enabled": "",
"eventsStopped": "",
"locality": "",
"groupList": "",
"isGroupMember": "",
"agentConnected": "",
"isolated": "",
"osType": "",
"osArch": "",
"agentTag": "",
"createdDate": "",
"avSigVersion": "",
"advMalwareVersion": "",
"aR_Enabled": "",
"events_Enabled": "",
"agentId": "",
"groups": "",
"processorName": "",
"processorCount": "",
"processorSpeedInMhz": "",
"processorNumOfCores": "",
"processorNumOfLogicalProcessors": "",
"ramSize": "",
"flag": "",
"createdByType": "",
"interfaceIPs": "",
"agentScoreboardHash": "",
"investigativeModeEnabled": "",
"investigativeModeDuration": "",
"investigativeModeStartTime": "",
"eventsVersion": "",
"activeDirectoryId": "",
"lastAvScanDate": "",
"motherboardSerial": "",
"assetTag": "",
"manufacturer": "",
"model": "",
"protectStatus": "",
"hasAllAuthCerts": "",
"hasAllCommCerts": ""
}
],
"totalCount": ""
}
}

operation: Get Endpoint By Name

Input parameters

Endpoint Names: Specify the names of the endpoints, in "CSV" or "List" format, whose IDs you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": []
}

operation: Delete Endpoint

Input parameters

Endpoint IDs: Specify the ID of the endpoint that you want to delete from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"error": "",
"success": ""
}

operation: Get Playbooks

Input parameters

Limit Playbooks: Specify the maximum number of playbooks that you want this operation to return in the response.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"entities": [
{
"id": "",
"name": "",
"description": "",
"createdByName": "",
"createdById": "",
"createdDate": "",
"scriptCount": "",
"tags": "",
"hasEndpointAction": "",
"endpointActionText": ""
}
],
"totalCount": ""
}
}

operation: Get Playbooks And Scripts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of Fidelis playbooks and scripts) is returned.

Type: Select whether you want to retrieve script packages or playbooks from Fidelis EDR. By default, this is set as "2-Script Packages".
OS Platform: Select the OS platform for which you want to retrieve script packages or playbooks from Fidelis EDR. You can choose between All, Windows, Mac, or Linux.
Sorting Order: Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip (that is, the limit and offset). By default, this is set to "name ascending".
Limit: Specify the maximum number of playbooks or scripts that you want this operation to return in the response. By default, this is set to "all" playbooks or scripts.
Offset: Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say playbooks or scripts starting from the 10th playbook or script. By default, this is set as "0".

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"entities": [
{
"id": "",
"name": "",
"description": "",
"createdByName": "",
"createdById": "",
"createdDate": "",
"tags": "",
"platforms": {
"windows32": "",
"windows64": "",
"linux32": "",
"linux64": "",
"solaris": "",
"aix": "",
"osx": ""
},
"platformsStringList": "",
"packageType": ""
}
],
"totalCount": ""
}
}

operation: Get Playbooks Details

Input parameters

Playbook ID: Specify the unique ID of the playbook whose details you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"scripts": [
{
"hash": "",
"executionOrder": "",
"scriptId": "",
"scriptName": "",
"questions": [
{
"paramNumber": "",
"question": "",
"answer": "",
"isOptional": "",
"inputType": ""
}
],
"details": {
"id": "",
"name": "",
"platforms": {
"windows32": "",
"windows64": "",
"linux32": "",
"linux64": "",
"solaris": "",
"aix": "",
"osx": ""
},
"tags": "",
"createdBy": "",
"createdByName": "",
"createdDate": "",
"fileCount": "",
"scriptPackageFiles": [
{
"fileName": "",
"fileId": ""
}
],
"platformsStringList": "",
"platformsLocalizedStringList": "",
"description": "",
"priority": "",
"resultColumns": [],
"timeoutSeconds": "",
"impersonationUser": "",
"impersonationPassword": "",
"command": "",
"wizardOverridePassword": "",
"questions": [
{
"paramNumber": "",
"question": "",
"answer": "",
"isOptional": "",
"inputType": ""
}
],
"jsonQuestions": "",
"questionsHaveLoadError": "",
"resultDelimiter": "",
"dataDependencies": [],
"hasEndpointAction": "",
"endpointActionText": "",
"tenants": "",
"hash": ""
},
"queueExpirationEnabled": "",
"queueExpirationInhours": "",
"wizardOverridePassword": "",
"impersonationUser": "",
"impersonationPassword": "",
"impersonationPasswordEnc": "",
"integrationOutputFormat": "",
"priority": "",
"filter": "",
"basicOptions": "",
"volatileDetail": "",
"processDetail": "",
"iocDetail": "",
"yaraDetail": "",
"timeoutInSeconds": "",
"jsonAnswers": "",
"jsonQuestions": "",
"isPlaybook": ""
}
],
"tenants": "",
"baseTenantId": "",
"hash": "",
"id": "",
"name": "",
"description": "",
"createdByName": "",
"createdById": "",
"createdDate": "",
"scriptCount": "",
"tags": "",
"hasEndpointAction": "",
"endpointActionText": ""
}
}

operation: Get API version Information

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"version": ""
}
}

operation: Get Script Packages

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"scripts": [
{
"id": "",
"name": "",
"description": ""
}
],
"totalCount": ""
}
}

operation: Get Script Packages File

Input parameters

Script Package ID: Specify the ID of the script package that you want to retrieve from Fidelis EDR. This operation also adds the retrieved script file to the "Attachment Module" in FortiSOAR.

Output

The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}

operation: Get Script Packages Manifest

Input parameters

Script Package ID: Specify the ID of the script package whose package manifest you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"id": "",
"name": "",
"platforms": {
"windows32": "",
"windows64": "",
"linux32": "",
"linux64": "",
"solaris": "",
"aix": "",
"osx": ""
},
"tags": "",
"createdBy": "",
"createdByName": "",
"createdDate": "",
"fileCount": "",
"scriptPackageFiles": [
{
"fileName": "",
"fileId": ""
}
],
"platformsStringList": "",
"platformsLocalizedStringList": "",
"description": "",
"priority": "",
"resultColumns": [
"Not Before",
"Serial Number"
],
"timeoutSeconds": "",
"impersonationUser": "",
"impersonationPassword": "",
"command": "",
"wizardOverridePassword": "",
"questions": [],
"jsonQuestions": "",
"questionsHaveLoadError": "",
"resultDelimiter": "",
"dataDependencies": [],
"hasEndpointAction": "",
"endpointActionText": "",
"tenants": "",
"hash": ""
}
}

operation: Get Script Packages Metadata

Input parameters

Script Package ID: Specify the ID of the script package whose package metadata you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"integrationOutputs": "",
"scriptPackageId": "",
"useImpersonation": "",
"impersonationUser": "",
"impersonationPassword": "",
"timeoutInSeconds": "",
"hosts": "",
"endpointIds": [
{}
],
"questions": {},
"useSchedule": "",
"schedule": {
"initialDateTime": "",
"recurrenceRange": "",
"maxRecurrenceCount": "",
"endDateTime": "",
"timeUnit": "",
"period": "",
"ordinalUnit": "",
"ordinal": "",
"ordinalDayOfWeek": "",
"ordinalMonth": "",
"weekday": "",
"timeZoneName": "",
"isIncremental": ""
}
}
}

operation: Get Script Packages Template

Input parameters

Script Package ID: Specify the ID of the script package whose package template you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"integrationOutputs": [],
"scriptPackageId": "",
"useImpersonation": "",
"impersonationUser": "",
"impersonationPassword": "",
"timeoutInSeconds": "",
"hosts": [],
"endpointIds": [],
"questions": {},
"useSchedule": "",
"schedule": {
"initialDateTime": "",
"recurrenceRange": "",
"maxRecurrenceCount": "",
"endDateTime": "",
"timeUnit": "",
"period": "",
"ordinalUnit": "",
"ordinal": "",
"ordinalDayOfWeek": "",
"ordinalMonth": "",
"weekday": [],
"timeZoneName": "",
"isIncremental": ""
}
}
}

operation: Execute Script Package

Input parameters

Script Package ID: Specify the ID of the script package that you want to execute on Fidelis EDR.
Timeout In Seconds: Specify the timeout value, in seconds, after which this operation times out.
Hosts: Specify one or more endpoint IP addresses in the "hosts" key, using the following format: ["10.91.96.110","10.91.96.216"]
Integration Outputs: (Optional) Specify the export format, for use with integrated products, using the integrationOutputs key. The value of the integrationOutputs key is the name of the export type as specified in the configuration file, for example "integrationOutputs":["CEFOutput","LEEFOutput"]. For more information, see the SIEM Integrations Guide.
Questions: (Optional) Specify the question data as key-value pairs, for example {"paramNumber": 1,"question": "Type","answer": "","isOptional": "false","inputType": "text"}

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"jobId": "",
"jobResultId": ""
}
}

operation: Get Script Job Results

Input parameters

Job Result ID: Specify the ID of the job whose result details you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"hits": {
"total": {
"value": "",
"relation": ""
},
"hits": [],
"useNonDeterministicPaging": "",
"nonDeterministicPagingInfo": ""
},
"columns": [],
"pendingMigration": ""
}
}
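As an added example, not code from the Fortinet connector or its sample playbooks, the following Python chains the operations documented above: it pages through Get Alerts with Offset and Limit, resolves alert endpointId values to IP addresses with Get Endpoints, validates and builds the Execute Script Package input in the documented hosts and questions formats, and reads Get Script Job Results for the returned jobResultId. The connector is modelled as a call_action(annotation, params) callable answered by an offline FakeConnector whose responses follow the page's output schemas with constructed values; the input key names (offset, limit, script_package_id, timeout_in_seconds, hosts, job_result_id), the use of the page's annotations as action names, and the severity values are assumptions.

```python
# Added example, not the connector's own code; the input key names used below are assumed.
import ipaddress

# Keys of one "questions" entry, as documented for Execute Script Package.
QUESTION_KEYS = {"paramNumber", "question", "answer", "isOptional", "inputType"}


def iter_alerts(call_action, page_size=2, **filters):
    """Walk Get Alerts with Offset/Limit until totalCount is exhausted. The server
    sorts before paging, so a new alert can shift a seen one onto a later page: dedupe by id."""
    seen = set()
    offset = 0
    while True:
        resp = call_action("get_alerts", {"offset": offset, "limit": page_size, **filters})
        page = resp.get("entities") or []
        for alert in page:
            if alert["id"] not in seen:
                seen.add(alert["id"])
                yield alert
        offset += len(page)
        if not page or offset >= int(resp.get("totalCount") or 0):
            return


def unwrap(resp):
    """Most actions return {success, error, data}; never act on the data of a failed call."""
    if not resp.get("success"):
        raise RuntimeError(f"Fidelis EDR action failed: {resp.get('error')}")
    return resp["data"]


def endpoint_ips(call_action, endpoint_ids):
    """Resolve alert endpointId values to ipAddress via Get Endpoints."""
    data = unwrap(call_action("get_endpoints", {"offset": 0, "limit": 100}))
    by_id = {e["id"]: e["ipAddress"] for e in data["entities"]}
    return [by_id[i] for i in endpoint_ids if i in by_id]


def build_execute_params(script_package_id, hosts, timeout_seconds, integration_outputs=None, questions=None):
    """Validate and assemble the Execute Script Package input: hosts must parse as IP
    addresses (documented form ["10.91.96.110","10.91.96.216"]) and each question
    entry must carry exactly the documented keys, so bad playbook input fails here."""
    if timeout_seconds <= 0 or not hosts:
        raise ValueError("timeout_seconds must be positive and hosts must not be empty")
    valid_hosts = [str(ipaddress.ip_address(h)) for h in hosts]  # ValueError on a bad address
    params = {"script_package_id": script_package_id, "timeout_in_seconds": timeout_seconds, "hosts": valid_hosts}
    if integration_outputs:
        params["integrationOutputs"] = list(integration_outputs)  # e.g. ["CEFOutput","LEEFOutput"]
    if questions:
        for q in questions:
            if set(q) != QUESTION_KEYS:
                raise ValueError(f"malformed question entry: {sorted(q)}")
        params["questions"] = list(questions)
    return params


def run_package_on_alerted_endpoints(call_action, script_package_id, severity, timeout_seconds=300):
    """Alerts at a severity -> endpoint IPs -> Execute Script Package -> Get Script Job Results."""
    ids = sorted({a["endpointId"] for a in iter_alerts(call_action) if a.get("severity") == severity})
    hosts = endpoint_ips(call_action, ids)
    if not hosts:
        return {"endpoints": [], "rows": [], "columns": []}
    job = unwrap(call_action("execute_script_package", build_execute_params(script_package_id, hosts, timeout_seconds)))
    result = unwrap(call_action("script_job_results", {"job_result_id": job["jobResultId"]}))
    return {"endpoints": hosts, "rows": result["hits"]["hits"], "columns": result["columns"]}


class FakeConnector:
    """Offline stand-in: field names follow the page's schemas, all values are constructed."""
    ALERTS = [  # Get Alerts entities (subset of fields); severity values are made up
        {"id": "a1", "endpointId": "e1", "endpointName": "ws01", "severity": "High"},
        {"id": "a2", "endpointId": "e2", "endpointName": "ws02", "severity": "Low"},
        {"id": "a3", "endpointId": "e3", "endpointName": "ws03", "severity": "High"},
    ]
    ENDPOINTS = [  # Get Endpoints entities (subset of fields)
        {"id": "e1", "hostName": "ws01", "ipAddress": "10.91.96.110"},
        {"id": "e2", "hostName": "ws02", "ipAddress": "10.91.96.216"},
        {"id": "e3", "hostName": "ws03", "ipAddress": "10.91.96.12"},
    ]

    def __init__(self):
        self.jobs = {}  # jobResultId -> hosts the package was executed on

    def __call__(self, annotation, params):
        def ok(data):
            return {"success": True, "error": "", "data": data}
        if annotation == "get_alerts":
            o, n = params["offset"], params["limit"]
            return {"entities": self.ALERTS[o:o + n], "totalCount": len(self.ALERTS)}
        if annotation == "get_endpoints":
            return ok({"entities": self.ENDPOINTS, "totalCount": len(self.ENDPOINTS)})
        if annotation == "execute_script_package":
            self.jobs["res-1"] = params["hosts"]
            return ok({"jobId": "job-1", "jobResultId": "res-1"})
        if annotation == "script_job_results":
            hosts = self.jobs[params["job_result_id"]]
            return ok({"hits": {"total": {"value": len(hosts), "relation": "eq"}, "hits": [{"host": h} for h in hosts]},
                       "columns": ["host"], "pendingMigration": False})
        return {"success": False, "error": f"unknown action {annotation}", "data": None}
```

To use it against a live FortiSOAR environment, replace FakeConnector with a callable that invokes the connector action of the same annotation and returns its JSON result.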

operation: Execute Task

Input parameters

Package ID: Specify the ID of the script package or playbook that you want to execute on Fidelis EDR.
IS Playbook Or Script: Select whether you want to run a script package or a playbook on Fidelis EDR.
Endpoint IDs: Specify the IDs of the endpoints, in "CSV" or "List" format, on which you want to execute the task.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": ""
}

Included playbooks

The Sample - Fidelis EDR - 1.0.0 playbook collection comes bundled with the Fidelis EDR connector. These playbooks contain steps that perform each of the supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fidelis EDR connector.

  • Delete Endpoint
  • Execute Script Package
  • Execute Task
  • Get API version Information
  • Get Alerts
  • Get Endpoint By Name
  • Get Endpoints
  • Get Playbooks
  • Get Playbooks And Scripts
  • Get Playbooks Details
  • Get Script Job Results
  • Get Script Packages
  • Get Script Packages File
  • Get Script Packages Manifest
  • Get Script Packages Metadata
  • Get Script Packages Template

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Previous
Next

About the connector

Fidelis Endpoint EDR detects endpoint activity in real-time and retrospectively so you can accelerate your response and stop adversaries at the point of entry.

This document provides information about the Fidelis EDR Connector, which facilitates automated interactions, with a Fidelis EDR server using FortiSOAR™ playbooks. Add the Fidelis EDR Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fidelis EDR.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 7.2.2-1098

Authored By: Fortinet

Certified: Yes

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fidelis-edr

Prerequisites to configuring the connector

Minimum Permissions Required

The minimum privileges that require to be assigned to users who are going to use this connector and run actions using Fidelis EDR are as follows:

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fidelis EDR connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server URL Specify the URL or IP address of the Fidelis EDR server to which you will connect and perform automated operations.
Username Specify the username that is configured for your account to access the Fidelis EDR server to which you will connect and perform automated operations.
Password Specify the password that is configured for your account to access the Fidelis EDR server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Get Alerts Retrieves a list of all alerts or specific alerts from Fidelis EDR based on the input parameters you have specified. get_alerts
Investigation
Get Endpoints Retrieves information for specific endpoints from Fidelis EDR based on the offset, limit, and other input parameters you have specified. get_endpoints
Investigation
Get Endpoint By Name Retrieves the IDs of specific endpoints from Fidelis EDR based on the endpoint names you have specified. get_endpoints_by_name
Investigation
Delete Endpoint Deletes a specific endpoint from Fidelis EDR based on the endpoint ID you have specified. delete_endpoint
Investigation
Get Playbooks Retrieves a list of playbooks and their details from Fidelis EDR. get_playbooks
Investigation
Get Playbooks And Scripts Retrieves details of all Fidelis playbooks and scripts or specific Fidelis playbooks and scripts from the Fidelis EDR based on the input parameters you have specified. get_playbooks_scripts
Investigation
Get Playbooks Details Retrieves details for a specific playbook from Fidelis EDR based on the playbook ID you have specified. get_playbooks_detail
Investigation
Get API version Information Retrieves information on the API version from Fidelis EDR. get_api_info
Investigation
Get Script Packages Retrieves a list of all script packages from Fidelis EDR. get_script_packages
Investigation
Get Script Packages File Retrieves the specific script packages file from Fidelis EDR and adds this script file to the "Attachment Module" in FortiSOAR based on the script package ID you have specified. get_script_packages_file
Investigation
Get Script Packages Manifest Retrieves the manifest for a specific script package from Fidelis EDR based on the script package ID you have specified. get_script_packages_manifest
Investigation
Get Script Packages Metadata Retrieves the metadata for a specific script package from Fidelis EDR based on the script package ID you have specified. get_script_packages_metadata
Investigation
Get Script Packages Template Retrieves the template for a specific script package from Fidelis EDR based on the script package ID you have specified. get_script_packages_template
Investigation
Execute Script Package Executes a specific script package on Fidelis EDR based on the script package ID, timeout value, host information, and other input parameters you have specified. execute_script_package
Investigation
Get Script Job Results Retrieves the results of a script job from Fidelis EDR based on the job result ID you have specified. script_job_results
Investigation
Execute Task Executes a task (run a script job or a playbook) on Fidelis Endpoint EDR based on the script package IDs and endpoint IDs you have specified. create_task
Investigation

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of alerts) is returned.

Parameter Description
Search String Specify a filter that you want to apply to the results of this operation. By default, this is set to an "empty" string
Start Date Select the start time of the time range from when you want to retrieve alerts from Fidelis Endpoint EDR.
End Date Select the end time of the time range till when you want to retrieve alerts from Fidelis Endpoint EDR.
Offset Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say alerts starting from the 10th alert. By default, this is set as "0".
Limit Specify the maximum number of alerts that you want this operation to return in the response. By default, this is set to "all" alerts.
Sort Alerts Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to "CreatedDate Descending". You can specify the name of any property of the alert object.

Output

The output contains the following populated JSON schema:
{
"entities": [
{
"id": "",
"createDate": "",
"endpointName": "",
"endpointId": "",
"name": "",
"description": "",
"artifactName": "",
"source": "",
"sourceType": "",
"severity": "",
"intelId": "",
"intelName": "",
"validatedDate": "",
"actionsTaken": "",
"eventId": "",
"eventTime": "",
"parentEventId": "",
"eventType": "",
"eventIndex": "",
"reportId": "",
"telemetry": "",
"insertionDate": "",
"hasJob": "",
"osType": "",
"agentTag": "",
"enrichments": []
}
],
"totalCount": ""
}

operation: Get Endpoints

Input parameters

Parameter Description
Offset Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say endpoints starting from the 10th endpoint. By default, this is set as "0".
Limit Specify the maximum number of endpoints that you want this operation to return in the response.
Sort Specify the property name (and optionally the order) to sort the results retrieved by this operation, before applying the limit and offset. Examples of properties that can be specified are hostname, hostname descending, createdDate, createdDate descending, etc.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"entities": [
{
"id": "",
"hostName": "",
"ipAddress": "",
"externalAddress": "",
"description": "",
"lastContactDate": "",
"agentInstalled": "",
"agentVersion": "",
"os": "",
"macAddress": "",
"aV_Enabled": "",
"eventsStopped": "",
"locality": "",
"groupList": "",
"isGroupMember": "",
"agentConnected": "",
"isolated": "",
"osType": "",
"osArch": "",
"agentTag": "",
"createdDate": "",
"avSigVersion": "",
"advMalwareVersion": "",
"aR_Enabled": "",
"events_Enabled": "",
"agentId": "",
"groups": "",
"processorName": "",
"processorCount": "",
"processorSpeedInMhz": "",
"processorNumOfCores": "",
"processorNumOfLogicalProcessors": "",
"ramSize": "",
"flag": "",
"createdByType": "",
"interfaceIPs": "",
"agentScoreboardHash": "",
"investigativeModeEnabled": "",
"investigativeModeDuration": "",
"investigativeModeStartTime": "",
"eventsVersion": "",
"activeDirectoryId": "",
"lastAvScanDate": "",
"motherboardSerial": "",
"assetTag": "",
"manufacturer": "",
"model": "",
"protectStatus": "",
"hasAllAuthCerts": "",
"hasAllCommCerts": ""
}
],
"totalCount": ""
}
}

operation: Get Endpoint By Name

Input parameters

Parameter Description
Endpoint Names Specify the names of the endpoints in the "CSV" or "List" format whose IDs you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": []
}

operation: Delete Endpoint

Input parameters

Parameter Description
Endpoint IDs Specify the ID of the endpoint that you want to delete from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"error": "",
"success": ""
}

operation: Get Playbooks

Input parameters

Parameter Description
Limit Playbooks Specify the maximum number of playbooks that you want this operation to return in the response.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"entities": [
{
"id": "",
"name": "",
"description": "",
"createdByName": "",
"createdById": "",
"createdDate": "",
"scriptCount": "",
"tags": "",
"hasEndpointAction": "",
"endpointActionText": ""
}
],
"totalCount": ""
}
}

operation: Get Playbooks And Scripts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of Fidelis playbooks and scripts) is returned.

Parameter | Description
Type | Select whether you want to retrieve script packages or playbooks from Fidelis EDR. By default, this is set as "2-Script Packages".
OS Platform | Select the OS platform for which you want to retrieve script packages or playbooks from Fidelis EDR. You can choose between All, Windows, Mac, or Linux.
Sorting Order | Specify the property name and order (Ascending or Descending) used to sort the results retrieved by this operation. Sorting is applied before take (Limit) and skip (Offset). By default, this is set to "name ascending".
Limit | Specify the maximum number of playbooks or scripts that you want this operation to return in the response. By default, this is set to "all" playbooks or scripts.
Offset | Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say playbooks or scripts starting from the 10th playbook or script. By default, this is set as "0".
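The Sorting Order, Limit and Offset parameters above describe server-side paging: the server sorts first, then skips Offset items and returns at most Limit of them, and totalCount tells the caller how many exist in all. The following is an added example (not the connector's or Fidelis' code) that walks every page of a response in the documented {"success", "error", "data": {"entities": [...], "totalCount"}} shape; the in-memory fake_server is a constructed stand-in for the real API and the sample entities are made up.

```python
"""Client-side paging over responses shaped like 'Get Playbooks And Scripts'.

Added example; not the connector's or Fidelis' own code. It assumes only the
response shape documented above ({"success", "error", "data": {"entities",
"totalCount"}}) and the documented semantics that sorting happens before skip
(Offset) and take (Limit). The in-memory server below is a constructed stand-in.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample inventory; the field names mirror the documented schema.
SAMPLE_ENTITIES: List[Dict] = [
    {"id": "3", "name": "Collect Browser History", "packageType": 2, "platformsStringList": "Windows"},
    {"id": "1", "name": "Audit Listening Ports", "packageType": 2, "platformsStringList": "Linux"},
    {"id": "4", "name": "Dump Scheduled Tasks", "packageType": 2, "platformsStringList": "Windows"},
    {"id": "2", "name": "Check Certificates", "packageType": 2, "platformsStringList": "Mac"},
]


def parse_sorting_order(order: str) -> Tuple[str, bool]:
    """Turn "name ascending" / "createdDate descending" into (field, reverse)."""
    parts = order.strip().split()
    if len(parts) != 2 or parts[1].lower() not in ("ascending", "descending"):
        raise ValueError(f"unsupported sorting order: {order!r}")
    return parts[0], parts[1].lower() == "descending"


def fake_server(sorting_order: str = "name ascending",
                limit: Optional[int] = None, offset: int = 0) -> Dict:
    """Stand-in for the API: sort first, then skip `offset` and take `limit`."""
    field, reverse = parse_sorting_order(sorting_order)
    if field not in SAMPLE_ENTITIES[0]:
        return {"success": False, "error": f"unknown sort field {field}", "data": None}
    ordered = sorted(SAMPLE_ENTITIES, key=lambda e: e[field], reverse=reverse)
    page = ordered[offset:] if limit is None else ordered[offset:offset + limit]
    return {"success": True, "error": "",
            "data": {"entities": page, "totalCount": len(ordered)}}


def collect_all(fetch_page: Callable[..., Dict], page_size: int,
                sorting_order: str = "name ascending") -> List[Dict]:
    """Walk every page until totalCount entities have been collected.

    Stops on a failed request or an empty page, so a server whose totalCount
    disagrees with what it actually returns cannot make the loop spin forever.
    """
    if page_size <= 0:
        raise ValueError("page_size must be positive")
    collected: List[Dict] = []
    offset = 0
    while True:
        resp = fetch_page(sorting_order=sorting_order, limit=page_size, offset=offset)
        if not resp.get("success"):
            raise RuntimeError(f"request failed: {resp.get('error')}")
        data = resp["data"]
        page = data["entities"]
        if not page:
            break
        collected.extend(page)
        offset += len(page)
        if offset >= int(data["totalCount"]):
            break
    return collected


def names(entities: List[Dict]) -> List[str]:
    """Convenience view of a page or a full collection."""
    return [e["name"] for e in entities]


if __name__ == "__main__":
    print(names(fake_server("name descending", limit=2, offset=1)["data"]["entities"]))
    print(names(collect_all(fake_server, page_size=3)))
```

In a playbook the same loop is what you would build with the Limit and Offset parameters when the default of "all" is too large to handle in one step; the empty-page and success checks are what keep a looping playbook from spinning on an error response.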

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"entities": [
{
"id": "",
"name": "",
"description": "",
"createdByName": "",
"createdById": "",
"createdDate": "",
"tags": "",
"platforms": {
"windows32": "",
"windows64": "",
"linux32": "",
"linux64": "",
"solaris": "",
"aix": "",
"osx": ""
},
"platformsStringList": "",
"packageType": ""
}
],
"totalCount": ""
}
}

operation: Get Playbooks Details

Input parameters

Parameter | Description
Playbook ID | Specify the unique ID of the playbook whose details you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"scripts": [
{
"hash": "",
"executionOrder": "",
"scriptId": "",
"scriptName": "",
"questions": [
{
"paramNumber": "",
"question": "",
"answer": "",
"isOptional": "",
"inputType": ""
}
],
"details": {
"id": "",
"name": "",
"platforms": {
"windows32": "",
"windows64": "",
"linux32": "",
"linux64": "",
"solaris": "",
"aix": "",
"osx": ""
},
"tags": "",
"createdBy": "",
"createdByName": "",
"createdDate": "",
"fileCount": "",
"scriptPackageFiles": [
{
"fileName": "",
"fileId": ""
}
],
"platformsStringList": "",
"platformsLocalizedStringList": "",
"description": "",
"priority": "",
"resultColumns": [],
"timeoutSeconds": "",
"impersonationUser": "",
"impersonationPassword": "",
"command": "",
"wizardOverridePassword": "",
"questions": [
{
"paramNumber": "",
"question": "",
"answer": "",
"isOptional": "",
"inputType": ""
}
],
"jsonQuestions": "",
"questionsHaveLoadError": "",
"resultDelimiter": "",
"dataDependencies": [],
"hasEndpointAction": "",
"endpointActionText": "",
"tenants": "",
"hash": ""
},
"queueExpirationEnabled": "",
"queueExpirationInhours": "",
"wizardOverridePassword": "",
"impersonationUser": "",
"impersonationPassword": "",
"impersonationPasswordEnc": "",
"integrationOutputFormat": "",
"priority": "",
"filter": "",
"basicOptions": "",
"volatileDetail": "",
"processDetail": "",
"iocDetail": "",
"yaraDetail": "",
"timeoutInSeconds": "",
"jsonAnswers": "",
"jsonQuestions": "",
"isPlaybook": ""
}
],
"tenants": "",
"baseTenantId": "",
"hash": "",
"id": "",
"name": "",
"description": "",
"createdByName": "",
"createdById": "",
"createdDate": "",
"scriptCount": "",
"tags": "",
"hasEndpointAction": "",
"endpointActionText": ""
}
}

operation: Get API version Information

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"version": ""
}
}

operation: Get Script Packages

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"scripts": [
{
"id": "",
"name": "",
"description": ""
}
],
"totalCount": ""
}
}

operation: Get Script Packages File

Input parameters

Parameter | Description
Script Package ID | Specify the ID of the script package that you want to retrieve from Fidelis EDR. This operation also adds the retrieved script file to the "Attachment Module" in FortiSOAR.

Output

The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}

operation: Get Script Packages Manifest

Input parameters

Parameter | Description
Script Package ID | Specify the ID of the script package whose package manifest you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"id": "",
"name": "",
"platforms": {
"windows32": "",
"windows64": "",
"linux32": "",
"linux64": "",
"solaris": "",
"aix": "",
"osx": ""
},
"tags": "",
"createdBy": "",
"createdByName": "",
"createdDate": "",
"fileCount": "",
"scriptPackageFiles": [
{
"fileName": "",
"fileId": ""
}
],
"platformsStringList": "",
"platformsLocalizedStringList": "",
"description": "",
"priority": "",
"resultColumns": [
"Not Before",
"Serial Number"
],
"timeoutSeconds": "",
"impersonationUser": "",
"impersonationPassword": "",
"command": "",
"wizardOverridePassword": "",
"questions": [],
"jsonQuestions": "",
"questionsHaveLoadError": "",
"resultDelimiter": "",
"dataDependencies": [],
"hasEndpointAction": "",
"endpointActionText": "",
"tenants": "",
"hash": ""
}
}

operation: Get Script Packages Metadata

Input parameters

Parameter | Description
Script Package ID | Specify the ID of the script package whose package metadata you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"integrationOutputs": "",
"scriptPackageId": "",
"useImpersonation": "",
"impersonationUser": "",
"impersonationPassword": "",
"timeoutInSeconds": "",
"hosts": "",
"endpointIds": [
{}
],
"questions": {},
"useSchedule": "",
"schedule": {
"initialDateTime": "",
"recurrenceRange": "",
"maxRecurrenceCount": "",
"endDateTime": "",
"timeUnit": "",
"period": "",
"ordinalUnit": "",
"ordinal": "",
"ordinalDayOfWeek": "",
"ordinalMonth": "",
"weekday": "",
"timeZoneName": "",
"isIncremental": ""
}
}
}

operation: Get Script Packages Template

Input parameters

Parameter | Description
Script Package ID | Specify the ID of the script package whose package template you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"integrationOutputs": [],
"scriptPackageId": "",
"useImpersonation": "",
"impersonationUser": "",
"impersonationPassword": "",
"timeoutInSeconds": "",
"hosts": [],
"endpointIds": [],
"questions": {},
"useSchedule": "",
"schedule": {
"initialDateTime": "",
"recurrenceRange": "",
"maxRecurrenceCount": "",
"endDateTime": "",
"timeUnit": "",
"period": "",
"ordinalUnit": "",
"ordinal": "",
"ordinalDayOfWeek": "",
"ordinalMonth": "",
"weekday": [],
"timeZoneName": "",
"isIncremental": ""
}
}
}

operation: Execute Script Package

Input parameters

Parameter | Description
Script Package ID | Specify the ID of the script package that you want to execute on Fidelis EDR.
Timeout In Seconds | Specify the timeout value, in seconds, after which this operation times out.
Hosts | You can specify multiple endpoint IP addresses in the "hosts" key using the following format: ["10.91.96.110","10.91.96.216"]
Integration Outputs | (Optional) You can specify the export format, for use with integrated products, using the "integrationOutputs" key. The value of the "integrationOutputs" key is the name of the export type as specified in the configuration file. For example, "integrationOutputs":["CEFOutput","LEEFOutput"]. For more information, see the SIEM Integrations Guide.
Questions | (Optional) Specify the key-value pair of question data. For example, {"paramNumber": 1,"question": "Type","answer": "","isOptional": "false","inputType": "text"}

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"jobId": "",
"jobResultId": ""
}
}

operation: Get Script Job Results

Input parameters

Parameter | Description
Job Result ID | Specify the ID of the job whose result details you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"hits": {
"total": {
"value": "",
"relation": ""
},
"hits": [],
"useNonDeterministicPaging": "",
"nonDeterministicPagingInfo": ""
},
"columns": [],
"pendingMigration": ""
}
}

operation: Execute Task

Input parameters

Parameter | Description
Package ID | Specify the ID of the script package or playbook that you want to execute on Fidelis EDR.
IS Playbook Or Script | Select whether you want to run a script package or a playbook on Fidelis EDR.
Endpoint IDs | Specify the IDs of the endpoints, in the "CSV" or "List" format, on which you want to execute the task.
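Both "Execute Script Package" (hosts, integrationOutputs, questions) and "Execute Task" (Package ID, IS Playbook Or Script, Endpoint IDs in "CSV" or "List" format) run code on endpoints, so the request body deserves validation before it is sent. The following is an added example (not the connector's or Fidelis' code) that builds both bodies from the documented parameters. The key names reuse those that appear on this page (scriptPackageId, timeoutInSeconds, hosts, integrationOutputs, questions, endpointIds, isPlaybook); "packageId" and the exact body the connector puts on the wire are assumptions, and the sample IDs in the usage are made up.

```python
"""Validated request bodies for 'Execute Script Package' and 'Execute Task'.

Added example; not the connector's or Fidelis' own code. The key names reuse
those that appear in this document (scriptPackageId, timeoutInSeconds, hosts,
integrationOutputs, questions, endpointIds, isPlaybook); "packageId" and the
exact body the connector puts on the wire are assumptions. The point is the
validation: a host that is not an IP literal, an empty endpoint list or a
malformed question is rejected here rather than sent to the EDR server.
"""
import ipaddress
import json
from typing import Any, Dict, Iterable, List, Optional, Union

# Keys carried by the 'Questions' example in the parameter table.
REQUIRED_QUESTION_KEYS = {"paramNumber", "question", "answer", "isOptional", "inputType"}


def parse_id_list(value: Union[str, Iterable[Any]]) -> List[str]:
    """Accept the "CSV" or "List" form the Endpoint IDs / Endpoint Names parameters allow.

    Trims whitespace, drops empty items and duplicates, keeps first-seen order.
    """
    items = value.split(",") if isinstance(value, str) else list(value)
    seen, out = set(), []
    for item in items:
        if not isinstance(item, (str, int)):
            raise TypeError(f"unsupported ID type: {type(item).__name__}")
        text = str(item).strip()
        if text and text not in seen:
            seen.add(text)
            out.append(text)
    if not out:
        raise ValueError("at least one ID is required")
    return out


def build_execute_script_package_payload(
    script_package_id: Union[str, int],
    timeout_seconds: int,
    hosts: Union[str, Iterable[str]],
    integration_outputs: Optional[Iterable[str]] = None,
    questions: Optional[Union[Dict, Iterable[Dict]]] = None,
) -> Dict[str, Any]:
    """Build the 'Execute Script Package' body from the documented parameters."""
    timeout = int(timeout_seconds)
    if timeout <= 0:
        raise ValueError("Timeout In Seconds must be a positive integer")
    host_list = parse_id_list(hosts)
    for host in host_list:
        ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP literal
    payload: Dict[str, Any] = {
        "scriptPackageId": str(script_package_id),
        "timeoutInSeconds": timeout,
        "hosts": host_list,
    }
    if integration_outputs:  # e.g. ["CEFOutput", "LEEFOutput"] as in the table above
        payload["integrationOutputs"] = parse_id_list(integration_outputs)
    if questions is not None:
        # A single question object (as in the table) or a list of them is accepted.
        question_list = [questions] if isinstance(questions, dict) else list(questions)
        for q in question_list:
            missing = REQUIRED_QUESTION_KEYS - set(q)
            if missing:
                raise ValueError(f"question is missing keys: {sorted(missing)}")
        payload["questions"] = question_list
    return payload


def build_execute_task_payload(package_id: Union[str, int], is_playbook: bool,
                               endpoint_ids: Union[str, Iterable[Any]]) -> Dict[str, Any]:
    """Build the 'Execute Task' body; "packageId" is an assumed key name."""
    return {
        "packageId": str(package_id),
        "isPlaybook": bool(is_playbook),
        "endpointIds": parse_id_list(endpoint_ids),
    }


def to_json(payload: Dict[str, Any]) -> str:
    """Stable serialisation, handy for logging the exact body that was sent."""
    return json.dumps(payload, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample values; the two IP addresses are the ones used in the table above.
    body = build_execute_script_package_payload(
        "12", 300, ["10.91.96.110", "10.91.96.216"],
        integration_outputs=["CEFOutput", "LEEFOutput"],
        questions={"paramNumber": 1, "question": "Type", "answer": "",
                   "isOptional": "false", "inputType": "text"},
    )
    print(to_json(body))
    print(to_json(build_execute_task_payload("7", False, "ep-1, ep-2, ep-1")))
```

Logging the serialised body alongside the jobId and jobResultId that "Execute Script Package" returns gives the incident record a precise account of what was run where, which is what a reviewer of a response playbook will ask for later.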

Output

The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": ""
}

Included playbooks

The Sample - Fidelis EDR - 1.0.0 playbook collection comes bundled with the Fidelis EDR connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fidelis EDR connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
