Fidelis Endpoint EDR detects endpoint activity in real-time and retrospectively so you can accelerate your response and stop adversaries at the point of entry.
This document provides information about the Fidelis EDR Connector, which facilitates automated interactions with a Fidelis EDR server using FortiSOAR™ playbooks. Add the Fidelis EDR Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fidelis EDR.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 7.2.2-1098
Authored By: Fortinet
Certified: Yes
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fidelis-edr
The minimum privileges that must be assigned to users who will use this connector and run actions on Fidelis EDR are as follows:
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fidelis EDR connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL or IP address of the Fidelis EDR server to which you will connect and perform automated operations. |
Username | Specify the username that is configured for your account to access the Fidelis EDR server to which you will connect and perform automated operations. |
Password | Specify the password that is configured for your account to access the Fidelis EDR server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Get Alerts | Retrieves a list of all alerts or specific alerts from Fidelis EDR based on the input parameters you have specified. | get_alerts Investigation |
Get Endpoints | Retrieves information for specific endpoints from Fidelis EDR based on the offset, limit, and other input parameters you have specified. | get_endpoints Investigation |
Get Endpoint By Name | Retrieves the IDs of specific endpoints from Fidelis EDR based on the endpoint names you have specified. | get_endpoints_by_name Investigation |
Delete Endpoint | Deletes a specific endpoint from Fidelis EDR based on the endpoint ID you have specified. | delete_endpoint Investigation |
Get Playbooks | Retrieves a list of playbooks and their details from Fidelis EDR. | get_playbooks Investigation |
Get Playbooks And Scripts | Retrieves details of all Fidelis playbooks and scripts or specific Fidelis playbooks and scripts from the Fidelis EDR based on the input parameters you have specified. | get_playbooks_scripts Investigation |
Get Playbooks Details | Retrieves details for a specific playbook from Fidelis EDR based on the playbook ID you have specified. | get_playbooks_detail Investigation |
Get API version Information | Retrieves information on the API version from Fidelis EDR. | get_api_info Investigation |
Get Script Packages | Retrieves a list of all script packages from Fidelis EDR. | get_script_packages Investigation |
Get Script Packages File | Retrieves the specific script packages file from Fidelis EDR and adds this script file to the "Attachment Module" in FortiSOAR based on the script package ID you have specified. | get_script_packages_file Investigation |
Get Script Packages Manifest | Retrieves the manifest for a specific script package from Fidelis EDR based on the script package ID you have specified. | get_script_packages_manifest Investigation |
Get Script Packages Metadata | Retrieves the metadata for a specific script package from Fidelis EDR based on the script package ID you have specified. | get_script_packages_metadata Investigation |
Get Script Packages Template | Retrieves the template for a specific script package from Fidelis EDR based on the script package ID you have specified. | get_script_packages_template Investigation |
Execute Script Package | Executes a specific script package on Fidelis EDR based on the script package ID, timeout value, host information, and other input parameters you have specified. | execute_script_package Investigation |
Get Script Job Results | Retrieves the results of a script job from Fidelis EDR based on the job result ID you have specified. | script_job_results Investigation |
Execute Task | Executes a task (run a script job or a playbook) on Fidelis Endpoint EDR based on the script package IDs and endpoint IDs you have specified. | create_task Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of alerts) is returned.
Parameter | Description |
---|---|
Search String | Specify a filter that you want to apply to the results of this operation. By default, this is set to an "empty" string. |
Start Date | Select the start time of the time range from when you want to retrieve alerts from Fidelis Endpoint EDR. |
End Date | Select the end time of the time range until which you want to retrieve alerts from Fidelis Endpoint EDR. |
Offset | Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say alerts starting from the 10th alert. By default, this is set as "0". |
Limit | Specify the maximum number of alerts that you want this operation to return in the response. By default, this is set to "all" alerts. |
Sort Alerts | Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip (the limit and offset). By default, this is set to "CreatedDate Descending". You can specify the name of any property of the alert object. |
The output contains the following populated JSON schema:
{
"entities": [
{
"id": "",
"createDate": "",
"endpointName": "",
"endpointId": "",
"name": "",
"description": "",
"artifactName": "",
"source": "",
"sourceType": "",
"severity": "",
"intelId": "",
"intelName": "",
"validatedDate": "",
"actionsTaken": "",
"eventId": "",
"eventTime": "",
"parentEventId": "",
"eventType": "",
"eventIndex": "",
"reportId": "",
"telemetry": "",
"insertionDate": "",
"hasJob": "",
"osType": "",
"agentTag": "",
"enrichments": []
}
],
"totalCount": ""
}
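The Offset and Limit parameters above page through the alert list, and the output schema pairs each page with a totalCount. The following Python is an added example, not code from the connector or from Fortinet: it walks every page using a caller-supplied fetch function, stops on either totalCount or an empty page (so a server that under-reports totalCount cannot loop it forever), de-duplicates overlapping pages by alert id, and then summarises the collected alerts. The fetch function and the alert records are constructed stand-ins shaped like the documented schema.

```python
"""Added example (not part of the Fidelis EDR connector): paginate the
Get Alerts output schema with Offset/Limit and summarise the result."""
from collections import Counter
from typing import Callable, Dict, Iterable, Iterator, List

# Constructed sample alerts in the shape of the "entities" array documented
# above. Every value here is invented for the example.
SAMPLE_ALERTS: List[Dict] = [
    {"id": 101, "createDate": "2023-05-01T10:00:00Z", "endpointName": "ws-01",
     "endpointId": "ep-1", "name": "Suspicious process", "severity": "High"},
    {"id": 102, "createDate": "2023-05-01T10:05:00Z", "endpointName": "ws-02",
     "endpointId": "ep-2", "name": "Known bad hash", "severity": "Critical"},
    {"id": 103, "createDate": "2023-05-01T10:09:00Z", "endpointName": "ws-03",
     "endpointId": "ep-3", "name": "Policy violation", "severity": "Low"},
    {"id": 104, "createDate": "2023-05-01T10:12:00Z", "endpointName": "ws-01",
     "endpointId": "ep-1", "name": "Credential access", "severity": "High"},
    {"id": 105, "createDate": "2023-05-01T10:20:00Z", "endpointName": "ws-04",
     "endpointId": "ep-4", "name": "Unusual network", "severity": "Medium"},
]


def fake_get_alerts(offset: int, limit: int) -> Dict:
    """Stand-in (hypothetical) for the connector's Get Alerts step. It returns
    one page in the documented {"entities": [...], "totalCount": N} shape."""
    page = SAMPLE_ALERTS[offset:offset + limit]
    return {"entities": page, "totalCount": len(SAMPLE_ALERTS)}


def iter_all_alerts(fetch: Callable[[int, int], Dict], page_size: int = 2) -> Iterator[Dict]:
    """Yield every alert across all pages.

    Termination is decided by two independent signals: the documented
    totalCount, and an empty page. Either one ends the loop, so a wrong or
    missing totalCount cannot cause an endless walk against the EDR server.
    """
    offset = 0
    seen_ids = set()
    while True:
        response = fetch(offset, page_size)
        entities = response.get("entities") or []
        if not entities:
            return
        for alert in entities:
            # Overlapping pages (e.g. new alerts inserted while paging with a
            # descending sort) would otherwise yield the same alert twice.
            if alert["id"] in seen_ids:
                continue
            seen_ids.add(alert["id"])
            yield alert
        offset += len(entities)
        total = response.get("totalCount")
        if isinstance(total, int) and offset >= total:
            return


def severity_summary(alerts: Iterable[Dict]) -> Dict[str, int]:
    """Count alerts per severity value; alerts without one count as Unknown."""
    return dict(Counter(a.get("severity") or "Unknown" for a in alerts))


def endpoints_with_severity(alerts: Iterable[Dict], severities: Iterable[str]) -> List[str]:
    """Return the sorted, de-duplicated endpoint IDs that carry any of the
    given severities (case-insensitive), ready for an enrichment step."""
    wanted = {s.lower() for s in severities}
    return sorted({a["endpointId"] for a in alerts
                   if str(a.get("severity", "")).lower() in wanted})


if __name__ == "__main__":
    collected = list(iter_all_alerts(fake_get_alerts, page_size=2))
    print(len(collected), "alerts")
    print(severity_summary(collected))
    print(endpoints_with_severity(collected, ["High", "Critical"]))
```

In a playbook the fetch callable would be the connector's Get Alerts step; the page size maps to Limit and the running offset to Offset. Because the default sort is CreatedDate Descending, alerts that arrive mid-walk shift the pages, which is why the id-based de-duplication is kept rather than trusting offsets alone.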
Parameter | Description |
---|---|
Offset | Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say endpoints starting from the 10th endpoint. By default, this is set as "0". |
Limit | Specify the maximum number of endpoints that you want this operation to return in the response. |
Sort | Specify the property name (and optionally the order) to sort the results retrieved by this operation, before applying the limit and offset. Examples of properties that can be specified are hostname, hostname descending, createdDate, createdDate descending, etc. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"entities": [
{
"id": "",
"hostName": "",
"ipAddress": "",
"externalAddress": "",
"description": "",
"lastContactDate": "",
"agentInstalled": "",
"agentVersion": "",
"os": "",
"macAddress": "",
"aV_Enabled": "",
"eventsStopped": "",
"locality": "",
"groupList": "",
"isGroupMember": "",
"agentConnected": "",
"isolated": "",
"osType": "",
"osArch": "",
"agentTag": "",
"createdDate": "",
"avSigVersion": "",
"advMalwareVersion": "",
"aR_Enabled": "",
"events_Enabled": "",
"agentId": "",
"groups": "",
"processorName": "",
"processorCount": "",
"processorSpeedInMhz": "",
"processorNumOfCores": "",
"processorNumOfLogicalProcessors": "",
"ramSize": "",
"flag": "",
"createdByType": "",
"interfaceIPs": "",
"agentScoreboardHash": "",
"investigativeModeEnabled": "",
"investigativeModeDuration": "",
"investigativeModeStartTime": "",
"eventsVersion": "",
"activeDirectoryId": "",
"lastAvScanDate": "",
"motherboardSerial": "",
"assetTag": "",
"manufacturer": "",
"model": "",
"protectStatus": "",
"hasAllAuthCerts": "",
"hasAllCommCerts": ""
}
],
"totalCount": ""
}
}
Parameter | Description |
---|---|
Endpoint Names | Specify the names of the endpoints in the "CSV" or "List" format whose IDs you want to retrieve from Fidelis EDR. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": []
}
Parameter | Description |
---|---|
Endpoint IDs | Specify the ID of the endpoint that you want to delete from Fidelis EDR. |
The output contains the following populated JSON schema:
{
"error": "",
"success": ""
}
Parameter | Description |
---|---|
Limit Playbooks | Specify the maximum number of playbooks that you want this operation to return in the response. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"entities": [
{
"id": "",
"name": "",
"description": "",
"createdByName": "",
"createdById": "",
"createdDate": "",
"scriptCount": "",
"tags": "",
"hasEndpointAction": "",
"endpointActionText": ""
}
],
"totalCount": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of Fidelis playbooks and scripts) is returned.
Parameter | Description |
---|---|
Type | Select whether you want to retrieve script packages or playbooks from Fidelis EDR. By default, this is set as "2-Script Packages". |
OS Platform | Select the OS Platform for which you want to retrieve script packages or playbooks from Fidelis EDR. You can choose between All, Windows, Mac, or Linux. |
Sorting Order | Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to "name ascending". |
Limit | Specify the maximum number of playbooks or scripts that you want this operation to return in the response. By default, this is set to "all" playbooks or scripts. |
Offset | Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say playbooks or scripts starting from the 10th playbook or script. By default, this is set as "0". |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"entities": [
{
"id": "",
"name": "",
"description": "",
"createdByName": "",
"createdById": "",
"createdDate": "",
"tags": "",
"platforms": {
"windows32": "",
"windows64": "",
"linux32": "",
"linux64": "",
"solaris": "",
"aix": "",
"osx": ""
},
"platformsStringList": "",
"packageType": ""
}
],
"totalCount": ""
}
}
Parameter | Description |
---|---|
Playbook ID | Specify the unique ID of the playbook whose details you want to retrieve from Fidelis EDR. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"scripts": [
{
"hash": "",
"executionOrder": "",
"scriptId": "",
"scriptName": "",
"questions": [
{
"paramNumber": "",
"question": "",
"answer": "",
"isOptional": "",
"inputType": ""
}
],
"details": {
"id": "",
"name": "",
"platforms": {
"windows32": "",
"windows64": "",
"linux32": "",
"linux64": "",
"solaris": "",
"aix": "",
"osx": ""
},
"tags": "",
"createdBy": "",
"createdByName": "",
"createdDate": "",
"fileCount": "",
"scriptPackageFiles": [
{
"fileName": "",
"fileId": ""
}
],
"platformsStringList": "",
"platformsLocalizedStringList": "",
"description": "",
"priority": "",
"resultColumns": [],
"timeoutSeconds": "",
"impersonationUser": "",
"impersonationPassword": "",
"command": "",
"wizardOverridePassword": "",
"questions": [
{
"paramNumber": "",
"question": "",
"answer": "",
"isOptional": "",
"inputType": ""
}
],
"jsonQuestions": "",
"questionsHaveLoadError": "",
"resultDelimiter": "",
"dataDependencies": [],
"hasEndpointAction": "",
"endpointActionText": "",
"tenants": "",
"hash": ""
},
"queueExpirationEnabled": "",
"queueExpirationInhours": "",
"wizardOverridePassword": "",
"impersonationUser": "",
"impersonationPassword": "",
"impersonationPasswordEnc": "",
"integrationOutputFormat": "",
"priority": "",
"filter": "",
"basicOptions": "",
"volatileDetail": "",
"processDetail": "",
"iocDetail": "",
"yaraDetail": "",
"timeoutInSeconds": "",
"jsonAnswers": "",
"jsonQuestions": "",
"isPlaybook": ""
}
],
"tenants": "",
"baseTenantId": "",
"hash": "",
"id": "",
"name": "",
"description": "",
"createdByName": "",
"createdById": "",
"createdDate": "",
"scriptCount": "",
"tags": "",
"hasEndpointAction": "",
"endpointActionText": ""
}
}
None.
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"version": ""
}
}
None.
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"scripts": [
{
"id": "",
"name": "",
"description": ""
}
],
"totalCount": ""
}
}
Parameter | Description |
---|---|
Script Package ID | Specify the ID of the script package that you want to retrieve from Fidelis EDR. This operation also adds the retrieved script file to the "Attachment Module" in FortiSOAR. |
The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}
Parameter | Description |
---|---|
Script Package ID | Specify the ID of the script package whose package manifest you want to retrieve from Fidelis EDR. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"id": "",
"name": "",
"platforms": {
"windows32": "",
"windows64": "",
"linux32": "",
"linux64": "",
"solaris": "",
"aix": "",
"osx": ""
},
"tags": "",
"createdBy": "",
"createdByName": "",
"createdDate": "",
"fileCount": "",
"scriptPackageFiles": [
{
"fileName": "",
"fileId": ""
}
],
"platformsStringList": "",
"platformsLocalizedStringList": "",
"description": "",
"priority": "",
"resultColumns": [
"Not Before",
"Serial Number"
],
"timeoutSeconds": "",
"impersonationUser": "",
"impersonationPassword": "",
"command": "",
"wizardOverridePassword": "",
"questions": [],
"jsonQuestions": "",
"questionsHaveLoadError": "",
"resultDelimiter": "",
"dataDependencies": [],
"hasEndpointAction": "",
"endpointActionText": "",
"tenants": "",
"hash": ""
}
}
Parameter | Description |
---|---|
Script Package ID | Specify the ID of the script package whose package metadata you want to retrieve from Fidelis EDR. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"integrationOutputs": "",
"scriptPackageId": "",
"useImpersonation": "",
"impersonationUser": "",
"impersonationPassword": "",
"timeoutInSeconds": "",
"hosts": "",
"endpointIds": [
{}
],
"questions": {},
"useSchedule": "",
"schedule": {
"initialDateTime": "",
"recurrenceRange": "",
"maxRecurrenceCount": "",
"endDateTime": "",
"timeUnit": "",
"period": "",
"ordinalUnit": "",
"ordinal": "",
"ordinalDayOfWeek": "",
"ordinalMonth": "",
"weekday": "",
"timeZoneName": "",
"isIncremental": ""
}
}
}
Parameter | Description |
---|---|
Script Package ID | Specify the ID of the script package whose package template you want to retrieve from Fidelis EDR. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"integrationOutputs": [],
"scriptPackageId": "",
"useImpersonation": "",
"impersonationUser": "",
"impersonationPassword": "",
"timeoutInSeconds": "",
"hosts": [],
"endpointIds": [],
"questions": {},
"useSchedule": "",
"schedule": {
"initialDateTime": "",
"recurrenceRange": "",
"maxRecurrenceCount": "",
"endDateTime": "",
"timeUnit": "",
"period": "",
"ordinalUnit": "",
"ordinal": "",
"ordinalDayOfWeek": "",
"ordinalMonth": "",
"weekday": [],
"timeZoneName": "",
"isIncremental": ""
}
}
}
Parameter | Description |
---|---|
Script Package ID | Specify the ID of the script package you want to execute on Fidelis EDR. |
Timeout In Seconds | Specify the timeout value, in seconds, after which this operation will timeout. |
Hosts | You can specify multiple endpoint IP addresses in the "hosts" key using the following format: ["10.91.96.110","10.91.96.216"] |
Integration Outputs | (Optional) You can specify the export format, for use with integrated products, using the integrationOutputs key. The value of the integrationOutputs key is the name of the export type as specified in the configuration file. For example, "integrationOutputs":["CEFOutput","LEEFOutput"]. For more information, see the SIEM Integrations Guide. |
Questions | (Optional) Specify the key-value pair of question data. For example, {"paramNumber": 1,"question": "Type","answer": "","isOptional": "false","inputType": "text"} |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"jobId": "",
"jobResultId": ""
}
}
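The Execute Script Package parameters above are assembled from several loosely typed inputs: a list of host IP addresses, an optional list of export names, and question objects with a fixed key set. The following Python is an added example, not code from the connector or from Fortinet: it validates each input before anything is sent, rejecting hosts that are not IP addresses, questions missing the documented keys, and a non-positive timeout. The key names (scriptPackageId, timeoutInSeconds, hosts, integrationOutputs, questions) are the ones shown in the Get Script Packages Template output; that the connector forwards them in exactly this shape is an assumption of the example.

```python
"""Added example (not part of the Fidelis EDR connector): validate and
assemble the Execute Script Package input."""
import ipaddress
from typing import Any, Dict, Iterable, List, Optional

# Key set taken from the Questions example on the page.
REQUIRED_QUESTION_KEYS = {"paramNumber", "question", "answer", "isOptional", "inputType"}


def parse_hosts(hosts: Iterable[str]) -> List[str]:
    """Accept the documented list form (["10.91.96.110","10.91.96.216"]).

    Every entry must parse as an IPv4 or IPv6 address; anything else (a
    hostname, an empty string, a stray shell fragment) raises, so a
    malformed value never reaches the EDR server. Duplicates are dropped.
    """
    out: List[str] = []
    for raw in hosts:
        text = str(raw).strip()
        try:
            addr = ipaddress.ip_address(text)
        except ValueError as exc:
            raise ValueError(f"invalid host address: {text!r}") from exc
        canonical = str(addr)
        if canonical not in out:
            out.append(canonical)
    if not out:
        raise ValueError("at least one host is required")
    return out


def validate_questions(questions: Optional[List[Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """Check each question object against the documented key set and coerce
    paramNumber to an int; isOptional is kept as given ("false" on the page)."""
    checked: List[Dict[str, Any]] = []
    for q in questions or []:
        if not isinstance(q, dict):
            raise ValueError("each question must be an object")
        missing = REQUIRED_QUESTION_KEYS - set(q)
        if missing:
            raise ValueError(f"question missing keys: {sorted(missing)}")
        item = dict(q)
        item["paramNumber"] = int(item["paramNumber"])
        checked.append(item)
    return checked


def build_execute_request(script_package_id: str,
                          timeout_in_seconds: Any,
                          hosts: Iterable[str],
                          integration_outputs: Optional[Iterable[str]] = None,
                          questions: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Return the request body for Execute Script Package.

    Hypothetical body layout: the keys mirror the template schema on the
    page, but the connector's exact wire format is not documented here.
    """
    if not script_package_id:
        raise ValueError("script package ID is required")
    timeout = int(timeout_in_seconds)
    if timeout <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    body: Dict[str, Any] = {
        "scriptPackageId": str(script_package_id),
        "timeoutInSeconds": timeout,
        "hosts": parse_hosts(hosts),
    }
    outputs = [str(o).strip() for o in (integration_outputs or []) if str(o).strip()]
    if outputs:
        body["integrationOutputs"] = outputs
    checked = validate_questions(questions)
    if checked:
        body["questions"] = checked
    return body


if __name__ == "__main__":
    # Constructed input mirroring the page's examples.
    print(build_execute_request(
        "pkg-example", 300, ["10.91.96.110", "10.91.96.216"],
        ["CEFOutput", "LEEFOutput"],
        [{"paramNumber": 1, "question": "Type", "answer": "",
          "isOptional": "false", "inputType": "text"}]))
```

Failing early on the FortiSOAR side gives a clear playbook error instead of a script job that silently targets nothing, and it keeps untrusted alert fields (an attacker-influenced hostname, for instance) from being passed through as a host value.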
Parameter | Description |
---|---|
Job Result ID | Specify the ID of the job whose result details you want to retrieve from Fidelis EDR. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"hits": {
"total": {
"value": "",
"relation": ""
},
"hits": [],
"useNonDeterministicPaging": "",
"nonDeterministicPagingInfo": ""
},
"columns": [],
"pendingMigration": ""
}
}
Parameter | Description |
---|---|
Package ID | Specify the ID of the script package/playbook you want to execute on Fidelis EDR. |
IS Playbook Or Script | Select whether you want to run a script package or playbook on Fidelis EDR. |
Endpoint IDs | Specify the IDs of the endpoints in the "CSV" or "List" format on which you want to execute the task. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": ""
}
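Both Get Endpoint By Name (Endpoint Names) and Execute Task (Endpoint IDs) accept their list in "CSV" or "List" format. The following Python is an added example, not code from the connector or from Fortinet: one normaliser that accepts either form (or a nested mix, as playbook variables often produce), strips whitespace, drops blanks and duplicates while preserving order, and a builder for the Execute Task input. The endpointIds and isPlaybook key names appear in the page's schemas; packageId is an assumed name for the Package ID parameter.

```python
"""Added example (not part of the Fidelis EDR connector): normalise the
"CSV" or "List" inputs and assemble the Execute Task parameters."""
from typing import Any, Dict, List


def normalize_id_list(value: Any) -> List[str]:
    """Turn "ep-1, ep-2,,ep-1", ["ep-1", "ep-2"] or a nested mixture of the
    two into a clean, ordered, de-duplicated list of strings.

    A comma inside a list element is treated as a separator as well, so
    ["ep-1,ep-2"] and "ep-1,ep-2" give the same result.
    """
    items: List[str] = []

    def add(element: Any) -> None:
        if isinstance(element, (list, tuple)):
            for inner in element:
                add(inner)
            return
        for part in str(element).split(","):
            token = part.strip()
            if token and token not in items:
                items.append(token)

    if value is not None:
        add(value)
    return items


def build_task_request(package_id: Any, is_playbook: Any, endpoint_ids: Any) -> Dict[str, Any]:
    """Return the Execute Task input (hypothetical body layout).

    is_playbook accepts a bool or the strings "true"/"false", matching how
    the IS Playbook Or Script selection tends to arrive from a playbook.
    """
    ids = normalize_id_list(endpoint_ids)
    if not str(package_id or "").strip():
        raise ValueError("package ID is required")
    if not ids:
        raise ValueError("at least one endpoint ID is required")
    if isinstance(is_playbook, bool):
        playbook_flag = is_playbook
    else:
        playbook_flag = str(is_playbook).strip().lower() in ("true", "1", "yes", "playbook")
    return {
        "packageId": str(package_id).strip(),
        "isPlaybook": playbook_flag,
        "endpointIds": ids,
    }


if __name__ == "__main__":
    # Constructed input: a CSV string as a playbook variable would hold it.
    print(build_task_request("pb-example", "true", "ep-1, ep-2,,ep-1"))
```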
The Sample - Fidelis EDR - 1.0.0 playbook collection comes bundled with the Fidelis EDR connector. These playbooks contain steps with which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fidelis EDR connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
"createdByName": "",
"createdDate": "",
"fileCount": "",
"scriptPackageFiles": [
{
"fileName": "",
"fileId": ""
}
],
"platformsStringList": "",
"platformsLocalizedStringList": "",
"description": "",
"priority": "",
"resultColumns": [
"Not Before",
"Serial Number"
],
"timeoutSeconds": "",
"impersonationUser": "",
"impersonationPassword": "",
"command": "",
"wizardOverridePassword": "",
"questions": [],
"jsonQuestions": "",
"questionsHaveLoadError": "",
"resultDelimiter": "",
"dataDependencies": [],
"hasEndpointAction": "",
"endpointActionText": "",
"tenants": "",
"hash": ""
}
}
Parameter | Description |
---|---|
Script Package ID | Specify the ID of the script package whose package metadata you want to retrieve from Fidelis EDR. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"integrationOutputs": "",
"scriptPackageId": "",
"useImpersonation": "",
"impersonationUser": "",
"impersonationPassword": "",
"timeoutInSeconds": "",
"hosts": "",
"endpointIds": [
{}
],
"questions": {},
"useSchedule": "",
"schedule": {
"initialDateTime": "",
"recurrenceRange": "",
"maxRecurrenceCount": "",
"endDateTime": "",
"timeUnit": "",
"period": "",
"ordinalUnit": "",
"ordinal": "",
"ordinalDayOfWeek": "",
"ordinalMonth": "",
"weekday": "",
"timeZoneName": "",
"isIncremental": ""
}
}
}
Parameter | Description |
---|---|
Script Package ID | Specify the ID of the script package whose package template you want to retrieve from Fidelis EDR. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"integrationOutputs": [],
"scriptPackageId": "",
"useImpersonation": "",
"impersonationUser": "",
"impersonationPassword": "",
"timeoutInSeconds": "",
"hosts": [],
"endpointIds": [],
"questions": {},
"useSchedule": "",
"schedule": {
"initialDateTime": "",
"recurrenceRange": "",
"maxRecurrenceCount": "",
"endDateTime": "",
"timeUnit": "",
"period": "",
"ordinalUnit": "",
"ordinal": "",
"ordinalDayOfWeek": "",
"ordinalMonth": "",
"weekday": [],
"timeZoneName": "",
"isIncremental": ""
}
}
}
Parameter | Description |
---|---|
Script Package ID | Specify the ID of the script package you want to execute on Fidelis EDR. |
Timeout In Seconds | Specify the timeout value, in seconds, after which this operation will time out. |
Hosts | Specify one or more endpoint IP addresses as a list in the "hosts" key, for example: ["10.91.96.110","10.91.96.216"] |
Integration Outputs | (Optional) Specify the export format to use with integrated products in the "integrationOutputs" key. Its value is the name of the export type as defined in the configuration file, for example: "integrationOutputs":["CEFOutput","LEEFOutput"]. For more information, see the SIEM Integrations Guide. |
Questions | (Optional) Specify the question data as key-value pairs, for example: {"paramNumber": 1,"question": "Type","answer": "","isOptional": "false","inputType": "text"} |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"jobId": "",
"jobResultId": ""
}
}
Parameter | Description |
---|---|
Job Result ID | Specify the ID of the job whose result details you want to retrieve from Fidelis EDR. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": {
"hits": {
"total": {
"value": "",
"relation": ""
},
"hits": [],
"useNonDeterministicPaging": "",
"nonDeterministicPagingInfo": ""
},
"columns": [],
"pendingMigration": ""
}
}
Parameter | Description |
---|---|
Package ID | Specify the ID of the script package or playbook that you want to execute on Fidelis EDR. |
IS Playbook Or Script | Select whether the package to run on Fidelis EDR is a script package or a playbook. |
Endpoint IDs | Specify the IDs of the endpoints on which to execute the task, in CSV or List format. |
The output contains the following populated JSON schema:
{
"success": "",
"error": "",
"data": ""
}
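The execute operations above take their inputs in a few documented shapes: a list of endpoint IP addresses in the "hosts" key, export type names in "integrationOutputs", a question entry with five fixed keys, endpoint IDs in either CSV or List format, and a {"success","error","data"} envelope on the way back. The following Python is an added worked example, not part of the connector or of Fidelis EDR, showing how a playbook step can validate those inputs before the job is queued and unwrap the job IDs from the response. The request keys are the ones shown in the package template schema above; the package ID, job IDs and the server reply are constructed placeholders, and the exact body the server expects is an assumption based on that template.

```python
import ipaddress
import json
from typing import Any, Dict, List, Optional, Sequence, Tuple, Union

# Keys the Questions parameter documents for a single question entry.
QUESTION_KEYS = ("paramNumber", "question", "answer", "isOptional", "inputType")


def normalize_id_list(value: Union[str, Sequence[Any]]) -> List[str]:
    """Accept IDs as a CSV string ("a, b,c") or as a list (the two formats the
    Endpoint IDs parameter allows); return unique, trimmed strings in order."""
    items = value.split(",") if isinstance(value, str) else list(value)
    seen, result = set(), []
    for item in items:
        text = str(item).strip()
        if text and text not in seen:
            seen.add(text)
            result.append(text)
    if not result:
        raise ValueError("at least one ID is required")
    return result


def validate_hosts(hosts: Union[str, Sequence[str]]) -> List[str]:
    """The hosts key takes endpoint IP addresses; reject anything that is not a
    valid IPv4/IPv6 address so a typo fails here rather than queuing a job."""
    valid = []
    for host in normalize_id_list(hosts):
        try:
            valid.append(str(ipaddress.ip_address(host)))
        except ValueError as exc:
            raise ValueError(f"invalid host address: {host!r}") from exc
    return valid


def validate_question(question: Dict[str, Any]) -> Dict[str, Any]:
    """Require every documented question key and coerce paramNumber to int."""
    missing = [key for key in QUESTION_KEYS if key not in question]
    if missing:
        raise ValueError(f"question is missing keys: {missing}")
    checked = dict(question)
    checked["paramNumber"] = int(checked["paramNumber"])
    return checked


def build_execute_request(script_package_id: str, timeout_in_seconds: int,
                          hosts: Union[str, Sequence[str]],
                          integration_outputs: Optional[Sequence[str]] = None,
                          questions: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Assemble the execute-script-package body from the keys shown in the
    package template (scriptPackageId, timeoutInSeconds, hosts,
    integrationOutputs, questions); optional keys are omitted when unused.
    The body shape is assumed from that template, not taken from the connector."""
    timeout = int(timeout_in_seconds)
    if timeout <= 0:
        raise ValueError("timeoutInSeconds must be a positive integer")
    body: Dict[str, Any] = {
        "scriptPackageId": str(script_package_id),
        "timeoutInSeconds": timeout,
        "hosts": validate_hosts(hosts),
    }
    if integration_outputs:
        body["integrationOutputs"] = normalize_id_list(integration_outputs)
    if questions:
        body["questions"] = validate_question(questions)
    return body


def parse_job_submission(response: Union[str, Dict[str, Any]]) -> Tuple[str, str]:
    """Unwrap the {"success", "error", "data"} envelope of the execute response
    and return (jobId, jobResultId). A failed call raises with the server's
    error text so the playbook does not continue with empty IDs."""
    payload = json.loads(response) if isinstance(response, str) else response
    if not payload.get("success"):
        raise RuntimeError(f"Fidelis EDR reported failure: {payload.get('error') or 'unknown error'}")
    data = payload.get("data") or {}
    job_id, job_result_id = data.get("jobId"), data.get("jobResultId")
    if not job_id or not job_result_id:
        raise RuntimeError("response did not include jobId and jobResultId")
    return str(job_id), str(job_result_id)


if __name__ == "__main__":
    # Placeholder package ID; the host addresses are the ones quoted in the Hosts parameter.
    request = build_execute_request(
        "00000000-0000-0000-0000-000000000000", 300, ["10.91.96.110", "10.91.96.216"],
        integration_outputs=["CEFOutput", "LEEFOutput"],
        questions={"paramNumber": 1, "question": "Type", "answer": "",
                   "isOptional": "false", "inputType": "text"},
    )
    print(json.dumps(request, indent=2))
    # Constructed reply shaped like the output schema of the execute operation.
    reply = '{"success": true, "error": null, "data": {"jobId": "job-0001", "jobResultId": "jr-0001"}}'
    print(parse_job_submission(reply))
    print(normalize_id_list("ep-1, ep-2,ep-1,,"))  # Endpoint IDs supplied in CSV format
```

Validating the host list with the standard ipaddress module is the point worth copying: a malformed address or a stray hostname is rejected locally instead of being sent on, and the envelope check turns a "success": false reply into a failed playbook step rather than a silent pass with empty job IDs.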
The Sample - Fidelis EDR - 1.0.0 playbook collection comes bundled with the Fidelis EDR connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fidelis EDR connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.