FireEye HX brings advanced protection to endpoints. Its comprehensive endpoint visibility and threat intelligence enables analysts to adapt their defense based on real-time details to deploy informed, tailored responses to threat activity.
This document provides information about the FireEye HX connector, which facilitates automated interactions with the FireEye HX server using FortiSOAR™ playbooks. Add the FireEye HX connector as a step in FortiSOAR™ playbooks and perform automated operations such as containing hosts, releasing hosts from containment, and listing alerts from FireEye HX.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.12.0-746
Authored By: Fortinet
Certified: Yes
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-fireeye-hx
For the detailed procedure to install a connector, refer to the FortiSOAR™ connector installation documentation.
For the procedure to configure a connector, refer to the FortiSOAR™ connector configuration documentation.
In FortiSOAR™, on the connectors page, select the FireEye HX connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Host URL | URL of the FireEye HX server to which you will connect and perform automated operations. |
Port | Port number used for connecting to the FireEye HX server. |
Username | Username to access the FireEye HX server to which you will connect and perform automated operations. |
Password | Password to access the FireEye HX server to which you will connect and perform automated operations. |
Verify SSL | (Optional) Specifies whether the FireEye HX server's SSL/TLS certificate is verified. By default, this option is set to True. Disabling verification lets the connector accept any certificate presented by the server, so keep it enabled outside of troubleshooting. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Contain a Host as an Admin | Requests and approves a host for containment on FireEye HX, based on the agent ID you have specified. Only a user with administrator permissions can perform this action. | full_containment Containment |
Create a File Acquisition for a Host | Specifies a file to be acquired from a host for investigation on FireEye HX, based on the agent ID and other input parameters you have specified. | new_file_acquisition Investigation |
Create a Triage Acquisition for a Host | Launches a triage operation on a host on FireEye HX, based on the agent ID you have specified. | new_triage_acquisition Investigation |
Request Host Containment | Submits a request to contain a host on FireEye HX, based on the agent ID you have specified. This request has to be approved by a user with administrator permissions. | request_containment Containment |
Get Host | Fetches summary information about a host from FireEye HX, based on the agent ID you have specified. | get_host Investigation |
Get File Acquisition Information | Fetches the details of a file acquisition, including its status, from FireEye HX, based on the acquisition ID you have specified. | get_file_acquisition_status Investigation |
Fetch a File Acquisition Package | Fetches the output of a file acquisition request in .zip format from FireEye HX, based on the acquisition ID you have specified. This action also creates an attachment of the acquired file in FortiSOAR™, i.e., the acquired file is added to the Attachment module in FortiSOAR™. | get_file_acquisition_package Investigation |
Get Triage Acquisition Information | Fetches the details of a triage acquisition, including its status, from FireEye HX, based on the triage ID you have specified. | get_triage_acquisition_status Investigation |
Fetch a Triage Collection | Fetches the output of a triage acquisition request in the .mans format from FireEye HX, based on the triage ID you have specified. | get_triage_collection Investigation |
List Alerts | Fetches the first 50 alerts across all hosts from FireEye HX, starting at the index you specify in the offset input parameter. | list_alerts Investigation |
List Hosts | Fetches a list of all hosts from FireEye HX. You can optionally filter the list of hosts by the presence of alerts. | list_hosts Investigation |
List Triage Acquisitions | Fetches a list of triage acquisitions on all hosts from FireEye HX. You can optionally filter the list of triage acquisitions by any field you specify. | list_triage_acquisitions Investigation |
Approve Host Containment | Approves a host for containment on FireEye HX, based on the agent ID you have specified. Only a user with administrator permissions can give this approval. | approve_containment Containment |
Release Host from Containment | Releases a host from containment on FireEye HX, based on the agent ID you have specified. | release_containment Containment |
Input parameters for the Contain a Host as an Admin operation (full_containment):
Parameter | Description |
---|---|
Agent ID | Agent ID of the target host that you want to contain on FireEye HX. |
The output contains the following populated JSON schema:
{
"message": "",
"route": "",
"details": []
}
Input parameters for the Create a File Acquisition for a Host operation (new_file_acquisition):
Parameter | Description |
---|---|
Agent ID | Agent ID of the target host. |
File Path | Path to the file to be acquired on the host. |
File Name | Name of the file to be acquired at the specified path. |
External Id | (Optional) External correlation ID, if applicable. |
The output contains the following populated JSON schema:
{
"message": "",
"data": {
"host": {
"url": "",
"_id": ""
},
"zip_passphrase": "",
"comment": "",
"request_time": "",
"url": "",
"_id": "",
"request_actor": {
"_id": "",
"username": ""
},
"req_filename": "",
"external_id": "",
"state": "",
"error_message": "",
"finish_time": "",
"md5": "",
"req_use_api": "",
"req_path": "",
"alert": {
"url": "",
"_id": ""
},
"_revision": "",
"indicator": {
"url": "",
"_id": ""
},
"condition": {
"url": "",
"_id": ""
}
},
"route": "",
"details": []
}
Input parameters for the Create a Triage Acquisition for a Host operation (new_triage_acquisition):
Parameter | Description |
---|---|
Agent ID | Agent ID of the target host for which you want to create a triage acquisition on FireEye HX. |
External Id | (Optional) External correlation ID, if applicable. |
The output contains the following populated JSON schema:
{
"message": "",
"data": {
"condition": {
"url": "",
"_id": ""
},
"request_time": "",
"host": {
"url": "",
"_id": ""
},
"_id": "",
"request_actor": {
"_id": "",
"username": ""
},
"external_id": "",
"state": "",
"error_message": "",
"finish_time": "",
"md5": "",
"req_timestamp": "",
"alert": {
"url": "",
"_id": ""
},
"_revision": "",
"indicator": {
"url": "",
"_id": ""
},
"url": ""
},
"route": "",
"details": []
}
Input parameters for the Request Host Containment operation (request_containment):
Parameter | Description |
---|---|
Agent ID | Agent ID of the target host on which you want to request a host containment on FireEye HX. |
The output contains the following populated JSON schema:
{
"message": "",
"route": "",
"details": []
}
Input parameters for the Get Host operation (get_host):
Parameter | Description |
---|---|
Agent ID | Agent ID of the target host whose summary information you want to retrieve from FireEye HX. |
The output contains the following populated JSON schema:
{
"message": "",
"data": {
"last_exploit_block": "",
"last_alert_timestamp": "",
"last_alert": "",
"sysinfo": {
"url": ""
},
"containment_missing_software": "",
"_id": "",
"last_audit_timestamp": "",
"domain": "",
"timezone": "",
"hostname": "",
"last_exploit_block_timestamp": "",
"reported_clone": "",
"os": {
"bitness": "",
"kernel_version": "",
"platform": "",
"patch_level": "",
"product_name": ""
},
"containment_state": "",
"primary_mac": "",
"primary_ip_address": "",
"gmt_offset_seconds": "",
"last_poll_timestamp": "",
"url": "",
"stats": {
"exploit_alerts": "",
"exploit_blocks": "",
"alerting_conditions": "",
"alerts": "",
"malware_alerts": "",
"acqs": ""
},
"agent_version": "",
"last_poll_ip": "",
"excluded_from_containment": "",
"initial_agent_checkin": ""
},
"route": "",
"details": []
}
Input parameters for the Get File Acquisition Information operation (get_file_acquisition_status):
Parameter | Description |
---|---|
Acquisition ID | Acquisition ID of the target file whose file acquisition information you want to retrieve from FireEye HX. |
The output contains the following populated JSON schema:
{
"message": "",
"data": {
"host": {
"url": "",
"_id": ""
},
"zip_passphrase": "",
"comment": "",
"request_time": "",
"url": "",
"_id": "",
"request_actor": {
"_id": "",
"username": ""
},
"req_filename": "",
"external_id": "",
"state": "",
"error_message": "",
"finish_time": "",
"md5": "",
"req_use_api": "",
"req_path": "",
"alert": {
"url": "",
"_id": ""
},
"_revision": "",
"indicator": {
"url": "",
"_id": ""
},
"condition": {
"url": "",
"_id": ""
}
},
"route": "",
"details": []
}
Input parameters for the Fetch a File Acquisition Package operation (get_file_acquisition_package):
Parameter | Description |
---|---|
Acquisition ID | ID of the target file acquisition request for which you want to retrieve output from FireEye HX. This operation also creates an attachment of the acquired file in FortiSOAR™, i.e., the acquired file is added to the Attachment module in FortiSOAR™. |
The output contains the following populated JSON schema:
{
"filepath": ""
}
Input parameters for the Get Triage Acquisition Information operation (get_triage_acquisition_status):
Parameter | Description |
---|---|
Triage ID | ID of the target triage acquisition whose details you want to retrieve from FireEye HX. |
The output contains the following populated JSON schema:
{
"message": "",
"data": {
"condition": {
"url": "",
"_id": ""
},
"request_time": "",
"host": {
"url": "",
"_id": ""
},
"_id": "",
"request_actor": {
"_id": "",
"username": ""
},
"external_id": "",
"state": "",
"error_message": "",
"finish_time": "",
"md5": "",
"req_timestamp": "",
"alert": {
"url": "",
"_id": ""
},
"_revision": "",
"indicator": {
"url": "",
"_id": ""
},
"url": ""
},
"route": "",
"details": []
}
Input parameters for the Fetch a Triage Collection operation (get_triage_collection):
Parameter | Description |
---|---|
Triage ID | ID of the target triage acquisition request for which you want to retrieve output from FireEye HX. |
The output contains the following populated JSON schema:
{
"filepath": ""
}
Input parameters for the List Alerts operation (list_alerts):
Parameter | Description |
---|---|
Offset | Index (number) of the first item (alert) that this operation should return. |
The output contains the following populated JSON schema:
{
"message": "",
"data": {
"entries": [
{
"condition": {
"url": "",
"_id": ""
},
"request_time": "",
"host": {
"url": "",
"_id": ""
},
"_id": "",
"request_actor": {
"_id": "",
"username": ""
},
"external_id": "",
"state": "",
"error_message": "",
"finish_time": "",
"md5": "",
"req_timestamp": "",
"alert": {
"url": "",
"_id": ""
},
"_revision": "",
"indicator": {
"url": "",
"_id": ""
},
"url": ""
},
{
"condition": {
"url": "",
"_id": ""
},
"request_time": "",
"host": {
"url": "",
"_id": ""
},
"_id": "",
"request_actor": {
"_id": "",
"username": ""
},
"external_id": "",
"state": "",
"error_message": "",
"finish_time": "",
"md5": "",
"req_timestamp": "",
"alert": {
"url": "",
"_id": ""
},
"_revision": "",
"indicator": {
"url": "",
"_id": ""
},
"url": ""
}
],
"limit": "",
"offset": "",
"sort": {},
"query": {},
"total": ""
},
"route": "",
"details": []
}
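List Alerts returns at most 50 alerts per call and reports data.limit, data.offset and data.total alongside data.entries, which is enough to walk every alert without over-fetching. The following is an added example, not connector code: fetch_alerts_page() stands in for a playbook step calling the operation and serves constructed sample data, and the agent IDs and URL shapes in it are placeholders.

```python
"""Page through List Alerts responses and summarise alerts per host.

Added example (not connector code). fetch_alerts_page() imitates the
connector's List Alerts step and returns constructed sample data only.
"""
from typing import Callable, Dict, Iterator, List

PAGE_LIMIT = 50  # List Alerts returns at most 50 alerts per call

# Constructed sample data: 120 alerts spread over 7 hosts, using the
# documented entry fields (only the ones read below are filled in).
_SAMPLE_ALERTS: List[Dict] = [
    {
        "_id": f"alert-{i:04d}",  # placeholder alert id
        "host": {
            "_id": f"agent-{i % 7:03d}",  # placeholder agent id
            "url": f"/hx/api/v3/hosts/agent-{i % 7:03d}",  # assumed shape
        },
    }
    for i in range(120)
]


def fetch_alerts_page(offset: int) -> Dict:
    """Stand-in for the List Alerts step: one page of constructed alerts.

    Mirrors the documented envelope (message/data/route/details) with
    data.entries, data.limit, data.offset, data.sort, data.query, data.total.
    """
    if offset < 0:
        raise ValueError("offset must be non-negative")
    page = _SAMPLE_ALERTS[offset:offset + PAGE_LIMIT]
    return {
        "message": "",
        "data": {
            "entries": page,
            "limit": PAGE_LIMIT,
            "offset": offset,
            "sort": {},
            "query": {},
            "total": len(_SAMPLE_ALERTS),
        },
        "route": "",
        "details": [],
    }


def iter_all_alerts(fetch_page: Callable[[int], Dict], start: int = 0,
                    max_pages: int = 1000) -> Iterator[Dict]:
    """Yield every alert from `start`, advancing Offset by the page size.

    Stops when the offset reaches data.total, when a page is empty (total
    can shrink if alerts are removed mid-walk), or after max_pages as a
    guard against an endpoint that keeps returning the same page.
    """
    offset = start
    for _ in range(max_pages):
        data = fetch_page(offset)["data"]
        entries = data.get("entries") or []
        if not entries:
            return
        yield from entries
        offset += len(entries)
        if offset >= int(data["total"]):
            return


def collect_all_alerts(fetch_page: Callable[[int], Dict] = fetch_alerts_page,
                       start: int = 0) -> List[Dict]:
    """Materialise the paged walk into one list."""
    return list(iter_all_alerts(fetch_page, start))


def alerts_per_host(alerts: List[Dict]) -> Dict[str, int]:
    """Count alerts by agent ID (data.entries[].host._id), e.g. to decide
    which hosts to pass to Get Host or Request Host Containment first."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        agent_id = alert.get("host", {}).get("_id", "")
        counts[agent_id] = counts.get(agent_id, 0) + 1
    return counts


if __name__ == "__main__":
    found = collect_all_alerts()
    print(f"{len(found)} alerts fetched in pages of {PAGE_LIMIT}")
    for agent_id, n in sorted(alerts_per_host(found).items(),
                              key=lambda kv: -kv[1]):
        print(f"{agent_id}: {n}")
```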
Input parameters for the List Hosts operation (list_hosts):
Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criteria are applied and an unfiltered list of hosts is returned.
Parameter | Description |
---|---|
Filter | Filters the list of hosts retrieved from FireEye HX by the presence of alerts, or by the presence of active alerts for matching hosts. |
Search Term | Searches all hosts connected to the FireEye HX appliance for the term you specify. The term can be a hostname, an IP address, or an agent ID. |
Offset | Index (number) of the first item (host) that this operation should return. |
The output contains the following populated JSON schema:
{
"data": {
"entries": [
{
"last_exploit_block": "",
"last_alert_timestamp": "",
"last_alert": "",
"sysinfo": {
"url": ""
},
"containment_missing_software": "",
"_id": "",
"last_audit_timestamp": "",
"domain": "",
"timezone": "",
"hostname": "",
"last_exploit_block_timestamp": "",
"reported_clone": "",
"os": {
"bitness": "",
"kernel_version": "",
"platform": "",
"patch_level": "",
"product_name": ""
},
"containment_state": "",
"primary_mac": "",
"primary_ip_address": "",
"gmt_offset_seconds": "",
"last_poll_timestamp": "",
"url": "",
"stats": {
"exploit_alerts": "",
"exploit_blocks": "",
"alerting_conditions": "",
"alerts": "",
"malware_alerts": "",
"acqs": ""
},
"agent_version": "",
"last_poll_ip": "",
"excluded_from_containment": "",
"initial_agent_checkin": ""
}
],
"limit": "",
"offset": "",
"sort": "",
"query": "",
"total": ""
}
}
Input parameters for the List Triage Acquisitions operation (list_triage_acquisitions):
Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criteria are applied and an unfiltered list of triage acquisitions is returned.
Parameter | Description |
---|---|
Filter Field | Name of the field based on which you want to filter the list of triage acquisitions retrieved from FireEye HX. |
Filter Value | Value that the specified field must match for a triage acquisition to be included in the list retrieved from FireEye HX. |
The output contains the following populated JSON schema:
{
"message": "",
"data": {
"entries": [
{
"host": {
"url": "",
"_id": ""
},
"zip_passphrase": "",
"comment": "",
"request_time": "",
"url": "",
"_id": "",
"request_actor": {
"_id": "",
"username": ""
},
"req_filename": "",
"external_id": "",
"state": "",
"error_message": "",
"finish_time": "",
"md5": "",
"req_use_api": "",
"req_path": "",
"alert": {
"url": "",
"_id": ""
},
"_revision": "",
"indicator": {
"url": "",
"_id": ""
},
"condition": {
"url": "",
"_id": ""
}
},
{
"host": {
"url": "",
"_id": ""
},
"zip_passphrase": "",
"comment": "",
"request_time": "",
"url": "",
"_id": "",
"request_actor": {
"_id": "",
"username": ""
},
"req_filename": "",
"external_id": "",
"state": "",
"error_message": "",
"finish_time": "",
"md5": "",
"req_use_api": "",
"req_path": "",
"alert": {
"url": "",
"_id": ""
},
"_revision": "",
"indicator": {
"url": "",
"_id": ""
},
"condition": {
"url": "",
"_id": ""
}
}
],
"limit": "",
"offset": "",
"sort": {},
"query": {},
"total": ""
},
"route": "",
"details": []
}
Input parameters for the Approve Host Containment operation (approve_containment):
Parameter | Description |
---|---|
Agent ID | Agent ID of the target host whose containment you want to approve on FireEye HX. |
The output contains the following populated JSON schema:
{
"message": "",
"route": "",
"details": []
}
Input parameters for the Release Host from Containment operation (release_containment):
Parameter | Description |
---|---|
Agent ID | Agent ID of the target host that you want to release from containment on FireEye HX. |
The output contains the following populated JSON schema:
{
"message": "",
"route": "",
"details": []
}
The Sample - FireEye-HX- 1.0.0 playbook collection comes bundled with the FireEye HX connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FireEye HX connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.