
Fidelis EDR v1.1.0

About the connector

Fidelis Endpoint EDR detects endpoint activity in real time and retrospectively so you can accelerate your response and stop adversaries at the point of entry. This connector supports actions such as Get Alerts, Get Endpoints, and Delete Endpoint.

This document provides information about the Fidelis EDR connector, which facilitates automated interactions with a Fidelis EDR server using FortiSOAR™ playbooks. Add the Fidelis EDR connector as a step in FortiSOAR™ playbooks and perform automated operations with Fidelis EDR.

Version information

Connector Version: 1.1.0

Authored By: spryIQ.co

Certified: No

Release Notes for version 1.1.0

The following enhancements have been made to the Fidelis EDR connector in version 1.1.0:

  • Added the following new operations and playbooks:
    • Get Alert Responses
    • Get Installed Software
    • Get Endpoints By Search Query
    • Get Job Status By Job ID
    • Create Custom Task

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-fidelis-edr

Prerequisites to configuring the connector

  • You must have the credentials of the Fidelis EDR server to which you will connect and perform automated operations.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fidelis EDR server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fidelis EDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL or IP address of the Fidelis EDR server to which you will connect and perform automated operations.
Username Specify the username that is configured for your account to access the Fidelis EDR server to which you will connect and perform automated operations.
Password Specify the password that is configured for your account to access the Fidelis EDR server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified.
By default, this option is selected, i.e., set to true.

Actions supported by the connector

You can use the following automated operations in playbooks and also use the annotations to access operations:

Function | Description | Annotation | Category
Get Alerts | Retrieves a list of all alerts or specific alerts from Fidelis EDR based on the input parameters you have specified. | get_alerts | Investigation
Get Endpoints | Retrieves information for specific endpoints from Fidelis EDR based on the offset, limit, and other input parameters you have specified. | get_endpoints | Investigation
Get Endpoint By Name | Retrieves the IDs of specific endpoints from Fidelis EDR based on the endpoint names you have specified. | get_endpoints_by_name | Investigation
Delete Endpoint | Deletes specific endpoints from Fidelis EDR based on the endpoint IDs you have specified. | delete_endpoint | Investigation
Get Playbooks | Retrieves a list of playbooks and their details from Fidelis EDR. | get_playbooks | Investigation
Get Playbooks And Scripts | Retrieves details of all or specific Fidelis playbooks and scripts from Fidelis EDR based on the input parameters you have specified. | get_playbooks_scripts | Investigation
Get Playbooks Details | Retrieves details for a specific playbook from Fidelis EDR based on the playbook ID you have specified. | get_playbooks_detail | Investigation
Get API version Information | Retrieves information on the API version from Fidelis EDR. | get_api_info | Investigation
Get Script Packages | Retrieves a list of all script packages from Fidelis EDR. | get_script_packages | Investigation
Get Script Packages File | Retrieves the file of a specific script package from Fidelis EDR, based on the script package ID you have specified, and adds the script file to the "Attachment Module" in FortiSOAR. | get_script_packages_file | Investigation
Get Script Packages Manifest | Retrieves the manifest for a specific script package from Fidelis EDR based on the script package ID you have specified. | get_script_packages_manifest | Investigation
Get Script Packages Metadata | Retrieves the metadata for a specific script package from Fidelis EDR based on the script package ID you have specified. | get_script_packages_metadata | Investigation
Get Script Packages Template | Retrieves the template for a specific script package from Fidelis EDR based on the script package ID you have specified. | get_script_packages_template | Investigation
Execute Script Package | Executes a specific script package on Fidelis EDR based on the script package ID, timeout value, host information, and other input parameters you have specified. | execute_script_package | Investigation
Get Script Job Results | Retrieves the results of a script job from Fidelis EDR based on the job result ID you have specified. | script_job_results | Investigation
Execute Task | Executes a task (run a script job or a playbook) on Fidelis Endpoint EDR based on the script package IDs and endpoint IDs you have specified. | create_task | Investigation
Get Installed Software | Retrieves a list of all installed software from Fidelis EDR based on the input parameters you have specified. | get_installed_software | Investigation
Get Alert Responses | Retrieves a list of all alert responses from Fidelis EDR based on the input parameters you have specified. | get_alert_responses | Investigation
Get Endpoints By Search Query | Retrieves information for specific endpoints from Fidelis EDR based on the start range, count, search string, and other input parameters you have specified. | get_endpoints_by_search_query | Investigation
Get Job Status By Job ID | Retrieves the status of a script job from Fidelis EDR based on the job ID you have specified. | get_job_status_by_job_id | Investigation
Create Custom Task | Executes a custom task (run a script job or a playbook) on Fidelis Endpoint EDR based on the package ID, endpoint IDs, script ID, questions, and other input parameters you have specified. | create_custom_task | Investigation

operation: Get Alerts

Input parameters

Parameter Description
Search String (Optional) Specify a filter that you want to apply to the results of this operation. By default, this is set to an "empty" string.
Start Date (Optional) Select the start time of the time range from when you want to retrieve alerts from Fidelis Endpoint EDR.
End Date (Optional) Select the end time of the time range till when you want to retrieve alerts from Fidelis Endpoint EDR.
Offset (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say alerts starting from the 10th alert. By default, this is set as "0".
Limit (Optional) Specify the maximum number of alerts that you want this operation to return in the response. By default, this is set to "all" alerts.
Sort Alerts (Optional) Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to "id Descending". You can specify the name of any property of the alert object.

Output

The output contains the following populated JSON schema:

{
    "entities": [
        {
            "id": "",
            "createDate": "",
            "endpointName": "",
            "endpointId": "",
            "name": "",
            "description": "",
            "artifactName": "",
            "source": "",
            "sourceType": "",
            "severity": "",
            "intelId": "",
            "intelName": "",
            "validatedDate": "",
            "actionsTaken": "",
            "eventId": "",
            "eventTime": "",
            "parentEventId": "",
            "eventType": "",
            "eventIndex": "",
            "reportId": "",
            "telemetry": "",
            "insertionDate": "",
            "hasJob": "",
            "osType": "",
            "agentTag": "",
            "enrichments": []
        }
    ],
    "totalCount": ""
}

operation: Get Endpoints

Input parameters

Parameter Description
Offset Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say endpoints starting from the 10th endpoint. By default, this is set as "0".
Limit Specify the maximum number of endpoints that you want this operation to return in the response.
Sort Specify the property name (and optionally the order) to sort the results retrieved by this operation, before applying the limit and offset. Examples of properties that can be specified are hostname, hostname descending, createdDate, createdDate descending, etc.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "entities": [
            {
                "id": "",
                "hostName": "",
                "ipAddress": "",
                "externalAddress": "",
                "description": "",
                "lastContactDate": "",
                "agentInstalled": "",
                "agentVersion": "",
                "os": "",
                "macAddress": "",
                "aV_Enabled": "",
                "eventsStopped": "",
                "locality": "",
                "groupList": "",
                "isGroupMember": "",
                "agentConnected": "",
                "isolated": "",
                "osType": "",
                "osArch": "",
                "agentTag": "",
                "createdDate": "",
                "avSigVersion": "",
                "advMalwareVersion": "",
                "aR_Enabled": "",
                "events_Enabled": "",
                "agentId": "",
                "groups": "",
                "processorName": "",
                "processorCount": "",
                "processorSpeedInMhz": "",
                "processorNumOfCores": "",
                "processorNumOfLogicalProcessors": "",
                "ramSize": "",
                "flag": "",
                "createdByType": "",
                "interfaceIPs": "",
                "agentScoreboardHash": "",
                "investigativeModeEnabled": "",
                "investigativeModeDuration": "",
                "investigativeModeStartTime": "",
                "eventsVersion": "",
                "activeDirectoryId": "",
                "lastAvScanDate": "",
                "motherboardSerial": "",
                "assetTag": "",
                "manufacturer": "",
                "model": "",
                "protectStatus": "",
                "hasAllAuthCerts": "",
                "hasAllCommCerts": ""
            }
        ],
        "totalCount": ""
    }
}

operation: Get Endpoint By Name

Input parameters

Parameter Description
Endpoint Names Specify the names of the endpoints in the "CSV" or "List" format whose IDs you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": []
}

operation: Delete Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the ID of an endpoint that you want to delete from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "error": "",
    "success": ""
}

operation: Get Playbooks

Input parameters

Parameter Description
Limit Playbooks Specify the maximum number of playbooks that you want this operation to return in the response.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "entities": [
            {
                "id": "",
                "name": "",
                "description": "",
                "createdByName": "",
                "createdById": "",
                "createdDate": "",
                "scriptCount": "",
                "tags": "",
                "hasEndpointAction": "",
                "endpointActionText": ""
            }
        ],
        "totalCount": ""
    }
}

operation: Get Playbooks And Scripts

Input parameters

Parameter Description
Type (Optional) Select whether you want to retrieve script packages or playbooks from Fidelis EDR. By default, this is set as "2 - Script Packages".
OS Platform (Optional) Select the OS Platform for which you want to retrieve script packages or playbooks from Fidelis EDR. You can choose between All, Windows, Mac, or Linux.
Sorting Order (Optional) Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to "name ascending".
Limit (Optional) Specify the maximum number of playbooks or scripts that you want this operation to return in the response. By default, this is set to "all" playbooks or scripts.
Offset (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say playbooks or scripts starting from the 10th playbook or script. By default, this is set as "0".

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "entities": [
            {
                "id": "",
                "name": "",
                "description": "",
                "createdByName": "",
                "createdById": "",
                "createdDate": "",
                "tags": "",
                "platforms": {
                    "windows32": "",
                    "windows64": "",
                    "linux32": "",
                    "linux64": "",
                    "solaris": "",
                    "aix": "",
                    "osx": ""
                },
                "platformsStringList": "",
                "packageType": ""
            }
        ],
        "totalCount": ""
    }
}

operation: Get Playbooks Details

Input parameters

Parameter Description
Playbook ID Specify the unique ID of the playbook whose details you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "scripts": [
            {
                "hash": "",
                "executionOrder": "",
                "scriptId": "",
                "scriptName": "",
                "questions": [
                    {
                        "paramNumber": "",
                        "question": "",
                        "answer": "",
                        "isOptional": "",
                        "inputType": ""
                    }
                ],
                "details": {
                    "id": "",
                    "name": "",
                    "platforms": {
                        "windows32": "",
                        "windows64": "",
                        "linux32": "",
                        "linux64": "",
                        "solaris": "",
                        "aix": "",
                        "osx": ""
                    },
                    "tags": "",
                    "createdBy": "",
                    "createdByName": "",
                    "createdDate": "",
                    "fileCount": "",
                    "scriptPackageFiles": [
                        {
                            "fileName": "",
                            "fileId": ""
                        }
                    ],
                    "platformsStringList": "",
                    "platformsLocalizedStringList": "",
                    "description": "",
                    "priority": "",
                    "resultColumns": [],
                    "timeoutSeconds": "",
                    "impersonationUser": "",
                    "impersonationPassword": "",
                    "command": "",
                    "wizardOverridePassword": "",
                    "questions": [
                        {
                            "paramNumber": "",
                            "question": "",
                            "answer": "",
                            "isOptional": "",
                            "inputType": ""
                        }
                    ],
                    "jsonQuestions": "",
                    "questionsHaveLoadError": "",
                    "resultDelimiter": "",
                    "dataDependencies": [],
                    "hasEndpointAction": "",
                    "endpointActionText": "",
                    "tenants": "",
                    "hash": ""
                },
                "queueExpirationEnabled": "",
                "queueExpirationInhours": "",
                "wizardOverridePassword": "",
                "impersonationUser": "",
                "impersonationPassword": "",
                "impersonationPasswordEnc": "",
                "integrationOutputFormat": "",
                "priority": "",
                "filter": "",
                "basicOptions": "",
                "volatileDetail": "",
                "processDetail": "",
                "iocDetail": "",
                "yaraDetail": "",
                "timeoutInSeconds": "",
                "jsonAnswers": "",
                "jsonQuestions": "",
                "isPlaybook": ""
            }
        ],
        "tenants": "",
        "baseTenantId": "",
        "hash": "",
        "id": "",
        "name": "",
        "description": "",
        "createdByName": "",
        "createdById": "",
        "createdDate": "",
        "scriptCount": "",
        "tags": "",
        "hasEndpointAction": "",
        "endpointActionText": ""
    }
}

operation: Get API version Information

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "version": ""
    }
}

operation: Get Script Packages

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "scripts": [
            {
                "id": "",
                "name": "",
                "description": ""
            }
        ],
        "totalCount": ""
    }
}

operation: Get Script Packages File

Input parameters

Parameter Description
Script Package ID Specify the ID of the script package that you want to retrieve from Fidelis EDR. This operation also adds the retrieved script file to the "Attachment Module" in FortiSOAR.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "@id": "",
    "file": {
        "id": "",
        "@id": "",
        "size": "",
        "uuid": "",
        "@type": "",
        "assignee": "",
        "filename": "",
        "metadata": [],
        "mimeType": "",
        "thumbnail": "",
        "uploadDate": ""
    },
    "name": "",
    "type": "",
    "uuid": "",
    "@type": "",
    "tasks": [],
    "alerts": [],
    "assets": [],
    "owners": [],
    "people": [],
    "@context": "",
    "assignee": "",
    "comments": [],
    "warrooms": [],
    "incidents": [],
    "createDate": "",
    "createUser": {
        "id": "",
        "@id": "",
        "name": "",
        "uuid": "",
        "@type": "",
        "avatar": "",
        "userId": "",
        "userType": "",
        "createDate": "",
        "createUser": "",
        "modifyDate": "",
        "modifyUser": ""
    },
    "indicators": [],
    "modifyDate": "",
    "modifyUser": {
        "id": "",
        "@id": "",
        "name": "",
        "uuid": "",
        "@type": "",
        "avatar": "",
        "userId": "",
        "userType": "",
        "createDate": "",
        "createUser": "",
        "modifyDate": "",
        "modifyUser": ""
    },
    "recordTags": [],
    "userOwners": [],
    "description": ""
}

operation: Get Script Packages Manifest

Input parameters

Parameter Description
Script Package ID Specify the ID of the script package whose package manifest you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "id": "",
        "name": "",
        "platforms": {
            "windows32": "",
            "windows64": "",
            "linux32": "",
            "linux64": "",
            "solaris": "",
            "aix": "",
            "osx": ""
        },
        "tags": "",
        "createdBy": "",
        "createdByName": "",
        "createdDate": "",
        "fileCount": "",
        "scriptPackageFiles": [
            {
                "fileName": "",
                "fileId": ""
            }
        ],
        "platformsStringList": "",
        "platformsLocalizedStringList": "",
        "description": "",
        "priority": "",
        "resultColumns": [
            "Not Before",
            "Serial Number"
        ],
        "timeoutSeconds": "",
        "impersonationUser": "",
        "impersonationPassword": "",
        "command": "",
        "wizardOverridePassword": "",
        "questions": [],
        "jsonQuestions": "",
        "questionsHaveLoadError": "",
        "resultDelimiter": "",
        "dataDependencies": [],
        "hasEndpointAction": "",
        "endpointActionText": "",
        "tenants": "",
        "hash": ""
    }
}

operation: Get Script Packages Metadata

Input parameters

Parameter Description
Script Package ID Specify the ID of the script package whose package metadata you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "integrationOutputs": "",
        "scriptPackageId": "",
        "useImpersonation": "",
        "impersonationUser": "",
        "impersonationPassword": "",
        "timeoutInSeconds": "",
        "hosts": "",
        "endpointIds": [
            {}
        ],
        "questions": {},
        "useSchedule": "",
        "schedule": {
            "initialDateTime": "",
            "recurrenceRange": "",
            "maxRecurrenceCount": "",
            "endDateTime": "",
            "timeUnit": "",
            "period": "",
            "ordinalUnit": "",
            "ordinal": "",
            "ordinalDayOfWeek": "",
            "ordinalMonth": "",
            "weekday": "",
            "timeZoneName": "",
            "isIncremental": ""
        }
    }
}

operation: Get Script Packages Template

Input parameters

Parameter Description
Script Package ID Specify the ID of the script package whose package template you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "integrationOutputs": [],
        "scriptPackageId": "",
        "useImpersonation": "",
        "impersonationUser": "",
        "impersonationPassword": "",
        "timeoutInSeconds": "",
        "hosts": [],
        "endpointIds": [],
        "questions": {},
        "useSchedule": "",
        "schedule": {
            "initialDateTime": "",
            "recurrenceRange": "",
            "maxRecurrenceCount": "",
            "endDateTime": "",
            "timeUnit": "",
            "period": "",
            "ordinalUnit": "",
            "ordinal": "",
            "ordinalDayOfWeek": "",
            "ordinalMonth": "",
            "weekday": [],
            "timeZoneName": "",
            "isIncremental": ""
        }
    }
}

operation: Execute Script Package

Input parameters

Parameter Description
Script Package ID Specify the ID of the script package you want to execute on Fidelis EDR.
Timeout In Seconds Specify the timeout value, in seconds, after which this operation will timeout.
Hosts You can specify multiple endpoint IP addresses in the "hosts" key using the following format: ["10.91.96.110","10.91.96.216"]
Integration Outputs (Optional) Specify the export format, for use with integrated products, using the "integrationOutputs" key. The value of the "integrationOutputs" key is the name of the export type as specified in the configuration file. For example, "integrationOutputs":["CEFOutput","LEEFOutput"]. For more information, see the SIEM Integrations Guide.
Questions (Optional) Specify the key-value pair of question data. For example, {"paramNumber": 1,"question": "Type","answer": "","isOptional": "false","inputType": "text"}

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "jobId": "",
        "jobResultId": ""
    }
}
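As an added example (not the connector's or Fidelis's own code), the following helper assembles and validates the Execute Script Package inputs described above before a playbook dispatches them, and parses the documented response. Key names follow this page ("hosts", "integrationOutputs", "questions") and the task template schema shown under Get Script Packages Template ("scriptPackageId", "timeoutInSeconds"); the HTTP call itself is not on this page and is assumed to be made by the connector.

```python
"""Added example, not the connector's own code: build and validate the body
for the Execute Script Package operation, then parse its documented response.
Key names follow this page (hosts, integrationOutputs, questions) and the
task template schema (scriptPackageId, timeoutInSeconds); the HTTP request
itself is assumed to be issued by the connector and is out of scope here."""
import ipaddress
import json

# Every question object documented for the Questions parameter carries these keys.
QUESTION_KEYS = ("paramNumber", "question", "answer", "isOptional", "inputType")


def _is_false(value):
    """Treat both JSON false and the string "false" (as shown on the page) as false."""
    return value is False or str(value).strip().lower() == "false"


def build_execute_payload(script_package_id, timeout_in_seconds, hosts,
                          integration_outputs=None, questions=None):
    """Return the request body as a dict, raising ValueError on bad input so a
    playbook fails fast instead of dispatching a malformed task to endpoints."""
    if not str(script_package_id).strip():
        raise ValueError("Script Package ID is required")
    timeout = int(timeout_in_seconds)
    if timeout <= 0:
        raise ValueError("Timeout In Seconds must be a positive integer")

    # "hosts" is documented as a JSON list of endpoint IP addresses such as
    # ["10.91.96.110","10.91.96.216"]; the same list as a CSV string is accepted too.
    if isinstance(hosts, str):
        try:
            hosts = json.loads(hosts)
        except ValueError:
            hosts = [h.strip() for h in hosts.split(",") if h.strip()]
    if not isinstance(hosts, list):
        raise ValueError("hosts must be a list of IP address strings")
    validated_hosts = [str(ipaddress.ip_address(h)) for h in hosts]  # ValueError on junk
    if not validated_hosts:
        raise ValueError("at least one host IP address is required")

    payload = {
        "scriptPackageId": script_package_id,
        "timeoutInSeconds": timeout,
        "hosts": validated_hosts,
    }

    # Optional: export-format names, e.g. ["CEFOutput","LEEFOutput"].
    if integration_outputs:
        if isinstance(integration_outputs, str):
            integration_outputs = [s.strip() for s in integration_outputs.split(",") if s.strip()]
        payload["integrationOutputs"] = list(integration_outputs)

    # Optional: one question object or a list of them. A mandatory question
    # with an empty answer is rejected here rather than failing on the endpoint.
    if questions:
        if isinstance(questions, dict):
            questions = [questions]
        checked = []
        for q in questions:
            missing = [k for k in QUESTION_KEYS if k not in q]
            if missing:
                raise ValueError(f"question {q.get('paramNumber')} lacks keys {missing}")
            if _is_false(q["isOptional"]) and str(q["answer"]).strip() == "":
                raise ValueError(f"question {q['paramNumber']} ({q['question']}) needs an answer")
            checked.append(dict(q))
        payload["questions"] = checked
    return payload


def parse_execute_response(body):
    """Parse the documented {"success","error","data":{"jobId","jobResultId"}}
    response; return (jobId, jobResultId) or raise RuntimeError carrying the
    server-side error text so the failure is visible in the playbook log."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    if not data.get("success"):
        raise RuntimeError(f"Execute Script Package failed: {data.get('error') or 'no error text'}")
    job = data.get("data") or {}
    if not job.get("jobId") or not job.get("jobResultId"):
        raise RuntimeError("response reported success but has no jobId/jobResultId")
    return str(job["jobId"]), str(job["jobResultId"])


if __name__ == "__main__":
    # Constructed inputs: a placeholder package ID, the page's sample host list
    # and the page's sample question with an answer filled in.
    body = build_execute_payload(
        "SCRIPT-PACKAGE-ID-PLACEHOLDER", 300, '["10.91.96.110","10.91.96.216"]',
        integration_outputs=["CEFOutput", "LEEFOutput"],
        questions={"paramNumber": 1, "question": "Type", "answer": "full",
                   "isOptional": "false", "inputType": "text"})
    print(json.dumps(body, indent=2))
```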

operation: Get Script Job Results

Input parameters

Parameter Description
Job Result ID Specify the ID of the job whose result details you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "hits": {
            "total": {
                "value": "",
                "relation": ""
            },
            "hits": [],
            "useNonDeterministicPaging": "",
            "nonDeterministicPagingInfo": ""
        },
        "columns": [],
        "pendingMigration": ""
    }
}

operation: Execute Task

Input parameters

Parameter Description
Package ID Specify the ID of the script package/playbook you want to execute on Fidelis EDR.
Is Playbook Or Script Select whether you want to run a script package or a playbook on Fidelis EDR.
Endpoint IDs Specify the IDs of the endpoints in the "CSV" or "List" format on which you want to execute the task.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": ""
}

operation: Get Installed Software

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint whose installed software you want to retrieve from Fidelis EDR.
Search String (Optional) Specify a filter that you want to apply to the results of this operation. By default, this is set to an "empty" string.
Offset (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records. By default, this is set as "0".
Limit (Optional) Specify the maximum number of records that you want this operation to return in the response. By default, this is set to "1000".
Sort (Optional) Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to "id Descending". You can specify the name of any property of the data object.

Output

The output contains the following populated JSON schema:

{
    "entities": [
        {
            "installSource": "",
            "installLocation": "",
            "installDate": "",
            "uninstallString": "",
            "canUninstall": "",
            "installedSoftwareKey": "",
            "name": "",
            "publisher": "",
            "version": "",
            "hasCVE": "",
            "cveCount": "",
            "cveHighestScore": "",
            "cveList": "",
            "highestCVESeverity": "",
            "cveSeverity": ""
        }
    ],
    "totalCount": ""
}
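As an added example (not the connector's own code), the following helper pages through Get Installed Software results using the Offset, Limit and totalCount contract documented above, then ranks the entries that carry CVEs so the highest-scoring software is handled first. fetch_page_stub stands in for the connector call and serves a constructed sample; in a playbook it would be replaced by the real operation.

```python
"""Added example, not the connector's own code: page through Get Installed
Software results with the documented Offset/Limit/totalCount contract and
rank the entries that carry CVEs for patch triage. fetch_page_stub stands in
for the connector call and serves a constructed sample."""

# Constructed sample entities using the field names from the output schema.
# The schema listing shows every field as "", so the helpers below accept
# both native JSON types and their string forms. CVE IDs are placeholders.
SAMPLE_ENTITIES = [
    {"name": "ExampleViewer", "publisher": "Example Corp", "version": "1.2.0",
     "hasCVE": True, "cveCount": 3, "cveHighestScore": 9.8,
     "cveList": "CVE-0000-0001,CVE-0000-0002,CVE-0000-0003",
     "highestCVESeverity": "Critical", "canUninstall": True},
    {"name": "ExampleUtility", "publisher": "Example Corp", "version": "4.0",
     "hasCVE": "false", "cveCount": "0", "cveHighestScore": "",
     "cveList": "", "highestCVESeverity": "", "canUninstall": "true"},
    {"name": "ExampleAgent", "publisher": "Other Ltd", "version": "2.5",
     "hasCVE": "true", "cveCount": "1", "cveHighestScore": "7.5",
     "cveList": "CVE-0000-0004", "highestCVESeverity": "High", "canUninstall": False},
    {"name": "ExampleRuntime", "publisher": "Other Ltd", "version": "11.0.3",
     "hasCVE": True, "cveCount": 2, "cveHighestScore": 5.3,
     "cveList": "CVE-0000-0005,CVE-0000-0006", "highestCVESeverity": "Medium",
     "canUninstall": True},
    {"name": "ExampleDriver", "publisher": "Example Corp", "version": "0.9",
     "hasCVE": False, "cveCount": 0, "cveHighestScore": 0,
     "cveList": "", "highestCVESeverity": "", "canUninstall": False},
]


def fetch_page_stub(endpoint_id, offset, limit):
    """Mimic the operation's response shape for one page of results."""
    return {"entities": SAMPLE_ENTITIES[offset:offset + limit],
            "totalCount": len(SAMPLE_ENTITIES)}


def fetch_all_installed_software(fetch_page, endpoint_id, limit=1000):
    """Collect every entity by advancing Offset by the number of rows received
    until totalCount is reached. Also stops on an empty page, so a server that
    mis-reports totalCount cannot spin the playbook forever."""
    entities, offset = [], 0
    while True:
        page = fetch_page(endpoint_id, offset, limit)
        batch = page.get("entities") or []
        entities.extend(batch)
        total = int(page.get("totalCount") or 0)
        offset += len(batch)
        if not batch or offset >= total:
            return entities


def _as_bool(value):
    return value is True or str(value).strip().lower() in ("true", "1", "yes")


def _as_float(value, default=0.0):
    try:
        return float(value)
    except (TypeError, ValueError):
        return default


def triage_installed_software(entities, min_score=7.0):
    """Return software flagged hasCVE whose cveHighestScore meets min_score,
    highest score first, with the fields an analyst needs for a patch ticket."""
    findings = []
    for e in entities:
        if not _as_bool(e.get("hasCVE")):
            continue
        score = _as_float(e.get("cveHighestScore"))
        if score < min_score:
            continue
        findings.append({
            "name": e.get("name"),
            "version": e.get("version"),
            "publisher": e.get("publisher"),
            "score": score,
            "severity": e.get("highestCVESeverity") or "Unknown",
            "cve_count": int(_as_float(e.get("cveCount"))),
            "cves": [c.strip() for c in str(e.get("cveList") or "").split(",") if c.strip()],
            "can_uninstall": _as_bool(e.get("canUninstall")),
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    software = fetch_all_installed_software(fetch_page_stub, "ENDPOINT-ID-PLACEHOLDER", limit=2)
    for f in triage_installed_software(software):
        print(f"{f['severity']:8} {f['score']:4.1f} {f['name']} {f['version']} ({f['cve_count']} CVEs)")
```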

operation: Get Alert Responses

Input parameters

Parameter Description
Search (Optional) Specify a filter to apply to the results of this operation. By default, this is set to an empty string.
Offset (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say alerts starting from the 10th alert. By default, this is set as 0.
Columns (Optional) Specify the alert response columns that you want this operation to return.
Limit (Optional) Specify the maximum number of alerts that you want this operation to return in the response. By default, this is set to all alerts.
Sort (Optional) Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to id Descending. You can specify the name of any property of the alert object.

Output

The output contains the following populated JSON schema:

{
    "alertResponseInfos": [],
    "totalCount": ""
}

operation: Get Endpoints By Search Query

Input parameters

Parameter Description
Start Range Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records.
Count Specify the maximum number of endpoints that you want this operation to return in the response.
Search Specify a filter that you want to apply to the results of this operation. By default, this is set to an empty string.
Sort Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to id Descending. You can specify the name of any property of the data object.
Access Type (Optional) Specify an access type that you want to apply to the results of this operation. By default, this is set to "0".

Output

The output contains the following populated JSON schema:

{
    "entities": [
        {
            "id": "",
            "hostName": "",
            "ipAddress": "",
            "externalAddress": "",
            "description": "",
            "lastContactDate": "",
            "agentInstalled": "",
            "agentVersion": "",
            "os": "",
            "macAddress": "",
            "aV_Enabled": "",
            "eventsStopped": "",
            "locality": "",
            "groupList": "",
            "isGroupMember": "",
            "agentConnected": "",
            "isolated": "",
            "osType": "",
            "osArch": "",
            "agentTag": "",
            "createdDate": "",
            "avSigVersion": "",
            "advMalwareVersion": "",
            "aR_Enabled": "",
            "events_Enabled": "",
            "agentId": "",
            "groups": "",
            "processorName": "",
            "processorCount": "",
            "processorSpeedInMhz": "",
            "processorNumOfCores": "",
            "processorNumOfLogicalProcessors": "",
            "ramSize": "",
            "flag": "",
            "createdByType": "",
            "interfaceIPs": "",
            "agentScoreboardHash": "",
            "investigativeModeEnabled": "",
            "investigativeModeDuration": "",
            "investigativeModeStartTime": "",
            "eventsVersion": "",
            "activeDirectoryId": "",
            "lastAvScanDate": "",
            "motherboardSerial": "",
            "assetTag": "",
            "manufacturer": "",
            "model": "",
            "protectStatus": "",
            "hasAllAuthCerts": "",
            "hasAllCommCerts": ""
        }
    ],
    "totalCount": ""
}

operation: Get Job Status By Job ID

Input parameters

Parameter Description
Job Result ID Specify the ID of the job whose result details you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "jobID": "",
    "resultID": "",
    "name": "",
    "startDate": "",
    "endDate": "",
    "createdDate": "",
    "hasSchedule": "",
    "fromScheduledTask": "",
    "status": "",
    "statusCode": "",
    "scriptPackage": "",
    "scriptPackageId": "",
    "playbookId": "",
    "createdBy": "",
    "createdById": "",
    "hasAlert": "",
    "alertName": "",
    "alertId": "",
    "fromPlaybook": "",
    "playbook": "",
    "order": ""
}

operation: Create Custom Task

Input parameters

Parameter Description
Package ID Specify the ID of the script package/playbook you want to execute on Fidelis EDR.
Is Playbook Or Script Select whether you want to run a script package or a playbook on Fidelis EDR.
Endpoint IDs Specify the IDs of the endpoints, as comma-separated values or as a list, on which to execute the task.
Integration Output Format Specify the format for the integration output.
Script ID Specify the script ID to be executed.
Questions Specify the questions for the task.
Json Questions (Optional) Specify the questions as JSON.
Timeout In Seconds Specify the timeout duration in seconds.
Queue Expiration In Hours (Optional) Specify the queue expiration duration in hours.

Output

The output contains a non-dictionary value.
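The following Python example is added here and is not part of the connector documentation or the connector's own code. It ties together the two operations above: it normalizes the Create Custom Task inputs (Endpoint IDs given as comma-separated text or as a list, the timeout, the optional fields) into a request body, then interprets Get Job Status By Job ID responses while polling for a terminal state with a bounded number of attempts. The request-body key names (packageId, isPlaybook, endpointIds, scriptId, timeoutInSeconds, questions, jsonQuestions, integrationOutputFormat, queueExpirationInHours) and the status values (Running, Completed, Failed, Cancelled) are assumptions; the response field names (jobID, resultID, status, statusCode, hasAlert, alertId) follow the output schema documented for Get Job Status By Job ID, and the sample responses are constructed rather than captured from a Fidelis EDR server.

```python
"""Added example: chaining "Create Custom Task" with "Get Job Status By Job ID".

Not the connector's own code. Request key names and status values are
assumptions; response field names follow the documented output schema.
"""
import time
from typing import Callable, Dict, Iterable, List, Optional, Union

# Assumed terminal values of the "status" field (the page does not list them).
TERMINAL_STATUSES = {"completed", "failed", "cancelled"}


def normalize_endpoint_ids(endpoint_ids: Union[str, Iterable[str]]) -> List[str]:
    """Accept 'Endpoint IDs' as comma-separated text or as a list.

    Blanks are dropped, whitespace is trimmed and duplicates collapsed
    (first occurrence wins). An empty result is rejected so a blank
    playbook variable cannot become a task with no explicit target set.
    The ID format is not specified on the page, so IDs stay opaque strings.
    """
    if isinstance(endpoint_ids, str):
        raw = endpoint_ids.split(",")
    else:
        raw = [str(item) for item in endpoint_ids]
    seen: Dict[str, None] = {}
    for item in raw:
        token = item.strip()
        if not token:
            continue
        if any(ch.isspace() for ch in token):
            raise ValueError(f"endpoint id contains whitespace: {token!r}")
        seen.setdefault(token, None)
    if not seen:
        raise ValueError("at least one endpoint ID is required")
    return list(seen)


def build_create_custom_task_payload(
    package_id: str,
    is_playbook: bool,
    endpoint_ids: Union[str, Iterable[str]],
    timeout_in_seconds: int,
    script_id: Optional[str] = None,
    questions: Optional[list] = None,
    json_questions: Optional[str] = None,
    integration_output_format: Optional[str] = None,
    queue_expiration_in_hours: Optional[int] = None,
) -> dict:
    """Map the documented Create Custom Task inputs to a request body (assumed keys)."""
    if not package_id:
        raise ValueError("Package ID is required")
    if int(timeout_in_seconds) <= 0:
        raise ValueError("Timeout In Seconds must be positive")
    payload = {
        "packageId": package_id,
        "isPlaybook": bool(is_playbook),
        "endpointIds": normalize_endpoint_ids(endpoint_ids),
        "timeoutInSeconds": int(timeout_in_seconds),
    }
    # Optional inputs are sent only when supplied, so server defaults apply otherwise.
    optional = {
        "scriptId": script_id,
        "questions": questions,
        "jsonQuestions": json_questions,
        "integrationOutputFormat": integration_output_format,
        "queueExpirationInHours": queue_expiration_in_hours,
    }
    payload.update({k: v for k, v in optional.items() if v is not None})
    return payload


def interpret_job_status(response: dict) -> dict:
    """Reduce one Get Job Status By Job ID response to a polling decision."""
    status = str(response.get("status", "")).strip().lower()
    return {
        "jobID": response.get("jobID"),
        "resultID": response.get("resultID"),
        "status": status,
        "done": status in TERMINAL_STATUSES,
        "succeeded": status == "completed",
        "hasAlert": bool(response.get("hasAlert")),
        "alertId": response.get("alertId"),
    }


def wait_for_job(fetch_status: Callable[[], dict], max_polls: int = 20,
                 poll_interval: float = 0.0) -> dict:
    """Poll until the job is terminal; bounded so a stuck job cannot hang the playbook."""
    for attempt in range(1, max_polls + 1):
        decision = interpret_job_status(fetch_status())
        decision["polls"] = attempt
        if decision["done"]:
            return decision
        if poll_interval > 0:
            time.sleep(poll_interval)
    raise TimeoutError(f"job not terminal after {max_polls} polls")


# Constructed sample responses (not captured from a real Fidelis EDR server).
SAMPLE_STATUS_SEQUENCE = [
    {"jobID": "job-101", "resultID": "res-202", "status": "Running",
     "statusCode": 1, "hasAlert": False},
    {"jobID": "job-101", "resultID": "res-202", "status": "Running",
     "statusCode": 1, "hasAlert": False},
    {"jobID": "job-101", "resultID": "res-202", "status": "Completed",
     "statusCode": 2, "hasAlert": True, "alertId": "alert-303"},
]


def demo() -> dict:
    """Build a task body, then poll the constructed status sequence to completion."""
    payload = build_create_custom_task_payload(
        "pkg-1", is_playbook=False, endpoint_ids="ep-a, ep-b,,ep-a",
        timeout_in_seconds=120, script_id="script-7")
    responses = iter(SAMPLE_STATUS_SEQUENCE)
    result = wait_for_job(lambda: next(responses), max_polls=5)
    result["request"] = payload
    return result


if __name__ == "__main__":
    print(demo())
```

In a real playbook step the `fetch_status` callable would wrap the Get Job Status By Job ID operation with the `resultID` returned by the task; the bounded `max_polls` together with the task's own Timeout In Seconds keeps a job that never reaches a terminal state from blocking the playbook indefinitely.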

Included playbooks

The Sample - Fidelis EDR - 1.1.0 playbook collection comes bundled with the Fidelis EDR connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fidelis EDR connector.

  • Create Custom Task
  • Delete Endpoint
  • Execute Script Package
  • Execute Task
  • Get API version Information
  • Get Alert Responses
  • Get Alerts
  • Get Endpoint By Name
  • Get Endpoints
  • Get Endpoints By Search Query
  • Get Installed Software
  • Get Job Status By Job ID
  • Get Playbooks
  • Get Playbooks And Scripts
  • Get Playbooks Details
  • Get Script Job Results
  • Get Script Packages
  • Get Script Packages File
  • Get Script Packages Manifest
  • Get Script Packages Metadata
  • Get Script Packages Template

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Previous
Next

Fidelis EDR v1.1.0

About the connector

Fidelis Endpoint EDR detects endpoint activity in real time and retrospectively so you can accelerate your response and stop adversaries at the point of entry. This connector supports following actions Get Alerts, Get Endpoints, Detete Endpoints, etc

This document provides information about the Fidelis EDR connector, which facilitates automated interactions, with a Fidelis EDR server using FortiSOAR™ playbooks. Add the Fidelis EDR connector as a step in FortiSOAR™ playbooks and perform automated operations with Fidelis EDR.

Version information

Connector Version: 1.1.0

Authored By: spryIQ.co

Certified: No

Release Notes for version 1.1.0

Following enhancements have been made to the Fidelis EDR connector in version 1.1.0:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-fidelis-edr

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fidelis EDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL or IP address of the Fidelis EDR server to which you will connect and perform automated operations.
Username Specify the username that is configured for your account to access the Fidelis EDR server to which you will connect and perform automated operations.
Password Specify the password that is configured for your account to access the Fidelis EDR server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified.
By default, this option is selected, i.e., set to true.

Actions supported by the connector

You can use the following automated operations in playbooks and also use the annotations to access operations:

Function Description Annotation and Category
Get Alerts Retrieves a list of all alerts or specific alerts from Fidelis EDR based on the input parameters you have specified. get_alerts
Investigation
Get Endpoints Retrieves information for specific endpoints from Fidelis EDR based on the offset, limit, and other input parameters you have specified. get_endpoints
Investigation
Get Endpoint By Name Retrieves theIDs of specific endpoints from Fidelis EDR based on the endpoint names you have specified. get_endpoints_by_name
Investigation
Delete Endpoint Deletes specific endpoints from Fidelis EDR based on the endpoint IDs you have specified. delete_endpoint
Investigation
Get Playbooks Retrieves a list of playbooks and their details from Fidelis EDR. get_playbooks
Investigation
Get Playbooks And Scripts Retrieves details of all Fidelis playbooks and scripts or specific Fidelis playbooks and scripts from the Fidelis EDR based on the input parameters you have specified. get_playbooks_scripts
Investigation
Get Playbooks Details Retrieves details for a specific playbook from Fidelis EDR based on the playbook ID you have specified. get_playbooks_detail
Investigation
Get API version Information Retrieves information on the API version from Fidelis EDR. get_api_info
Investigation
Get Script Packages Retrieves a list of all script packages from Fidelis EDR. get_script_packages
Investigation
Get Script Packages File Retrieves the specific script packages file from Fidelis EDR and adds this script file to the "Attachment Module" in FortiSOAR based on the script package ID you have specified. get_script_packages_file
Investigation
Get Script Packages Manifest Retrieves the manifest for a specific script package from Fidelis EDR based on the script package ID you have specified. get_script_packages_manifest
Investigation
Get Script Packages Metadata Retrieves the metadata for a specific script package from Fidelis EDR based on the script package ID you have specified. get_script_packages_metadata
Investigation
Get Script Packages Template Retrieves the template for a specific script package from Fidelis EDR based on the script package ID you have specified. get_script_packages_template
Investigation
Execute Script Package Executes a specific script package on Fidelis EDR based on the script package ID, timeout value, host information, and other input parameters you have specified. execute_script_package
Investigation
Get Script Job Results Retrieves the results of a script job from Fidelis EDR based on the job result ID you have specified. script_job_results
Investigation
Execute Task Executes a task (run a script job or a playbook) on Fidelis Endpoint EDR based on the script package IDs and endpoint IDs you have specified. create_task
Investigation
Get Installed Software Retrieves a list of all installed Software from Fidelis EDR based on the input parameters you have specified. get_installed_software
Investigation
Get Alert Responses Retrieves a list of all alerts responses from Fidelis EDR based on the input parameters you have specified. get_alert_responses
Investigation
Get Endpoints By Search Query Retrieves information for specific endpoints from Fidelis EDR based on the offset, limit, and other input parameters you have specified. get_endpoints_by_search_query
Investigation
Get Job Status By Job ID Retrieves the results of a script job from Fidelis EDR based on the job ID you have specified. get_job_status_by_job_id
Investigation
Create Custom Task Executes a task (run a script job or a playbook) on Fidelis Endpoint EDR based on the script package IDs and endpoint IDs you have specified. create_custom_task
Investigation

operation: Get Alerts

Input parameters

Parameter Description
Search String (Optional) Specify a filter that you want to apply to the results of this operation. By default, this is set to an "empty" string
Start Date (Optional) Select the start time of the time range from when you want to retrieve alerts from Fidelis Endpoint EDR.
End Date (Optional) Select the end time of the time range till when you want to retrieve alerts from Fidelis Endpoint EDR.
Offset (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say alerts starting from the 10th alert. By default, this is set as "0".
Limit (Optional) Specify the maximum number of alerts that you want this operation to return in the response.By default, this is set to "all" alerts.
Sort Alerts (Optional) Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to "id Descending". You can specify the name of any property of the alert object.

Output

The output contains the following populated JSON schema:

{
    "entities": [
        {
            "id": "",
            "createDate": "",
            "endpointName": "",
            "endpointId": "",
            "name": "",
            "description": "",
            "artifactName": "",
            "source": "",
            "sourceType": "",
            "severity": "",
            "intelId": "",
            "intelName": "",
            "validatedDate": "",
            "actionsTaken": "",
            "eventId": "",
            "eventTime": "",
            "parentEventId": "",
            "eventType": "",
            "eventIndex": "",
            "reportId": "",
            "telemetry": "",
            "insertionDate": "",
            "hasJob": "",
            "osType": "",
            "agentTag": "",
            "enrichments": []
        }
    ],
    "totalCount": ""
}

operation: Get Endpoints

Input parameters

Parameter Description
Offset Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say endpoints starting from the 10th endpoint. By default, this is set as "0".
Limit Specify the maximum number of endpoints that you want this operation to return in the response.
Sort Specify the property name (and optionally the order) to sort the results retrieved by this operation, before applying the limit and offset. Examples of properties that can be specified are hostname, hostname descending, createdDate, createdDate descending, etc.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "entities": [
            {
                "id": "",
                "hostName": "",
                "ipAddress": "",
                "externalAddress": "",
                "description": "",
                "lastContactDate": "",
                "agentInstalled": "",
                "agentVersion": "",
                "os": "",
                "macAddress": "",
                "aV_Enabled": "",
                "eventsStopped": "",
                "locality": "",
                "groupList": "",
                "isGroupMember": "",
                "agentConnected": "",
                "isolated": "",
                "osType": "",
                "osArch": "",
                "agentTag": "",
                "createdDate": "",
                "avSigVersion": "",
                "advMalwareVersion": "",
                "aR_Enabled": "",
                "events_Enabled": "",
                "agentId": "",
                "groups": "",
                "processorName": "",
                "processorCount": "",
                "processorSpeedInMhz": "",
                "processorNumOfCores": "",
                "processorNumOfLogicalProcessors": "",
                "ramSize": "",
                "flag": "",
                "createdByType": "",
                "interfaceIPs": "",
                "agentScoreboardHash": "",
                "investigativeModeEnabled": "",
                "investigativeModeDuration": "",
                "investigativeModeStartTime": "",
                "eventsVersion": "",
                "activeDirectoryId": "",
                "lastAvScanDate": "",
                "motherboardSerial": "",
                "assetTag": "",
                "manufacturer": "",
                "model": "",
                "protectStatus": "",
                "hasAllAuthCerts": "",
                "hasAllCommCerts": ""
            }
        ],
        "totalCount": ""
    }
}

operation: Get Endpoint By Name

Input parameters

Parameter Description
Endpoint Names Specify the names of the endpoints in the "CSV" or "List" format whose IDs you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": []
}

operation: Delete Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the ID of an endpoint that you want to delete from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "error": "",
    "success": ""
}

operation: Get Playbooks

Input parameters

Parameter Description
Limit Playbooks Specify the maximum number of playbooks that you want this operation to return in the response.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "entities": [
            {
                "id": "",
                "name": "",
                "description": "",
                "createdByName": "",
                "createdById": "",
                "createdDate": "",
                "scriptCount": "",
                "tags": "",
                "hasEndpointAction": "",
                "endpointActionText": ""
            }
        ],
        "totalCount": ""
    }
}

operation: Get Playbooks And Scripts

Input parameters

Parameter Description
Type (Optional) Select whether you want to retrieve script packages or playbooks from Fidelis EDR. By default, this is set as "2 - Script Packages".
OS Platform (Optional) Select the OS Platform for which you want to retrieve script packages or playbooks from Fidelis EDR. You can choose between All, Windows, Mac, or Linux.
Sorting Order (Optional) Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to "name ascending".
Limit (Optional) Specify the maximum number of alerts that you want this operation to return in the response. By default, this is set to "all" playbooks or scripts
Offset (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say playbooks or scripts starting from the 10th playbook or script. By default, this is set as "0".

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "entities": [
            {
                "id": "",
                "name": "",
                "description": "",
                "createdByName": "",
                "createdById": "",
                "createdDate": "",
                "tags": "",
                "platforms": {
                    "windows32": "",
                    "windows64": "",
                    "linux32": "",
                    "linux64": "",
                    "solaris": "",
                    "aix": "",
                    "osx": ""
                },
                "platformsStringList": "",
                "packageType": ""
            }
        ],
        "totalCount": ""
    }
}

operation: Get Playbooks Details

Input parameters

Parameter Description
Playbook ID Specify the unique ID of the playbook whose details you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "scripts": [
            {
                "hash": "",
                "executionOrder": "",
                "scriptId": "",
                "scriptName": "",
                "questions": [
                    {
                        "paramNumber": "",
                        "question": "",
                        "answer": "",
                        "isOptional": "",
                        "inputType": ""
                    }
                ],
                "details": {
                    "id": "",
                    "name": "",
                    "platforms": {
                        "windows32": "",
                        "windows64": "",
                        "linux32": "",
                        "linux64": "",
                        "solaris": "",
                        "aix": "",
                        "osx": ""
                    },
                    "tags": "",
                    "createdBy": "",
                    "createdByName": "",
                    "createdDate": "",
                    "fileCount": "",
                    "scriptPackageFiles": [
                        {
                            "fileName": "",
                            "fileId": ""
                        }
                    ],
                    "platformsStringList": "",
                    "platformsLocalizedStringList": "",
                    "description": "",
                    "priority": "",
                    "resultColumns": [],
                    "timeoutSeconds": "",
                    "impersonationUser": "",
                    "impersonationPassword": "",
                    "command": "",
                    "wizardOverridePassword": "",
                    "questions": [
                        {
                            "paramNumber": "",
                            "question": "",
                            "answer": "",
                            "isOptional": "",
                            "inputType": ""
                        }
                    ],
                    "jsonQuestions": "",
                    "questionsHaveLoadError": "",
                    "resultDelimiter": "",
                    "dataDependencies": [],
                    "hasEndpointAction": "",
                    "endpointActionText": "",
                    "tenants": "",
                    "hash": ""
                },
                "queueExpirationEnabled": "",
                "queueExpirationInhours": "",
                "wizardOverridePassword": "",
                "impersonationUser": "",
                "impersonationPassword": "",
                "impersonationPasswordEnc": "",
                "integrationOutputFormat": "",
                "priority": "",
                "filter": "",
                "basicOptions": "",
                "volatileDetail": "",
                "processDetail": "",
                "iocDetail": "",
                "yaraDetail": "",
                "timeoutInSeconds": "",
                "jsonAnswers": "",
                "jsonQuestions": "",
                "isPlaybook": ""
            }
        ],
        "tenants": "",
        "baseTenantId": "",
        "hash": "",
        "id": "",
        "name": "",
        "description": "",
        "createdByName": "",
        "createdById": "",
        "createdDate": "",
        "scriptCount": "",
        "tags": "",
        "hasEndpointAction": "",
        "endpointActionText": ""
    }
}

operation: Get API version Information

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "version": ""
    }
}

operation: Get Script Packages

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "scripts": [
            {
                "id": "",
                "name": "",
                "description": ""
            }
        ],
        "totalCount": ""
    }
}

operation: Get Script Packages File

Input parameters

Parameter Description
Script Package ID Specify the ID of the script package that you want to retrieve from Fidelis EDR. This operation also adds the retrieved script file to the "Attachment Module" in FortiSOAR.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "@id": "",
    "file": {
        "id": "",
        "@id": "",
        "size": "",
        "uuid": "",
        "@type": "",
        "assignee": "",
        "filename": "",
        "metadata": [],
        "mimeType": "",
        "thumbnail": "",
        "uploadDate": ""
    },
    "name": "",
    "type": "",
    "uuid": "",
    "@type": "",
    "tasks": [],
    "alerts": [],
    "assets": [],
    "owners": [],
    "people": [],
    "@context": "",
    "assignee": "",
    "comments": [],
    "warrooms": [],
    "incidents": [],
    "createDate": "",
    "createUser": {
        "id": "",
        "@id": "",
        "name": "",
        "uuid": "",
        "@type": "",
        "avatar": "",
        "userId": "",
        "userType": "",
        "createDate": "",
        "createUser": "",
        "modifyDate": "",
        "modifyUser": ""
    },
    "indicators": [],
    "modifyDate": "",
    "modifyUser": {
        "id": "",
        "@id": "",
        "name": "",
        "uuid": "",
        "@type": "",
        "avatar": "",
        "userId": "",
        "userType": "",
        "createDate": "",
        "createUser": "",
        "modifyDate": "",
        "modifyUser": ""
    },
    "recordTags": [],
    "userOwners": [],
    "description": ""
}

operation: Get Script Packages Manifest

Input parameters

Parameter Description
Script Package ID Specify the ID of the script package whose package manifest you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "id": "",
        "name": "",
        "platforms": {
            "windows32": "",
            "windows64": "",
            "linux32": "",
            "linux64": "",
            "solaris": "",
            "aix": "",
            "osx": ""
        },
        "tags": "",
        "createdBy": "",
        "createdByName": "",
        "createdDate": "",
        "fileCount": "",
        "scriptPackageFiles": [
            {
                "fileName": "",
                "fileId": ""
            }
        ],
        "platformsStringList": "",
        "platformsLocalizedStringList": "",
        "description": "",
        "priority": "",
        "resultColumns": [
            "Not Before",
            "Serial Number"
        ],
        "timeoutSeconds": "",
        "impersonationUser": "",
        "impersonationPassword": "",
        "command": "",
        "wizardOverridePassword": "",
        "questions": [],
        "jsonQuestions": "",
        "questionsHaveLoadError": "",
        "resultDelimiter": "",
        "dataDependencies": [],
        "hasEndpointAction": "",
        "endpointActionText": "",
        "tenants": "",
        "hash": ""
    }
}

operation: Get Script Packages Metadata

Input parameters

Parameter Description
Script Package ID Specify the ID of the script package whose package metadata you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "integrationOutputs": "",
        "scriptPackageId": "",
        "useImpersonation": "",
        "impersonationUser": "",
        "impersonationPassword": "",
        "timeoutInSeconds": "",
        "hosts": "",
        "endpointIds": [
            {}
        ],
        "questions": {},
        "useSchedule": "",
        "schedule": {
            "initialDateTime": "",
            "recurrenceRange": "",
            "maxRecurrenceCount": "",
            "endDateTime": "",
            "timeUnit": "",
            "period": "",
            "ordinalUnit": "",
            "ordinal": "",
            "ordinalDayOfWeek": "",
            "ordinalMonth": "",
            "weekday": "",
            "timeZoneName": "",
            "isIncremental": ""
        }
    }
}

operation: Get Script Packages Template

Input parameters

Parameter Description
Script Package ID Specify the ID of the script package whose package template you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "integrationOutputs": [],
        "scriptPackageId": "",
        "useImpersonation": "",
        "impersonationUser": "",
        "impersonationPassword": "",
        "timeoutInSeconds": "",
        "hosts": [],
        "endpointIds": [],
        "questions": {},
        "useSchedule": "",
        "schedule": {
            "initialDateTime": "",
            "recurrenceRange": "",
            "maxRecurrenceCount": "",
            "endDateTime": "",
            "timeUnit": "",
            "period": "",
            "ordinalUnit": "",
            "ordinal": "",
            "ordinalDayOfWeek": "",
            "ordinalMonth": "",
            "weekday": [],
            "timeZoneName": "",
            "isIncremental": ""
        }
    }
}

operation: Execute Script Package

Input parameters

Parameter Description
Script Package ID Specify the ID of the script package you want to execute on Fidelis EDR.
Timeout In Seconds Specify the timeout value, in seconds, after which this operation will timeout.
Hosts You can specify multiple endpoint IP addresses in the "hosts" key using the following format: ["10.91.96.110","10.91.96.216"]
Integration Outputs (Optional) You can specify the export format, for use with integrated products, using the integration Outputskey, The value of the integration Outputskey is the name of the export type as specified in the configuration file. For example, "integrationOutputs":["CEFOutput","LEEFOutput"]. For more information, see the SIEM Integrations Guide.
Questions (Optional) Specify the key-value pair of question data. For example, {"paramNumber": 1,"question": "Type","answer": "","isOptional": "false","inputType": "text"}

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "jobId": "",
        "jobResultId": ""
    }
}

operation: Get Script Job Results

Input parameters

Parameter Description
Job Result ID Specify the ID of the job whose result details you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": {
        "hits": {
            "total": {
                "value": "",
                "relation": ""
            },
            "hits": [],
            "useNonDeterministicPaging": "",
            "nonDeterministicPagingInfo": ""
        },
        "columns": [],
        "pendingMigration": ""
    }
}

operation: Execute Task

Input parameters

Parameter Description
Package ID Specify the ID of the script package/playbook you want to execute on Fidelis EDR.
IS Playbook Or Script Select whether you want to run a script package or playbook onFidelis EDR.
Endpoint IDs Specify the IDs of the endpoints in the "CSV" or "List" format on which you want to execute the task.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "error": "",
    "data": ""
}

operation: Get Installed Software

Input parameters

Parameter Description
Endpoint ID Specify the ID of an endpoint that you want to delete from Fidelis EDR.
Search String (Optional) Specify a filter that you want to apply to the results of this operation. By default, this is set to an "empty" string
Offset (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records. By default, this is set as "0".
Limit (Optional) Limit the number of records to return in response. default is set to 1000
Sort (Optional) Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to "id Descending". You can specify the name of any property of the data object.

Output

The output contains the following populated JSON schema:

{
    "entities": [
        {
            "installSource": "",
            "installLocation": "",
            "installDate": "",
            "uninstallString": "",
            "canUninstall": "",
            "installedSoftwareKey": "",
            "name": "",
            "publisher": "",
            "version": "",
            "hasCVE": "",
            "cveCount": "",
            "cveHighestScore": "",
            "cveList": "",
            "highestCVESeverity": "",
            "cveSeverity": ""
        }
    ],
    "totalCount": ""
}

operation: Get Alert Responses

Input parameters

Parameter Description
Search (Optional) Specify a filter to apply to the results of this operation. By default, this is set to an empty string
Offset (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say alerts starting from the 10th alert. By default, this is set as 0.
Columns (Optional) Specify the columns alerts.
Limit (Optional) Specify the maximum number of alerts that you want this operation to return in the response. By default, this is set to all alerts.
Sort (Optional) Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to id Descending. You can specify the name of any property of the alert object.

Output

The output contains the following populated JSON schema:

{
    "alertResponseInfos": [],
    "totalCount": ""
}

operation: Get Endpoints By Search Query

Input parameters

Parameter Description
Start Range Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records
Count Specify the maximum number of endpoints that you want this operation to return in the response.
Search Specify a filter that you want to apply to the results of this operation. By default, this is set to an empty string.
Sort Specify the property name and order (Ascending or Descending) to sort the results retrieved by this operation, before applying take and skip. By default, this is set to id Descending. You can specify the name of any property of the data object.
Access Type (Optional) Specify an access type that you want to apply to the results of this operation. By default, this is set to "0" string.

Output

The output contains the following populated JSON schema:

{
    "entities": [
        {
            "id": "",
            "hostName": "",
            "ipAddress": "",
            "externalAddress": "",
            "description": "",
            "lastContactDate": "",
            "agentInstalled": "",
            "agentVersion": "",
            "os": "",
            "macAddress": "",
            "aV_Enabled": "",
            "eventsStopped": "",
            "locality": "",
            "groupList": "",
            "isGroupMember": "",
            "agentConnected": "",
            "isolated": "",
            "osType": "",
            "osArch": "",
            "agentTag": "",
            "createdDate": "",
            "avSigVersion": "",
            "advMalwareVersion": "",
            "aR_Enabled": "",
            "events_Enabled": "",
            "agentId": "",
            "groups": "",
            "processorName": "",
            "processorCount": "",
            "processorSpeedInMhz": "",
            "processorNumOfCores": "",
            "processorNumOfLogicalProcessors": "",
            "ramSize": "",
            "flag": "",
            "createdByType": "",
            "interfaceIPs": "",
            "agentScoreboardHash": "",
            "investigativeModeEnabled": "",
            "investigativeModeDuration": "",
            "investigativeModeStartTime": "",
            "eventsVersion": "",
            "activeDirectoryId": "",
            "lastAvScanDate": "",
            "motherboardSerial": "",
            "assetTag": "",
            "manufacturer": "",
            "model": "",
            "protectStatus": "",
            "hasAllAuthCerts": "",
            "hasAllCommCerts": ""
        }
    ],
    "totalCount": ""
}

operation: Get Job Status By Job ID

Input parameters

Parameter Description
Job Result ID Specify the ID of the job whose result details you want to retrieve from Fidelis EDR.

Output

The output contains the following populated JSON schema:

{
    "jobID": "",
    "resultID": "",
    "name": "",
    "startDate": "",
    "endDate": "",
    "createdDate": "",
    "hasSchedule": "",
    "fromScheduledTask": "",
    "status": "",
    "statusCode": "",
    "scriptPackage": "",
    "scriptPackageId": "",
    "playbookId": "",
    "createdBy": "",
    "createdById": "",
    "hasAlert": "",
    "alertName": "",
    "alertId": "",
    "fromPlaybook": "",
    "playbook": "",
    "order": ""
}

operation: Create Custom Task

Input parameters

Parameter Description
Package ID Specify the ID of the script package/playbook you want to execute on Fidelis EDR.
Is Playbook Or Script Select whether you want to run a script package or a playbook on Fidelis EDR.
Endpoint IDs Specify the IDs of the endpoints, as comma-separated values or as a list, on which to execute the task.
Integration Output Format Specify the format for the integration output.
Script ID Specify the script ID to be executed.
Questions Specify the questions for the task.
Json Questions (Optional) Specify questions as a JSON.
Timeout In Seconds Specify the timeout duration in seconds.
Queue Expiration In Hours (Optional) Specify the queue expiration duration in hours.

Output

The output contains a non-dictionary value.
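The three operations above are typically chained in a response playbook: Get Endpoints By Search Query selects hosts, Create Custom Task runs a script package or playbook on them, and Get Job Status By Job ID is polled until the job ends. The following Python helpers are an added example of the glue logic a playbook author would write around those steps; they are not part of the connector or of Fidelis EDR. The field names come from the output schemas on this page, the sample records and their values are constructed, and the terminal status names and the use of a non-empty endDate as an end-of-job signal are assumptions to be checked against your own Fidelis EDR server.

```python
# Constructed sample: a trimmed "Get Endpoints By Search Query" result. The
# keys match the connector's output schema; the values are made up.
SAMPLE_ENDPOINTS = {
    "entities": [
        {"id": 101, "hostName": "ws-finance-01", "ipAddress": "10.0.5.21",
         "agentConnected": True, "isolated": False, "agentVersion": "9.3.1"},
        {"id": 102, "hostName": "ws-finance-02", "ipAddress": "10.0.5.22",
         "agentConnected": False, "isolated": False, "agentVersion": "9.3.1"},
        {"id": 103, "hostName": "srv-db-01", "ipAddress": "10.0.9.4",
         "agentConnected": True, "isolated": True, "agentVersion": "9.2.0"},
    ],
    "totalCount": 3,
}


def select_task_targets(endpoints_output):
    """Return the IDs of endpoints that can receive a custom task right now.

    Hosts whose agent is not connected, or that are network-isolated, are
    skipped: a task queued for them would sit until the queue expiration
    instead of producing a result, so a playbook should handle them separately
    (for example by re-checking them on the next run).
    """
    targets = []
    for ep in endpoints_output.get("entities", []):
        if ep.get("agentConnected") and not ep.get("isolated"):
            targets.append(ep["id"])
    return targets


def parse_endpoint_ids(value):
    """Normalize the Create Custom Task 'Endpoint IDs' parameter.

    The connector accepts the IDs as comma-separated values or as a list;
    blank entries (e.g. a trailing comma) are dropped, and each ID is
    returned as an int.
    """
    if isinstance(value, str):
        items = [v.strip() for v in value.split(",")]
    else:
        items = list(value)
    ids = []
    for item in items:
        if item is None or item == "":
            continue
        ids.append(int(item))
    return ids


# Assumed names of terminal job states; confirm against the 'status' values
# your Fidelis EDR server actually returns from Get Job Status By Job ID.
TERMINAL_STATUSES = {"completed", "failed", "cancelled"}


def job_finished(job_status_output):
    """Decide whether polling Get Job Status By Job ID can stop.

    A job is treated as finished when its endDate is populated (assumption:
    the server fills endDate only once the job has ended) or when its status
    matches one of the assumed terminal states, case-insensitively.
    """
    if job_status_output.get("endDate"):
        return True
    status = str(job_status_output.get("status", "")).strip().lower()
    return status in TERMINAL_STATUSES


if __name__ == "__main__":
    # Typical playbook flow: pick live, non-isolated hosts, then format the
    # 'Endpoint IDs' parameter for Create Custom Task.
    targets = select_task_targets(SAMPLE_ENDPOINTS)
    print("Task targets:", targets)
    print("Normalized IDs:", parse_endpoint_ids("101, 103,"))
    print("Finished?", job_finished({"status": "Running", "endDate": ""}))
```

In a playbook, the polling loop around job_finished should also stop after the task's Timeout In Seconds has elapsed, so that a job that never reaches a terminal state does not hold the playbook open indefinitely.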

Included playbooks

The Sample - Fidelis EDR - 1.1.0 playbook collection comes bundled with the Fidelis EDR connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fidelis EDR connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
