Skip to main content

Cyware Orchestrate

FireEye HX 1.0.0

App Vendor: FireEye

Connector Category: Endpoint

Connector Version: 1.0.0

API Version: 3.0.0

Product Version: 1.0.0

Default Port: 443

About App

The FireEye HX app allows security teams to detect missed threats and protect endpoints against known and unknown threats.

The FireEye HX app is configured with Orchestrate to perform the below-listed actions:

Action Name

Description

Suppress an alert

This action can be used to suppress an alert using alert ID.

Request a triage package

This action can be used to request an endpoint host triage package using host agent ID.

Request a file to be acquired

This action can be used to request a file to be acquired into endpoint security.

Get status of a file acquisition

This action can be used to fetch the status of a file acquisition using acquisition ID.

Get details of alerts

This action can be used to retrieve details of alerts using filters.

Get details of an alert

This action can be used to retrieve the details of an alert using alert ID.

Get system version

This action can be used to retrieve the system version.

Get a list of acquisitions

This action can be used to retrieve a list of all acquisitions with optional filters.

Get details of host sets

This action can be used to retrieve a list of host sets optionally filtered by name.

Get details of a host set

This action can be used to retrieve a list of endpoints in a host set.

Get agent system info

This action can be used to fetch agent system information.

Requesting a host for containment

This action can be used to request a host for containment using host agent ID.

Query about states of host containment

This action can be used to query about states of host containment using host agent ID.

Get computers installed with FireEye HX

This action can be used to retrieve a list of computers installed at endpoint security.

Cancel a host containment

This action can be used to cancel a host containment.

Approve request of host containment

This action can be used to approve a request of host containment.

Get the status of the FireEye HX installed in the system

This action can be used to get the status of FireEye HX installed in the system.

Configuration parameters

Below is the list of configuration parameters that are required for the FireEye HX app to communicate with the FireEye HX application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required / Optional

Comments

Base URL

Enter the base URL. For example, <https://<host>.<tld>>

Text

Required

Username

Enter the endpoint username for access.

Text

Required

Password

Enter the endpoint password for access.

Password

Required

TLS verification

Optional preference to either verify or skip the TLS certificate verification.

Boolean

Optional

Allowed values:

  • true

  • false

By default, the value is set to false.

Action: Suppress an alert

This action can be used to suppress an alert using alert ID.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Alert ID

Enter an alert ID.

Text

Required

Example Request
[
 {
  "alert_id": "<Sample Alert ID>"
 }
]
Action: Request a triage package

This action can be used to request an endpoint host triage package using host agent ID.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Agent ID

Enter the host agent ID. For example, <Sample Agent ID>

Text

Required

Required timestamp

Enter the required timestamp. The triage collection time in ISO-8601_DATE format. For example, 2017-02-22T17:00:48.861Z

Text

Optional

External ID

Enter an external ID as external correlation ID. For example, <Sample external ID>.

Text

Optional

Example Request
[
 {
  "agent_id": "<Sample Agent ID>",
  "req_timestamp": "2017-02-22T17:00:48.861Z",
  "external_id": "<Sample external ID>"
 }
]
Action: Request a file to be acquired

This action can be used to request a file to be acquired into endpoint security.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Agent ID

Enter an agent ID.

Text

Required

File path

Enter the file path.

Text

Required

File name

Enter the file name. For example, "IP list".

Text

Required

Comment

Enter the comment. For example, "Acquire file".

Text

Optional

External ID

Enter the external ID.

Text

Optional

Example Request
[
 {
  "agent_id": "<Sample Agent ID>",
  "req_path": "<Sample file path>",
  "req_filename": "IP list",
  "comment": "Acquire file",
  "external_id": "<Sample external ID>"
 }
]
Action: Get status of a file acquisition

This action can be used to fetch the status of a file acquisition using acquisition ID.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Acquisition ID

Enter the acquisition ID.

Text

Required

Example Request
[
 {
  "acquisition_id": "<Sample acquisition ID>"
 }
]
Action: Get details of alerts

This action can be used to retrieve details of alerts using filters.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Parameters

Enter the parameters to filter the results.

Text

Optional

Allowed values:

  • offset (offset_value): Specifies which record to start with in the response. The offset_value must be an unsigned 32-bit integer. By default, the value is 0.

  • limit (limit_value): Specifies how many records are returned. The limit_value must be an unsigned 32-bit integer. By default, the value is 50.

  • filter: Valid filters include - has_fp_disposition (Boolean), _id (String).

  • sort (_id): Sorts the results by filter ID in ascending or descending order.

Example Request
[
 {
  "params": 
  {
   "offset_value": 0,
   "limit": 50,
   "has_fp_disposition ": "true",
   "sort": "ascending"
  }
 }
]
Action: Get details of an alert

This action can be used to retrieve the details of an alert using alert ID.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Alert ID

Enter an alert ID.

Text

Required

Example Request
[
 {   "alert_id": "<Sample Alert ID>"
 }
]
Action: Get system version

This action can be used to retrieve the system version.

Input parameters

No input parameters are require for this Action.

Action: Get a list of acquisitions

This action can be used to retrieve a list of all acquisitions with optional filters.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Agent ID

Enter an agent ID.

Text

Optional

File name

Enter the file name. For example, "IP list".

Text

Optional

Example Request
[
 {   "agent_id": "<Sample Agent ID>",
     "req_filename": "IP list" }
]
Action: Get details of host sets

This action can be used to retrieve a list of host sets optionally filtered by name.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Parameters

Enter the parameters.

Text

Optional

Allowed values:

  • search (search_term): Searches the names of all host sets connected to the specified endpoint security server.

  • offset (offset_value): Specifies which record to start with in the response. The offset_value must be an unsigned 32-bit integer. By default, the value is 0.

  • limit (limit_value): Specifies how many records are returned. The limit_value must be an unsigned 32-bit integer. By default, the value is 50.

  • sort (sort_value): Sorts the results by the specified field in ascending or descending order. The default is sorting by name in ascending order. Sortable fields are _id (host set ID) and name (host set name).

  • "filter_field"="filter_value": Lists only results with the specified field value. Available filters are name (host set name) and type (type of host set, such as static or dynamic).

Example Request
[
  { 
    "parms": 
    {
       "search_term": "name",
       "offset_value": 20,
       "limit_value": 50,
       "sort_value": "name",
       "type": "static"
     }
  }
]
Action: Get details of a host set

This action can be used to retrieve a list of endpoints in a host set.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Host set ID

Enter the host set ID.

Text

Optional

Example Request
[
 {   "host_set_id": "<Sample host set ID>"
 }
]
Action: Requesting a host for containment

This action can be used to request a host for containment using host agent ID.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Agent ID

Enter a host agent ID.

Text

Required

Example Request
[
 {   "agent_id": "<Sample Alert ID>"
 }
]
Action: Get agent system info

This action can be used to fetch agent system information.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Agent ID

Enter an agent ID.

Text

Required

Example Request
[
 {   "agent_id": "<Sample Alert ID>"
 }
]
Action: Query about states of host containment

This action can be used to query about states of host containment using host agent ID.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Agent ID

Enter an agent ID.

Text

Required

Example Request
[
 {   "agent_id": "<Sample Alert ID>"
 }
]
Action: Get computers installed with FireEye HX

This action can be used to retrieve a list of computers installed at endpoint security.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Query search

Enter the search for endpoint.

Text

Optional

Filter: endpoint name

Limit

Enter the limit on number of hosts returned. For example, 20.

Text

Optional

By default, the value is 50.

Example Request
[
 {   "search": "<Sample search term>",
     "limit": "20" }
]
Action: Cancel a host containment

This action can be used to cancel a host containment.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Agent ID

Enter the host agent ID. For example, <Sample agent ID>.

Any

Required

Example Request
[
 {   "agent_id": "<Sample Alert ID>"
 }
]
Action: Approve request of host containment

This action can be used to approve a request of host containment.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Agent ID

Enter the host agent ID. For example, <Sample agent ID>.

Any

Required

Example Request
[
 {   "agent_id": "<Sample Alert ID>"
 }
]
Action: Get the status of the FireEye HX installed in the system

This action can be used to get the status of FireEye HX installed in the system.

Input parameters

Parameter

Description

Field Type

Required / Optional

Comments

Hostname

Enter the hostname. For example, random_164_1.

Text

Required

Example Request
[
 {   "hostname": "random_164_1"
 }
]