FireEye HX

Cyware Orchestrate

FireEye HX

App Vendor: FireEye
Connector Category: Endpoint
Connector Version: 1.0.0
API Version: 3.0.0
Product Version: 1.0.0
Default Port: 443

About App

The FireEye HX app allows security teams to detect missed threats and protect endpoints against known and unknown threats.

The FireEye HX app is configured with Orchestrate to perform the below-listed actions:

Action Name	Description
Suppress an alert	This action can be used to suppress an alert using alert ID.
Request a triage package	This action can be used to request an endpoint host triage package using host agent ID.
Request a file to be acquired	This action can be used to request a file to be acquired into endpoint security.
Get status of a file acquisition	This action can be used to fetch the status of a file acquisition using acquisition ID.
Get details of alerts	This action can be used to retrieve details of alerts using filters.
Get details of an alert	This action can be used to retrieve the details of an alert using alert ID.
Get system version	This action can be used to retrieve the system version.
Get a list of acquisitions	This action can be used to retrieve a list of all acquisitions with optional filters.
Get details of host sets	This action can be used to retrieve a list of host sets optionally filtered by name.
Get details of a host set	This action can be used to retrieve a list of endpoints in a host set.
Get agent system info	This action can be used to fetch agent system information.
Requesting a host for containment	This action can be used to request a host for containment using host agent ID.
Query about states of host containment	This action can be used to query about states of host containment using host agent ID.
Get computers installed with FireEye HX	This action can be used to retrieve a list of computers installed at endpoint security.
Cancel a host containment	This action can be used to cancel a host containment.
Approve request of host containment	This action can be used to approve a request of host containment.
Get the status of the FireEye HX installed in the system	This action can be used to get the status of FireEye HX installed in the system.

Configuration parameters

Below is the list of configuration parameters that are required for the FireEye HX app to communicate with the FireEye HX application. The parameters can be configured by creating instances in the app.

Parameter	Description	Field Type	Required / Optional	Comments
Base URL	Enter the base URL. For example, <https://<host>.<tld>>	Text	Required
Username	Enter the endpoint username for access.	Text	Required
Password	Enter the endpoint password for access.	Password	Required
TLS verification	Optional preference to either verify or skip the TLS certificate verification.	Boolean	Optional	Allowed values: true false By default, the value is set to false.

Action: Suppress an alert

This action can be used to suppress an alert using alert ID.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Alert ID	Enter an alert ID.	Text	Required

Example Request

[
 {
  "alert_id": "<Sample Alert ID>"
 }
]

Action: Request a triage package

This action can be used to request an endpoint host triage package using host agent ID.

Input parameters

Parameter	Description	Field Type	Required / Optional
Agent ID	Enter the host agent ID. For example, <Sample Agent ID>	Text	Required
Required timestamp	Enter the required timestamp. The triage collection time in ISO-8601_DATE format. For example, 2017-02-22T17:00:48.861Z	Text	Optional
External ID	Enter an external ID as external correlation ID. For example, <Sample external ID>.	Text	Optional

Example Request

[
 {
  "agent_id": "<Sample Agent ID>",
  "req_timestamp": "2017-02-22T17:00:48.861Z",
  "external_id": "<Sample external ID>"
 }
]

Action: Request a file to be acquired

This action can be used to request a file to be acquired into endpoint security.

Input parameters

Parameter	Description	Field Type	Required / Optional
Agent ID	Enter an agent ID.	Text	Required
File path	Enter the file path.	Text	Required
File name	Enter the file name. For example, "IP list".	Text	Required
Comment	Enter the comment. For example, "Acquire file".	Text	Optional
External ID	Enter the external ID.	Text	Optional

Example Request

[
 {
  "agent_id": "<Sample Agent ID>",
  "req_path": "<Sample file path>",
  "req_filename": "IP list",
  "comment": "Acquire file",
  "external_id": "<Sample external ID>"
 }
]

Action: Get status of a file acquisition

This action can be used to fetch the status of a file acquisition using acquisition ID.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Acquisition ID	Enter the acquisition ID.	Text	Required

Example Request

[
 {
  "acquisition_id": "<Sample acquisition ID>"
 }
]

Action: Get details of alerts

This action can be used to retrieve details of alerts using filters.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Parameters	Enter the parameters to filter the results.	Text	Optional	Allowed values: offset (offset_value): Specifies which record to start with in the response. The offset_value must be an unsigned 32-bit integer. By default, the value is 0. limit (limit_value): Specifies how many records are returned. The limit_value must be an unsigned 32-bit integer. By default, the value is 50. filter: Valid filters include - has_fp_disposition (Boolean), _id (String). sort (_id): Sorts the results by filter ID in ascending or descending order.

Example Request

[
 {
  "params": 
  {
   "offset_value": 0,
   "limit": 50,
   "has_fp_disposition ": "true",
   "sort": "ascending"
  }
 }
]

Action: Get details of an alert

This action can be used to retrieve the details of an alert using alert ID.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Alert ID	Enter an alert ID.	Text	Required

Example Request

[
 {   "alert_id": "<Sample Alert ID>"
 }
]

Action: Get system version

This action can be used to retrieve the system version.

Input parameters

No input parameters are require for this Action.

Action: Get a list of acquisitions

This action can be used to retrieve a list of all acquisitions with optional filters.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Agent ID	Enter an agent ID.	Text	Optional
File name	Enter the file name. For example, "IP list".	Text	Optional

Example Request

[
 {   "agent_id": "<Sample Agent ID>",
     "req_filename": "IP list" }
]

Action: Get details of host sets

This action can be used to retrieve a list of host sets optionally filtered by name.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Parameters	Enter the parameters.	Text	Optional	Allowed values: search (search_term): Searches the names of all host sets connected to the specified endpoint security server. offset (offset_value): Specifies which record to start with in the response. The offset_value must be an unsigned 32-bit integer. By default, the value is 0. limit (limit_value): Specifies how many records are returned. The limit_value must be an unsigned 32-bit integer. By default, the value is 50. sort (sort_value): Sorts the results by the specified field in ascending or descending order. The default is sorting by name in ascending order. Sortable fields are _id (host set ID) and name (host set name). "filter_field"="filter_value": Lists only results with the specified field value. Available filters are name (host set name) and type (type of host set, such as static or dynamic).

Example Request

[
  { 
    "parms": 
    {
       "search_term": "name",
       "offset_value": 20,
       "limit_value": 50,
       "sort_value": "name",
       "type": "static"
     }
  }
]

Action: Get details of a host set

This action can be used to retrieve a list of endpoints in a host set.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Host set ID	Enter the host set ID.	Text	Optional

Example Request

[
 {   "host_set_id": "<Sample host set ID>"
 }
]

Action: Requesting a host for containment

This action can be used to request a host for containment using host agent ID.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Agent ID	Enter a host agent ID.	Text	Required

Example Request

[
 {   "agent_id": "<Sample Alert ID>"
 }
]

Action: Get agent system info

This action can be used to fetch agent system information.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Agent ID	Enter an agent ID.	Text	Required

Example Request

[
 {   "agent_id": "<Sample Alert ID>"
 }
]

Action: Query about states of host containment

This action can be used to query about states of host containment using host agent ID.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Agent ID	Enter an agent ID.	Text	Required

Example Request

[
 {   "agent_id": "<Sample Alert ID>"
 }
]

Action: Get computers installed with FireEye HX

This action can be used to retrieve a list of computers installed at endpoint security.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Query search	Enter the search for endpoint.	Text	Optional	Filter: endpoint name
Limit	Enter the limit on number of hosts returned. For example, 20.	Text	Optional	By default, the value is 50.

Example Request

[
 {   "search": "<Sample search term>",
     "limit": "20" }
]

Action: Cancel a host containment

This action can be used to cancel a host containment.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Agent ID	Enter the host agent ID. For example, <Sample agent ID>.	Any	Required

Example Request

[
 {   "agent_id": "<Sample Alert ID>"
 }
]

Action: Approve request of host containment

This action can be used to approve a request of host containment.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Agent ID	Enter the host agent ID. For example, <Sample agent ID>.	Any	Required

Example Request

[
 {   "agent_id": "<Sample Alert ID>"
 }
]

Action: Get the status of the FireEye HX installed in the system

This action can be used to get the status of FireEye HX installed in the system.

Input parameters

Parameter	Description	Field Type	Required / Optional	Comments
Hostname	Enter the hostname. For example, random_164_1.	Text	Required

Example Request

[
 {   "hostname": "random_164_1"
 }
]

Was this helpful?

Would you like to provide feedback? Just click here to suggest edits.

Cyware Orchestrate

FireEye HX

About App

Configuration parameters

Action: Suppress an alert

Input parameters

Example Request

Action: Request a triage package

Input parameters

Example Request

Action: Request a file to be acquired

Input parameters

Example Request

Action: Get status of a file acquisition

Input parameters

Example Request

Action: Get details of alerts

Input parameters

Example Request

Action: Get details of an alert

Input parameters

Example Request

Action: Get system version

Input parameters

Action: Get a list of acquisitions

Input parameters

Example Request

Action: Get details of host sets

Input parameters

Example Request

Action: Get details of a host set

Input parameters

Example Request

Action: Requesting a host for containment

Input parameters

Example Request

Action: Get agent system info

Input parameters

Example Request

Action: Query about states of host containment

Input parameters

Example Request

Action: Get computers installed with FireEye HX

Input parameters

Example Request

Action: Cancel a host containment

Input parameters

Example Request

Action: Approve request of host containment

Input parameters

Example Request

Action: Get the status of the FireEye HX installed in the system

Input parameters

Example Request

Search results