FireEye HX 1.0.0
App Vendor: FireEye
Connector Category: Endpoint
Connector Version: 1.0.0
API Version: 3.0.0
Product Version: 1.0.0
Default Port: 443
About App
The FireEye HX app allows security teams to detect missed threats and protect endpoints against known and unknown threats.
The FireEye HX app is configured with Orchestrate to perform the below-listed actions:
Action Name | Description |
---|---|
Suppress an alert | This action can be used to suppress an alert using alert ID. |
Request a triage package | This action can be used to request an endpoint host triage package using host agent ID. |
Request a file to be acquired | This action can be used to request a file to be acquired into endpoint security. |
Get status of a file acquisition | This action can be used to fetch the status of a file acquisition using acquisition ID. |
Get details of alerts | This action can be used to retrieve details of alerts using filters. |
Get details of an alert | This action can be used to retrieve the details of an alert using alert ID. |
Get system version | This action can be used to retrieve the system version. |
Get a list of acquisitions | This action can be used to retrieve a list of all acquisitions with optional filters. |
Get details of host sets | This action can be used to retrieve a list of host sets optionally filtered by name. |
Get details of a host set | This action can be used to retrieve a list of endpoints in a host set. |
Get agent system info | This action can be used to fetch agent system information. |
Requesting a host for containment | This action can be used to request a host for containment using host agent ID. |
Query about states of host containment | This action can be used to query about states of host containment using host agent ID. |
Get computers installed with FireEye HX | This action can be used to retrieve a list of computers installed at endpoint security. |
Cancel a host containment | This action can be used to cancel a host containment. |
Approve request of host containment | This action can be used to approve a request of host containment. |
Get the status of the FireEye HX installed in the system | This action can be used to get the status of FireEye HX installed in the system. |
Configuration parameters
Below is the list of configuration parameters that are required for the FireEye HX app to communicate with the FireEye HX application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL. For example, <https://<host>.<tld>> | Text | Required | |
Username | Enter the endpoint username for access. | Text | Required | |
Password | Enter the endpoint password for access. | Password | Required | |
TLS verification | Optional preference to either verify or skip the TLS certificate verification. | Boolean | Optional | Allowed values:
By default, the value is set to false. |
Action: Suppress an alert
This action can be used to suppress an alert using alert ID.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alert ID | Enter an alert ID. | Text | Required |
Example Request
[ { "alert_id": "<Sample Alert ID>" } ]
Action: Request a triage package
This action can be used to request an endpoint host triage package using host agent ID.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. For example, <Sample Agent ID> | Text | Required | |
Required timestamp | Enter the required timestamp. The triage collection time in ISO-8601_DATE format. For example, 2017-02-22T17:00:48.861Z | Text | Optional | |
External ID | Enter an external ID as external correlation ID. For example, <Sample external ID>. | Text | Optional |
Example Request
[ { "agent_id": "<Sample Agent ID>", "req_timestamp": "2017-02-22T17:00:48.861Z", "external_id": "<Sample external ID>" } ]
Action: Request a file to be acquired
This action can be used to request a file to be acquired into endpoint security.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Agent ID | Enter an agent ID. | Text | Required | |
File path | Enter the file path. | Text | Required | |
File name | Enter the file name. For example, "IP list". | Text | Required | |
Comment | Enter the comment. For example, "Acquire file". | Text | Optional | |
External ID | Enter the external ID. | Text | Optional |
Example Request
[ { "agent_id": "<Sample Agent ID>", "req_path": "<Sample file path>", "req_filename": "IP list", "comment": "Acquire file", "external_id": "<Sample external ID>" } ]
Action: Get status of a file acquisition
This action can be used to fetch the status of a file acquisition using acquisition ID.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Acquisition ID | Enter the acquisition ID. | Text | Required |
Example Request
[ { "acquisition_id": "<Sample acquisition ID>" } ]
Action: Get details of alerts
This action can be used to retrieve details of alerts using filters.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Parameters | Enter the parameters to filter the results. | Text | Optional | Allowed values:
|
Example Request
[ { "params": { "offset_value": 0, "limit": 50, "has_fp_disposition ": "true", "sort": "ascending" } } ]
Action: Get details of an alert
This action can be used to retrieve the details of an alert using alert ID.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alert ID | Enter an alert ID. | Text | Required |
Example Request
[ { "alert_id": "<Sample Alert ID>" } ]
Action: Get system version
This action can be used to retrieve the system version.
Input parameters
No input parameters are require for this Action.
Action: Get a list of acquisitions
This action can be used to retrieve a list of all acquisitions with optional filters.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Agent ID | Enter an agent ID. | Text | Optional | |
File name | Enter the file name. For example, "IP list". | Text | Optional |
Example Request
[ { "agent_id": "<Sample Agent ID>", "req_filename": "IP list" } ]
Action: Get details of host sets
This action can be used to retrieve a list of host sets optionally filtered by name.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Parameters | Enter the parameters. | Text | Optional | Allowed values:
|
Example Request
[ { "parms": { "search_term": "name", "offset_value": 20, "limit_value": 50, "sort_value": "name", "type": "static" } } ]
Action: Get details of a host set
This action can be used to retrieve a list of endpoints in a host set.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Host set ID | Enter the host set ID. | Text | Optional |
Example Request
[ { "host_set_id": "<Sample host set ID>" } ]
Action: Requesting a host for containment
This action can be used to request a host for containment using host agent ID.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Agent ID | Enter a host agent ID. | Text | Required |
Example Request
[ { "agent_id": "<Sample Alert ID>" } ]
Action: Get agent system info
This action can be used to fetch agent system information.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Agent ID | Enter an agent ID. | Text | Required |
Example Request
[ { "agent_id": "<Sample Alert ID>" } ]
Action: Query about states of host containment
This action can be used to query about states of host containment using host agent ID.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Agent ID | Enter an agent ID. | Text | Required |
Example Request
[ { "agent_id": "<Sample Alert ID>" } ]
Action: Get computers installed with FireEye HX
This action can be used to retrieve a list of computers installed at endpoint security.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Query search | Enter the search for endpoint. | Text | Optional | Filter: endpoint name |
Limit | Enter the limit on number of hosts returned. For example, 20. | Text | Optional | By default, the value is 50. |
Example Request
[ { "search": "<Sample search term>", "limit": "20" } ]
Action: Cancel a host containment
This action can be used to cancel a host containment.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. For example, <Sample agent ID>. | Any | Required |
Example Request
[ { "agent_id": "<Sample Alert ID>" } ]
Action: Approve request of host containment
This action can be used to approve a request of host containment.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. For example, <Sample agent ID>. | Any | Required |
Example Request
[ { "agent_id": "<Sample Alert ID>" } ]
Action: Get the status of the FireEye HX installed in the system
This action can be used to get the status of FireEye HX installed in the system.
Input parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Hostname | Enter the hostname. For example, random_164_1. | Text | Required |
Example Request
[ { "hostname": "random_164_1" } ]