Skip to main content

Cyware Orchestrate

FireEye Endpoint Security (HX)

App Vendor: FireEye 

App Category: Endpoint

Connector Version: 2.0.0

API Version: 3.0

About App

FireEye Endpoint Security is an integrated solution that detects what others miss and protects endpoint against known and unknown threats.

The FireEye Endpoint Security (HX) app is configured with Cyware Orchestrate to perform the following actions:

Action Name

Description

Approve Request of Host Containment 

This action approves the request for host containment.

Cancel Host Containment 

This action cancels host containment.

Fetch Agent System Info 

This action retrieves the agent system info.

Fetch Host Set Details 

This action retrieves the endpoints in a host set.

Fetch Hosts Set Details 

This action retrieves a list of host sets in HX, optionally filtered by name.

Fetch Hosts From Host Set

This action retrieves linked hosts with a host set.

Fetch List of Acquisition 

This action retrieves a list of all acquisitions with optional filters.

Fetch System Version 

This action retrieves the system version.

Generic Action 

This is a generic action used to make requests to any FireEye Endpoint Security (HX) endpoint.

Get Alert Details 

This action retrieves the alert details using alert ID.

Get Alerts 

This action retrieves alert details using filters.

Get Computers Installed with FireEye HX 

This action retrieves the list of computers installed at endpoint security.

Get Status of File Acquisition 

This action retrieves the status of file acquisition using acquisition ID.

List Triage Acquisitions 

This action retrieves a list of triage acquisitions for a specific agent.

Query About States of Host Containment 

This action queries about states of host containment using host agent ID.

Request File Acquired 

This action requests a file to be acquired into endpoint security.

Requesting Host for Containment 

This action requests host for containment using host agent ID.

Request Triage Package 

This action requests endpoint host triage package using host agent ID.

Suppress Alert 

This action suppresses an alert using alert ID.

Configuration Parameters

The following configuration parameters are required for the FireEye Endpoint Security (HX) app to communicate with the FireEye Endpoint Security (HX) enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Domain 

Enter the base domain. 

Example: 

host.tld

Text

Required

Username 

Enter the username to access FireEye Endpoint Security (HX)

Text

Required

Password 

Enter the password to access FireEye Endpoint Security (HX).

Password

Required

Timeout 

Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with FireEye Endpoint Security (HX).

Integer

Optional

Allowed range:

15-120

Default value:

15

Verify 

Choose your preference to verify SSL or TLS while making requests. It is recommended to set this option to yes. Passing no may result in incorrectly establishing the connection.

Boolean

Optional

By default, verification is disabled.

Action: Approve Request of Host Containment

This action approves the request for host containment.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID 

Enter the host agent ID.

Example:

DLm3RzyIyCkgrTiErbbK1G

Any

Required

Action: Cancel Host Containment

This action cancels host containment.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID 

Enter the host agent ID.

Example:

DLm3RzyIyCkgrTiErbbK1G

Any

Required

Action: Fetch Agent System Info

This action retrieves the agent system info.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the agent ID.

Text

Required

Action: Fetch Containment State

This action fetches the containment state of a host.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the host agent ID.

Text

Required

Action: Fetch Host Set Details

This action retrieves details of a particular host set.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Host Set ID 

Enter the host set ID.

Text

Optional

You can retrieve this using the action Fetch Hosts Set.

Action: Fetch Hosts Set Details

This action retrieves a list of hosts from host sets in HX.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Params

Enter the input parameters for retrieving the host set details.

Text

Required

Action: Fetch List of Acquisition

This action retrieves a list of all acquisitions with optional filters.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID 

Enter the agent ID.

Text

Optional

Filename 

Enter the filename.

Example: 

IP list

Text

Optional

Action: Fetch System Version

This action retrieves the system version.

Action Input Parameters 

This action does not require any input parameters.

Action: Get Alert Details

This action retrieves alert details using the alert ID.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID 

Enter the alert ID.

Text

Required

You can retrieve this using the action Get Alerts.

Action: Get Alerts

This action retrieves alerts using filters.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Params 

Enter the parameters.

Text

Optional

Allowed values:

offset (offset_value): Specifies which record to start within the response. The offset_value must be an unsigned 32-bit integer. By default, the value is 0, limit (limit_value): Specifies how many records are returned. The limit_value must be an unsigned 32-bit integer. By default, the value is 50, filter: Valid filters include - has_fp_disposition (Boolean), _id (String), sort (_id): Sorts the results by filter ID in ascending or descending order.

Example Request 

[
 {
  "params": 
  {
   "offset_value": 0,
   "limit": 50,
   "has_fp_disposition ": "true",
   "sort": "ascending"
  }
 }
]
Action: Get Computers Installed with FireEye HX

This action retrieves a list of computers installed at endpoint security.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Query Search 

Enter the search for endpoint.

Text

Optional

Allowed filter:

endpoint name

Limit 

Enter the limit on the number of hosts returned. 

Example: 

20

Text

Optional

By default, the value is 50.

Action: Get Status of File Acquisition

This action retrieves the status of a file acquisition using the acquisition ID.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Acquisition ID 

Enter the acquisition ID.

Text

Required

Action: List Triage Acquisitions

This action retrieves a list of triage acquisitions for a specific agent.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID 

Enter the ID of the agent running on the host. 

Example: 

DLm3RzyIyCkgrTiErbbK1G

Text

Required

Query Params 

Enter the query parameters to filter the response. 

Key Value

Optional

Allowed keys:

search (search_term): Searches the names of all host sets connected to the specified endpoint security server.

offset (offset_value): Specifies which record to start with in the response. The offset_value must be an unsigned 32-bit integer. By default, the value is 0.

limit (limit_value): Specifies how many records are returned. The limit_value must be an unsigned 32-bit integer. By default, the value is 50, 

sort (sort_value): Sorts the results by the specified field in ascending or descending order. The default is sorting by name in ascending order. Sortable fields are _id (host set ID) and name (host set name), 

"filter_field"="filter_value": Lists only results with the specified field value. Available filters are name (host set name) and type (type of host set, such as static or dynamic)

Action: Query about States of Host Containment

This action queries about states of host containment using the host agent ID.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the host agent ID.

Text

Required

Action: Request File Acquired

This action requests a file to be acquired into endpoint security.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the agent ID.

Text

Required

File path 

Enter the file path.

Text

Required

Filename 

Enter the file name.

Text

Required

Comment 

Enter the comment. 

Example:

Acquire file

Text

Optional

External ID

Enter the external ID.

Text

Optional

Action: Requesting Host for Containment

This action requests the host for containment using the host agent ID.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the host agent ID.

Text

Required

Action: Request Triage Package

This action requests the endpoint host triage package using the host agent ID.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the host agent ID.

Text

Required

Required Timestamp 

Enter the required timestamp. 

Example: 

2017-02-22T17:00:48.861Z

Text

Optional

Allowed format:

ISO-8601_DATE 

External ID

Enter an external ID as an external correlation ID.

Text

Optional

Action: Suppress Alert

This action suppresses an alert using alert ID.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID 

Enter the alert ID.

Text

Required

You can retrieve this using the action Get Alerts.

Action: Generic Action

This is a generic action used to make requests to any FireEye Endpoint Security endpoint.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Method 

Enter the HTTP method to make the request. 

Text

Required

Allowed values:

GET, PUT, POST, PATCH, DELETE

Endpoint 

Enter the endpoint to make the request.

Text

Required

Query Params 

Enter the query parameters to pass to the API.

Key Value

Optional

Payload 

Enter the payload to pass to the API.

Any

Optional

Extra Fields 

Enter the extra fields to pass to the API.

Key Value

Optional

Allowed keys:

payload_json, custom_output, download, filename, files, retry_wait, retry_count, and response_type.