FireEye Endpoint Security (HX)
App Vendor: FireEye
App Category: Endpoint
Connector Version: 2.0.0
API Version: 3.0
About App
FireEye Endpoint Security is an integrated solution that detects what others miss and protects endpoints against known and unknown threats.
The FireEye Endpoint Security (HX) app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Approve Request of Host Containment | This action approves the request for host containment. |
Cancel Host Containment | This action cancels host containment. |
Fetch Agent System Info | This action retrieves the agent system info. |
Fetch Host Set Details | This action retrieves the endpoints in a host set. |
Fetch Hosts Set Details | This action retrieves a list of host sets in HX, optionally filtered by name. |
Fetch Hosts From Host Set | This action retrieves the hosts linked to a host set. |
Fetch List of Acquisition | This action retrieves a list of all acquisitions with optional filters. |
Fetch System Version | This action retrieves the system version. |
Generic Action | This is a generic action used to make requests to any FireEye Endpoint Security (HX) endpoint. |
Get Alert Details | This action retrieves the alert details using alert ID. |
Get Alerts | This action retrieves alert details using filters. |
Get Computers Installed with FireEye HX | This action retrieves the list of computers on which the Endpoint Security agent is installed. |
Get Status of File Acquisition | This action retrieves the status of file acquisition using acquisition ID. |
List Triage Acquisitions | This action retrieves a list of triage acquisitions for a specific agent. |
Query About States of Host Containment | This action queries the containment state of a host using the host agent ID. |
Request File Acquired | This action requests a file to be acquired into endpoint security. |
Requesting Host for Containment | This action requests containment of a host using the host agent ID. |
Request Triage Package | This action requests endpoint host triage package using host agent ID. |
Suppress Alert | This action suppresses an alert using alert ID. |
Configuration Parameters
The following configuration parameters are required for the FireEye Endpoint Security (HX) app to communicate with the FireEye Endpoint Security (HX) enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the base domain. Example: host.tld | Text | Required | |
Username | Enter the username to access FireEye Endpoint Security (HX) | Text | Required | |
Password | Enter the password to access FireEye Endpoint Security (HX). | Password | Required | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with FireEye Endpoint Security (HX). | Integer | Optional | Allowed range: 15-120. Default value: 15. |
Verify | Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to yes. Setting it to no may establish the connection without verifying the server certificate. | Boolean | Optional | By default, verification is disabled. |
Action: Approve Request of Host Containment
This action approves the request for host containment.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. Example: DLm3RzyIyCkgrTiErbbK1G | Any | Required | |
Action: Cancel Host Containment
This action cancels host containment.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. Example: DLm3RzyIyCkgrTiErbbK1G | Any | Required | |
Action: Fetch Agent System Info
This action retrieves the agent system info.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the agent ID. | Text | Required | |
Action: Fetch Containment State
This action fetches the containment state of a host.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. | Text | Required | |
Action: Fetch Host Set Details
This action retrieves details of a particular host set.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Set ID | Enter the host set ID. | Text | Optional | You can retrieve this using the action Fetch Hosts Set Details. |
Action: Fetch Hosts Set Details
This action retrieves a list of hosts from host sets in HX.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Params | Enter the input parameters for retrieving the host set details. | Text | Required | |
Action: Fetch List of Acquisition
This action retrieves a list of all acquisitions with optional filters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the agent ID. | Text | Optional | |
Filename | Enter the filename. Example: IP list | Text | Optional | |
Action: Fetch System Version
This action retrieves the system version.
Action Input Parameters
This action does not require any input parameters.
Action: Get Alert Details
This action retrieves alert details using the alert ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. | Text | Required | You can retrieve this using the action Get Alerts. |
Action: Get Alerts
This action retrieves alerts using filters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Params | Enter the parameters. | Text | Optional | Allowed values: offset (offset_value): Specifies which record to start with in the response. The offset_value must be an unsigned 32-bit integer. By default, the value is 0. limit (limit_value): Specifies how many records are returned. The limit_value must be an unsigned 32-bit integer. By default, the value is 50. filter: Valid filters include has_fp_disposition (Boolean) and _id (String). sort (_id): Sorts the results by ID in ascending or descending order. |
Example Request
[ { "params": { "offset": 0, "limit": 50, "has_fp_disposition": true, "sort": "ascending" } } ]
Action: Get Computers Installed with FireEye HX
This action retrieves the list of computers on which the Endpoint Security agent is installed.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Search | Enter the search term for the endpoint. | Text | Optional | Allowed filter: endpoint name |
Limit | Enter the limit on the number of hosts returned. Example: 20 | Text | Optional | By default, the value is 50. |
Action: Get Status of File Acquisition
This action retrieves the status of a file acquisition using the acquisition ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Acquisition ID | Enter the acquisition ID. | Text | Required | |
Action: List Triage Acquisitions
This action retrieves a list of triage acquisitions for a specific agent.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the ID of the agent running on the host. Example: DLm3RzyIyCkgrTiErbbK1G | Text | Required | |
Query Params | Enter the query parameters to filter the response. | Key Value | Optional | Allowed keys: search (search_term): Searches the names of all host sets connected to the specified endpoint security server. offset (offset_value): Specifies which record to start with in the response. The offset_value must be an unsigned 32-bit integer. By default, the value is 0. limit (limit_value): Specifies how many records are returned. The limit_value must be an unsigned 32-bit integer. By default, the value is 50. sort (sort_value): Sorts the results by the specified field in ascending or descending order. The default is sorting by name in ascending order. Sortable fields are _id (host set ID) and name (host set name). filter_field=filter_value: Lists only results with the specified field value. Available filters are name (host set name) and type (type of host set, such as static or dynamic). |
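The offset/limit/sort rules above (shared by Get Alerts and List Triage Acquisitions) are easy to get wrong in a playbook: a negative offset, a limit outside 32 bits, or a non-Boolean has_fp_disposition filter silently yields wrong pages. This added example (not part of the connector or the HX API) validates those parameters and walks a result set page by page; the fetch callable, sample records and the "+desc" direction suffix are constructed assumptions for illustration only.

```python
from typing import Callable, Iterator

U32_MAX = 2**32 - 1
DEFAULT_OFFSET, DEFAULT_LIMIT = 0, 50        # defaults the action docs state
SORTABLE_FIELDS = {"_id", "name"}            # sort fields the action docs list


def _u32(name: str, value: int) -> int:
    """offset and limit must be unsigned 32-bit integers (bool is rejected too)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= U32_MAX:
        raise ValueError(f"{name} must be an unsigned 32-bit integer, got {value!r}")
    return value


def build_query_params(offset=None, limit=None, sort=None, descending=False, filters=None) -> dict:
    """Assemble one page's query parameters, applying the documented defaults."""
    params = {
        "offset": _u32("offset", DEFAULT_OFFSET if offset is None else offset),
        "limit": _u32("limit", DEFAULT_LIMIT if limit is None else limit),
    }
    if sort is not None:
        if sort not in SORTABLE_FIELDS:
            raise ValueError(f"sort field must be one of {sorted(SORTABLE_FIELDS)}")
        # ASSUMPTION: "+desc" is this example's own way of expressing sort direction
        params["sort"] = sort + ("+desc" if descending else "")
    for key, value in (filters or {}).items():
        if key == "has_fp_disposition" and not isinstance(value, bool):
            raise ValueError("has_fp_disposition must be a Boolean")
        params[key] = value
    return params


def iterate_pages(fetch: Callable[[dict], list], page_size: int = DEFAULT_LIMIT, **kwargs) -> Iterator[dict]:
    # Advance offset by page_size until a short page signals the end of the result set.
    offset = 0
    while True:
        page = fetch(build_query_params(offset=offset, limit=page_size, **kwargs))
        yield from page
        if len(page) < page_size:
            return
        offset += page_size


# Constructed sample records standing in for HX alerts; not real data.
SAMPLE_ALERTS = [{"_id": i, "has_fp_disposition": i % 3 == 0} for i in range(1, 8)]


def sample_fetch(params: dict) -> list:
    # Constructed stand-in for the connector call: apply filters, then slice the page.
    rows = [a for a in SAMPLE_ALERTS
            if all(a.get(k) == v for k, v in params.items() if k not in {"offset", "limit", "sort"})]
    return rows[params["offset"]:params["offset"] + params["limit"]]


def collect_all(page_size: int = 3, **kwargs) -> list:
    return list(iterate_pages(sample_fetch, page_size=page_size, **kwargs))
```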
Action: Query about States of Host Containment
This action queries the containment state of a host using the host agent ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. | Text | Required | |
Action: Request File Acquired
This action requests a file to be acquired into endpoint security.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the agent ID. | Text | Required | |
File path | Enter the file path. | Text | Required | |
Filename | Enter the file name. | Text | Required | |
Comment | Enter the comment. Example: Acquire file | Text | Optional | |
External ID | Enter the external ID. | Text | Optional | |
Action: Requesting Host for Containment
This action requests containment of the host using the host agent ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. | Text | Required | |
Action: Request Triage Package
This action requests the endpoint host triage package using the host agent ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. | Text | Required | |
Required Timestamp | Enter the required timestamp. Example: 2017-02-22T17:00:48.861Z | Text | Optional | Allowed format: ISO-8601_DATE |
External ID | Enter an external ID as an external correlation ID. | Text | Optional | |
Action: Suppress Alert
This action suppresses an alert using alert ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. | Text | Required | You can retrieve this using the action Get Alerts. |
Action: Generic Action
This is a generic action used to make requests to any FireEye Endpoint Security endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, PATCH, DELETE |
Endpoint | Enter the endpoint to make the request. | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_json, custom_output, download, filename, files, retry_wait, retry_count, and response_type. |