Skip to main content

Cyware Orchestrate

FireEye Endpoint Security (HX) 3.0.0

App Vendor: FireEye

App Category: Endpoint

Connector Version: 3.0.1

API Version: 3.0

About App

FireEye Endpoint Security (HX) is an advanced threat detection and response solution designed to protect endpoints from cyber-attacks. it enables real-time threat identification, live memory analysis, and automated response, integrating seamlessly with other security systems for efficient incident handling.

The FireEye Endpoint Security (HX) app is configured with Orchestrate to perform the following actions:

Action Name

Description

Add Condition to an Indicator

This action adds a condition to an indicator.

Approve Request of Host Containment

This action approves pending host containment requests made by other components or users

Create File Acquisition

This action creates a new file acquisition.

Create a Live Response

This action creates a new live response.

Create an Indicator

This action creates an indicator.

Create Dynamic Host Sets

This action creates dynamic host sets.

Create Static Host Set

This action creates a static host set.

Create Triage Acquisition

This action creates a new triage acquisition.

Delete a File Acquisition

This action deletes a particular file acquisition by ID.

Delete a Host Set Policy

This action deletes the host set policy.

Delete an Indicator

This action deletes an indicator.

Delete a Particular Bulk Acquisition

This action deletes a particular bulk acquisition.

Delete a Policy

This action deletes a policy using its ID.

Delete Data Acquisition

This action deletes a particular data acquisition by ID.

Delete Enterprise Search

This action cancels the specified search and deletes all results from disk.

Delete Indicator Condition

This action deletes an indicator condition.

Delete Search

This action cancels the specified search and deletes all results from disk.

Fetch Containment State

This action retrieves the containment state for a particular agent ID.

Fetch Host Set Details

This action retrieves details of a particular host set.

Fetch Hosts from Host Set

This action retrieves linked hosts with a host set.

Fetch Hosts Set

This action retrieves a list of all host sets known to your endpoint security server.

Fetch List of File Acquisition

This action retrieves a list of file acquisitions known to the system.

Fetch List of Hosts

This action retrieves a list of hosts connected to endpoint server.

Fetch List of Indicators

This action retrieves a list of indicators connected to endpoint server.

Fetch Result for Specific Enterprise Search

This action fetches the results for a specific enterprise search.

Fetch System Information

This action retrieves the full system information for a particular host.

Fetch System Version

This action used to fetch appliance ID and software and hardware version of your HX series appliance.

Get alert Details

This action retrieves the details of a particular alert.

Get Alert Details

This action retrieves the details of a specific alert using its ID.

Get Alerts

This action retrieves alerts details using filters.

Get Details of Indicator

This action gets details of an indicator in a specified category.

Get Host by ID

This action retrieves the summary information for a particular host connected to your endpoint security server.

Get status of File Acquisition

This action retrieves file acquisition by ID.

Insert Host Set Policy

This action inserts a new host set policy on your endpoint security server.

List Host Set Policies

This action retrieves a list of all host set policies known to your endpoint security server.

List Indicator Categories

This action retrieves a list of indicator categories.

List Indicators in a Category

This actions lists indicators in a specified category.

List Policies

This action lists policies.

List Searches

This action is used to get a list of searches.

List Triage Acquisitions

This action is used to get a list of triage acquisitions for a specific agent.

Release Host From Containment

This action releases a specific host from containment.

Request Host for Containtment

This action is used to request host for containment using host agent ID. The request must be approved before the host is contained.

Suppress Alert

This action is used to suppress alert using alert ID.

Update an Indicator

This action updates an indicator in specified category.

Update Dynamic Host Sets

This action updates a dynamic host set

Update Static Host Sets

This action updates a static host set.

Generic Action

This is a generic action used to make requests to any FireEye Endpoint Security endpoint.

Configuration Parameters

The following configuration parameters are required for the FireEye Endpoint Security (HX) app to communicate with the FireEye Endpoint Security (HX) enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Domain URL

Enter the base URL to access FireEye Endpoint Security (HX).

Example:

https://<host>.<tld>

Text

Required

Username

Enter the username.

Text

Required

Password

Enter the password.

Password

Required

Timeout

Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with FireEye Endpoint Security (HX).

Integer

Optional

Allowed range:

15-120

Default value:

15

Verify

Choose your preference to verify SSL or TLS while making requests. It is recommended to set this option to yes. Passing no may result in incorrectly establishing the connection.

Boolean

Optional

By default, verification is disabled.

Action: Add Condition to an Indicator

This action adds a condition to an indicator.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator URI Name

Enter the indicator URI name.

Text

Required

Category Name

Enter the indicator category URI name.

Text

Required

Payload

Enter the condition to be patched.

Text

Required

Example Request

[
  {
    "request_body": "8e3c2a8e658b3c7f093728fd2d07be1b",
    "category_name": "Custom",
    "indicator_uri_name": "f32581a5-8e12-485b-9e0d-d57960e162c3"
  }
]
Action: Approve Request of Host Containment

This action approves pending host containment requests made by other components or users.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the host agent ID.

Example:

DLm3RzyIyCkgrTiErbbK1G

Text

Required

Example Request

[
 {
   agent_id:"DLm3RzyIyCkgrTiErbbK1G"
 }
]
Action: Create a Live Response

This action used to create a new live response.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the agent ID.

Text

Required

Name

Enter the name of the script.

Text

Required

Script

Enter the script.

Key Value

Required

Example Request

[
  {
    "name": "Test",
    "script": {
      "b64": "PHNjcmlwdD5sbyBhbmQgYmVob2xkLi4uIGF3ZXNvbWVuZXNzISEhPC9zY3JpcHQ+Cg=="
    },
    "agent_id": "mkVRuA6eC8fe31op1LP4Ho"
  }
]
Action: Create an Indicator

This action creates an indicator.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Category Name

Enter the indicator category URI name.

Text

Required

Payload

Enter the payload containing details of new indicators to be created.

Any

Required

Example Request

[
  {
    "payload": {
      "display_name": "Cool display 1219 name",
      "description": "desc",
      "created_by": "me",
      "create_text": "me",
      "signature": null,
      "meta": {
        "test": "testing"
      },
      "platforms": [
        "win"
      ]
    },
    "category_name": "Custom"
  }
]
Action: Create Dynamic Host Sets

This action creates dynamic host sets.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host Set Name

Enter the name of host set to be created.

Text

Required

Query

Enter the query payload.

Example:

{"key": "agentversion","value": "31.28.17","operator": "gte"}

Key Value

Required

Example Request

[
  {
    "name": "Sample Name",
    "query": {
      "key": "domain",
      "value": "sampledomain",
      "operator": "matches"
    }
  }
]
Action: Create File Acquisition

This action used to create a new file acquisition.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the agent ID.

Text

Required

File Path

Enter the file path

Text

Required

Filename

Enter the filename.

Text

Required

Comment

Enter a comment associated with the file acquisition.

Text

Optional

External ID

Enter external correlation ID from a SIEM solution.

Text

Optional

Action: Create Static Host Set

This action creates a static host set.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host Set Name

Enter the name of host set to be created.

Text

Required

Changes

Enter the changes to be made to the host set.

List

Required

Allowed keys:

command, add, remove

Example Request

[
  {
    "name": "Cyware 9891",
    "changes": [
      {
        "command": "change",
        "add": [
          "HruMRhCCGokdA8ZJdEt3Qh"
        ]
      }
    ]
  }
]
Action: Create Triage Acquisition

This action creates a new triage acquisition.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the agent ID.

Text

Required

Required Timestamp

Enter the required timestamp of the triage collection time.

Text

Optional

Allowed format:

ISO 8601 format

External ID

Enter external correlation ID from a SIEM solution.

Text

Optional

Example Request

[
  {
    "agent_id": "pti9f35V70jbbcMjP963qc"
  }
]
Action: Delete a File Acquisition

This action deletes a particular file acquisition by ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Acquisition ID

Enter the Acquisition ID.

Integer

Required

Example Request

[
  {
    "acquisition_id": "22"
  }
]
Action: Delete a Host Set Policy

This action deletes the host set policy.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Policy ID

Enter the policy ID.

Text

Required

Host Set ID

Enter the host set ID.

Integer

Required

Example Request

[
  {
    "policy_id": "e9dfc066-479b-4198-9da3-a135f09b706b",
    "host_set_id": "1034"
  }
]
Action: Delete an Indicator

This action deletes an indicator.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator URI Name

Enter the indicator URI name.

Text

Required

Category Name

Enter the indicator category URI name.

Text

Required

Example Request

[
  {
    "category_name": "Custom",
    "indicator_uri_name": "test 12345"
  }
]
Action: Delete a Particular Bulk Acquisition

This action deletes a particular bulk acquisition.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Acquisition ID

Enter the acquisition ID.

Integer

Required

Example Request

[
  {
    "acquisition_id": "22"
  }
]
Action: Delete a Policy

This action deletes a policy using its ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Policy ID

Enter the policy ID.

Text

Required

Action: Delete Data Acquisition

This action deletes a particular data acquisition by ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Acquisition ID

Enter the acquisition ID.

Integer

Required

Example Request

[
  {
    "acquisition_id": "23"
  }
]
Action: Delete Indicator Condition

This action deletes an indicator condition.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator URI Name

Enter the indicator URI name.

Text

Required

Category Name

Enter the indicator category URI name.

Text

Required

Condition Type

Enter the type of condition.

Text

Required

Allowed values:

presence, execution

Condition ID

Enter the condition ID to be deleted.

Text

Required

Example Request

[
  {
    "condition_id": "5102",
    "category_name": "Custom",
    "condition_type": "execution",
    "indicator_uri_name": "f32581a5-8e12-485b-9e0d-d57960e162c3"
  }
]
Action: Fetch Containment State

This action used to fetch the containment state for a particular agent ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the host agent ID.

Text

Required

Example Request

[
  {
    "agent_id": "pti9f35V70jbbcMjP963qc"
  }
]
Action: Fetch Host Set Details

This action retrieves details of a particular host set.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host Set ID

Enter host set ID.

Text

Required

Example Request

[
  {
    "host_set_id": 1002
  }
]
Action: Fetch Hosts from Host Set

This action retrieves linked hosts with a host set.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host Set ID

Enter host set ID.

Text

Required

Example Request

[
  {
    "host_set_id": 1002
  }
]
Action: Fetch Hosts Set

This action retrieves a list of all host sets known to your endpoint security server.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Extra Params

Enter parameters to apply filters.

Example:

{'type':'venn'}

Key Value

Optional

Example Request

[
  {
  "extra_params":
     {
        "type":"venn"
     }
  }
]
Action: Fetch List of File Acquisition

This action is retrieves a list of file acquisitions known to the system.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host ID

Enter the host ID to filter file acquisitions.

Text

Optional

Search

Enter the global search value.

Text

Optional

Extra Params

Enter parameters to apply filters.

Example:

{'limit':20}

Key Value

Optional

Example Request

[
  {
    "extra_fields": {}
  }
]
Action: Fetch List of Hosts

This action retrieves a list of hosts connected to endpoint server.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filter Query Search

Enter search for endpoint.

Text

Optional

This must be a URL encoded JSON object.

Limit

Enter the number of hosts returned.

Integer

Optional

Default value:

50

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Example Request

[
  {
    "limit": "13",
    "extra_fields": {}
  }
]
Action: Fetch List of Indicators

This action retrieves a list of indicators connected to endpoint server.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filter Query Search

Enter search criteria for indicators.

Text

Optional

Limit

Enter the number of indicators returned.

Integer

Optional

Default value:

50

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Example Request

[
  {
    "limit": "10",
    "extra_fields": {}
  }
]
Action: Fetch System Information

This action retrieves the full system information for a particular host.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the agent ID.

Text

Required

Example Request

[
  {
    "agent_id": "pti9f35V70jbbcMjP963qc"
  }
]
Action: Fetch System Version

This action retrieves appliance ID and software and hardware version of your HX series appliance.

Action Input Parameters

No input parameters are required for this action.

Action: Get Alert Details

This action retrieves the details of a specific alert using its ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID

Enter the alert ID to retrieve its details.

Text

Required

Action: Get Alerts

This action retrieves alerts using filters.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Extra Params

Enter extra params to filter the response.

Example:

{'limit':20}

Key Value

Optional

Example Request

[
  {
    "extra_fields": 
       {     
          "limit":20
       }
  }
]
Action: Get Details of Indicator

This action retrieves details of an indicator in a specified category.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator URI Name

Enter the indicator URI name.

Text

Required

Category Name

Enter the indicator category URI name.

Text

Required

Example Request

[
  {
    "category_name": "Custom",
    "indicator_uri_name": "Sample Name"
  }
]
Action: Get Host by ID

This action retrieves the summary information for a particular host connected to your endpoint security server.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the agent ID.

Text

Required

Example Request

[
  {
    "agent_id": "MbQok3zz5mhgmNRyNf39FV"
  }
]
Action: Get status of File Acquisition

This action retrieves the file acquisition by ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Acquisition ID

Enter the acquisition ID.

Integer

Required

Example Request

[
  {
    "acquisition_id": "23"
  }
]
Action: Insert Host Set Policy

This action inserts a new host set policy on your endpoint security server.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host Set ID

Enter the host set ID.

Integer

Required

Policy ID

Enter the unique policy ID.

Text

Required

Example Request

[
  {
    "policy_id": "e9dfc066-479b-4198-9da3-a135f09b706b",
    "host_set_id": "1034"
  }
]
Action: List Host Set Policies

This action retrieves a list of all host set policies known to your endpoint security server.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Limit

Enter the number of host set policies to be returned.

Integer

Optional

Default value:

50

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Example Request

[
  {
    "limit": "12",
    "extra_fields": {}
  }
]
Action: List Indicator Categories

This action retrieves a list of indicator categories.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filter Query Search

Enter search criteria for indicator categories.

Text

Optional

Limit

Enter the number of indicator categories to be returned.

Integer

Optional

Default value:

50

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Example Request

[
  {
    "limit": "12",
    "extra_fields": {}
  }
]
Action: List Indicators in a Category

This actions lists indicators in a specified category.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Search Term

Enter any name, category, signature, source, or condition value to narrow the search.

Text

Optional

Category

Enter the category of the indicator.

Text

Required

Limit

Enter the number of indicators to be returned.

Integer

Optional

Default value:

50

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Example Request

[
  {
    "extra_fields": {},
    "category_name": "Custom"
  }
]
Action: List Policies

This action retrieves a list of policies.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Limit

Enter the number of policies to be returned.

Integer

Optional

Default value:

50

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Example Request

[
  {
    "limit": "12",
    "extra_fields": {}
  }
]
Action: List Searches

This action can be used to get a list of searches.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Limit

Enter the number of searches to be returned.

Integer

Optional

Default value:

50

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Example Request

[
  {
    "limit": "12",
    "extra_fields": {}
  }
]
Action: List Triage Acquisitions

This action retrieves a list of triage acquisitions for a specific agent.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the ID of the agent running on the host.

Example:

dlm3rzyiyckgrtierbbk1g

Text

Required

Query Params

Enter the query parameters to filter the response.

Key Value

Optional

Allowed keys:

search, offset, limit, sort, and filter_field

Action: Release Host From Containment

This action releases a specific host from containment.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the host agent ID.

Text

Required

Example Request

[
  {
    "agent_id": "pti9f35V70jbbcMjP963qc"
  }
]
Action: Request Host for Containment

This action is used to request host for containment using host agent ID. The request must be approved before the host is contained.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent ID

Enter the host agent ID.

Text

Required

Example Request

[
  {
    "agent_id": "pti9f35V70jbbcMjP963qc"
  }
]
Action: Suppress Alert

This action is used to suppress alert using alert ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID

Enter the alert ID.

Text

Required

Action: Update an Indicator

This action updates an existing indicator.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator URI Name

Enter the indicator URI name.

Text

Required

Category Name

Enter the indicator category URI name.

Text

Required

Payload

Enter the payload containing details of the indicator to be created.

Any

Required

Example Request

[
  {
    "request_body": {
      "display_name": "Cool display 12 name",
      "description": "desc",
      "created_by": "me",
      "create_text": "me",
      "signature": null,
      "meta": {
        "test": "testing"
      },
      "platforms": [
        "win"
      ]
    },
    "category_name": "Custom",
    "indicator_uri_name": "f32581a5-8e12-485b-9e0d-d57960e162c3"
  }
]
Action: Update Dynamic Host Sets

This action updates a dynamic host set.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host Set ID

Enter the ID of host set to be updated.

Integer

Required

Host Set Name

Enter the name of host.

Text

Required

Query

Enter the query payload.

Example:

{"key": "agentversion","value": "31.28.17","operator": "gte"}

Key Value

Required

Example Request

[
  {
    "name": "Sample Host Name",
    "query": {
      "key": "timezone",
      "value": "testing",
      "operator": "matches"
    },
    "hostset_id": 1034
  }
]
Action: Update Static Host Sets

This action updates a static host set.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host Set ID

Enter the ID of host set to be updated.

Example:

1036

Integer

Required

Host Set Name

Enter the name of host set.

Text

Required

Changes

Enter the changes to be made to the host set.

List

Required

Example Request

[
  {
    "name": "Sample Host Name",
    "changes": [
      {
        "command": "change",
        "remove": [
          "HruMRhCCGokdA8ZJdEt3Qh"
        ]
      }
    ],
    "hostset_id": "1035"
  }
]
Action: Generic Action

This is a generic action used to make requests to any FireEye Endpoint Security endpoint.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Method

Enter the HTTP method to make the request.

Text

Required

Allowed values:

GET, PUT, POST, PATCH, DELETE

Endpoint

Enter the endpoint to make the request.

Example:

hosts/{agent_id}/triages

Text

Required

Query Params

Enter the query parameters to pass to the API.

Key Value

Optional

Payload

Enter the payload to pass to the API.

Any

Optional

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Example Request

[
  {
    "method": "GET",
    "endpoint": "hosts",
    "extra_fields": {},
    "query_params": {}
  }
]