FireEye Endpoint Security (HX)
App Vendor: FireEye
App Category: Endpoint
Connector Version: 3.0.0
API Version: 3.0
About App
FireEye Endpoint Security (HX) is an advanced threat detection and response solution designed to protect endpoints from cyber-attacks. It enables real-time threat identification, live memory analysis, and automated response, and integrates with other security systems for efficient incident handling.
The FireEye Endpoint Security (HX) app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Condition to an Indicator | This action adds a condition to an indicator. |
Approve Request of Host Containment | This action approves pending host containment requests made by other components or users |
Create File Acquisition | This action creates a new file acquisition. |
Create a Live Response | This action creates a new live response. |
Create an Indicator | This action creates an indicator. |
Create Dynamic Host Sets | This action creates dynamic host sets. |
Create Static Host Set | This action creates a static host set. |
Create Triage Acquisition | This action creates a new triage acquisition. |
Delete a File Acquisition | This action deletes a particular file acquisition by ID. |
Delete a Host Set Policy | This action deletes the host set policy. |
Delete an Indicator | This action deletes an indicator. |
Delete a Particular Bulk Acquisition | This action deletes a particular bulk acquisition. |
Delete a Policy | This action deletes a policy using its ID. |
Delete Data Acquisition | This action deletes a particular data acquisition by ID. |
Delete Enterprise Search | This action cancels the specified search and deletes all results from disk. |
Delete Indicator Condition | This action deletes an indicator condition. |
Delete Search | This action cancels the specified search and deletes all results from disk. |
Fetch Containment State | This action retrieves the containment state for a particular agent ID. |
Fetch Host Set Details | This action retrieves details of a particular host set. |
Fetch Hosts from Host Set | This action retrieves linked hosts with a host set. |
Fetch Hosts Set | This action retrieves a list of all host sets known to your endpoint security server. |
Fetch List of File Acquisition | This action retrieves a list of file acquisitions known to the system. |
Fetch List of Hosts | This action retrieves a list of hosts connected to endpoint server. |
Fetch List of Indicators | This action retrieves a list of indicators connected to endpoint server. |
Fetch Result for Specific Enterprise Search | This action fetches the results for a specific enterprise search. |
Fetch System Information | This action retrieves the full system information for a particular host. |
Fetch System Version | This action fetches the appliance ID and the software and hardware versions of your HX series appliance. |
Get Alert Details | This action retrieves the details of a specific alert using its ID. |
Get Alerts | This action retrieves alerts details using filters. |
Get Details of Indicator | This action gets details of an indicator in a specified category. |
Get Host by ID | This action retrieves the summary information for a particular host connected to your endpoint security server. |
Get status of File Acquisition | This action retrieves file acquisition by ID. |
Insert Host Set Policy | This action inserts a new host set policy on your endpoint security server. |
List Host Set Policies | This action retrieves a list of all host set policies known to your endpoint security server. |
List Indicator Categories | This action retrieves a list of indicator categories. |
List Indicators in a Category | This action lists indicators in a specified category. |
List Policies | This action lists policies. |
List Searches | This action is used to get a list of searches. |
List Triage Acquisitions | This action is used to get a list of triage acquisitions for a specific agent. |
Release Host From Containment | This action releases a specific host from containment. |
Request Host for Containment | This action requests containment of a host using its host agent ID. The request must be approved before the host is contained. |
Suppress Alert | This action is used to suppress alert using alert ID. |
Update an Indicator | This action updates an indicator in specified category. |
Update Dynamic Host Sets | This action updates a dynamic host set. |
Update Static Host Sets | This action updates a static host set. |
Generic Action | This is a generic action used to make requests to any FireEye Endpoint Security endpoint. |
Configuration Parameters
The following configuration parameters are required for the FireEye Endpoint Security (HX) app to communicate with the FireEye Endpoint Security (HX) enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain URL | Enter the base URL to access FireEye Endpoint Security (HX). Example: https://<host>.<tld> | Text | Required | |
Username | Enter the username. | Text | Required | |
Password | Enter the password. | Password | Required | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with FireEye Endpoint Security (HX). | Integer | Optional | Allowed range: 15-120; Default value: 15 |
Verify | Choose whether to verify the server's SSL/TLS certificate while making requests. It is recommended to set this option to yes. Setting it to no skips certificate verification, so the connection may be established with an unverified server. | Boolean | Optional | By default, verification is disabled. |
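The following is an added example (not code from Cyware or FireEye) that checks an instance configuration against the constraints the table above states: an https base URL, a Timeout of 15 to 120 seconds with a default of 15, and Verify, which defaults to disabled and is recommended to be yes. The class and function names are this example's own; the connector's internal implementation is not on the page.

```python
"""Instance-configuration checks for the FireEye Endpoint Security (HX) app.

Added example, not Cyware's or FireEye's code. Only the rules from the
configuration table are encoded; HxInstanceConfig and check_config are
names chosen for this example.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

TIMEOUT_MIN = 15
TIMEOUT_MAX = 120
TIMEOUT_DEFAULT = 15


@dataclass(frozen=True)
class HxInstanceConfig:
    domain_url: str
    username: str
    password: str
    timeout: int = TIMEOUT_DEFAULT
    verify: bool = False  # per the table, verification is disabled by default


def effective_timeout(raw: Optional[str]) -> int:
    """Apply the table's default when Timeout is left blank, else enforce the range."""
    if raw is None or str(raw).strip() == "":
        return TIMEOUT_DEFAULT
    value = int(raw)
    if not TIMEOUT_MIN <= value <= TIMEOUT_MAX:
        raise ValueError(f"timeout {value} outside allowed range {TIMEOUT_MIN}-{TIMEOUT_MAX}")
    return value


def check_config(cfg: HxInstanceConfig) -> List[str]:
    """Return the problems found; an empty list means the instance is acceptable."""
    problems: List[str] = []
    parts = urlsplit(cfg.domain_url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("domain_url: expected an https base URL such as https://<host>.<tld>")
    if parts.query or parts.fragment:
        problems.append("domain_url: a base URL must not carry a query string or fragment")
    if not cfg.username or not cfg.password:
        problems.append("username/password: both are required")
    if not isinstance(cfg.timeout, int) or not TIMEOUT_MIN <= cfg.timeout <= TIMEOUT_MAX:
        problems.append(f"timeout: {cfg.timeout!r} is outside the allowed range {TIMEOUT_MIN}-{TIMEOUT_MAX}")
    if not cfg.verify:
        # Weak setting: the server certificate is never checked, so a TLS connection
        # can be established with any endpoint that presents a certificate.
        problems.append("verify: disabled; the server certificate will not be checked (set to yes)")
    return problems


if __name__ == "__main__":
    # Constructed sample instances: the weak one beside the corrected one.
    weak = HxInstanceConfig("http://hx.example.internal", "analyst", "", timeout=5)
    corrected = HxInstanceConfig("https://hx.example.internal", "analyst", "s3cret", timeout=30, verify=True)
    for name, cfg in (("weak", weak), ("corrected", corrected)):
        print(name, check_config(cfg) or "ok")
```

Running the block prints four problems for the weak instance (plain http, empty password, timeout below 15, verification off) and "ok" for the corrected one.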
Action: Add Condition to an Indicator
This action adds a condition to an indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator URI Name | Enter the indicator URI name. | Text | Required | |
Category Name | Enter the indicator category URI name. | Text | Required | |
Payload | Enter the condition to be patched. | Text | Required |
Example Request
[ { "request_body": "8e3c2a8e658b3c7f093728fd2d07be1b", "category_name": "Custom", "indicator_uri_name": "f32581a5-8e12-485b-9e0d-d57960e162c3" } ]
Action: Approve Request of Host Containment
This action approves pending host containment requests made by other components or users.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. Example: DLm3RzyIyCkgrTiErbbK1G | Text | Required |
Example Request
[ { "agent_id": "DLm3RzyIyCkgrTiErbbK1G" } ]
Action: Create a Live Response
This action creates a new live response.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the agent ID. | Text | Required | |
Name | Enter the name of the script. | Text | Required | |
Script | Enter the script. | Key Value | Required |
Example Request
[ { "name": "Test", "script": { "b64": "PHNjcmlwdD5sbyBhbmQgYmVob2xkLi4uIGF3ZXNvbWVuZXNzISEhPC9zY3JpcHQ+Cg==" }, "agent_id": "mkVRuA6eC8fe31op1LP4Ho" } ]
Action: Create an Indicator
This action creates an indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Category Name | Enter the indicator category URI name. | Text | Required | |
Payload | Enter the payload containing details of new indicators to be created. | Any | Required |
Example Request
[ { "payload": { "display_name": "Cool display 1219 name", "description": "desc", "created_by": "me", "create_text": "me", "signature": null, "meta": { "test": "testing" }, "platforms": [ "win" ] }, "category_name": "Custom" } ]
Action: Create Dynamic Host Sets
This action creates dynamic host sets.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Set Name | Enter the name of host set to be created. | Text | Required | |
Query | Enter the query payload. Example: {"key": "agentversion","value": "31.28.17","operator": "gte"} | Key Value | Required |
Example Request
[ { "name": "Sample Name", "query": { "key": "domain", "value": "sampledomain", "operator": "matches" } } ]
Action: Create File Acquisition
This action creates a new file acquisition.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the agent ID. | Text | Required | |
File Path | Enter the file path. | Text | Required | |
Filename | Enter the filename. | Text | Required | |
Comment | Enter a comment associated with the file acquisition. | Text | Optional | |
External ID | Enter external correlation ID from a SIEM solution. | Text | Optional |
Action: Create Static Host Set
This action creates a static host set.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Set Name | Enter the name of host set to be created. | Text | Required | |
Changes | Enter the changes to be made to the host set. | List | Required | Allowed keys: command, add, remove |
Example Request
[ { "name": "Cyware 9891", "changes": [ { "command": "change", "add": [ "HruMRhCCGokdA8ZJdEt3Qh" ] } ] } ]
Action: Create Triage Acquisition
This action creates a new triage acquisition.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the agent ID. | Text | Required | |
Required Timestamp | Enter the required timestamp of the triage collection time. | Text | Optional | Allowed format: ISO 8601 format |
External ID | Enter external correlation ID from a SIEM solution. | Text | Optional |
Example Request
[ { "agent_id": "pti9f35V70jbbcMjP963qc" } ]
Action: Delete a File Acquisition
This action deletes a particular file acquisition by ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Acquisition ID | Enter the Acquisition ID. | Integer | Required |
Example Request
[ { "acquisition_id": "22" } ]
Action: Delete a Host Set Policy
This action deletes the host set policy.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Policy ID | Enter the policy ID. | Text | Required | |
Host Set ID | Enter the host set ID. | Integer | Required |
Example Request
[ { "policy_id": "e9dfc066-479b-4198-9da3-a135f09b706b", "host_set_id": "1034" } ]
Action: Delete an Indicator
This action deletes an indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator URI Name | Enter the indicator URI name. | Text | Required | |
Category Name | Enter the indicator category URI name. | Text | Required |
Example Request
[ { "category_name": "Custom", "indicator_uri_name": "test 12345" } ]
Action: Delete a Particular Bulk Acquisition
This action deletes a particular bulk acquisition.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Acquisition ID | Enter the acquisition ID. | Integer | Required |
Example Request
[ { "acquisition_id": "22" } ]
Action: Delete a Policy
This action deletes a policy using its ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Policy ID | Enter the policy ID. | Text | Required |
Action: Delete Data Acquisition
This action deletes a particular data acquisition by ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Acquisition ID | Enter the acquisition ID. | Integer | Required |
Example Request
[ { "acquisition_id": "23" } ]
Action: Delete Enterprise Search
This action cancels the specified search and deletes all results from disk.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search ID | Enter the search ID. | Integer | Required |
Example Request
[ { "search_id": "1" } ]
Action: Delete Indicator Condition
This action deletes an indicator condition.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator URI Name | Enter the indicator URI name. | Text | Required | |
Category Name | Enter the indicator category URI name. | Text | Required | |
Condition Type | Enter the type of condition. | Text | Required | Allowed values: presence, execution |
Condition ID | Enter the condition ID to be deleted. | Text | Required |
Example Request
[ { "condition_id": "5102", "category_name": "Custom", "condition_type": "execution", "indicator_uri_name": "f32581a5-8e12-485b-9e0d-d57960e162c3" } ]
Action: Delete Search
This action cancels the specified search and deletes all results from disk.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search ID | Enter the search ID. | Integer | Required |
Example Request
[ { "search_id": 1 } ]
Action: Fetch Containment State
This action fetches the containment state for a particular agent ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. | Text | Required |
Example Request
[ { "agent_id": "pti9f35V70jbbcMjP963qc" } ]
Action: Fetch Host Set Details
This action retrieves details of a particular host set.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Set ID | Enter host set ID. | Text | Required |
Example Request
[ { "host_set_id": 1002 } ]
Action: Fetch Hosts from Host Set
This action retrieves linked hosts with a host set.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Set ID | Enter host set ID. | Text | Required |
Example Request
[ { "host_set_id": 1002 } ]
Action: Fetch Hosts Set
This action retrieves a list of all host sets known to your endpoint security server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter parameters to apply filters. Example: {'type':'venn'} | Key Value | Optional |
Example Request
[ { "extra_params": { "type":"venn" } } ]
Action: Fetch List of File Acquisition
This action retrieves a list of file acquisitions known to the system.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host ID | Enter the host ID to filter file acquisitions. | Text | Optional | |
Search | Enter the global search value. | Text | Optional | |
Extra Params | Enter parameters to apply filters. Example: {'limit':20} | Key Value | Optional |
Example Request
[ { "extra_fields": {} } ]
Action: Fetch List of Hosts
This action retrieves a list of hosts connected to the endpoint security server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter Query Search | Enter the search query for hosts. | Text | Optional | This must be a URL-encoded JSON object. |
Limit | Enter the number of hosts returned. | Integer | Optional | Default value: 50 |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional |
Example Request
[ { "limit": "13", "extra_fields": {} } ]
Action: Fetch List of Indicators
This action retrieves a list of indicators known to the endpoint security server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter Query Search | Enter search criteria for indicators. | Text | Optional | |
Limit | Enter the number of indicators returned. | Integer | Optional | Default value: 50 |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional |
Example Request
[ { "limit": "10", "extra_fields": {} } ]
Action: Fetch Result for Specific Enterprise Search
This action fetches the results for a specific enterprise search.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search ID | Enter the search ID. Example: 141 | Integer | Required |
Example Request
[ { "search_id": "141" } ]
Action: Fetch System Information
This action retrieves the full system information for a particular host.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the agent ID. | Text | Required |
Example Request
[ { "agent_id": "pti9f35V70jbbcMjP963qc" } ]
Action: Fetch System Version
This action retrieves appliance ID and software and hardware version of your HX series appliance.
Action Input Parameters
No input parameters are required for this action.
Action: Get Alert Details
This action retrieves the details of a specific alert using its ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to retrieve its details. | Text | Required |
Action: Get Alerts
This action retrieves alerts using filters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter extra params to filter the response. Example: {'limit':20} | Key Value | Optional |
Example Request
[ { "extra_fields": { "limit":20 } } ]
Action: Get Details of Indicator
This action retrieves details of an indicator in a specified category.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator URI Name | Enter the indicator URI name. | Text | Required | |
Category Name | Enter the indicator category URI name. | Text | Required |
Example Request
[ { "category_name": "Custom", "indicator_uri_name": "Sample Name" } ]
Action: Get Host by ID
This action retrieves the summary information for a particular host connected to your endpoint security server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the agent ID. | Text | Required |
Example Request
[ { "agent_id": "MbQok3zz5mhgmNRyNf39FV" } ]
Action: Get status of File Acquisition
This action retrieves the file acquisition by ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Acquisition ID | Enter the acquisition ID. | Integer | Required |
Example Request
[ { "acquisition_id": "23" } ]
Action: Insert Host Set Policy
This action inserts a new host set policy on your endpoint security server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Set ID | Enter the host set ID. | Integer | Required | |
Policy ID | Enter the unique policy ID. | Text | Required |
Example Request
[ { "policy_id": "e9dfc066-479b-4198-9da3-a135f09b706b", "host_set_id": "1034" } ]
Action: List Host Set Policies
This action retrieves a list of all host set policies known to your endpoint security server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the number of host set policies to be returned. | Integer | Optional | Default value: 50 |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional |
Example Request
[ { "limit": "12", "extra_fields": {} } ]
Action: List Indicator Categories
This action retrieves a list of indicator categories.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter Query Search | Enter search criteria for indicator categories. | Text | Optional | |
Limit | Enter the number of indicator categories to be returned. | Integer | Optional | Default value: 50 |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional |
Example Request
[ { "limit": "12", "extra_fields": {} } ]
Action: List Indicators in a Category
This actions lists indicators in a specified category.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search Term | Enter any name, category, signature, source, or condition value to narrow the search. | Text | Optional | |
Category | Enter the category of the indicator. | Text | Required | |
Limit | Enter the number of indicators to be returned. | Integer | Optional | Default value: 50 |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional |
Example Request
[ { "extra_fields": {}, "category_name": "Custom" } ]
Action: List Policies
This action retrieves a list of policies.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the number of policies to be returned. | Integer | Optional | Default value: 50 |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional |
Example Request
[ { "limit": "12", "extra_fields": {} } ]
Action: List Searches
This action can be used to get a list of searches.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the number of searches to be returned. | Integer | Optional | Default value: 50 |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional |
Example Request
[ { "limit": "12", "extra_fields": {} } ]
Action: List Triage Acquisitions
This action retrieves a list of triage acquisitions for a specific agent.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the ID of the agent running on the host. Example: dlm3rzyiyckgrtierbbk1g | Text | Required | |
Query Params | Enter the query parameters to filter the response. | Key Value | Optional | Allowed keys: search, offset, limit, sort, and filter_field |
Action: Release Host From Containment
This action releases a specific host from containment.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. | Text | Required |
Example Request
[ { "agent_id": "pti9f35V70jbbcMjP963qc" } ]
Action: Request Host for Containment
This action requests containment of a host using its host agent ID. The request must be approved before the host is contained.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the host agent ID. | Text | Required |
Example Request
[ { "agent_id": "pti9f35V70jbbcMjP963qc" } ]
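The four containment actions on this page (Request Host for Containment, Approve Request of Host Containment, Fetch Containment State, Release Host From Containment) form one workflow in which a request must be approved before the host is contained. The following added example, which is not Cyware's or FireEye's code, models that workflow against an in-memory stand-in for the endpoint server so the approval gate can be exercised offline. The ContainmentServer class, the state names and the rule that the approver must differ from the requester (this example's reading of "requests made by other components or users") are assumptions of the example; the real HX API endpoints and state vocabulary are not on the page.

```python
"""Two-step host containment as the Orchestrate actions describe it.

Added example, not code from Cyware or FireEye. ContainmentServer is an
in-memory stand-in for the endpoint security server; state names are
this example's own.
"""
from enum import Enum
from typing import Dict, List, Tuple


class State(str, Enum):
    NORMAL = "normal"                 # not contained, nothing pending
    PENDING = "pending_approval"      # containment requested, awaiting approval
    CONTAINED = "contained"           # request approved, host isolated


class ContainmentError(Exception):
    pass


class ContainmentServer:
    """Tracks containment state per agent ID and enforces the approval gate."""

    def __init__(self, agent_ids: List[str]):
        self._state: Dict[str, State] = {a: State.NORMAL for a in agent_ids}
        self._requester: Dict[str, str] = {}
        # (actor, action, agent_id): what a playbook should write to its audit trail
        self.audit: List[Tuple[str, str, str]] = []

    def _get(self, agent_id: str) -> State:
        if agent_id not in self._state:
            raise ContainmentError(f"unknown agent id {agent_id!r}")
        return self._state[agent_id]

    def request_containment(self, actor: str, agent_id: str) -> str:
        """Request Host for Containment: only moves the host to pending."""
        if self._get(agent_id) != State.NORMAL:
            raise ContainmentError(f"{agent_id}: containment already requested or active")
        self._state[agent_id] = State.PENDING
        self._requester[agent_id] = actor
        self.audit.append((actor, "request", agent_id))
        return self._state[agent_id].value

    def approve_containment(self, actor: str, agent_id: str) -> str:
        """Approve Request of Host Containment: needs a pending request by someone else."""
        if self._get(agent_id) != State.PENDING:
            raise ContainmentError(f"{agent_id}: no pending containment request to approve")
        if self._requester.get(agent_id) == actor:
            # Example's interpretation: the approver is a different user or component.
            raise ContainmentError(f"{agent_id}: requester {actor!r} cannot approve their own request")
        self._state[agent_id] = State.CONTAINED
        self.audit.append((actor, "approve", agent_id))
        return self._state[agent_id].value

    def fetch_state(self, agent_id: str) -> str:
        """Fetch Containment State."""
        return self._get(agent_id).value

    def release(self, actor: str, agent_id: str) -> str:
        """Release Host From Containment; a pending request is withdrawn as well (example's choice)."""
        if self._get(agent_id) == State.NORMAL:
            raise ContainmentError(f"{agent_id}: host is not contained or pending")
        self._state[agent_id] = State.NORMAL
        self._requester.pop(agent_id, None)
        self.audit.append((actor, "release", agent_id))
        return self._state[agent_id].value


def contain_with_approval(server: ContainmentServer, agent_id: str, requester: str, approver: str) -> str:
    """Playbook-style sequence: request, then approve, then confirm via fetch_state."""
    server.request_containment(requester, agent_id)
    server.approve_containment(approver, agent_id)
    return server.fetch_state(agent_id)


if __name__ == "__main__":
    srv = ContainmentServer(["pti9f35V70jbbcMjP963qc"])   # agent ID from the page's examples
    print(contain_with_approval(srv, "pti9f35V70jbbcMjP963qc", "playbook", "analyst"))
    print(srv.release("analyst", "pti9f35V70jbbcMjP963qc"), srv.audit)
```

The point the gate enforces is that the Request action alone never isolates a host: Fetch Containment State reports pending until a second party approves, and both steps land in the audit list a SOAR playbook should keep.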
Action: Suppress Alert
This action suppresses an alert using its alert ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. | Text | Required |
Action: Update an Indicator
This action updates an existing indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator URI Name | Enter the indicator URI name. | Text | Required | |
Category Name | Enter the indicator category URI name. | Text | Required | |
Payload | Enter the payload containing the indicator details to be updated. | Any | Required | |
Example Request
[ { "request_body": { "display_name": "Cool display 12 name", "description": "desc", "created_by": "me", "create_text": "me", "signature": null, "meta": { "test": "testing" }, "platforms": [ "win" ] }, "category_name": "Custom", "indicator_uri_name": "f32581a5-8e12-485b-9e0d-d57960e162c3" } ]
Action: Update Dynamic Host Sets
This action updates a dynamic host set.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Set ID | Enter the ID of host set to be updated. | Integer | Required | |
Host Set Name | Enter the name of the host set. | Text | Required | |
Query | Enter the query payload. Example: {"key": "agentversion","value": "31.28.17","operator": "gte"} | Key Value | Required |
Example Request
[ { "name": "Sample Host Name", "query": { "key": "timezone", "value": "testing", "operator": "matches" }, "hostset_id": 1034 } ]
Action: Update Static Host Sets
This action updates a static host set.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Set ID | Enter the ID of host set to be updated. Example: 1036 | Integer | Required | |
Host Set Name | Enter the name of host set. | Text | Required | |
Changes | Enter the changes to be made to the host set. | List | Required |
Example Request
[ { "name": "Sample Host Name", "changes": [ { "command": "change", "remove": [ "HruMRhCCGokdA8ZJdEt3Qh" ] } ], "hostset_id": "1035" } ]
Action: Generic Action
This is a generic action used to make requests to any FireEye Endpoint Security endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, PATCH, DELETE |
Endpoint | Enter the endpoint to make the request. Example: hosts/{agent_id}/triages | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional |
Example Request
[ { "method": "GET", "endpoint": "hosts", "extra_fields": {}, "query_params": {} } ]
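The Generic Action takes a method from the fixed list in the table and an endpoint such as hosts/{agent_id}/triages. The following added example, not the connector's own code, builds a request in the same shape as the example request above while restricting the method to the table's allowlist and filling the {placeholders} with percent-encoded values, so that an agent ID taken from an alert or a user-supplied field can only ever select one path segment and never append or traverse into a different endpoint. The function names are this example's own.

```python
"""Building a Generic Action request for the FireEye Endpoint Security (HX) app.

Added example, not Cyware's or FireEye's code. fill_endpoint and
build_generic_action are names chosen for this example.
"""
import re
from typing import Any, Dict, List, Optional

from urllib.parse import quote

ALLOWED_METHODS = frozenset({"GET", "PUT", "POST", "PATCH", "DELETE"})  # from the table above
_PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def fill_endpoint(template: str, values: Dict[str, Any]) -> str:
    """Substitute {name} placeholders; each value becomes exactly one path segment."""

    def substitute(match: "re.Match") -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"missing value for placeholder {{{name}}}")
        value = str(values[name])
        if value == "" or value in (".", ".."):
            raise ValueError(f"placeholder {name}: {value!r} is not a valid path segment")
        # safe="" also encodes '/', '?' and '#', so segment boundaries cannot be altered
        return quote(value, safe="")

    filled = _PLACEHOLDER.sub(substitute, template.strip().lstrip("/"))
    if not filled or "//" in filled or ".." in filled.split("/"):
        raise ValueError(f"endpoint template {template!r} is malformed")
    return filled


def build_generic_action(
    method: str,
    endpoint: str,
    path_values: Optional[Dict[str, Any]] = None,
    query_params: Optional[Dict[str, Any]] = None,
    payload: Any = None,
) -> List[Dict[str, Any]]:
    """Return the action request in the page's shape: a list with one request object."""
    method = method.strip().upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method {method!r} not in {sorted(ALLOWED_METHODS)}")
    request: Dict[str, Any] = {
        "method": method,
        "endpoint": fill_endpoint(endpoint, path_values or {}),
        "query_params": dict(query_params or {}),
        "extra_fields": {},
    }
    if payload is not None:
        request["payload"] = payload
    return [request]


if __name__ == "__main__":
    # Constructed inputs: the page's example endpoint and agent ID, then a hostile value.
    print(build_generic_action("get", "hosts/{agent_id}/triages", {"agent_id": "pti9f35V70jbbcMjP963qc"}))
    print(build_generic_action("GET", "hosts/{agent_id}/triages", {"agent_id": "../policies"}))
```

The second call shows the point: the traversal-looking value is encoded to `..%2Fpolicies` and stays a single segment under hosts/, while a method outside the table (for example TRACE) is rejected before any request is assembled.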