Pack Contributors:
- Ryan McVicar
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
FireEye HX
- Details
- Content
- Dependencies
- Version History
FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. The FireEye HX Cortex XSOAR integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. Customers can extract critical data and effectively operate the security operations automated playbooks.
FireEye HX
This pack includes Cortex XSIAM content.
Configuration on Server Side
Raw syslog audit messages
In order to configure FireEye HX to send syslog audit logs, refer to FireEye HX Endpoint Security Server System Administration Guide (Configuring a Syslog Server Using the CLI).
Make sure to configure the syslog timestamp format to be RFC-3339 UTC.
CEF format logs
In order to configure FireEye HX to send CEF logs, refer to FireEye HX Endpoint Security Server System Administration Guide.
For further assistant, contact the tech support of FireEye HX.
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings > Configuration > Data Broker > Broker VMs.
- Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
- Click Add New.
- When configuring the Syslog Collector, set the following values:
- vendor as fireeye
- product as hx_audit
- format as Auto-Detect
- protocol as UDP
Pack Contributors:
- Ryan McVicar
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Classifiers
| Name | Description |
|---|---|
FireEye HX Alert | |
FireEye HX - Incoming Mapper |
Incident Fields
| Name | Description |
|---|---|
FireEye HX Event Info | |
FireEye HX Agent Containment State |
Incident Types
| Name | Description |
|---|---|
FireEye HX Alert |
Integrations
| Name | Description |
|---|---|
| FireEye Endpoint Security (HX) v2 | FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. You can extract critical data and effectively operate the security operations automated playbook. |
| FireEye HX (Deprecated) | Deprecated. Use FireEyeHX v2 instead. |
Playbooks
| Name | Description |
|---|---|
| FireEye HX - Indicators Hunting | This playbook facilitates threat hunting and detection of IOCs within FireEye Endpoint Security (HX) utilizing three sub-playbooks. The sub-playbooks query FireEye HX for different indicators including files, traffic, and execution flow indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook:
|
| FireEye HX - Isolate Endpoint | This playbook will auto isolate endpoints by the endpoint ID that was provided in the playbook. |
| FireEye HX - File Indicators Hunting | This playbook queries FireEye Endpoint Security (HX) for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file paths, and file types. Note that multiple search values should be separated by commas only (without spaces or any special characters). |
| FireEye HX - Unisolate Endpoint | This playbook unisolates endpoints according to the hostname/endpoint ID that is provided by the playbook input. |
| FireEye HX - Traffic Indicators Hunting | This playbook queries FireEye Endpoint Security (HX) for traffic indicators, including IP addresses, URLs, domains, and ports. Note that multiple search values should be separated by commas only (without spaces or any special characters). |
| FireEye HX - Execution Flow Indicators Hunting | This playbook queries FireEye Endpoint Security (HX) for execution flow indicators, including processes name, registry keys, registry values, and applications. Note that multiple search values should be separated by commas only (without spaces or any special characters). |
Classifiers
| Name | Description |
|---|---|
FireEye HX Alert | |
FireEye HX - Incoming Mapper |
Incident Fields
| Name | Description |
|---|---|
FireEye HX Event Info | |
FireEye HX Agent Containment State |
Incident Types
| Name | Description |
|---|---|
FireEye HX Alert |
Integrations
| Name | Description |
|---|---|
| FireEye HX Event Collector | Palo Alto Networks FireEye HX Event Collector integration for XSIAM. |
| FireEye Endpoint Security (HX) v2 | FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. You can extract critical data and effectively operate the security operations automated playbook. |
| FireEye HX (Deprecated) | Deprecated. Use FireEyeHX v2 instead. |
Modeling Rules
| Name | Description |
|---|---|
FireEye HX Modeling Rule |
Parsing Rules
| Name | Description |
|---|---|
FireEye HX Parsing Rule |
Playbooks
| Name | Description |
|---|---|
| FireEye HX - Traffic Indicators Hunting | This playbook queries FireEye Endpoint Security (HX) for traffic indicators, including IP addresses, URLs, domains, and ports. Note that multiple search values should be separated by commas only (without spaces or any special characters). |
| FireEye HX - Unisolate Endpoint | This playbook unisolates endpoints according to the hostname/endpoint ID that is provided by the playbook input. |
| FireEye HX - File Indicators Hunting | This playbook queries FireEye Endpoint Security (HX) for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file paths, and file types. Note that multiple search values should be separated by commas only (without spaces or any special characters). |
| FireEye HX - Indicators Hunting | This playbook facilitates threat hunting and detection of IOCs within FireEye Endpoint Security (HX) utilizing three sub-playbooks. The sub-playbooks query FireEye HX for different indicators including files, traffic, and execution flow indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook:
|
| FireEye HX - Execution Flow Indicators Hunting | This playbook queries FireEye Endpoint Security (HX) for execution flow indicators, including processes name, registry keys, registry values, and applications. Note that multiple search values should be separated by commas only (without spaces or any special characters). |
| FireEye HX - Isolate Endpoint | This playbook will auto isolate endpoints by the endpoint ID that was provided in the playbook. |
Required Content Packs (2)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
Optional Content Packs (2)
| Pack Name | Pack By |
|---|---|
| Common Types | By: Cortex XSOAR |
| FireEye Common Fields | By: Cortex XSOAR |
All level dependencies (4)
| Pack Name | Pack By |
|---|---|
| Aggregated Scripts | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Base | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
2.4.0 - 8121169 (April 6, 2026)
- 43728
- 43427
Download
Integrations
FireEye Endpoint Security (HX) v2
- Added support for the fireeye-hx-triage-acquisition-delete command that deletes a specified triage acquisition.
- Added support for the fireeye-hx-triage-acquisition-package-get command that downloads the specified triage acquisition as a ".mans" file.
- Added support for the fireeye-hx-triage-acquisition-get command that gets information about a triage acquisition.
- Added support for the fireeye-hx-triage-acquisition-start command that submits a triage request to the HX server.
- Added support for the fireeye-hx-host-acquisitions-list command that gets all known acquisitions for a host.
- Updated the Docker image to: demisto/python3:3.12.13.7444307.
- 43728
- 43427
Download
2.3.21 - R4077103 (July 6, 2025)
- 40192
Download
Integrations
FireEye Endpoint Security (HX) v2
- Added support for the 'Preference Center' feature for selected commands.
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FireEye HX (Deprecated)
- Added support for the 'Preference Center' feature for selected commands.
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
- 40192
Download
2.4.0 - 8121169 (April 6, 2026)
- 43728
- 43427
Download
Integrations
FireEye Endpoint Security (HX) v2
- Added support for the fireeye-hx-triage-acquisition-delete command that deletes a specified triage acquisition.
- Added support for the fireeye-hx-triage-acquisition-package-get command that downloads the specified triage acquisition as a ".mans" file.
- Added support for the fireeye-hx-triage-acquisition-get command that gets information about a triage acquisition.
- Added support for the fireeye-hx-triage-acquisition-start command that submits a triage request to the HX server.
- Added support for the fireeye-hx-host-acquisitions-list command that gets all known acquisitions for a host.
- Updated the Docker image to: demisto/python3:3.12.13.7444307.
- 43728
- 43427
Download
2.3.21 - R4077103 (July 6, 2025)
- 40192
Download
Integrations
FireEye Endpoint Security (HX) v2
- Added support for the 'Preference Center' feature for selected commands.
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FireEye HX (Deprecated)
- Added support for the 'Preference Center' feature for selected commands.
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
- 40192
Download
PUBLISHER
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | June 30, 2020 | |
| Last Release | April 13, 2026 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
