FireEye HX

This pack includes Cortex XSIAM content.

Configuration on Server Side

Raw syslog audit messages

In order to configure FireEye HX to send syslog audit logs, refer to FireEye HX Endpoint Security Server System Administration Guide (Configuring a Syslog Server Using the CLI).
Make sure to configure the syslog timestamp format to be RFC-3339 UTC.

CEF format logs

In order to configure FireEye HX to send CEF logs, refer to FireEye HX Endpoint Security Server System Administration Guide.

For further assistant, contact the tech support of FireEye HX.

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

Navigate to Settings > Configuration > Data Broker > Broker VMs.
Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
Click Add New.
When configuring the Syslog Collector, set the following values:
- vendor as fireeye
- product as hx_audit
- format as Auto-Detect
- protocol as UDP

Name	Description
FireEye HX Alert
FireEye HX - Incoming Mapper

Name

Description

FireEye HX Alert

FireEye HX - Incoming Mapper

Name	Description
FireEye HX Event Info
FireEye HX Agent Containment State

Name

Description

FireEye HX Event Info

FireEye HX Agent Containment State

Name	Description
FireEye HX Alert

Name

Description

FireEye HX Alert

Name	Description
FireEye HX (Deprecated)	Deprecated. Use FireEyeHX v2 instead.
FireEye Endpoint Security (HX) v2	FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. You can extract critical data and effectively operate the security operations automated playbook.

Name

Description

FireEye HX (Deprecated)

Deprecated. Use FireEyeHX v2 instead.

FireEye Endpoint Security (HX) v2

FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. You can extract critical data and effectively operate the security operations automated playbook.

Name	Description
FireEye HX - Traffic Indicators Hunting	This playbook queries FireEye Endpoint Security (HX) for traffic indicators, including IP addresses, URLs, domains, and ports. Note that multiple search values should be separated by commas only (without spaces or any special characters).
FireEye HX - Execution Flow Indicators Hunting	This playbook queries FireEye Endpoint Security (HX) for execution flow indicators, including processes name, registry keys, registry values, and applications. Note that multiple search values should be separated by commas only (without spaces or any special characters).
FireEye HX - Unisolate Endpoint	This playbook unisolates endpoints according to the hostname/endpoint ID that is provided by the playbook input.
FireEye HX - File Indicators Hunting	This playbook queries FireEye Endpoint Security (HX) for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file paths, and file types. Note that multiple search values should be separated by commas only (without spaces or any special characters).
FireEye HX - Isolate Endpoint	This playbook will auto isolate endpoints by the endpoint ID that was provided in the playbook.
FireEye HX - Indicators Hunting	This playbook facilitates threat hunting and detection of IOCs within FireEye Endpoint Security (HX) utilizing three sub-playbooks. The sub-playbooks query FireEye HX for different indicators including files, traffic, and execution flow indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook: MD5 SHA1 SHA256 IP Address URLDomain Registry Value Registry Key File Name Process Name Port Number File Path FileType

Name

Description

FireEye HX - Traffic Indicators Hunting

This playbook queries FireEye Endpoint Security (HX) for traffic indicators, including IP addresses, URLs, domains, and ports.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

FireEye HX - Execution Flow Indicators Hunting

This playbook queries FireEye Endpoint Security (HX) for execution flow indicators, including processes name, registry keys, registry values, and applications.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

FireEye HX - Unisolate Endpoint

This playbook unisolates endpoints according to the hostname/endpoint ID that is provided by the playbook input.

FireEye HX - File Indicators Hunting

This playbook queries FireEye Endpoint Security (HX) for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file paths, and file types.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

FireEye HX - Isolate Endpoint

This playbook will auto isolate endpoints by the endpoint ID that was provided in the playbook.

FireEye HX - Indicators Hunting

This playbook facilitates threat hunting and detection of IOCs within FireEye Endpoint Security (HX) utilizing three sub-playbooks. The sub-playbooks query FireEye HX for different indicators including files, traffic, and execution flow indicators.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

Supported IOCs for this playbook:

MD5
SHA1
SHA256
IP Address
URLDomain
Registry Value
Registry Key
File Name
Process Name
Port Number
File Path
FileType

Name	Description
FireEye HX Alert
FireEye HX - Incoming Mapper

Name

Description

FireEye HX Alert

FireEye HX - Incoming Mapper

Name	Description
FireEye HX Event Info
FireEye HX Agent Containment State

Name

Description

FireEye HX Event Info

FireEye HX Agent Containment State

Name	Description
FireEye HX Alert

Name

Description

FireEye HX Alert

Name	Description
FireEye HX Event Collector	Palo Alto Networks FireEye HX Event Collector integration for XSIAM.
FireEye HX (Deprecated)	Deprecated. Use FireEyeHX v2 instead.
FireEye Endpoint Security (HX) v2	FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. You can extract critical data and effectively operate the security operations automated playbook.

Name

Description

FireEye HX Event Collector

Palo Alto Networks FireEye HX Event Collector integration for XSIAM.

FireEye HX (Deprecated)

Deprecated. Use FireEyeHX v2 instead.

FireEye Endpoint Security (HX) v2

Name	Description
FireEye HX Modeling Rule

Name

Description

FireEye HX Modeling Rule

Name	Description
FireEye HX Parsing Rule

Name

Description

FireEye HX Parsing Rule

Name	Description
FireEye HX - Execution Flow Indicators Hunting	This playbook queries FireEye Endpoint Security (HX) for execution flow indicators, including processes name, registry keys, registry values, and applications. Note that multiple search values should be separated by commas only (without spaces or any special characters).
FireEye HX - File Indicators Hunting	This playbook queries FireEye Endpoint Security (HX) for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file paths, and file types. Note that multiple search values should be separated by commas only (without spaces or any special characters).
FireEye HX - Isolate Endpoint	This playbook will auto isolate endpoints by the endpoint ID that was provided in the playbook.
FireEye HX - Unisolate Endpoint	This playbook unisolates endpoints according to the hostname/endpoint ID that is provided by the playbook input.
FireEye HX - Indicators Hunting	This playbook facilitates threat hunting and detection of IOCs within FireEye Endpoint Security (HX) utilizing three sub-playbooks. The sub-playbooks query FireEye HX for different indicators including files, traffic, and execution flow indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook: MD5 SHA1 SHA256 IP Address URLDomain Registry Value Registry Key File Name Process Name Port Number File Path FileType
FireEye HX - Traffic Indicators Hunting	This playbook queries FireEye Endpoint Security (HX) for traffic indicators, including IP addresses, URLs, domains, and ports. Note that multiple search values should be separated by commas only (without spaces or any special characters).

Name

Description

FireEye HX - Execution Flow Indicators Hunting

This playbook queries FireEye Endpoint Security (HX) for execution flow indicators, including processes name, registry keys, registry values, and applications.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

FireEye HX - File Indicators Hunting

This playbook queries FireEye Endpoint Security (HX) for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file paths, and file types.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

FireEye HX - Isolate Endpoint

This playbook will auto isolate endpoints by the endpoint ID that was provided in the playbook.

FireEye HX - Unisolate Endpoint

This playbook unisolates endpoints according to the hostname/endpoint ID that is provided by the playbook input.

FireEye HX - Indicators Hunting

Note that multiple search values should be separated by commas only (without spaces or any special characters).

Supported IOCs for this playbook:

MD5
SHA1
SHA256
IP Address
URLDomain
Registry Value
Registry Key
File Name
Process Name
Port Number
File Path
FileType

FireEye HX - Traffic Indicators Hunting

This playbook queries FireEye Endpoint Security (HX) for traffic indicators, including IP addresses, URLs, domains, and ports.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Pack Name	Pack By
Common Types	By: Cortex XSOAR
FireEye Common Fields	By: Cortex XSOAR

Pack Name	Pack By
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Certification	Certified	Read more
Supported By	Cortex
Created	June 30, 2020
Last Release	May 13, 2025

FireEye HX

FireEye HX

Configuration on Server Side

Raw syslog audit messages

CEF format logs

Collect Events from Vendor

Broker VM

Integrations

FireEye Endpoint Security (HX) v2

FireEye HX

Integrations

FireEye Endpoint Security (HX) v2

Integrations

FireEye Endpoint Security (HX) v2

Playbooks

FireEye HX - Execution Flow Indicators Hunting

FireEye HX - File Indicators Hunting

FireEye HX - Traffic Indicators Hunting

Integrations

FireEye Endpoint Security (HX) v2

Integrations

FireEye Endpoint Security (HX) v2

Playbooks

FireEye HX - Execution Flow Indicators Hunting

FireEye HX - Traffic Indicators Hunting

FireEye HX - File Indicators Hunting

Integrations

FireEye Endpoint Security (HX) v2

Integrations

FireEye Endpoint Security (HX) v2

Integrations

FireEye Endpoint Security (HX) v2

Playbooks

FireEye HX - Execution Flow Indicators Hunting

FireEye HX - File Indicators Hunting

FireEye HX - Traffic Indicators Hunting

Integrations

FireEye Endpoint Security (HX) v2

Integrations

FireEye Endpoint Security (HX) v2

Integrations

FireEye Endpoint Security (HX) v2

Playbooks

New: FireEye HX - Indicators Hunting

New: FireEye HX - Execution Flow Indicators Hunting

New: FireEye HX - File Indicators Hunting

New: FireEye HX - Traffic Indicators Hunting

Integrations

FireEye Endpoint Security (HX) v2

Integrations

FireEye HX Event Collector

FireEye Endpoint Security (HX) v2

FireEye HX

Integrations

FireEye Endpoint Security (HX) v2

Integrations

FireEye Endpoint Security (HX) v2

Playbooks

FireEye HX - Execution Flow Indicators Hunting

FireEye HX - File Indicators Hunting

FireEye HX - Traffic Indicators Hunting

Integrations

FireEye HX Event Collector

FireEye Endpoint Security (HX) v2

Integrations

FireEye Endpoint Security (HX) v2

Playbooks

FireEye HX - Execution Flow Indicators Hunting

FireEye HX - Traffic Indicators Hunting

FireEye HX - File Indicators Hunting

Integrations

FireEye Endpoint Security (HX) v2

Integrations

FireEye HX Event Collector

FireEye Endpoint Security (HX) v2

Modeling Rules

FireEye HX Modeling Rule

Parsing Rules

FireEye HX Parsing Rule

Integrations