Fidelis EDR

Overview


Use the Fidelis Endpoint integration for advanced endpoint detection and response (EDR) across Windows, Mac and Linux OSes for faster threat remediation. This integration was integrated and tested with version 9.2 of Fidelis EDR.

The account must have appropriate permissions to execute API calls. Although an administrator account would work, use a dedicated account for API calls that holds only the permissions it needs; the permissions each command requires are listed under that command below.

To grant those permissions, navigate to Configuration > Roles > Create a role > Permissions.

Use Cases


  • Fetch alerts
  • Get alert details
  • Download a file to Demisto
  • Execute a script on an endpoint
  • Query and search the logs on the Fidelis console

Configure Fidelis Endpoint on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Fidelis EDR.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g., https://abcde.fideliscloud.com/)
    • Username
    • Incident type
    • Fetch incidents
    • First fetch timestamp ("number time unit", e.g., 12 hours, 7 days, 3 months, 1 year)
    • Fetch limit (minimum 5)
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URL, credentials, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. fidelis-endpoint-list-alerts
  2. fidelis-endpoint-host-info
  3. fidelis-endpoint-file-search
  4. fidelis-endpoint-file-search-status
  5. fidelis-endpoint-file-search-result-metadata
  6. fidelis-endpoint-get-file
  7. fidelis-endpoint-delete-file-search-job
  8. fidelis-endpoint-list-scripts
  9. fidelis-endpoint-get-script-manifest
  10. fidelis-endpoint-list-processes
  11. fidelis-endpoint-get-script-result
  12. fidelis-endpoint-kill-process
  13. fidelis-endpoint-delete-file
  14. fidelis-endpoint-isolate-network
  15. fidelis-endpoint-remove-network-isolation
  16. fidelis-endpoint-script-job-status
  17. fidelis-endpoint-execute-script
  18. fidelis-endpoint-query-file
  19. fidelis-endpoint-query-process
  20. fidelis-endpoint-query-connection-by-remote-ip
  21. fidelis-endpoint-query-by-dns
  22. fidelis-endpoint-query-dns-by-server-ip
  23. fidelis-endpoint-query-dns-by-source-ip
  24. fidelis-endpoint-query-events

1. fidelis-endpoint-list-alerts


Returns all alerts in the system.

Required Permissions

The required permissions: View Alerts

Base Command

fidelis-endpoint-list-alerts

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of alerts to return. | Optional |
| sort | Sorts the result before applying take and skip. Can be any property name of the alert object, for example "insertionDate Descending". | Optional |
| start_date | The start of the time range of returned values, in UTC format. For example: 0001-01-01T00:00:00Z | Optional |
| end_date | The end of the time range of returned values, in UTC format. For example: 0001-01-01T00:00:00Z | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.Alert.EndpointName | String | Endpoint name. |
| FidelisEndpoint.Alert.IntelName | String | Intel name. |
| FidelisEndpoint.Alert.HasJob | Boolean | Whether the alert has an open job. |
| FidelisEndpoint.Alert.EventTime | Date | Alert event time. |
| FidelisEndpoint.Alert.ActionsTaken | String | The actions taken for this alert. |
| FidelisEndpoint.Alert.CreateDate | Date | Alert creation date. |
| FidelisEndpoint.Alert.ParentEventID | String | Parent event ID. |
| FidelisEndpoint.Alert.Name | String | Alert name. |
| FidelisEndpoint.Alert.ReportID | String | Report ID. |
| FidelisEndpoint.Alert.EndpointID | String | Endpoint ID. |
| FidelisEndpoint.Alert.IntelID | String | Intel ID. |
| FidelisEndpoint.Alert.EventType | Number | Event type. |
| FidelisEndpoint.Alert.EventID | String | Event ID. |
| FidelisEndpoint.Alert.SourceType | Number | Source type. |
| FidelisEndpoint.Alert.AgentTag | String | Agent tag. |
| FidelisEndpoint.Alert.EventIndex | Number | Event index. |
| FidelisEndpoint.Alert.Telemetry | String | Telemetry data. |
| FidelisEndpoint.Alert.Source | String | Alert source. |
| FidelisEndpoint.Alert.ID | Number | Alert ID. |
| FidelisEndpoint.Alert.ValidatedDate | Date | Validation date. |
| FidelisEndpoint.Alert.Description | String | Alert description. |
| FidelisEndpoint.Alert.InsertionDate | Date | Alert insertion date. |
| FidelisEndpoint.Alert.Severity | Number | Alert severity. |
| FidelisEndpoint.Alert.ArtifactName | String | Artifact name. |
Command Example

!fidelis-endpoint-list-alerts limit="5"

Context Example
{
"FidelisEndpoint.Alert": [
{
"Severity": 2,
"IntelName": null,
"Telemetry": null,
"Source": "Installed Software CVE",
"InsertionDate": "2020-03-21T00:06:38.940Z",
"IntelID": null,
"HasJob": false,
"Description": "2 new vulnerable software installed today:\n\n[[!0::rsyslog:8.24.0:]]\r\nHighest Severity: High\r\nEndpoints: 1\r\n\u2022 [[!0::rsyslog:8.24.0:CVE-2017-12588]] - High\r\nThe zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.\r\n\u2022 [[!0::rsyslog:8.24.0:CVE-2018-16881]] - Medium\r\nA denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash. Versions before 8.27.0 are vulnerable.\r\n\r\n[[!0::binutils:2.27:]]\r\nHighest Severity: Medium\r\nEndpoints: 1\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12448]] - Medium\r\nThe bfd_cache_close function in bfd/cache.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a heap use after free and possibly achieve code execution via a crafted nested archive file. This issue occurs...\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12449]] - Medium\r\nThe _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12450]] - Medium\r\nThe alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted vms alpha file.\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12451]] - Medium\r\nThe _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12452]] - Medium\r\nThe bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12453]] - Medium\r\nThe _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12454]] - Medium\r\nThe _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12455]] - Medium\r\nThe evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12456]] - Medium\r\nThe read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12457]] - Medium\r\nThe bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12458]] - Medium\r\nThe nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.\r\n\u2022 [[!0::binutils:2.27:CVE-2017-12459]] - Medium\r\nThe bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted mach-o file.\r\n\u2022 [[!0::binutils:2.27:CVE-2018-19931]] - Medium\r\nAn issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.\r\n\u2022 [[!0::binutils:2.27:CVE-2018-1000876]] - Medium\r\nbinutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be...\r\n\u2022 [[!0::binutils:2.27:CVE-2018-19932]] - Medium\r\nAn issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.\r\n\u2022 [[!0::binutils:2.27:CVE-2018-20671]] - Medium\r\nload_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size.\r\n\u2022 [[!0::binutils:2.27:CVE-2019-1010204]] - Medium\r\nGNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an...\r\n\r\n",
"EventType": null,
"EventIndex": null,
"ArtifactName": null,
"CreateDate": "2020-03-19T23:59:59.999Z",
"EventTime": null,
"Name": "Vulnerable Software Installed - 3/19/2020",
"ParentEventID": null,
"EndpointName": "fidelis-endpoint.windows",
"ReportID": null,
"ActionsTaken": null,
"ID": 437,
"EventID": null,
"ValidatedDate": null,
"SourceType": 19,
"AgentTag": null,
"EndpointID": "70815600-2b9c-4cbe-971f-ab5601ed1ce1"
},
{
"Severity": 3,
"IntelName": "CVE-2013-1753",
"Telemetry": null,
"Source": "Installed Software CVE",
"InsertionDate": "2020-03-12T09:21:27.021Z",
"IntelID": null,
"HasJob": false,
"Description": "python - 2.7.5\n\nThe gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.",
"EventType": null,
"EventIndex": null,
"ArtifactName": null,
"CreateDate": "2020-03-12T09:21:27.021Z",
"EventTime": null,
"Name": "Vulnerable Software - CVE-2013-1777",
"ParentEventID": null,
"EndpointName": "fidelis-endpoint.windows",
"ReportID": null,
"ActionsTaken": null,
"ID": 436,
"EventID": null,
"ValidatedDate": null,
"SourceType": 19,
"AgentTag": null,
"EndpointID": "70815600-2b9c-4cbe-971f-ab5601ed1ce1"
},
{
"Severity": 4,
"IntelName": "CVE-2020-10029",
"Telemetry": null,
"Source": "Installed Software CVE",
"InsertionDate": "2020-03-07T09:21:24.356Z",
"IntelID": null,
"HasJob": false,
"Description": "glibc - 2.17\n\nThe GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
"EventType": null,
"EventIndex": null,
"ArtifactName": null,
"CreateDate": "2020-03-07T09:21:24.356Z",
"EventTime": null,
"Name": "Vulnerable Software - CVE-2020-10029",
"ParentEventID": null,
"EndpointName": "fidelis-endpoint.windows",
"ReportID": null,
"ActionsTaken": null,
"ID": 435,
"EventID": null,
"ValidatedDate": null,
"SourceType": 19,
"AgentTag": null,
"EndpointID": "70815600-2b9c-4cbe-971f-ab5601ed1ce1"
},
{
"Severity": 2,
"IntelName": "CVE-2015-8710",
"Telemetry": null,
"Source": "Installed Software CVE",
"InsertionDate": "2020-02-27T09:21:03.253Z",
"IntelID": null,
"HasJob": false,
"Description": "libxml2 - 2.9.1\n\nThe htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.",
"EventType": null,
"EventIndex": null,
"ArtifactName": null,
"CreateDate": "2020-02-27T09:21:03.253Z",
"EventTime": null,
"Name": "Vulnerable Software - CVE-2015-8710",
"ParentEventID": null,
"EndpointName": "fidelis-endpoint.windows",
"ReportID": null,
"ActionsTaken": null,
"ID": 434,
"EventID": null,
"ValidatedDate": null,
"SourceType": 19,
"AgentTag": null,
"EndpointID": "70815600-2b9c-4cbe-971f-ab5601ed1ce1"
},
{
"Severity": 2,
"IntelName": "CVE-2014-4650",
"Telemetry": null,
"Source": "Installed Software CVE",
"InsertionDate": "2020-02-27T09:21:03.253Z",
"IntelID": null,
"HasJob": false,
"Description": "python - 2.7.5\n\nThe CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.",
"EventType": null,
"EventIndex": null,
"ArtifactName": null,
"CreateDate": "2020-02-27T09:21:03.253Z",
"EventTime": null,
"Name": "Vulnerable Software - CVE-2014-4444",
"ParentEventID": null,
"EndpointName": "fidelis-endpoint.windows",
"ReportID": null,
"ActionsTaken": null,
"ID": 433,
"EventID": null,
"ValidatedDate": null,
"SourceType": 19,
"AgentTag": null,
"EndpointID": "70815600-2b9c-4cbe-971f-ab5601ed1ce1"
}
]
}
Human Readable Output

Fidelis Endpoint Alerts

| ID | Name | EndpointName | EndpointID | Source | IntelName | Severity | CreateDate |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 437 | Vulnerable Software Installed - 3/19/2020 | fidelis-endpoint.windows | 70815600-2b9c-4cbe-971f-ab5601ed1ce1 | Installed Software CVE |  | 2 | 2020-03-19T23:59:59.999Z |
| 436 | Vulnerable Software - CVE-2013-1777 | fidelis-endpoint.windows | 70815600-2b9c-4cbe-971f-ab5601ed1ce1 | Installed Software CVE | CVE-2013-1753 | 3 | 2020-03-12T09:21:27.021Z |
| 435 | Vulnerable Software - CVE-2020-10029 | fidelis-endpoint.windows | 70815600-2b9c-4cbe-971f-ab5601ed1ce1 | Installed Software CVE | CVE-2020-10029 | 4 | 2020-03-07T09:21:24.356Z |
| 434 | Vulnerable Software - CVE-2015-8710 | fidelis-endpoint.windows | 70815600-2b9c-4cbe-971f-ab5601ed1ce1 | Installed Software CVE | CVE-2015-8710 | 2 | 2020-02-27T09:21:03.253Z |
| 433 | Vulnerable Software - CVE-2014-4444 | fidelis-endpoint.windows | 70815600-2b9c-4cbe-971f-ab5601ed1ce1 | Installed Software CVE | CVE-2014-4650 | 2 | 2020-02-27T09:21:03.253Z |
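The "Installed Software CVE" alerts above carry their findings as free text: a daily digest packs many `[[!0::product:version:CVE]] - rating` markers into Description, while a single-CVE alert puts the CVE in IntelName and "product - version" on the first line. The following is an added example, not part of the integration or of Fidelis' own code, showing how an automation can turn that text into structured findings for triage. The marker grammar is inferred from the sample alert on this page, and the alert dictionaries are constructed from it, with the long CVE descriptions shortened.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed samples modelled on the two shapes of "Installed Software CVE"
# alert in the !fidelis-endpoint-list-alerts output above: a daily digest
# (many CVEs, IntelName null) and a single-CVE alert (IntelName set).
SAMPLE_ALERTS = [
    {
        "ID": 437, "Severity": 2, "Source": "Installed Software CVE", "IntelName": None,
        "Description": (
            "2 new vulnerable software installed today:\n\n"
            "[[!0::rsyslog:8.24.0:]]\r\nHighest Severity: High\r\nEndpoints: 1\r\n"
            "\u2022 [[!0::rsyslog:8.24.0:CVE-2017-12588]] - High\r\n"
            "The zmq3 input and output modules in rsyslog before 8.28.0 ...\r\n"
            "\u2022 [[!0::rsyslog:8.24.0:CVE-2018-16881]] - Medium\r\n"
            "A denial of service vulnerability was found in rsyslog ...\r\n\r\n"
            "[[!0::binutils:2.27:]]\r\nHighest Severity: Medium\r\nEndpoints: 1\r\n"
            "\u2022 [[!0::binutils:2.27:CVE-2017-12448]] - Medium\r\n"
            "The bfd_cache_close function in bfd/cache.c ...\r\n\r\n"
        ),
    },
    {
        "ID": 436, "Severity": 3, "Source": "Installed Software CVE", "IntelName": "CVE-2013-1753",
        "Description": "python - 2.7.5\n\nThe gzip_decode function in the xmlrpc client library ...",
    },
    # Constructed non-CVE alert; must be ignored by the parser.
    {"ID": 999, "Severity": 4, "Source": "Process", "IntelName": None, "Description": "not a CVE alert"},
]

# Digest marker: [[!0::<product>:<version>:<CVE>]] - <rating>  (format inferred from the sample)
MARKER = re.compile(
    r"\[\[!0::(?P<product>[^:\]]+):(?P<version>[^:\]]*):(?P<cve>CVE-\d{4}-\d{4,})\]\]\s*-\s*(?P<rating>\w+)"
)
# Single-CVE alerts start with "<product> - <version>" on the first line.
SINGLE_HEADER = re.compile(r"^(?P<product>.+?) - (?P<version>\S+)\r?\n")


@dataclass(frozen=True)
class VulnFinding:
    alert_id: int
    product: str
    version: str
    cve: str
    rating: Optional[str]  # rating word from a digest line; None for single-CVE alerts


def parse_cve_alert(alert: dict) -> List[VulnFinding]:
    """Turn one alert into structured (product, version, CVE) findings."""
    if alert.get("Source") != "Installed Software CVE":
        return []
    desc = alert.get("Description") or ""
    findings = [
        VulnFinding(alert["ID"], m["product"], m["version"], m["cve"], m["rating"])
        for m in MARKER.finditer(desc)
    ]
    # Single-CVE alert: IntelName is authoritative (in the sample above, Name
    # and IntelName disagree, and the description text matches IntelName).
    intel = alert.get("IntelName") or ""
    if not findings and intel.startswith("CVE-"):
        header = SINGLE_HEADER.match(desc)
        if header:
            findings.append(VulnFinding(alert["ID"], header["product"], header["version"], intel, None))
    return findings


def group_by_package(alerts: List[dict]) -> Dict[Tuple[str, str], List[str]]:
    """Collapse many alerts into one sorted, de-duplicated CVE list per (product, version)."""
    grouped: Dict[Tuple[str, str], set] = defaultdict(set)
    for alert in alerts:
        for f in parse_cve_alert(alert):
            grouped[(f.product, f.version)].add(f.cve)
    return {pkg: sorted(cves) for pkg, cves in grouped.items()}


def escalation_candidates(alerts: List[dict], min_severity: int = 3) -> List[VulnFinding]:
    """Findings rated High inside a digest, or belonging to an alert at or above min_severity."""
    out = []
    for alert in alerts:
        for f in parse_cve_alert(alert):
            if f.rating == "High" or alert["Severity"] >= min_severity:
                out.append(f)
    return out


if __name__ == "__main__":
    for pkg, cves in sorted(group_by_package(SAMPLE_ALERTS).items()):
        print(f"{pkg[0]} {pkg[1]}: {', '.join(cves)}")
```

In a playbook the alert list would come from the `FidelisEndpoint.Alert` context instead of `SAMPLE_ALERTS`; the digest alert has Severity 2 even though it contains a High-rated CVE, which is why the escalation check looks at the per-line rating as well as the alert's own severity.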

2. fidelis-endpoint-host-info


Searches for endpoints based on an IP address or hostname.

Base Command

fidelis-endpoint-host-info

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip_address | The IP address to search for. | Optional |
| host | The host name to search for. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.Host.AgentVersion | String | The agent version. |
| FidelisEndpoint.Host.MacAddress | String | Host MAC address. |
| FidelisEndpoint.Host.OS | String | Endpoint OS. |
| FidelisEndpoint.Host.IPAddress | String | Endpoint IP address. |
| FidelisEndpoint.Host.Isolated | Boolean | Whether the endpoint is isolated. |
| FidelisEndpoint.Host.AV_Enabled | Boolean | Whether AV is enabled. |
| FidelisEndpoint.Host.Hostname | String | Host name. |
| FidelisEndpoint.Host.AgentInstalled | Boolean | Whether an agent is installed. |
| FidelisEndpoint.Host.Groups | String | Endpoint groups. |
| FidelisEndpoint.Host.LastContactDate | Date | Host last contact date. |
| FidelisEndpoint.Host.ID | String | Host ID. |
| FidelisEndpoint.Host.ProcessorName | String | Processor name. |
| FidelisEndpoint.Host.OnNetwork | Boolean | Whether the host is on the network. |
| Endpoint.Hostname | String | Host name (standard Endpoint context). |
| Endpoint.IPAddress | String | Endpoint IP address (standard Endpoint context). |
| Endpoint.MACAddress | String | Host MAC address (standard Endpoint context). |
| Endpoint.OS | String | Endpoint OS (standard Endpoint context). |
| Endpoint.Processor | String | Processor name (standard Endpoint context). |
| Endpoint.ID | String | Host ID (standard Endpoint context). |
Command Example

!fidelis-endpoint-host-info ip_address="2.2.2.2"

Context Example
{
"Endpoint": [
{
"MACAddress": "23:01:0a:50:00:02",
"IPAddress": "2.2.2.2",
"Hostname": "fidelis-endpoint.windows",
"Processor": "Intel(R) Xeon(R) CPU @ 2.30GHz",
"OS": "CentOS Linux 7 (Core) Linux x64",
"ID": "70815600-2b9c-4cbe-971f-ab5601ed1ce1"
}
],
"FidelisEndpoint.Host": [
{
"AV_Enabled": true,
"LastContactDate": "2020-03-26T04:35:02.2887847",
"OS": "CentOS Linux 7 (Core) Linux x64",
"Hostname": "fidelis-endpoint.windows",
"Isolated": false,
"MacAddress": "23:01:0a:50:00:02",
"AgentVersion": "9.2.4.31",
"Groups": null,
"AgentInstalled": true,
"OnNetwork": true,
"ProcessorName": "Intel(R) Xeon(R) CPU @ 2.30GHz",
"IPAddress": "2.2.2.2",
"ID": "70815600-2b9c-4cbe-971f-ab5601ed1ce1"
}
]
}
Human Readable Output

Fidelis Endpoint Host Info

| ID | OS | MacAddress | Isolated | LastContactDate | AgentInstalled | AgentVersion | OnNetwork | AV_Enabled | ProcessorName |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 70815600-2b9c-4cbe-971f-ab5601ed1ce1 | CentOS Linux 7 (Core) Linux x64 | 23:01:0a:50:00:02 | false | 2020-03-26T04:35:02.2887847 | true | 9.2.4.31 | true | true | Intel(R) Xeon(R) CPU @ 2.30GHz |

3. fidelis-endpoint-file-search


Searches for files on multiple hosts, using file hash, file extension, file size, and other search criteria.

Required Permissions

The required permissions: Scripts, View Executables

Base Command

fidelis-endpoint-file-search

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| host | A comma-separated list of hosts on which to search for the specified file. | Optional |
| md5 | A comma-separated list of MD5 hashes to search for. Get the hashes from the query commands. | Required |
| file_extension | The file extension. | Optional |
| file_path | The file path (recommended, to shorten the search time). | Optional |
| file_size | Only return files larger than this size. The default is 100. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.FileSearch.JobID | String | The job ID. |
| FidelisEndpoint.FileSearch.JobResultID | String | The job result ID. |
Command Example

!fidelis-endpoint-file-search host="2.2.2.2" md5="098f6bcd4621d373cade4e832347b4f6" file_extension=".txt" file_size="0"

Context Example
{
"FidelisEndpoint.FileSearch": {
"JobResultID": "e93e848a-2462-4933-b442-ab8a02118111",
"JobID": "fcb3b94c-7344-4c30-a47b-93f90bd2385e"
}
}
Human Readable Output

Fidelis Endpoint file search

| JobID | JobResultID |
| --- | --- |
| fcb3b94c-7344-4c30-a47b-93f90bd2385e | e93e848a-2462-4933-b442-ab8a02118111 |

4. fidelis-endpoint-file-search-status


Gets the file search job status.

Required Permissions

The required permissions: View Executables

Base Command

fidelis-endpoint-file-search-status

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The job ID. Get the ID from the file-search command. | Required |
| job_result_id | The job result ID. Get the ID from the file-search command. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.FileSearch.JobID | String | The file search job ID. |
| FidelisEndpoint.FileSearch.JobResultID | String | Job result ID. |
| FidelisEndpoint.FileSearch.Status | String | Job status. |
Command Example

!fidelis-endpoint-file-search-status job_id=a345056b-b290-4746-b953-0822dab381ae job_result_id=0b7161ed-ffe9-4b87-b009-ab8a02034e0e

Context Example
{
"FidelisEndpoint.FileSearch": {
"Status": "Completed",
"JobResultID": "0b7161ed-ffe9-4b87-b009-ab8a02034e0e",
"JobID": "a345056b-b290-4746-b953-0822dab381ae"
}
}
Human Readable Output

Fidelis Endpoint file search status is: Completed

5. fidelis-endpoint-file-search-result-metadata


Gets the metadata of the files found by a file search job. Returns at most 50 results.

Required Permissions

The required permissions: View Executables

Base Command

fidelis-endpoint-file-search-result-metadata

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The job ID. Get the job ID from the file-search command. | Required |
| job_result_id | The job result ID. Get the job result ID from the file-search command. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.File.AgentID | String | Agent ID. |
| FidelisEndpoint.File.FileName | String | File name. |
| FidelisEndpoint.File.FilePath | String | File path. |
| FidelisEndpoint.File.FileSize | Number | File size. |
| FidelisEndpoint.File.HostIP | String | Host IP address. |
| FidelisEndpoint.File.HostName | String | Host name. |
| FidelisEndpoint.File.ID | String | File ID. |
| FidelisEndpoint.File.MD5Hash | String | File MD5 hash. |
| File.Path | String | The file path. |
| File.Hostname | String | The name of the host where the file was found. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Name | String | The full file name (including file extension). |
| File.Size | Number | The size of the file in bytes. |
Command Example

!fidelis-endpoint-file-search-result-metadata job_id=a345056b-b290-4746-b953-0822dab381ae job_result_id=0b7161ed-ffe9-4b87-b009-ab8a02034e0e

Context Example
{
"FidelisEndpoint.File": {
"MD5Hash": "098f6bcd4621d373cade4e832347b4f6",
"FilePath": "Users\\admin\\Documents\\test.txt",
"HostName": "fidelis-endpoint-winserver2019",
"FileName": "test.txt",
"FileSize": 4,
"HostIP": "2.2.2.2",
"AgentID": "4088e5f0-0d18-4daa-a1a3-e0becc34c803",
"ID": "eyJOYW1lIjoidGVzdC50eHQiLCJQYXRoIjoiL3Jlc3VsdHMvMGI3MTYxZWQtZmZlOS00Yjg3LWIwMDktYWI4YTAyMDM0ZTBlL2IyUnZPVFl5YjFSUGNqRnZSRTkwYlU1aWQxQnJUemRUZDJkTUwzUmFNbUZWY21wMlJrRjFhRXRwTUQwPSJ90"
},
"File": {
"Size": 4,
"Path": "Users\\admin\\Documents\\test.txt",
"Hostname": "fidelis-endpoint-winserver2019",
"Name": "test.txt",
"MD5": "098f6bcd4621d373cade4e832347b4f6"
}
}
Human Readable Output

Fidelis Endpoint file results metadata

| ID | FileName | FilePath | MD5Hash | FileSize | HostName | HostIP | AgentID |
| --- | --- | --- | --- | --- | --- | --- | --- |
| eyJOYW1lIjoidGVzdC50eHQiLCJQYXRoIjoiL3Jlc3VsdHMvMGI3MTYxZWQtZmZlOS00Yjg3LWIwMDktYWI4YTAyMDM0ZTBlL2IyUnZPVFl5YjFSUGNqRnZSRTkwYlU1aWQxQnJUemRUZDJkTUwzUmFNbUZWY21wMlJrRjFhRXRwTUQwPSJ90 | test.txt | Users\admin\Documents\test.txt | 098f6bcd4621d373cade4e832347b4f6 | 4 | fidelis-endpoint-winserver2019 | 2.2.2.2 | 4088e5f0-0d18-4daa-a1a3-e0becc34c803 |

6. fidelis-endpoint-get-file


Gets the file stream from the server and downloads the file to the War Room.

Required Permissions

The required permissions: Scripts, View Executables

Base Command

fidelis-endpoint-get-file

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| file_id | The file ID. Get the ID from the file-search-result-metadata command. | Required |
| file_name | The file name to download (including extension). Get the file name from the file-search-result-metadata command. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| File.Size | Number | The size of the file in bytes. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The full file name (including file extension). |
| File.SSDeep | String | The ssdeep hash of the file (same as displayed in file entries). |
| File.EntryID | String | The ID for locating the file in the War Room. |
| File.Info | String | The file information. |
| File.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |
| File.MD5 | String | The MD5 hash of the file. |
Command Example

!fidelis-endpoint-get-file file_id=eyJOYW1lIjoidGVzdC50eHQiLCJQYXRoIjoiL3Jlc3VsdHMvMGI3MTYxZWQtZmZlOS00Yjg3LWIwMDktYWI4YTAyMDM0ZTBlL2IyUnZPVFl5YjFSUGNqRnZSRTkwYlU1aWQxQnJUemRUZDJkTUwzUmFNbUZWY21wMlJrRjFhRXRwTUQwPSJ90 file_name=test.txt

Human Readable Output

Returns the file for download.

7. fidelis-endpoint-delete-file-search-job


Removes the job to free up space on the server.

Required Permissions

The required permissions: Scripts, View Executables, Delete Executables

Base Command

fidelis-endpoint-delete-file-search-job

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The job ID. Get the job ID from the file-search command. | Required |
Context Output

There is no context output for this command.

Command Example

!fidelis-endpoint-delete-file-search-job job_id=a345056b-b290-4746-b953-0822dab381ae

Human Readable Output

The job was successfully deleted
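Commands 3 through 7 form one workflow: submit a file search, poll its status, read the result metadata, fetch the files you actually wanted, and delete the job so it does not linger on the server. The following is an added example of that orchestration, not code from the integration or from Fidelis. It assumes a `run(command_name, args)` callable that returns the command's context contents; in an XSOAR/Demisto automation that callable would wrap `demisto.executeCommand`, and here it is replaced by a constructed fake console that replays the sample values from the command examples above so the flow runs offline. The terminal failure statuses are an assumption, since this page only shows "Completed".

```python
import time
from typing import Callable, Dict, List

# Hook for running integration commands. In an XSOAR/Demisto automation this
# would wrap demisto.executeCommand(name, args) and unpack the entry Contents;
# it is injected so the workflow can be exercised against a fake console.
RunCommand = Callable[[str, Dict[str, str]], object]

TERMINAL_FAILURES = {"Failed", "Cancelled"}  # assumed; the page only shows "Completed"


class FileSearchError(RuntimeError):
    pass


def collect_file_by_md5(run: RunCommand, host: str, md5: str, file_path: str = "",
                        max_polls: int = 60, poll_s: float = 5.0, sleep=time.sleep) -> List[dict]:
    """search -> status -> metadata -> get-file, always deleting the job afterwards.
    Returns one record per copy of the file that matched the requested hash."""
    md5 = md5.lower()
    if len(md5) != 32 or set(md5) - set("0123456789abcdef"):
        raise ValueError("md5 must be a 32-character hex string")
    args = {"host": host, "md5": md5, "file_size": "0"}  # file_size 0: keep small files too
    if file_path:
        args["file_path"] = file_path  # narrows the search, as the command doc recommends
    job = run("fidelis-endpoint-file-search", args)
    ids = {"job_id": job["JobID"], "job_result_id": job["JobResultID"]}
    try:
        for _ in range(max_polls):
            status = run("fidelis-endpoint-file-search-status", ids)["Status"]
            if status == "Completed":
                break
            if status in TERMINAL_FAILURES:
                raise FileSearchError(f"job {ids['job_id']} ended with status {status}")
            sleep(poll_s)
        else:
            raise FileSearchError(f"job {ids['job_id']} not completed after {max_polls} polls")
        meta = run("fidelis-endpoint-file-search-result-metadata", ids)
        meta = meta if isinstance(meta, list) else [meta]
        # Keep only rows whose reported hash is the one asked for; a broad
        # search (extension or path only) can return unrelated files.
        hits = [m for m in meta if (m.get("MD5Hash") or "").lower() == md5]
        collected = []
        for m in hits:
            entry = run("fidelis-endpoint-get-file", {"file_id": m["ID"], "file_name": m["FileName"]})
            collected.append({"host": m["HostName"], "path": m["FilePath"], "entry": entry})
        return collected
    finally:
        # Free server space whether the search succeeded, failed or timed out.
        run("fidelis-endpoint-delete-file-search-job", {"job_id": ids["job_id"]})


class FakeConsole:
    """Constructed stand-in for the integration that replays the sample values
    from the command examples above. It is not a Fidelis API."""

    def __init__(self, statuses: List[str], metadata: List[dict]):
        self.statuses = list(statuses)
        self.metadata = metadata
        self.calls: List[str] = []

    def __call__(self, name: str, args: Dict[str, str]):
        self.calls.append(name)
        if name == "fidelis-endpoint-file-search":
            return {"JobID": "a345056b-b290-4746-b953-0822dab381ae",
                    "JobResultID": "0b7161ed-ffe9-4b87-b009-ab8a02034e0e"}
        if name == "fidelis-endpoint-file-search-status":
            # Walk through the scripted statuses, then keep returning the last one.
            return {"Status": self.statuses.pop(0) if len(self.statuses) > 1 else self.statuses[0]}
        if name == "fidelis-endpoint-file-search-result-metadata":
            return self.metadata
        if name == "fidelis-endpoint-get-file":
            return {"EntryID": "1@1", "Name": args["file_name"]}
        if name == "fidelis-endpoint-delete-file-search-job":
            return "The job was successfully deleted"
        raise KeyError(name)


# Constructed metadata: the row from the sample plus an unrelated file that must be filtered out.
SAMPLE_META = [
    {"ID": "file-id-1", "FileName": "test.txt", "FilePath": "Users\\admin\\Documents\\test.txt",
     "MD5Hash": "098f6bcd4621d373cade4e832347b4f6", "HostName": "fidelis-endpoint-winserver2019",
     "HostIP": "2.2.2.2"},
    {"ID": "file-id-2", "FileName": "test.txt", "FilePath": "Temp\\test.txt",
     "MD5Hash": "0" * 32, "HostName": "host-b", "HostIP": "2.2.2.3"},
]

if __name__ == "__main__":
    console = FakeConsole(["Pending", "Pending", "Completed"], SAMPLE_META)
    for rec in collect_file_by_md5(console, "2.2.2.2", "098f6bcd4621d373cade4e832347b4f6", sleep=lambda s: None):
        print(rec["host"], rec["path"], rec["entry"]["EntryID"])
```

The `finally` block is the part worth copying: the delete-job command runs on every exit path, so a search that fails or never completes does not leave a job behind on the server.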

8. fidelis-endpoint-list-scripts


Gets a list of all script packages.

Required Permissions

The required permissions: Read groups, View Behaviors

Base Command

fidelis-endpoint-list-scripts

Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.Script.Description | String | The script description. |
| FidelisEndpoint.Script.ID | String | Script ID. |
| FidelisEndpoint.Script.Name | String | Script name. |
Command Example

!fidelis-endpoint-list-scripts

Context Example
{
"FidelisEndpoint.Script": [
{
"Name": "Administrators",
"Description": "Lists all users with Administrator rights. Use the optional parameter to filter the results to usernames that contain the supplied text.",
"ID": "8d379688-dde1-451d-8fa2-4f29c84baf97"
},
{
"Name": "Administrators",
"Description": "Lists all users with Administrator rights. Use the optional parameter to filter the results to usernames that contain the supplied text.",
"ID": "c533cf90-f015-4616-84fb-8836b32aa74b"
},
{
"Name": "Agent Log",
"Description": "Returns log entries from the Fidelis Agent.",
"ID": "e73ffbba-14c1-4dd4-bb45-60d6906031c9"
},
{
"Name": "Agent Log",
"Description": "Returns log entries from the Fidelis Agent.",
"ID": "f0572f26-4272-4d2c-8f6f-4a8dfa307904"
},
{
"Name": "All User Accounts",
"Description": "Displays information about any created users on an endpoint. Use the Optional Question box to filter the results by the specified text--results returned include data containing that value in any column.",
"ID": "42787aa7-f721-49ad-ab2d-308f905986f3"
},
{
"Name": "All User Accounts",
"Description": "Displays information about any created users on an endpoint. Use the Optional Question box to filter the results by the specified text--results returned include data containing that value in any column.",
"ID": "b44f4b11-2e76-44c8-9484-238fd3063aea"
},
{
"Name": "All User Accounts",
"Description": "Displays information about any created users on an endpoint. Use the Optional Question box to filter the results by the specified text--results returned include data containing that value in any column.",
"ID": "3fe1ec01-b095-4a6a-8fcf-7d9e1df95284"
},
{
"Name": "Services (WMI)",
"Description": "Obtain the list of services from the Windows Management Instrumentation (WMI).\r\nThe Service Name or Account Filter limits the results to services that have the matching name or account.",
"ID": "9622541e-2bca-46f5-b2a6-ef406babf9cd"
}
]
}
Human Readable Output

Fidelis Endpoint scripts

| ID | Name | Description |
| --- | --- | --- |
| 8d379688-dde1-451d-8fa2-4f29c84baf97 | Administrators | Lists all users with Administrator rights. Use the optional parameter to filter the results to usernames that contain the supplied text. |
| c533cf90-f015-4616-84fb-8836b32aa74b | Administrators | Lists all users with Administrator rights. Use the optional parameter to filter the results to usernames that contain the supplied text. |
| e73ffbba-14c1-4dd4-bb45-60d6906031c9 | Agent Log | Returns log entries from the Fidelis Agent. |
| f0572f26-4272-4d2c-8f6f-4a8dfa307904 | Agent Log | Returns log entries from the Fidelis Agent. |
| 42787aa7-f721-49ad-ab2d-308f905986f3 | All User Accounts | Displays information about any created users on an endpoint. Use the Optional Question box to filter the results by the specified text; results returned include data containing that value in any column. |
| b44f4b11-2e76-44c8-9484-238fd3063aea | All User Accounts | Displays information about any created users on an endpoint. Use the Optional Question box to filter the results by the specified text; results returned include data containing that value in any column. |
| 3fe1ec01-b095-4a6a-8fcf-7d9e1df95284 | All User Accounts | Displays information about any created users on an endpoint. Use the Optional Question box to filter the results by the specified text; results returned include data containing that value in any column. |
| 1a57a6ad-4dd7-4055-8def-8e423d949f3f | All User Accounts (WMI) | Lists all the user accounts. Use the optional parameter to filter the results to those that have a username that contains the supplied text. |
| c8adc3bc-6345-473d-a8cc-c45a76f9d62c | AntiVirus Information | Shows the AntiVirus and AntiSpyware products installed on the client computer and whether they are enabled and up-to-date. Provide the optional filter to only return products that contain the filter text. This script does not work on server class operating systems. |
| c9b37e1e-3ec6-49a3-9426-b90a90b55071 | ARP Cache | Displays information from the Address Resolution Protocol Cache. Use the Optional Question box to filter the results by the specified text; results returned include data containing that value in any column. |
| f3eb6edf-5764-4e11-8833-6da6b067e54e | ARP Cache | Displays information from the Address Resolution Protocol Cache. Use the Optional Question box to filter the results by the specified text; results returned include data containing that value in any column. |

9. fidelis-endpoint-get-script-manifest


Gets the script manifest.

Required Permissions

The required permissions: View Behaviors

Base Command

fidelis-endpoint-get-script-manifest

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| script_id | The script ID. Get the script ID from the list-scripts command. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.Script.ResultColumns | String | The columns of the script results. |
| FidelisEndpoint.Script.Priority | String | Script priority. |
| FidelisEndpoint.Script.ImpersonationUser | String | Impersonation user. |
| FidelisEndpoint.Script.Name | String | Script name. |
| FidelisEndpoint.Script.Command | String | The script command line, with its parameters as {[...]Question} templates. |
| FidelisEndpoint.Script.Questions | String | The script questions (the parameters the script prompts for). |
| FidelisEndpoint.Script.WizardOverridePassword | Boolean | Wizard override password. |
| FidelisEndpoint.Script.Platform | String | The platforms the script supports (only platforms set to true are listed). |
| FidelisEndpoint.Script.ImpersonationPassword | String | Impersonation password, if one is configured for the script. Note that this value is written to the incident context, so restrict who can read that context. |
| FidelisEndpoint.Script.ID | String | Script ID. |
| FidelisEndpoint.Script.Description | String | The script description. |
| FidelisEndpoint.Script.TimeoutSeconds | Number | Script timeout in seconds. |
Command Example

!fidelis-endpoint-get-script-manifest script_id="2d32a530-0716-4542-afdc-8da3bd47d8bf"

Context Example
{
"FidelisEndpoint.Script": {
"Description": "Obtain the list of currently running processes.\r\nOptionally, information about open sockets, handles and loaded DLLs can be included.\r\nCerberus Stage One analysis verifies digital signatures of the processes and performs a risk assessment of known system calls assigning an aggregate score.\r\nThe filter field limits the results to processes that match the given text in any column.",
"TimeoutSeconds": 0,
"WizardOverridePassword": false,
"ImpersonationUser": null,
"ResultColumns": [
"__detail",
"PID",
"Parent PID",
"Name",
"User",
"MD5",
"SHA1",
"Path",
"Start Time",
"Working Directory",
"Command Line",
"Is Hidden"
],
"Priority": null,
"Platform": [
"windows32",
"windows64"
],
"ImpersonationPassword": null,
"Command": "Volatile.bat sockets {[T:B,V:true]Include Sockets} handles {[T:B,V:true]Include Handles} dlls {[T:B,V:true]Include DLLs} injected {[T:B,?]Check for injected DLLs} jam {[T:B,?]Perform Cerberus Stage 1 Analysis (approximately 5 seconds per process)} filter {[T:T,?] Filter}",
"Questions": [
{
"answer": "true",
"question": "Include Sockets",
"inputType": "checkbox",
"isOptional": false,
"paramNumber": 1
},
{
"answer": "true",
"question": "Include Handles",
"inputType": "checkbox",
"isOptional": false,
"paramNumber": 2
},
{
"answer": "true",
"question": "Include DLLs",
"inputType": "checkbox",
"isOptional": false,
"paramNumber": 3
},
{
"answer": "false",
"question": "Check for injected DLLs",
"inputType": "checkbox",
"isOptional": true,
"paramNumber": 4
},
{
"answer": "false",
"question": "Perform Cerberus Stage 1 Analysis (approximately 5 seconds per process)",
"inputType": "checkbox",
"isOptional": true,
"paramNumber": 5
},
{
"answer": null,
"question": " Filter",
"inputType": "text",
"isOptional": true,
"paramNumber": 6
}
],
"ID": "2d32a530-0716-4542-afdc-8da3bd47d8bf",
"Name": "Process List"
}
}
Human Readable Output

Fidelis Endpoint script manifest

Field | Value
ID | 2d32a530-0716-4542-afdc-8da3bd47d8bf
Name | Process List
Description | Obtain the list of currently running processes. Optionally, information about open sockets, handles and loaded DLLs can be included. Cerberus Stage One analysis verifies digital signatures of the processes and performs a risk assessment of known system calls assigning an aggregate score. The filter field limits the results to processes that match the given text in any column.
Platform | windows32, windows64
Command | Volatile.bat sockets {[T:B,V:true]Include Sockets} handles {[T:B,V:true]Include Handles} dlls {[T:B,V:true]Include DLLs} injected {[T:B,?]Check for injected DLLs} jam {[T:B,?]Perform Cerberus Stage 1 Analysis (approximately 5 seconds per process)} filter {[T:T,?] Filter}
Questions | {'paramNumber': 1, 'question': 'Include Sockets', 'answer': 'true', 'isOptional': False, 'inputType': 'checkbox'},
            {'paramNumber': 2, 'question': 'Include Handles', 'answer': 'true', 'isOptional': False, 'inputType': 'checkbox'},
            {'paramNumber': 3, 'question': 'Include DLLs', 'answer': 'true', 'isOptional': False, 'inputType': 'checkbox'},
            {'paramNumber': 4, 'question': 'Check for injected DLLs', 'answer': 'false', 'isOptional': True, 'inputType': 'checkbox'},
            {'paramNumber': 5, 'question': 'Perform Cerberus Stage 1 Analysis (approximately 5 seconds per process)', 'answer': 'false', 'isOptional': True, 'inputType': 'checkbox'},
            {'paramNumber': 6, 'question': ' Filter', 'answer': None, 'isOptional': True, 'inputType': 'text'}
TimeoutSeconds | 0
ResultColumns | __detail, PID, Parent PID, Name, User, MD5, SHA1, Path, Start Time, Working Directory, Command Line, Is Hidden
WizardOverridePassword | false
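The manifest's Command template encodes each question as a placeholder, and the answers an operator supplies to execute-script must satisfy that list. The following Python is an added example, not code from the integration: it rebuilds the Questions list from the template and validates a set of answers before a job is submitted. The placeholder grammar (T:B/T:T for the type, V: for a default, ? for optional) is inferred from this one sample manifest, not taken from Fidelis documentation.

```python
import re
from typing import Any, Dict, List, Optional

# One placeholder in a manifest Command template, e.g. "{[T:B,V:true]Include Sockets}"
# or "{[T:T,?] Filter}". Grammar inferred from the sample manifest (an assumption):
#   T:B / T:T  parameter type: B = boolean (checkbox), T = free text
#   V:<value>  default value; the parameter is required
#   ?          no default; the parameter is optional
PLACEHOLDER = re.compile(r"\{\[(?P<spec>[^\]]*)\](?P<question>[^}]*)\}")
INPUT_TYPES = {"B": "checkbox", "T": "text"}

# Command template copied from the script manifest above.
SAMPLE_COMMAND = (
    "Volatile.bat sockets {[T:B,V:true]Include Sockets} handles {[T:B,V:true]Include Handles} "
    "dlls {[T:B,V:true]Include DLLs} injected {[T:B,?]Check for injected DLLs} "
    "jam {[T:B,?]Perform Cerberus Stage 1 Analysis (approximately 5 seconds per process)} "
    "filter {[T:T,?] Filter}"
)


def parse_manifest_command(command: str) -> List[Dict[str, Any]]:
    """Rebuild the manifest's Questions list from its Command template."""
    questions = []
    for number, match in enumerate(PLACEHOLDER.finditer(command), start=1):
        ptype: Optional[str] = None
        default: Optional[str] = None
        optional = False
        for item in match.group("spec").split(","):
            if item.startswith("T:"):
                ptype = item[2:]
            elif item.startswith("V:"):
                default = item[2:]
            elif item == "?":
                optional = True
        if ptype not in INPUT_TYPES:
            raise ValueError(f"unknown parameter type in {match.group(0)!r}")
        if optional and default is None and ptype == "B":
            default = "false"  # an optional checkbox is unchecked by default in the sample
        questions.append({
            "paramNumber": number,
            "question": match.group("question"),  # keeps the leading space of " Filter"
            "answer": default,
            "isOptional": optional,
            "inputType": INPUT_TYPES[ptype],
        })
    return questions


def resolve_answers(questions: List[Dict[str, Any]],
                    answers: Dict[str, Optional[str]]) -> List[Optional[str]]:
    """Merge operator answers (keyed by question text) into the manifest defaults.
    Rejects a job whose required answers are missing or whose checkbox values are
    not "true"/"false". Returns the answers in paramNumber order."""
    resolved = []
    for q in sorted(questions, key=lambda q: q["paramNumber"]):
        label = q["question"].strip()
        value = answers.get(label, q["answer"])
        if value is None:
            if not q["isOptional"]:
                raise ValueError(f"missing required answer for {label!r}")
        elif q["inputType"] == "checkbox" and value not in ("true", "false"):
            raise ValueError(f"checkbox {label!r} must be true/false, got {value!r}")
        resolved.append(value)
    return resolved


if __name__ == "__main__":
    qs = parse_manifest_command(SAMPLE_COMMAND)
    for q in qs:
        print(q)
    print(resolve_answers(qs, {"Check for injected DLLs": "true", "Filter": "svchost"}))
```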

10. fidelis-endpoint-list-processes


Gets a list of all processes running on the endpoint, according to its operating system.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-list-processes

Input
Argument Name | Description | Required
endpoint_ip | The endpoint IP. Get the endpoint IP from the host-info command. | Optional
operating_system | The system OS. Can be "Windows", "Linux", or "macOS". | Required
time_out | Script timeout in seconds. The default is 300. | Optional
endpoint_name | The endpoint name. | Optional
Context Output
Path | Type | Description
FidelisEndpoint.Process.JobID | String | Job ID.
FidelisEndpoint.Process.ID | String | Script ID.
Command Example

!fidelis-endpoint-list-processes operating_system=Windows endpoint_ip=2.2.2.2

Context Example
{
"FidelisEndpoint.Process": {
"ID": "2d32a530-0716-4542-afdc-8da3bd47d8bf",
"JobID": "71c6be70-fa49-40ba-8d0a-ab8a02118a19"
}
}
Human Readable Output

The job has been executed successfully. Job ID: 71c6be70-fa49-40ba-8d0a-ab8a02118a19

11. fidelis-endpoint-get-script-result


Gets script job results.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-get-script-result

Input
Argument Name | Description | Required
job_id | The script execution job ID. Get the ID from the following commands: script-execution, file-search, list-processes, kill-process-by-pid, delete-file, network-isolation, remove-network-isolation. | Required
Context Output
Path | Type | Description
FidelisEndpoint.ScriptResult.EndpointName | String | Endpoint name.
FidelisEndpoint.ScriptResult.ParentPID | String | Parent process ID.
FidelisEndpoint.ScriptResult.Path | String | File path.
FidelisEndpoint.ScriptResult.SHA1 | String | File SHA1 hash.
FidelisEndpoint.ScriptResult.PID | String | Process ID.
FidelisEndpoint.ScriptResult.Name | String | Process name.
FidelisEndpoint.ScriptResult.User | String | Script user.
FidelisEndpoint.ScriptResult.StartTime | Date | Script start time.
FidelisEndpoint.ScriptResult.EndpointID | String | Endpoint ID.
FidelisEndpoint.ScriptResult.Matches | Number | Script matches.
FidelisEndpoint.ScriptResult.IsHidden | String | Whether the endpoint is hidden.
FidelisEndpoint.ScriptResult.GroupID | String | Group ID.
FidelisEndpoint.ScriptResult.Tags | String | Script tags.
FidelisEndpoint.ScriptResult.ID | String | Script result ID.
FidelisEndpoint.ScriptResult.WorkingDirectory | String | Working directory.
FidelisEndpoint.ScriptResult.MD5 | String | File MD5 hash.
FidelisEndpoint.ScriptResult.CommandLine | String | Command line.
Command Example

!fidelis-endpoint-get-script-result job_id=fc94568c-9a15-4fa2-af08-ab8a01f5e86c

Context Example
{
"FidelisEndpoint.ScriptResult": [
{
"SHA1": "0000000000000000000000000000000000000000",
"Name": "System",
"ParentPID": "0",
"Tags": [],
"Matches": 0,
"CommandLine": "",
"PID": "4",
"GroupID": "9F4354C1CEB3B925ADC6A6286FF5A23F7CF9D7B0",
"StartTime": "N/A",
"EndpointName": "fidelis-endpoint-winserver2019",
"User": "",
"EndpointID": "3494cb0f-67ba-41bc-9190-ab5d015dd57c",
"WorkingDirectory": "",
"Path": "",
"IsHidden": "false",
"ID": "7086ab52f0725e547095ff779e30153ae6088ccc",
"MD5": "00000000000000000000000000000000"
},
{
"SHA1": "0000000000000000000000000000000000000000",
"Name": "registry.exe",
"ParentPID": "4",
"Tags": [],
"Matches": 0,
"CommandLine": "",
"PID": "84",
"GroupID": "CE47F839D8D87C334A503491A4D60CDA15295071",
"StartTime": "N/A",
"EndpointName": "fidelis-endpoint-winserver2019",
"User": "",
"EndpointID": "3494cb0f-67ba-41bc-9190-ab5d015dd57c",
"WorkingDirectory": "",
"Path": "",
"IsHidden": "false",
"ID": "11ea7715d36598d0bc0aaa97ee3e95c26d293f4b",
"MD5": "00000000000000000000000000000000"
},
{
"SHA1": "0FA1562A56219B1FC005E24AC1D866F6E1AE7902",
"Name": "smss.exe",
"ParentPID": "4",
"Tags": [],
"Matches": 0,
"CommandLine": "",
"PID": "264",
"GroupID": "82D6263B1B8CDA7C62591267E414CA9E56BF603A",
"StartTime": "N/A",
"EndpointName": "fidelis-endpoint-winserver2019",
"User": "",
"EndpointID": "3494cb0f-67ba-41bc-9190-ab5d015dd57c",
"WorkingDirectory": "",
"Path": "C:\\Windows\\System32\\smss.exe",
"IsHidden": "false",
"ID": "863637a177dee43dfbcb0b479db1e5ec885d70e8",
"MD5": "2855A7D96CF37DF1960A6D8828A614CB"
},
{
"SHA1": "A04607D0B11D30B0CDB36739077E7F1B6C7D1FAE",
"Name": "protect.exe",
"ParentPID": "576",
"Tags": [],
"Matches": 0,
"CommandLine": "\"C:\\Program Files\\Fidelis\\Endpoint\\Platform\\services\\protect\\protect.exe\" -s",
"PID": "272",
"GroupID": "5D5334D2A0405C72C967B4D784E27AD222E7BDD9",
"StartTime": "2020-03-26T04:04:22.855396",
"EndpointName": "fidelis-endpoint-winserver2019",
"User": "SYSTEM",
"EndpointID": "3494cb0f-67ba-41bc-9190-ab5d015dd57c",
"WorkingDirectory": "C:\\Windows\\system32\\",
"Path": "C:\\Program Files\\Fidelis\\Endpoint\\Platform\\services\\protect\\protect.exe",
"IsHidden": "false",
"ID": "4a598df8817b12552d3a485e23dac7f911536a5a",
"MD5": "40A35E6DC3ADE3F5CAA79A4C15CCF37C"
},
{
"SHA1": "A1385CE20AD79F55DF235EFFD9780C31442AA123",
"Name": "svchost.exe",
"ParentPID": "576",
"Tags": [],
"Matches": 0,
"CommandLine": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService",
"PID": "304",
"GroupID": "8C6F410CBCE4C937FC8ED920462AD47CA49FCE0C",
"StartTime": "2020-03-12T03:58:08.237101",
"EndpointName": "fidelis-endpoint-winserver2019",
"User": "SYSTEM",
"EndpointID": "3494cb0f-67ba-41bc-9190-ab5d015dd57c",
"WorkingDirectory": "C:\\Windows\\system32\\",
"Path": "C:\\Windows\\System32\\svchost.exe",
"IsHidden": "false",
"ID": "1d807600d7deef1f26d16ddc28ae6ca4ca656202",
"MD5": "3A0A29438052FAED8A2532DA50455876"
}
]
}
Human Readable Output

Fidelis Endpoint script job results

ID | Name | EndpointID | EndpointName | PID | User | SHA1 | MD5 | Path | WorkingDirectory | StartTime
7086ab52f0725e547095ff779e30153ae6088ccc | System | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 4 |  | 0000000000000000000000000000000000000000 | 00000000000000000000000000000000 |  |  | N/A
11ea7715d36598d0bc0aaa97ee3e95c26d293f4b | registry.exe | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 84 |  | 0000000000000000000000000000000000000000 | 00000000000000000000000000000000 |  |  | N/A
863637a177dee43dfbcb0b479db1e5ec885d70e8 | smss.exe | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 264 |  | 0FA1562A56219B1FC002E24AC8D866F6E1AE7902 | 2755A7D96CF37DF1960A6D8828A614CB | C:\Windows\System32\smss.exe |  | N/A
4a598df8817b12552d3a485e23dac7f911536a5a | protect.exe | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 272 | SYSTEM | A04607D0B11D30B0CDB36739088E8F1B6C7D1FAE | 40A35E6DC3ADE3F5CAA79A4C15CCF37C | C:\Program Files\Fidelis\Endpoint\Platform\services\protect\protect.exe | C:\Windows\system32\ | 2020-03-26T04:04:22.855396
1d807600d7deef1f26d16ddc28ae6ca4ca656202 | svchost.exe | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 304 | SYSTEM | A1385CE20AD79F55DF235EFFD9780C31442AA234 | 8a0a29438052faed8a2532da50451234 | C:\Windows\System32\svchost.exe | C:\Windows\system32\ | 2020-03-12T03:58:08.237101
b52743f524304f61a076feb040426c2931921adf | svchost.exe | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 364 | LOCAL SERVICE | A1385CE20AD79F55DF235EFFD9780C31442AA234 | 8a0a29438052faed8a2532da50451234 | C:\Windows\System32\svchost.exe | C:\Windows\system32\ | 2020-03-12T03:58:08.526584
63cf4746e5a634fdb2ae8c9f4feca6b49377f1af | csrss.exe | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 372 |  | 779B8AFC3FA2528B090F400EF3D592E0E2775955 | 7D64128BC1EECE41196858897596EBC8 | C:\Windows\System32\csrss.exe |  | N/A
27e4f8301c0ce8d0dbe449561c0aae59a2fece82 | svchost.exe | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 440 | LOCAL SERVICE | A1385CE20AD79F55DF235EFFD9780C31442AA234 | 8a0a29438052faed8a2532da50451234 | C:\Windows\system32\svchost.exe | C:\Windows\system32\ | 2020-03-12T03:58:08.540947
d81492c785d46ab06e001d5fed4f8d5e491b02b5 | svchost.exe | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 444 | LOCAL SERVICE | A1385CE20AD79F55DF235EFFD9780C31442AA234 | 8a0a29438052faed8a2532da50451234 | C:\Windows\system32\svchost.exe | C:\Windows\system32\ | 2020-03-12T03:58:08.526589
f211cdabce3ea5a029ad2a63b803a9962e63af96 | wininit.exe | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 448 |  | 389E257A924EA521E830C31712494D33B38841A8 | 4E20895E641F2C3E68AB3DB91A1A16F1 | C:\Windows\System32\wininit.exe |  | N/A
395b84b288830e96cf91fa20f7c399d8a21f2d8f | csrss.exe | 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 456 |  | 779B8AFC3FA2528B090F400EF3D592E0E2775955 | 7D64128BC1EECE41196858897596EBC8 | C:\Windows\System32\csrss.exe |  | N/A

12. fidelis-endpoint-kill-process


Terminates the process that matches the required parameter's process ID.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-kill-process

Input
Argument Name | Description | Required
endpoint_ip | The endpoint IP address. | Optional
time_out | Script timeout (in seconds). The default is 300. | Optional
operating_system | System OS. Can be "Windows", "Linux", or "macOS". | Required
pid | Process ID. Get the PID from the script-manifest command. | Required
endpoint_name | The name of the endpoint. | Optional
Context Output
Path | Type | Description
FidelisEndpoint.Process.JobID | String | Script job ID.
FidelisEndpoint.Process.ID | String | Script ID.
Command Example

!fidelis-endpoint-kill-process operating_system=Windows pid=516 endpoint_ip=2.2.2.2

Context Example
{
"FidelisEndpoint.Process": {
"ID": "8d379688-dde1-451d-8fa2-4f29c84baf97",
"JobID": "25548787-e75c-4c55-96d5-ab8a0211a820"
}
}
Human Readable Output

The job has been executed successfully. Job ID: 25548787-e75c-4c55-96d5-ab8a0211a820

13. fidelis-endpoint-delete-file


Deletes a file at the specified path.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-delete-file

Input
Argument Name | Description | Required
endpoint_ip | Endpoint IP address. | Optional
time_out | Script timeout (in seconds). The default is 300. | Optional
operating_system | System OS. Can be "Windows", "Linux", or "macOS". | Required
file_path | The path of the file to delete. | Required
endpoint_name | The name of the endpoint. | Optional
Context Output
Path | Type | Description
FidelisEndpoint.Script.ID | String | Script ID.
FidelisEndpoint.Script.JobID | String | Script job ID.
Command Example

!fidelis-endpoint-delete-file file_path=c:\\Users\\admin\\Documents\\test.txt operating_system=Windows endpoint_ip=2.2.2.2

Human Readable Output

The job has been executed successfully. Job ID: 4317e979-81df-46d8-8eb1-ab8a023ef4d8

14. fidelis-endpoint-isolate-network


Quarantines an endpoint. While isolated, the endpoint's network communication is restricted to only the allowed servers.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-isolate-network

Input
Argument Name | Description | Required
endpoint_ip | The endpoint IP address to isolate. | Optional
time_out | Script timeout (in seconds). The default is 300. | Optional
operating_system | The system OS. Can be "Windows", "Linux", or "macOS". | Required
allowed_server | The server IP address that can communicate with the isolated endpoint. For example: 2.2.2.2. | Required
endpoint_name | The name of the endpoint. | Optional
Context Output
Path | Type | Description
FidelisEndpoint.Isolation.ID | String | Script ID.
FidelisEndpoint.Isolation.JobID | String | Script job ID.
Command Example

!fidelis-endpoint-isolate-network operating_system=Windows allowed_server=10.10.10.10 endpoint_ip=10.10.0.1

Human Readable Output

The job has been executed successfully. Job ID: f25691bd-ba78-4f40-9a25-ab8a02420abc

15. fidelis-endpoint-remove-network-isolation


Removes the endpoint from isolation.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-remove-network-isolation

Input
Argument Name | Description | Required
endpoint_ip | The isolated endpoint IP address. | Optional
time_out | Script timeout (in seconds). The default is 300. | Optional
operating_system | System OS. Can be "Windows", "Linux", or "macOS". | Required
endpoint_name | The name of the endpoint. | Optional
Context Output
Path | Type | Description
FidelisEndpoint.Isolation.ID | String | Script ID.
FidelisEndpoint.Isolation.JobID | String | Script job ID.
Command Example

!fidelis-endpoint-remove-network-isolation operating_system=Windows endpoint_ip=10.128.0.1

Human Readable Output

The job has been executed successfully. Job ID: 7a0a3179-3bce-43d1-80c0-ab8a0242d147

16. fidelis-endpoint-script-job-status


Gets the script execution status.

Required Permissions

The required permissions: Scripts, View Executables, View Task Results

Base Command

fidelis-endpoint-script-job-status

Input
Argument Name | Description | Required
job_result_id | The script execution job result ID. Get the ID from the following commands: script-execution, file-search, list-processes, kill-process-by-pid, delete-file, network-isolation, remove-network-isolation. | Required
Context Output
Path | Type | Description
FidelisEndpoint.ScriptResult.JobName | String | The job name.
FidelisEndpoint.ScriptResult.JobResultID | String | Job result ID.
FidelisEndpoint.ScriptResult.Name | String | Target name.
FidelisEndpoint.ScriptResult.Status | String | Script execution status.
Command Example

!fidelis-endpoint-script-job-status job_result_id=fc94568c-9a15-4fa2-af08-ab8a01f5e86c

Context Example
{
"FidelisEndpoint.ScriptResult": [
{
"Status": "Completed",
"Name": "fidelis-endpoint-winserver2019",
"JobResultID": "fc94568c-9a15-4fa2-af08-ab8a01f5e86c",
"JobName": "Process List-03-26-2020 9.08.12"
}
]
}
Human Readable Output

Fidelis Endpoint script job status

JobName | JobResultID | Name | Status
Process List-03-26-2020 9.08.12 | fc94568c-9a15-4fa2-af08-ab8a01f5e86c | fidelis-endpoint-winserver2019 | Completed
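list-processes (start the job), script-job-status (poll it) and get-script-result (fetch the rows) form one workflow. The following Python is an added example, not code from the integration: it drives that workflow through a `run(command, args)` callable, an assumed stand-in for XSOAR's demisto.executeCommand, with a fake runner built from this page's sample outputs, and then walks the ParentPID links of the result. The "Pending" status string is an assumption (the page shows only "Completed"); passing the same JobID as both job_result_id and job_id follows the page's own examples.

```python
from typing import Any, Callable, Dict, List

# Hypothetical command runner: takes the integration command name and its
# arguments, returns that command's context output as a dict.
Runner = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def collect_process_list(run: Runner, operating_system: str, endpoint_ip: str,
                         max_polls: int = 30,
                         sleep: Callable[[], None] = lambda: None) -> List[Dict[str, Any]]:
    """Start a Process List job, poll until every target reports Completed,
    then fetch the rows. Pass e.g. sleep=lambda: time.sleep(10) in real use."""
    started = run("fidelis-endpoint-list-processes",
                  {"operating_system": operating_system, "endpoint_ip": endpoint_ip})
    job_id = started["FidelisEndpoint.Process"]["JobID"]
    for _ in range(max_polls):
        status = run("fidelis-endpoint-script-job-status", {"job_result_id": job_id})
        targets = status.get("FidelisEndpoint.ScriptResult") or []
        if targets and all(t.get("Status") == "Completed" for t in targets):
            break
        sleep()
    else:  # bounded polling: never wait forever on a job that never completes
        raise TimeoutError(f"job {job_id} not completed after {max_polls} polls")
    result = run("fidelis-endpoint-get-script-result", {"job_id": job_id})
    return result.get("FidelisEndpoint.ScriptResult") or []


def ancestry(rows: List[Dict[str, Any]], pid: str) -> List[str]:
    """Follow PID -> ParentPID links in the script result and return the chain of
    process names from `pid` up to the root or to a parent absent from the listing."""
    by_pid = {r["PID"]: r for r in rows}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guards against reused or cyclic PIDs
        chain.append(by_pid[pid]["Name"])
        pid = by_pid[pid]["ParentPID"]
    return chain


# Constructed fake runner: replays the sample outputs from this page.
_POLLS = {"n": 0}
_JOB = "fc94568c-9a15-4fa2-af08-ab8a01f5e86c"


def fake_run(command: str, args: Dict[str, Any]) -> Dict[str, Any]:
    if command == "fidelis-endpoint-list-processes":
        return {"FidelisEndpoint.Process": {"ID": "2d32a530-0716-4542-afdc-8da3bd47d8bf",
                                            "JobID": _JOB}}
    if command == "fidelis-endpoint-script-job-status":
        assert args["job_result_id"] == _JOB
        _POLLS["n"] += 1
        status = "Completed" if _POLLS["n"] > 1 else "Pending"  # first poll still running (assumed status)
        return {"FidelisEndpoint.ScriptResult": [
            {"Status": status, "Name": "fidelis-endpoint-winserver2019",
             "JobResultID": _JOB, "JobName": "Process List-03-26-2020 9.08.12"}]}
    if command == "fidelis-endpoint-get-script-result":
        assert args["job_id"] == _JOB
        return {"FidelisEndpoint.ScriptResult": [
            {"PID": "4", "ParentPID": "0", "Name": "System", "Path": ""},
            {"PID": "84", "ParentPID": "4", "Name": "registry.exe", "Path": ""},
            {"PID": "264", "ParentPID": "4", "Name": "smss.exe",
             "Path": "C:\\Windows\\System32\\smss.exe"},
            {"PID": "272", "ParentPID": "576", "Name": "protect.exe",
             "Path": "C:\\Program Files\\Fidelis\\Endpoint\\Platform\\services\\protect\\protect.exe"},
        ]}
    raise ValueError(f"unexpected command {command!r}")


if __name__ == "__main__":
    rows = collect_process_list(fake_run, "Windows", "2.2.2.2")
    print(len(rows), "processes; smss.exe ancestry:", ancestry(rows, "264"))
```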

17. fidelis-endpoint-execute-script


Executes a script package from Fidelis endpoint packages.

Required Permissions

The required permissions: Scripts, View Executables

Base Command

fidelis-endpoint-execute-script

Input
Argument Name | Description | Required
script_id | Script ID. Get the script ID from the list-scripts command. | Required
time_out | Script timeout (in seconds). The default is 300. | Optional
endpoint_ip | Endpoint IP address on which to run the script. | Optional
answer | The answer to the script's questions. Get the questions from the script-manifest command. | Required
endpoint_name | The name of the endpoint. | Optional
Context Output
Path | Type | Description
FidelisEndpoint.Script.ID | String | Script ID.
FidelisEndpoint.Script.JobID | String | Script job ID.
Command Example

!fidelis-endpoint-execute-script script_id="2d32a530-0716-4542-afdc-8da3bd47d8bf" time_out="300" endpoint_ip="2.2.2.2" answer="true"

Context Example
{
"FidelisEndpoint.Script": {
"ID": "2d32a530-0716-4542-afdc-8da3bd47d8bf",
"JobID": "8ac08ab1-e6f4-4aa1-9784-ab8a02115483"
}
}
Human Readable Output

The job has been executed successfully. Job ID: 8ac08ab1-e6f4-4aa1-9784-ab8a02115483

18. fidelis-endpoint-query-file


Queries a file by file hash.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results.

Base Command

fidelis-endpoint-query-file

Input
Argument Name | Description | Required
start_time | The start time of the event in the system in UTC format. Supported values: "2019-10-21T23:45:00" (date). | Optional
end_time | The end time of the event in the system in UTC format. Supported values: "2019-10-21T23:45:00" (date). | Optional
logic | The logic of the query. Can be "and" or "or". | Required
file_hash | The MD5 file hash to search for. | Required
limit | The maximum number of results to return. The default is 50. | Optional
Context Output
Path | Type | Description
FidelisEndpoint.Query.ProcessStartTime | Date | The process start time.
FidelisEndpoint.Query.EndpointName | String | Endpoint name.
FidelisEndpoint.Query.CertificateSubjectName | String | Certificate subject name.
FidelisEndpoint.Query.Size | Number | File size.
FidelisEndpoint.Query.FileExtension | String | File extension.
FidelisEndpoint.Query.Path | String | File path.
FidelisEndpoint.Query.CertificatePublisher | String | Certificate publisher.
FidelisEndpoint.Query.ParentID | String | Process parent ID.
FidelisEndpoint.Query.EventTime | Date | Event time.
FidelisEndpoint.Query.SignedTime | Date | Signed time.
FidelisEndpoint.Query.Name | String | File name.
FidelisEndpoint.Query.TargetID | String | Target ID.
FidelisEndpoint.Query.Hash | String | File hash.
FidelisEndpoint.Query.StartTime | Date | Event start time.
FidelisEndpoint.Query.HashSHA1 | String | File SHA1 hash.
FidelisEndpoint.Query.EventType | Number | Event type.
FidelisEndpoint.Query.HashSHA256 | String | File SHA256 hash.
FidelisEndpoint.Query.ParentName | String | Process parent name.
FidelisEndpoint.Query.FileType | Number | File type.
FidelisEndpoint.Query.Signature | Number | File signature.
FidelisEndpoint.Query.EventIndex | Number | Event index.
FidelisEndpoint.Query.FileCategory | Number | File category.
FidelisEndpoint.Query.CertificateIssuerName | String | Certificate issuer name.
FidelisEndpoint.Query.FileVersion | String | File version.
FidelisEndpoint.Query.IndexingTime | Date | Indexing time.
FidelisEndpoint.Query.EntityType | Number | Entity type.
File.Name | String | The full file name (including file extension).
File.Size | Number | The size of the file in bytes.
File.MD5 | String | The MD5 hash of the file.
File.Extension | String | The file extension, for example: "txt".
File.Type | Number | The file type, as determined by libmagic (same as displayed in file entries).
File.Path | String | The path where the file is located.
File.Hostname | String | The name of the host where the file was found.
File.SHA1 | String | The SHA1 hash of the file.
File.SHA256 | String | The SHA256 hash of the file.
File.FileVersion | String | The file version.
Command Example

!fidelis-endpoint-query-file logic="and" file_hash="8a0a29438052faed8a2532da50451234"

Context Example
{
"FidelisEndpoint.Query": [
{
"EntityType": 1,
"TargetID": "aW9qfAMZ5a3",
"StartTime": "2020-03-26T09:02:26.511Z",
"FileExtension": "exe",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)",
"ProcessStartTime": "2020-03-26T09:02:26.511Z",
"IndexingTime": "2020-03-26T09:06:31.958Z",
"CertificateSubjectName": "Microsoft Windows Publisher",
"EventType": 2,
"ParentName": "svchost.exe",
"HashSHA1": "a1385ce20ad79f55df235effd9780c31442aa456",
"SignedTime": "1:29 9/15/2018",
"EventIndex": 1,
"Path": "C:\\Windows\\System32\\svchost.exe",
"EventTime": "2020-03-26T09:02:26.511Z",
"Name": "svchost.exe",
"CertificatePublisher": "Microsoft Corporation",
"FileType": "8",
"HashSHA256": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020565ab6",
"EndpointName": "fidelis-endpoint-winserver2019",
"Signature": "16",
"Hash": "8a0a29438052faed8a2532da50455456",
"FileCategory": "776",
"ParentID": "rSdnlXD7OX6",
"CertificateIssuerName": "Microsoft Windows Production PCA 2011",
"Size": 51696
},
{
"EntityType": 1,
"TargetID": "aW9qfAMZ5a3",
"StartTime": "2020-03-26T08:02:26.197Z",
"FileExtension": "exe",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)",
"ProcessStartTime": "2020-03-26T08:02:26.197Z",
"IndexingTime": "2020-03-26T08:05:00.035Z",
"CertificateSubjectName": "Microsoft Windows Publisher",
"EventType": 2,
"ParentName": "svchost.exe",
"HashSHA1": "a1385ce20ad79f55df235effd9780c31442aa456",
"SignedTime": "1:29 9/15/2018",
"EventIndex": 1,
"Path": "C:\\Windows\\System32\\svchost.exe",
"EventTime": "2020-03-26T08:02:26.197Z",
"Name": "svchost.exe",
"CertificatePublisher": "Microsoft Corporation",
"FileType": "8",
"HashSHA256": "7fd065bac18c1234777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"EndpointName": "fidelis-endpoint-winserver2019",
"Signature": "16",
"Hash": "8a0a29438052faed8a2532da12355756",
"FileCategory": "776",
"ParentID": "m31v1MqQ6",
"CertificateIssuerName": "Microsoft Windows Production PCA 2011",
"Size": 51696
},
{
"EntityType": 1,
"TargetID": "aW9qfAMZ5a3",
"StartTime": "2020-03-26T07:02:25.887Z",
"FileExtension": "exe",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)",
"ProcessStartTime": "2020-03-26T07:02:25.887Z",
"IndexingTime": "2020-03-26T07:08:28.331Z",
"CertificateSubjectName": "Microsoft Windows Publisher",
"EventType": 2,
"ParentName": "svchost.exe",
"HashSHA1": "a1385ce20ad79f55df235effd9780c31442aa456",
"SignedTime": "1:29 9/15/2018",
"EventIndex": 1,
"Path": "C:\\Windows\\System32\\svchost.exe",
"EventTime": "2020-03-26T07:02:25.887Z",
"Name": "svchost.exe",
"CertificatePublisher": "Microsoft Corporation",
"FileType": "8",
"HashSHA256": "7fd065bac18c5123777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"EndpointName": "fidelis-endpoint-winserver2019",
"Signature": "16",
"Hash": "8a0a29438052faed8a2532da50455123",
"FileCategory": "776",
"ParentID": "fmz4un6Qzfd",
"CertificateIssuerName": "Microsoft Windows Production PCA 2011",
"Size": 51696
},
{
"EntityType": 1,
"TargetID": "aW9qfAMZ5a3",
"StartTime": "2020-03-26T06:15:07.125Z",
"FileExtension": "exe",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)",
"ProcessStartTime": "2020-03-26T06:15:07.125Z",
"IndexingTime": "2020-03-26T06:20:26.814Z",
"CertificateSubjectName": "Microsoft Windows Publisher",
"EventType": 2,
"ParentName": "svchost.exe",
"HashSHA1": "a1385ce20ad79f55df235effd9780c31442aa456",
"SignedTime": "1:29 9/15/2018",
"EventIndex": 1,
"Path": "C:\\Windows\\System32\\svchost.exe",
"EventTime": "2020-03-26T06:15:07.125Z",
"Name": "svchost.exe",
"CertificatePublisher": "Microsoft Corporation",
"FileType": "8",
"HashSHA256": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"EndpointName": "fidelis-endpoint-winserver2019",
"Signature": "16",
"Hash": "8a0a29438052faed8a2532da50455123",
"FileCategory": "776",
"ParentID": "fS3SPnQU5Xe",
"CertificateIssuerName": "Microsoft Windows Production PCA 2011",
"Size": 51696
},
{
"EntityType": 1,
"TargetID": "aW9qfAMZ5a3",
"StartTime": "2020-03-26T06:02:25.581Z",
"FileExtension": "exe",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)",
"ProcessStartTime": "2020-03-26T06:02:25.581Z",
"IndexingTime": "2020-03-26T06:05:26.740Z",
"CertificateSubjectName": "Microsoft Windows Publisher",
"EventType": 2,
"ParentName": "svchost.exe",
"HashSHA1": "a1385ce20ad79f55df235effd9780c31442aa456",
"SignedTime": "1:29 9/15/2018",
"EventIndex": 1,
"Path": "C:\\Windows\\System32\\svchost.exe",
"EventTime": "2020-03-26T06:02:25.581Z",
"Name": "svchost.exe",
"CertificatePublisher": "Microsoft Corporation",
"FileType": "8",
"HashSHA256": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020232cb6",
"EndpointName": "fidelis-endpoint-winserver2019",
"Signature": "16",
"Hash": "8a0a29438052faed8a2532da50455123",
"FileCategory": "776",
"ParentID": "s8Iu12ulYKh",
"CertificateIssuerName": "Microsoft Windows Production PCA 2011",
"Size": 51696
}
],
"File": [
{
"SHA1": "a1385ce20ad79f55df235effd9780c31442aa456",
"SHA256": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020232cb6",
"Name": "svchost.exe",
"Extension": "exe",
"Hostname": "fidelis-endpoint-winserver2019",
"Size": 51696,
"Path": "C:\\Windows\\System32\\svchost.exe",
"MD5": "8a0a29438052faed8a2532da50451234",
"Type": "8",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)"
},
{
"SHA1": "a1385ce20ad79f55df235effd9780c31442aa234",
"SHA256": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"Name": "svchost.exe",
"Extension": "exe",
"Hostname": "fidelis-endpoint-winserver2019",
"Size": 51696,
"Path": "C:\\Windows\\System32\\svchost.exe",
"MD5": "8a0a23438052faed8a2532da50455756",
"Type": "8",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)"
},
{
"SHA1": "a1385ce20ad79f55df235effd9780c31442aa234",
"SHA256": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"Name": "svchost.exe",
"Extension": "exe",
"Hostname": "fidelis-endpoint-winserver2019",
"Size": 51696,
"Path": "C:\\Windows\\System32\\svchost.exe",
"MD5": "8a0a29438052faed8a2532da50451234",
"Type": "8",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)"
},
{
"SHA1": "a1385ce20ad79f55df235effd9780c31442aa234",
"SHA256": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"Name": "svchost.exe",
"Extension": "exe",
"Hostname": "fidelis-endpoint-winserver2019",
"Size": 51696,
"Path": "C:\\Windows\\System32\\svchost.exe",
"MD5": "8a0a29438052faed8a2532da50451234",
"Type": "8",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)"
},
{
"SHA1": "a1385ce20ad79f55df235effd9780c31442aa234",
"SHA256": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"Name": "svchost.exe",
"Extension": "exe",
"Hostname": "fidelis-endpoint-winserver2019",
"Size": 51696,
"Path": "C:\\Windows\\System32\\svchost.exe",
"MD5": "8a0a29438052faed8a2532da50451234",
"Type": "8",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)"
}
]
}
Human Readable Output

Fidelis Endpoint file hash query results

EndpointName | Name | Path | Hash | ProcessStartTime | ParentName | EventType
fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | 8a0a29438052faed8a2532da50451234 | 2020-03-26T09:02:26.511Z | svchost.exe | 2
fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | 8a0a29438052faed8a2532da50451234 | 2020-03-26T08:02:26.197Z | svchost.exe | 2
fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | 8a0a29438052faed8a2532da50451234 | 2020-03-26T07:02:25.887Z | svchost.exe | 2
fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | 8a0a29438052faed8a2532da50451234 | 2020-03-26T06:15:07.125Z | svchost.exe | 2
fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | 8a0a29438052faed8a2532da50451234 | 2020-03-26T06:02:25.581Z | svchost.exe | 2
fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | 8a0a29438052faed8a2532da50451234 | 2020-03-26T05:02:25.266Z | svchost.exe | 2
fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | 8a0a29438052faed8a2532da50451234 | 2020-03-26T04:54:08.244Z | svchost.exe | 2

19. fidelis-endpoint-query-process


Queries process events by process name.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-query-process

Input
Argument Name | Description | Required
start_time | The start time of the event in the system in UTC format. Supported values: "2019-10-21T23:45:00" (date). | Optional
end_time | The end time of the event in the system in UTC format. Supported values: "2019-10-21T23:45:00" (date). | Optional
logic | The logic of the query. Can be "and" or "or". | Required
process_name | The process name to query. | Required
limit | The maximum number of results to return. The default is 50. | Optional
Context Output
Path | Type | Description
FidelisEndpoint.Query.ProcessStartTime | String | Process start time.
FidelisEndpoint.Query.EndpointName | String | Endpoint name.
FidelisEndpoint.Query.Path | String | The path of the process.
FidelisEndpoint.Query.ParentID | String | Process parent ID.
FidelisEndpoint.Query.EventTime | Date | Event time.
FidelisEndpoint.Query.PID | String | Process ID.
FidelisEndpoint.Query.Name | String | Process name.
FidelisEndpoint.Query.User | String | The user of the system.
FidelisEndpoint.Query.TargetID | String | Process target ID.
FidelisEndpoint.Query.Hash | String | File hash.
FidelisEndpoint.Query.StartTime | Date | Process start time.
FidelisEndpoint.Query.EventType | Number | Event type.
FidelisEndpoint.Query.ParentName | String | Process parent name.
FidelisEndpoint.Query.IndexingTime | Date | Indexing time.
FidelisEndpoint.Query.EntityType | Number | Entity type.
Command Example

!fidelis-endpoint-query-process logic="and" process_name="svchost.exe"

Context Example
{
"FidelisEndpoint.Query": [
{
"EsDocumentType": "processlog",
"EventTime": "2020-03-26T09:02:26.511Z",
"IndexingTime": "2020-03-26T09:06:31.958Z",
"Hash": "8a0a29438052faed8a2532da50451234",
"Name": "svchost.exe",
"ParentName": "services.exe",
"EsIndex": "eh_20200326_1585180800000_0",
"EventType": 0,
"TargetID": "rSdnlXD7OX6",
"EntityType": 0,
"PID": 4432,
"ProcessStartTime": "2020-03-26T09:02:26.511Z",
"EndpointName": "fidelis-endpoint-winserver2019",
"User": "NT AUTHORITY\\SYSTEM",
"StartTime": "2020-03-26T09:02:26.511Z",
"ParentID": "TG9An342Ym8",
"Path": "C:\\Windows\\System32\\svchost.exe"
},
{
"EsDocumentType": "processlog",
"EventTime": "2020-03-26T08:02:26.197Z",
"IndexingTime": "2020-03-26T08:05:00.035Z",
"Hash": "8a0a29438052faed8a2532da50451234",
"Name": "svchost.exe",
"ParentName": "services.exe",
"EsIndex": "eh_20200326_1585180800000_0",
"EventType": 0,
"TargetID": "m31v1MqQ6",
"EntityType": 0,
"PID": 2084,
"ProcessStartTime": "2020-03-26T08:02:26.197Z",
"EndpointName": "fidelis-endpoint-winserver2019",
"User": "NT AUTHORITY\\SYSTEM",
"StartTime": "2020-03-26T08:02:26.197Z",
"ParentID": "TG9An342Ym8",
"Path": "C:\\Windows\\System32\\svchost.exe"
},
{
"EsDocumentType": "processlog",
"EventTime": "2020-03-26T07:02:25.887Z",
"IndexingTime": "2020-03-26T07:08:28.331Z",
"Hash": "8a0a29438052faed8a2532da50451234",
"Name": "svchost.exe",
"ParentName": "services.exe",
"EsIndex": "eh_20200326_1585180800000_0",
"EventType": 0,
"TargetID": "fmz4un6Qzfd",
"EntityType": 0,
"PID": 1972,
"ProcessStartTime": "2020-03-26T07:02:25.887Z",
"EndpointName": "fidelis-endpoint-winserver2019",
"User": "NT AUTHORITY\\SYSTEM",
"StartTime": "2020-03-26T07:02:25.887Z",
"ParentID": "TG9An342Ym8",
"Path": "C:\\Windows\\System32\\svchost.exe"
},
{
"EsDocumentType": "processlog",
"EventTime": "2020-03-26T06:15:07.125Z",
"IndexingTime": "2020-03-26T06:20:26.814Z",
"Hash": "8a0a29438052faed8a2532da50451234",
"Name": "svchost.exe",
"ParentName": "services.exe",
"EsIndex": "eh_20200326_1585180800000_0",
"EventType": 0,
"TargetID": "fS3SPnQU5Xe",
"EntityType": 0,
"PID": 656,
"ProcessStartTime": "2020-03-26T06:15:07.125Z",
"EndpointName": "fidelis-endpoint-winserver2019",
"User": "NT AUTHORITY\\NETWORK SERVICE",
"StartTime": "2020-03-26T06:15:07.125Z",
"ParentID": "TG9An342Ym8",
"Path": "C:\\Windows\\System32\\svchost.exe"
},
{
"EsDocumentType": "processlog",
"EventTime": "2020-03-25T19:02:22.160Z",
"IndexingTime": "2020-03-25T19:06:37.610Z",
"Hash": "8a0a29438052faed8a2532da50451234",
"Name": "svchost.exe",
"ParentName": "services.exe",
"EsIndex": "eh_20200325_1585094400000_0",
"EventType": 0,
"TargetID": "byvPk5D9Mdd",
"EntityType": 0,
"PID": 2692,
"ProcessStartTime": "2020-03-25T19:02:22.160Z",
"EndpointName": "fidelis-endpoint-winserver2019",
"User": "NT AUTHORITY\\SYSTEM",
"StartTime": "2020-03-25T19:02:22.160Z",
"ParentID": "TG9An342Ym8",
"Path": "C:\\Windows\\System32\\svchost.exe"
}
]
}
Human Readable Output

Fidelis Endpoint process results

PID | EndpointName | Name | Path | User | Hash | ProcessStartTime | Parameters | ParentName | EventType
4432 | fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | 8a0a29438052faed8a2532da50451234 | 2020-03-26T09:02:26.511Z | C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | services.exe | 0
2084 | fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | 8a0a29438052faed8a2532da50451234 | 2020-03-26T08:02:26.197Z | C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | services.exe | 0
1972 | fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | 8a0a29438052faed8a2532da50451234 | 2020-03-26T07:02:25.887Z | C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | services.exe | 0
656 | fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | 8a0a29438052faed8a2532da50451234 | 2020-03-26T06:15:07.125Z | C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc | services.exe | 0
1400 | fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | 8a0a29438052faed8a2532da50451234 | 2020-03-26T06:02:25.581Z | C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | services.exe | 0
2800 | fidelis-endpoint-winserver2019 | svchost.exe | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | 8a0a29438052faed8a2532da50451234 | 2020-03-26T05:02:25.266Z | C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | services.exe | 0

20. fidelis-endpoint-query-connection-by-remote-ip


Queries network connection events by remote IP address.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-query-connection-by-remote-ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_time | Start of the time window, in UTC. Supported format: "2019-10-21T23:45:00" (date). | Optional |
| end_time | End of the time window, in UTC. Supported format: "2019-10-21T23:45:00" (date). | Optional |
| logic | How the query filters are combined. Can be "and" or "or". | Required |
| remote_ip | The remote IP address to query. | Required |
| limit | The maximum number of results to return. Default is 50. | Optional |
Context Output

| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.Query.ProcessStartTime | Date | Process start time. |
| FidelisEndpoint.Query.EndpointName | String | Endpoint name. |
| FidelisEndpoint.Query.ParentID | String | Parent entity ID (the Fidelis record ID of the parent process, e.g. "jE4aX1xPk1i" in the example below). |
| FidelisEndpoint.Query.EventTime | Date | Event time. |
| FidelisEndpoint.Query.RemotePort | Number | Remote port. |
| FidelisEndpoint.Query.LocalPort | Number | Local port. |
| FidelisEndpoint.Query.TargetID | String | Target ID. |
| FidelisEndpoint.Query.RemoteIP | String | Remote IP address. |
| FidelisEndpoint.Query.StartTime | Date | Event start time. |
| FidelisEndpoint.Query.EndpointID | String | Endpoint ID. |
| FidelisEndpoint.Query.NetworkDirection | Number | Network direction. |
| FidelisEndpoint.Query.LastEventTime | Date | Last event time. |
| FidelisEndpoint.Query.LocalIP | String | Local IP address. |
| FidelisEndpoint.Query.EventType | Number | Event type. |
| FidelisEndpoint.Query.ParentName | String | Parent process name. |
| FidelisEndpoint.Query.FirstEventTime | Date | First event time. |
| FidelisEndpoint.Query.EventIndex | Number | Event index. |
| FidelisEndpoint.Query.Protocol | String | Protocol. |
| FidelisEndpoint.Query.PPID | Number | Parent process ID (the numeric PID of the parent process, e.g. 1196 in the example below). |
| FidelisEndpoint.Query.EntityType | Number | Entity type. |
| FidelisEndpoint.Query.ParentHashSHA1 | String | Parent process SHA1 hash. |

Note: RemotePort, LocalPort and NetworkDirection are documented as Number but appear as JSON strings ("53", "0") in the context example below, and the parent hash key appears there as parentHashSHA1 rather than ParentHashSHA1. Check the actual key names and value types in your own War Room output before writing playbook conditions or transformers against them.
Command Example

!fidelis-endpoint-query-connection-by-remote-ip logic=and remote_ip=10.10.0.1 limit=5

Context Example
{
"FidelisEndpoint.Query": [
{
"RemotePort": "53",
"EventTime": "2020-03-26T09:32:31.172Z",
"ParentName": "svchost.exe",
"Protocol": "UDP",
"EndpointID": "3494cb0f-67ba-41bc-9190-ab5d015dd57c",
"LastEventTime": "2020-03-26T09:32:31.172Z",
"FirstEventTime": "2020-03-26T09:28:31.148Z",
"EventType": 3,
"EntityType": 3,
"TargetID": "O6ZdOEYU2z8",
"ProcessStartTime": "2020-03-12T03:58:09.962Z",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-12T03:58:09.962Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 10,
"ParentID": "jE4aX1xPk1i",
"NetworkDirection": "0",
"PPID": 1196,
"parentHashSHA1": "a1385ce20ad79f55df235effd9780c31442aa234",
"LocalPort": "64669"
},
{
"RemotePort": "53",
"EventTime": "2020-03-26T09:32:31.169Z",
"ParentName": "svchost.exe",
"Protocol": "UDP",
"EndpointID": "3494cb0f-67ba-41bc-9190-ab5d015dd57c",
"LastEventTime": "2020-03-26T09:32:31.172Z",
"FirstEventTime": "2020-03-26T09:28:31.148Z",
"EventType": 3,
"EntityType": 3,
"TargetID": "Do8ec6zGCEi",
"ProcessStartTime": "2020-03-12T03:58:09.962Z",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-12T03:58:09.962Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 9,
"ParentID": "jE4aX1xPk1i",
"NetworkDirection": "2",
"PPID": 1196,
"parentHashSHA1": "a1385ce20ad79f55df235effd9780c31442aa234",
"LocalPort": "64669"
},
{
"RemotePort": "53",
"EventTime": "2020-03-26T09:32:14.522Z",
"ParentName": "svchost.exe",
"Protocol": "UDP",
"EndpointID": "3494cb0f-67ba-41bc-9190-ab5d015dd57c",
"LastEventTime": "2020-03-26T09:32:31.172Z",
"FirstEventTime": "2020-03-26T09:28:31.148Z",
"EventType": 3,
"EntityType": 3,
"TargetID": "8825LGOTGzf",
"ProcessStartTime": "2020-03-12T03:58:09.962Z",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-12T03:58:09.962Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 8,
"ParentID": "jE4aX1xPk1i",
"NetworkDirection": "0",
"PPID": 1196,
"parentHashSHA1": "a1385ce20ad79f55df235effd9780c31442aa234",
"LocalPort": "53557"
}
]
}
Human Readable Output

Fidelis Endpoint query results for connection by remote IP

| EndpointID | EndpointName | PPID | LocalIP | LocalPort | RemoteIP | RemotePort | ProcessStartTime | FirstEventTime | LastEventTime | Protocol | ParentHashSHA1 | ParentName | EventType |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 1196 | 2.2.2.2 | 64669 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | 2020-03-26T09:28:31.148Z | 2020-03-26T09:32:31.172Z | UDP | a1385ce20ad79f55df235effd9780c31442aa234 | svchost.exe | 3 |
| 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 1196 | 2.2.2.2 | 64669 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | 2020-03-26T09:28:31.148Z | 2020-03-26T09:32:31.172Z | UDP | a1385ce20ad79f55df235effd9780c31442aa234 | svchost.exe | 3 |
| 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 1196 | 2.2.2.2 | 53557 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | 2020-03-26T09:28:31.148Z | 2020-03-26T09:32:31.172Z | UDP | a1385ce20ad79f55df235effd9780c31442aa234 | svchost.exe | 3 |
| 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 1196 | 2.2.2.2 | 53557 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | 2020-03-26T09:28:31.148Z | 2020-03-26T09:32:31.172Z | UDP | a1385ce20ad79f55df235effd9780c31442aa234 | svchost.exe | 3 |
| 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 1196 | 2.2.2.2 | 60427 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | 2020-03-26T09:28:31.148Z | 2020-03-26T09:32:31.172Z | UDP | a1385ce20ad79f55df235effd9780c31442aa234 | svchost.exe | 3 |
| 3494cb0f-67ba-41bc-9190-ab5d015dd57c | fidelis-endpoint-winserver2019 | 1196 | 2.2.2.2 | 60427 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | 2020-03-26T09:28:31.148Z | 2020-03-26T09:32:31.172Z | UDP | a1385ce20ad79f55df235effd9780c31442aa234 | svchost.exe | 3 |

Rows that look identical here are distinct events: the fields that differ between them (EventTime, EventIndex, NetworkDirection) are present in the context output but not shown in this table.

21. fidelis-endpoint-query-by-dns


Queries DNS request events by the requested URL or domain name.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-query-by-dns

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_time | Start of the time window, in UTC. Supported format: "2019-10-21T23:45:00" (date). | Optional |
| end_time | End of the time window, in UTC. Supported format: "2019-10-21T23:45:00" (date). | Optional |
| logic | How the query filters are combined. Can be "and" or "or". | Required |
| url | The URL or domain name to query. | Required |
| limit | The maximum number of results to return. Default is 50. | Optional |
Context Output

| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.Query.ProcessStartTime | Date | Process start time. |
| FidelisEndpoint.Query.EndpointName | String | Endpoint name. |
| FidelisEndpoint.Query.ParentID | String | Parent entity ID. |
| FidelisEndpoint.Query.EventTime | Date | Event time. |
| FidelisEndpoint.Query.RemotePort | Number | Remote port (the DNS server port, 53 in the example below). |
| FidelisEndpoint.Query.DnsAnswer | String | The DNS answer, as a JSON-encoded string. |
| FidelisEndpoint.Query.LocalPort | Number | Local port. |
| FidelisEndpoint.Query.TargetID | String | The target ID. |
| FidelisEndpoint.Query.RemoteIP | String | Remote IP address (the DNS server that was queried). |
| FidelisEndpoint.Query.DnsQuestion | String | The DNS question, as a JSON-encoded string. |
| FidelisEndpoint.Query.StartTime | Date | Event start time. |
| FidelisEndpoint.Query.NetworkDirection | Number | Network direction. |
| FidelisEndpoint.Query.LocalIP | String | Local IP address. |
| FidelisEndpoint.Query.EventType | Number | Event type. |
| FidelisEndpoint.Query.EventIndex | Number | Event index. |
| FidelisEndpoint.Query.IndexingTime | Date | Indexing time. |
| FidelisEndpoint.Query.EntityType | Number | Entity type. |

Note: DnsQuestion and DnsAnswer are returned as JSON text embedded in a string (see the context example below), not as nested objects, so a playbook has to parse them before it can read individual names, aliases or resolved addresses.
Command Example

!fidelis-endpoint-query-by-dns start_time="2019-10-02T00:00:00.842Z" end_time="2020-03-08T15:50:05.552Z" logic="and" url="login.live.com"

Context Example
{
"FidelisEndpoint.Query": [
{
"RemotePort": "53",
"EventTime": "2020-03-08T06:13:14.009Z",
"IndexingTime": "2020-03-08T06:21:15.635Z",
"LocalPort": "49862",
"EventType": 17,
"EntityType": 6,
"TargetID": "UmDG80sJNc6",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"login.live.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-02-13T03:50:45.515Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 6,
"ParentID": "VuFd4n1aut7",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"login.live.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"login.msa.msidentity.com\",\"IP\":\"\",\"TTL\":\"299\"},{\"name\":\"login.msa.msidentity.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"login.msa.akadns6.net\",\"IP\":\"\",\"TTL\":\"299\"},{\"name\":\"login.msa.akadns6.net\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"ipv4.login.msa.akadns6.net\",\"IP\":\"\",\"TTL\":\"299\"},{\"name\":\"ipv4.login.msa.akadns6.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"3.3.3.3\",\"TTL\":\"299\"}]}",
"ProcessStartTime": "2020-02-13T03:50:45.515Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-08T03:55:54.514Z",
"IndexingTime": "2020-03-08T04:03:12.475Z",
"LocalPort": "53712",
"EventType": 17,
"EntityType": 6,
"TargetID": "UmDG80sJNc6",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"login.live.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-02-13T03:50:45.515Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 2,
"ParentID": "VuFd4n1aut7",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"login.live.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"login.msa.msidentity.com\",\"IP\":\"\",\"TTL\":\"51\"},{\"name\":\"login.msa.msidentity.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"lgin.msa.trafficmanager.net\",\"IP\":\"\",\"TTL\":\"51\"},{\"name\":\"lgin.msa.trafficmanager.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"2.2.2.2\",\"TTL\":\"59\"},{\"name\":\"lgin.msa.trafficmanager.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"3.3.3.3\",\"TTL\":\"59\"},{\"name\":\"lgin.msa.trafficmanager.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"4.4.4.4\",\"TTL\":\"59\"}]}",
"ProcessStartTime": "2020-02-13T03:50:45.515Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-08T03:11:13.833Z",
"IndexingTime": "2020-03-08T03:17:38.628Z",
"LocalPort": "61574",
"EventType": 17,
"EntityType": 6,
"TargetID": "UmDG80sJNc6",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"login.live.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-02-13T03:50:45.515Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 5,
"ParentID": "VuFd4n1aut7",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"login.live.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"login.msa.msidentity.com\",\"IP\":\"\",\"TTL\":\"230\"},{\"name\":\"login.msa.msidentity.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"lgin.msa.trafficmanager.net\",\"IP\":\"\",\"TTL\":\"235\"},{\"name\":\"lgin.msa.trafficmanager.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"3.3.3.3\",\"TTL\":\"56\"},{\"name\":\"lgin.msa.trafficmanager.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"2.2.2.2\",\"TTL\":\"56\"},{\"name\":\"lgin.msa.trafficmanager.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"7.7.7.7\",\"TTL\":\"56\"}]}",
"ProcessStartTime": "2020-02-13T03:50:45.515Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-07T21:53:12.298Z",
"IndexingTime": "2020-03-07T21:57:29.402Z",
"LocalPort": "57803",
"EventType": 17,
"EntityType": 6,
"TargetID": "UmDG80sJNc6",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"login.live.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-02-13T03:50:45.515Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 4,
"ParentID": "VuFd4n1aut7",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"login.live.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"login.msa.msidentity.com\",\"IP\":\"\",\"TTL\":\"16\"},{\"name\":\"login.msa.msidentity.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"lgin.msa.trafficmanager.net\",\"IP\":\"\",\"TTL\":\"197\"},{\"name\":\"lgin.msa.trafficmanager.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"3.3.3.3\",\"TTL\":\"59\"},{\"name\":\"lgin.msa.trafficmanager.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"2.2.2.2\",\"TTL\":\"59\"},{\"name\":\"lgin.msa.trafficmanager.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"7.7.7.7\",\"TTL\":\"59\"}]}",
"ProcessStartTime": "2020-02-13T03:50:45.515Z"
}
]
}
Human Readable Output

Fidelis Endpoint query results for the DNS request

| EndpointName | LocalIP | LocalPort | RemoteIP | RemotePort | ProcessStartTime | DnsAnswer | EventType |
| --- | --- | --- | --- | --- | --- | --- | --- |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 49862 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_answers":[{"name":"login.live.com","class":"IN","type":"CNAME","alias":"login.msa.msidentity.com","IP":"","TTL":"299"},{"name":"login.msa.msidentity.com","class":"IN","type":"CNAME","alias":"login.msa.akadns6.net","IP":"","TTL":"299"},{"name":"login.msa.akadns6.net","class":"IN","type":"CNAME","alias":"ipv4.login.msa.akadns6.net","IP":"","TTL":"299"},{"name":"ipv4.login.msa.akadns6.net","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"299"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 53712 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_answers":[{"name":"login.live.com","class":"IN","type":"CNAME","alias":"login.msa.msidentity.com","IP":"","TTL":"51"},{"name":"login.msa.msidentity.com","class":"IN","type":"CNAME","alias":"lgin.msa.trafficmanager.net","IP":"","TTL":"51"},{"name":"lgin.msa.trafficmanager.net","class":"IN","type":"A","alias":"","IP":"2.2.2.2","TTL":"59"},{"name":"lgin.msa.trafficmanager.net","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"59"},{"name":"lgin.msa.trafficmanager.net","class":"IN","type":"A","alias":"","IP":"4.4.4.4","TTL":"59"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 61574 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_answers":[{"name":"login.live.com","class":"IN","type":"CNAME","alias":"login.msa.msidentity.com","IP":"","TTL":"230"},{"name":"login.msa.msidentity.com","class":"IN","type":"CNAME","alias":"lgin.msa.trafficmanager.net","IP":"","TTL":"235"},{"name":"lgin.msa.trafficmanager.net","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"56"},{"name":"lgin.msa.trafficmanager.net","class":"IN","type":"A","alias":"","IP":"2.2.2.2","TTL":"56"},{"name":"lgin.msa.trafficmanager.net","class":"IN","type":"A","alias":"","IP":"7.7.7.7","TTL":"56"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 57803 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_answers":[{"name":"login.live.com","class":"IN","type":"CNAME","alias":"login.msa.msidentity.com","IP":"","TTL":"16"},{"name":"login.msa.msidentity.com","class":"IN","type":"CNAME","alias":"lgin.msa.trafficmanager.net","IP":"","TTL":"197"},{"name":"lgin.msa.trafficmanager.net","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"59"},{"name":"lgin.msa.trafficmanager.net","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"59"},{"name":"lgin.msa.trafficmanager.net","class":"IN","type":"A","alias":"","IP":"7.7.7.7","TTL":"59"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 58656 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_answers":[{"name":"login.live.com","class":"IN","type":"CNAME","alias":"login.msa.msidentity.com","IP":"","TTL":"288"},{"name":"login.msa.msidentity.com","class":"IN","type":"CNAME","alias":"login.msa.akadns6.net","IP":"","TTL":"288"},{"name":"login.msa.akadns6.net","class":"IN","type":"CNAME","alias":"ipv4.login.msa.akadns6.net","IP":"","TTL":"288"},{"name":"ipv4.login.msa.akadns6.net","class":"IN","type":"A","alias":"","IP":"2.2.2.20","TTL":"123"},{"name":"ipv4.login.msa.akadns6.net","class":"IN","type":"A","alias":"","IP":"7.7.7.7","TTL":"123"},{"name":"ipv4.login.msa.akadns6.net","class":"IN","type":"A","alias":"","IP":"10.10.10.10","TTL":"123"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 59564 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_answers":[{"name":"login.live.com","class":"IN","type":"CNAME","alias":"login.msa.msidentity.com","IP":"","TTL":"238"},{"name":"login.msa.msidentity.com","class":"IN","type":"CNAME","alias":"login.msa.akadns6.net","IP":"","TTL":"238"},{"name":"login.msa.akadns6.net","class":"IN","type":"CNAME","alias":"ipv4.login.msa.akadns6.net","IP":"","TTL":"238"},{"name":"ipv4.login.msa.akadns6.net","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"238"},{"name":"ipv4.login.msa.akadns6.net","class":"IN","type":"A","alias":"","IP":"7.7.7.7","TTL":"238"},{"name":"ipv4.login.msa.akadns6.net","class":"IN","type":"A","alias":"","IP":"10.10.10.10","TTL":"238"}]} | 17 |

22. fidelis-endpoint-query-dns-by-server-ip


Queries DNS request events by the IP address of the DNS server that was queried (the event's RemoteIP).

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-query-dns-by-server-ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_time | Start of the time window, in UTC. Supported format: "2019-10-21T23:45:00" (date). | Optional |
| end_time | End of the time window, in UTC. Supported format: "2019-10-21T23:45:00" (date). | Optional |
| logic | How the query filters are combined. Can be "and" or "or". | Required |
| remote_ip | The DNS server (remote) IP address to query. | Required |
| limit | The maximum number of results to return. Default is 50. | Optional |
Context Output

| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.Query.ProcessStartTime | Date | Process start time. |
| FidelisEndpoint.Query.EndpointName | String | Endpoint name. |
| FidelisEndpoint.Query.ParentID | String | Parent entity ID. |
| FidelisEndpoint.Query.EventTime | Date | Event time. |
| FidelisEndpoint.Query.RemotePort | Number | Remote port (the DNS server port). |
| FidelisEndpoint.Query.DnsAnswer | String | The DNS answer, as a JSON-encoded string. |
| FidelisEndpoint.Query.LocalPort | Number | Local port. |
| FidelisEndpoint.Query.TargetID | String | The target ID. |
| FidelisEndpoint.Query.RemoteIP | String | Remote IP address (the DNS server that was queried). |
| FidelisEndpoint.Query.DnsQuestion | String | The DNS question, as a JSON-encoded string. |
| FidelisEndpoint.Query.StartTime | Date | Event start time. |
| FidelisEndpoint.Query.NetworkDirection | Number | Network direction. |
| FidelisEndpoint.Query.LocalIP | String | Local IP address. |
| FidelisEndpoint.Query.EventType | Number | Event type. |
| FidelisEndpoint.Query.EventIndex | Number | Event index. |
| FidelisEndpoint.Query.IndexingTime | Date | Indexing time. |
| FidelisEndpoint.Query.EntityType | Number | Entity type. |
Command Example

!fidelis-endpoint-query-dns-by-server-ip logic="or" remote_ip="10.10.0.1"

Context Example
{
"FidelisEndpoint.Query": [
{
"RemotePort": "53",
"EventTime": "2020-03-26T09:29:07.671Z",
"IndexingTime": "2020-03-26T09:36:32.819Z",
"LocalPort": "61597",
"EventType": 17,
"EntityType": 6,
"TargetID": "9anFqxCrJ3h",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"v10.events.data.microsoft.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-12T03:58:09.962Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 4,
"ParentID": "jE4aX1xPk1i",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"v10.events.data.microsoft.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"global.events.data.trafficmanager.net\",\"IP\":\"\",\"TTL\":\"1425\"},{\"name\":\"global.events.data.trafficmanager.net\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"skypedataprdcoleus06.cloudapp.net\",\"IP\":\"\",\"TTL\":\"45\"},{\"name\":\"skypedataprdcoleus06.cloudapp.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"10.10.10.10\",\"TTL\":\"5\"}]}",
"ProcessStartTime": "2020-03-12T03:58:09.962Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-26T09:14:07.314Z",
"IndexingTime": "2020-03-26T09:18:31.967Z",
"LocalPort": "55911",
"EventType": 17,
"EntityType": 6,
"TargetID": "9anFqxCrJ3h",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"v10.events.data.microsoft.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-12T03:58:09.962Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 2,
"ParentID": "jE4aX1xPk1i",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"v10.events.data.microsoft.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"global.events.data.trafficmanager.net\",\"IP\":\"\",\"TTL\":\"1390\"},{\"name\":\"global.events.data.trafficmanager.net\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"skypedataprdcolcus00.cloudapp.net\",\"IP\":\"\",\"TTL\":\"25\"},{\"name\":\"skypedataprdcolcus00.cloudapp.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"2.2.2.2\",\"TTL\":\"9\"}]}",
"ProcessStartTime": "2020-03-12T03:58:09.962Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-26T09:01:55.586Z",
"IndexingTime": "2020-03-26T09:06:31.755Z",
"LocalPort": "56095",
"EventType": 17,
"EntityType": 6,
"TargetID": "VqzBXZZVzjd",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-12T03:58:09.962Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 4,
"ParentID": "jE4aX1xPk1i",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"6.6.6.6\",\"TTL\":\"144\"}]}",
"ProcessStartTime": "2020-03-12T03:58:09.962Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-26T08:59:06.523Z",
"IndexingTime": "2020-03-26T09:02:31.650Z",
"LocalPort": "61769",
"EventType": 17,
"EntityType": 6,
"TargetID": "9anFqxCrJ3h",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"v10.events.data.microsoft.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-12T03:58:09.962Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 2,
"ParentID": "jE4aX1xPk1i",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"v10.events.data.microsoft.com\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"global.events.data.trafficmanager.net\",\"IP\":\"\",\"TTL\":\"862\"},{\"name\":\"global.events.data.trafficmanager.net\",\"class\":\"IN\",\"type\":\"CNAME\",\"alias\":\"skypedataprdc.cloudapp.net\",\"IP\":\"\",\"TTL\":\"19\"},{\"name\":\"skypedataprdcolase00.cloudapp.net\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"3.3.3.3\",\"TTL\":\"9\"}]}",
"ProcessStartTime": "2020-03-12T03:58:09.962Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-26T08:44:30.882Z",
"IndexingTime": "2020-03-26T08:50:31.264Z",
"LocalPort": "53940",
"EventType": 17,
"EntityType": 6,
"TargetID": "VqzBXZZVzjd",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-12T03:58:09.962Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 5,
"ParentID": "jE4aX1xPk1i",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"6.6.6.6\",\"TTL\":\"274\"}]}",
"ProcessStartTime": "2020-03-12T03:58:09.962Z"
}
]
}
Human Readable Output

Fidelis Endpoint query results for the DNS request by server IP

| EndpointName | LocalIP | LocalPort | RemoteIP | RemotePort | ProcessStartTime | DnsAnswer | EventType |
| --- | --- | --- | --- | --- | --- | --- | --- |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 61597 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"v10.events.data.microsoft.com","class":"IN","type":"CNAME","alias":"global.events.data.trafficmanager.net","IP":"","TTL":"1425"},{"name":"global.events.data.trafficmanager.net","class":"IN","type":"CNAME","alias":"skypedataprdcoleus06.cloudapp.net","IP":"","TTL":"45"},{"name":"skypedataprdcoleus06.cloudapp.net","class":"IN","type":"A","alias":"","IP":"2.2.2.2","TTL":"5"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 55911 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"v10.events.data.microsoft.com","class":"IN","type":"CNAME","alias":"global.events.data.trafficmanager.net","IP":"","TTL":"1390"},{"name":"global.events.data.trafficmanager.net","class":"IN","type":"CNAME","alias":"skypedataprdcolcus00.cloudapp.net","IP":"","TTL":"25"},{"name":"skypedataprdcolcus00.cloudapp.net","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"9"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 56095 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"144"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 61769 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"v10.events.data.microsoft.com","class":"IN","type":"CNAME","alias":"global.events.data.trafficmanager.net","IP":"","TTL":"862"},{"name":"global.events.data.trafficmanager.net","class":"IN","type":"CNAME","alias":"skypedataprdcolase00.cloudapp.net","IP":"","TTL":"19"},{"name":"skypedataprdcolase00.cloudapp.net","class":"IN","type":"A","alias":"","IP":"4.4.4.4","TTL":"9"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 53940 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"274"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 57260 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"v10.events.data.microsoft.com","class":"IN","type":"CNAME","alias":"global.events.data.trafficmanager.net","IP":"","TTL":"1698"},{"name":"global.events.data.trafficmanager.net","class":"IN","type":"CNAME","alias":"skypedataprdcolneu00.cloudapp.net","IP":"","TTL":"21"},{"name":"skypedataprdcolneu00.cloudapp.net","class":"IN","type":"A","alias":"","IP":"7.7.7.7","TTL":"9"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 58832 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"206"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 60472 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"v10.events.data.microsoft.com","class":"IN","type":"CNAME","alias":"global.events.data.trafficmanager.net","IP":"","TTL":"3334"},{"name":"global.events.data.trafficmanager.net","class":"IN","type":"CNAME","alias":"skypedataprdcolweu05.cloudapp.net","IP":"","TTL":"58"},{"name":"skypedataprdcolweu05.cloudapp.net","class":"IN","type":"A","alias":"","IP":"10.10.0.1","TTL":"8"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 54309 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"v10.events.data.microsoft.com","class":"IN","type":"CNAME","alias":"global.events.data.trafficmanager.net","IP":"","TTL":"2327"},{"name":"global.events.data.trafficmanager.net","class":"IN","type":"CNAME","alias":"skypedataprdcoluks05.cloudapp.net","IP":"","TTL":"44"},{"name":"skypedataprdcoluks05.cloudapp.net","class":"IN","type":"A","alias":"","IP":"10.10.0.1","TTL":"7"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 61757 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"273"}]} | 17 |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 49681 | 10.10.0.1 | 53 | 2020-03-12T03:58:09.962Z | {"dns_answers":[{"name":"v10.events.data.microsoft.com","class":"IN","type":"CNAME","alias":"global.events.data.trafficmanager.net","IP":"","TTL":"798"},{"name":"global.events.data.trafficmanager.net","class":"IN","type":"CNAME","alias":"skypedataprdcolwus08.cloudapp.net","IP":"","TTL":"40"},{"name":"fe2.update.microsoft.com.nsatc.net","class":"IN","type":"A","alias":"","IP":"10.10.0.1","TTL":"175"}]} | 17 |
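The DnsQuestion and DnsAnswer fields returned by the DNS query commands (21 and 22 above, and 23 below) are JSON text inside a string, so a playbook cannot reach the resolved addresses with a plain context path. The following is an added example, not code from this integration or page: it parses those two fields, follows the CNAME chain from the question name to the A records, keeps A records that the chain never reaches apart (the context example above contains one such row, where the last alias and the A-record name differ), and turns the addresses into remote_ip arguments for fidelis-endpoint-query-connection-by-remote-ip. The sample records are constructed from the context examples on this page; the function names are the example's own.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of the FidelisEndpoint.Query entries returned by
# the DNS query commands; only the fields this example reads are included and the
# values are copied from this page's context examples.
SAMPLE_QUERY_CONTEXT = [
    {
        "EndpointName": "fidelis-endpoint-winserver2019",
        "EventTime": "2020-03-08T06:13:14.009Z",
        "RemoteIP": "10.10.0.1",
        "DnsQuestion": '{"dns_questions":[{"name":"login.live.com","class":"IN","type":"A"}]}',
        "DnsAnswer": '{"dns_answers":['
                     '{"name":"login.live.com","class":"IN","type":"CNAME","alias":"login.msa.msidentity.com","IP":"","TTL":"299"},'
                     '{"name":"login.msa.msidentity.com","class":"IN","type":"CNAME","alias":"login.msa.akadns6.net","IP":"","TTL":"299"},'
                     '{"name":"login.msa.akadns6.net","class":"IN","type":"CNAME","alias":"ipv4.login.msa.akadns6.net","IP":"","TTL":"299"},'
                     '{"name":"ipv4.login.msa.akadns6.net","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"299"}]}',
    },
    {
        "EndpointName": "fidelis-endpoint-winserver2019",
        "EventTime": "2020-03-26T09:01:55.586Z",
        "RemoteIP": "10.10.0.1",
        "DnsQuestion": '{"dns_questions":[{"name":"logging.googleapis.com","class":"IN","type":"A"}]}',
        "DnsAnswer": '{"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"6.6.6.6","TTL":"144"}]}',
    },
    {   # the row whose final CNAME alias does not match the A-record name
        "EndpointName": "fidelis-endpoint-winserver2019",
        "EventTime": "2020-03-26T08:59:06.523Z",
        "RemoteIP": "10.10.0.1",
        "DnsQuestion": '{"dns_questions":[{"name":"v10.events.data.microsoft.com","class":"IN","type":"A"}]}',
        "DnsAnswer": '{"dns_answers":['
                     '{"name":"v10.events.data.microsoft.com","class":"IN","type":"CNAME","alias":"global.events.data.trafficmanager.net","IP":"","TTL":"862"},'
                     '{"name":"global.events.data.trafficmanager.net","class":"IN","type":"CNAME","alias":"skypedataprdc.cloudapp.net","IP":"","TTL":"19"},'
                     '{"name":"skypedataprdcolase00.cloudapp.net","class":"IN","type":"A","alias":"","IP":"3.3.3.3","TTL":"9"}]}',
    },
]


def _load_json(text: str) -> dict:
    """DnsQuestion/DnsAnswer arrive as JSON text; an empty or malformed value
    (a query with no answer, a truncated record) becomes {} instead of raising."""
    try:
        return json.loads(text or "{}")
    except json.JSONDecodeError:
        return {}


def parse_dns_record(entry: Dict[str, str]) -> Dict[str, object]:
    """Follow the CNAME chain from the question name to the A records and report
    what the endpoint was told the name resolves to."""
    questions = _load_json(entry.get("DnsQuestion", "")).get("dns_questions", [])
    answers = _load_json(entry.get("DnsAnswer", "")).get("dns_answers", [])
    qname = questions[0].get("name", "").lower() if questions else ""

    cnames = {a.get("name", "").lower(): a.get("alias", "").lower()
              for a in answers if a.get("type") == "CNAME"}
    a_records: Dict[str, Set[str]] = {}
    for a in answers:
        if a.get("type") == "A" and a.get("IP"):
            a_records.setdefault(a.get("name", "").lower(), set()).add(a["IP"])

    # The visited set and the length cap stop a CNAME loop in the data from
    # hanging the automation.
    chain, seen = [qname], {qname}
    while chain[-1] in cnames and len(chain) < 16:
        nxt = cnames[chain[-1]]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)

    resolved: Set[str] = set()
    for name in chain:
        resolved |= a_records.get(name, set())
    # A records the chain never reaches are kept apart: not dropped, and not
    # presented as a clean resolution of the question name.
    unchained: Set[str] = set()
    for name, ips in a_records.items():
        if name not in seen:
            unchained |= ips

    ttls = [int(a["TTL"]) for a in answers if str(a.get("TTL", "")).isdigit()]
    return {
        "endpoint": entry.get("EndpointName", ""),
        "question": qname,
        "cname_chain": chain,
        "resolved_ips": sorted(resolved),
        "unchained_ips": sorted(unchained),
        "min_ttl": min(ttls) if ttls else None,
    }


def pivot_ips(context: List[Dict[str, str]], domain: str) -> List[str]:
    """Every address the endpoint was given for `domain`, chained or not."""
    ips: Set[str] = set()
    for rec in map(parse_dns_record, context):
        if rec["question"] == domain.lower():
            ips.update(rec["resolved_ips"])
            ips.update(rec["unchained_ips"])
    return sorted(ips)


def pivot_commands(context: List[Dict[str, str]], domain: str, limit: int = 50) -> List[str]:
    """One connection query per address, in the command syntax used on this page."""
    return [f"!fidelis-endpoint-query-connection-by-remote-ip logic=and remote_ip={ip} limit={limit}"
            for ip in pivot_ips(context, domain)]


if __name__ == "__main__":
    for rec in map(parse_dns_record, SAMPLE_QUERY_CONTEXT):
        print(rec["question"], rec["cname_chain"], rec["resolved_ips"], rec["unchained_ips"], rec["min_ttl"])
    print(pivot_commands(SAMPLE_QUERY_CONTEXT, "login.live.com"))
```

Feed the real FidelisEndpoint.Query list from the War Room context in place of the constructed sample. Addresses that show up only under unchained_ips deserve a second look before they are used to pivot, since the record does not tie them to the question name.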

23. fidelis-endpoint-query-dns-by-source-ip


Queries DNS request events by the source (endpoint) IP address, optionally narrowed to a domain.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-query-dns-by-source-ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_time | Start of the time window, in UTC. Supported format: "2019-10-21T23:45:00" (date). | Optional |
| end_time | End of the time window, in UTC. Supported format: "2019-10-21T23:45:00" (date). | Optional |
| logic | How the query filters are combined. Can be "and" or "or". | Required |
| source_ip | The source IP address to query. | Required |
| domain | The domain name to query; combined with source_ip according to the logic argument. | Optional |
| limit | The maximum number of results to return. Default is 50. | Optional |
Context Output

| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.Query.ProcessStartTime | Date | Process start time. |
| FidelisEndpoint.Query.EndpointName | String | Endpoint name. |
| FidelisEndpoint.Query.ParentID | String | Parent entity ID. |
| FidelisEndpoint.Query.EventTime | Date | Event time. |
| FidelisEndpoint.Query.RemotePort | Number | Remote port (the DNS server port). |
| FidelisEndpoint.Query.DnsAnswer | String | The DNS answer, as a JSON-encoded string. |
| FidelisEndpoint.Query.LocalPort | Number | Local port. |
| FidelisEndpoint.Query.TargetID | String | The target ID. |
| FidelisEndpoint.Query.RemoteIP | String | Remote IP address (the DNS server that was queried). |
| FidelisEndpoint.Query.DnsQuestion | String | The DNS question, as a JSON-encoded string. |
| FidelisEndpoint.Query.StartTime | Date | Event start time. |
| FidelisEndpoint.Query.NetworkDirection | Number | Network direction. |
| FidelisEndpoint.Query.LocalIP | String | Local IP address. |
| FidelisEndpoint.Query.EventType | Number | Event type. |
| FidelisEndpoint.Query.EventIndex | Number | Event index. |
| FidelisEndpoint.Query.IndexingTime | Date | Indexing time. |
| FidelisEndpoint.Query.EntityType | Number | Entity type. |
Command Example

!fidelis-endpoint-query-dns-by-source-ip start_time="2020-01-01T00:00:00.842Z" end_time="2020-03-08T15:50:05.552Z" logic="or" source_ip="10.128.0.4" domain="logging.googleapis.com" limit=5

Context Example
{
"FidelisEndpoint.Query": [
{
"RemotePort": "53",
"EventTime": "2020-03-08T12:21:34.260Z",
"IndexingTime": "2020-03-08T12:26:25.293Z",
"LocalPort": "51663",
"EventType": 17,
"EntityType": 6,
"TargetID": "VqzBXZZVzjd",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-02-13T03:50:45.515Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 2,
"ParentID": "VuFd4n1aut7",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"6.6.6.6\",\"TTL\":\"87\"}]}",
"ProcessStartTime": "2020-02-13T03:50:45.515Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-08T12:18:33.199Z",
"IndexingTime": "2020-03-08T12:23:25.135Z",
"LocalPort": "65002",
"EventType": 17,
"EntityType": 6,
"TargetID": "VqzBXZZVzjd",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-02-13T03:50:45.515Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 2,
"ParentID": "VuFd4n1aut7",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"6.6.6.6\",\"TTL\":\"105\"}]}",
"ProcessStartTime": "2020-02-13T03:50:45.515Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-08T11:17:33.908Z",
"IndexingTime": "2020-03-08T11:25:23.700Z",
"LocalPort": "49412",
"EventType": 17,
"EntityType": 6,
"TargetID": "VqzBXZZVzjd",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-02-13T03:50:45.515Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 2,
"ParentID": "VuFd4n1aut7",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"6.6.6.6\",\"TTL\":\"253\"}]}",
"ProcessStartTime": "2020-02-13T03:50:45.515Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-08T11:05:33.831Z",
"IndexingTime": "2020-03-08T11:11:23.189Z",
"LocalPort": "63755",
"EventType": 17,
"EntityType": 6,
"TargetID": "VqzBXZZVzjd",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-02-13T03:50:45.515Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 2,
"ParentID": "VuFd4n1aut7",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"6.6.6.6\",\"TTL\":\"282\"}]}",
"ProcessStartTime": "2020-02-13T03:50:45.515Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-08T09:54:32.087Z",
"IndexingTime": "2020-03-08T09:59:21.585Z",
"LocalPort": "60331",
"EventType": 17,
"EntityType": 6,
"TargetID": "VqzBXZZVzjd",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-02-13T03:50:45.515Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 5,
"ParentID": "VuFd4n1aut7",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"6.6.6.6\",\"TTL\":\"61\"}]}",
"ProcessStartTime": "2020-02-13T03:50:45.515Z"
},
{
"RemotePort": "53",
"EventTime": "2020-03-08T09:53:33.246Z",
"IndexingTime": "2020-03-08T09:59:21.585Z",
"LocalPort": "58452",
"EventType": 17,
"EntityType": 6,
"TargetID": "VqzBXZZVzjd",
"DnsQuestion": "{\"dns_questions\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\"}]}",
"LocalIP": "2.2.2.2",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-02-13T03:50:45.515Z",
"RemoteIP": "10.10.0.1",
"EventIndex": 2,
"ParentID": "VuFd4n1aut7",
"NetworkDirection": "0",
"DnsAnswer": "{\"dns_answers\":[{\"name\":\"logging.googleapis.com\",\"class\":\"IN\",\"type\":\"A\",\"alias\":\"\",\"IP\":\"6.6.6.6\",\"TTL\":\"12\"}]}",
"ProcessStartTime": "2020-02-13T03:50:45.515Z"
}
]
}
Human Readable Output

Fidelis Endpoint query results for the DNS request by source IP

| EndpointName | LocalIP | LocalPort | RemoteIP | RemotePort | ProcessStartTime | DnsQuestion | DnsAnswer |
| --- | --- | --- | --- | --- | --- | --- | --- |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 51663 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_questions":[{"name":"logging.googleapis.com","class":"IN","type":"A"}]} | {"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"6.6.6.6","TTL":"87"}]} |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 65002 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_questions":[{"name":"logging.googleapis.com","class":"IN","type":"A"}]} | {"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"6.6.6.6","TTL":"105"}]} |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 49412 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_questions":[{"name":"logging.googleapis.com","class":"IN","type":"A"}]} | {"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"6.6.6.6","TTL":"253"}]} |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 63755 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_questions":[{"name":"logging.googleapis.com","class":"IN","type":"A"}]} | {"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"6.6.6.6","TTL":"282"}]} |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 60331 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_questions":[{"name":"logging.googleapis.com","class":"IN","type":"A"}]} | {"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"6.6.6.6","TTL":"61"}]} |
| fidelis-endpoint-winserver2019 | 2.2.2.2 | 58452 | 10.10.0.1 | 53 | 2020-02-13T03:50:45.515Z | {"dns_questions":[{"name":"logging.googleapis.com","class":"IN","type":"A"}]} | {"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"6.6.6.6","TTL":"12"}]} |
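Note that DnsQuestion and DnsAnswer are themselves JSON documents serialised into a string inside the context, so a playbook cannot read the resolved IP or TTL without a second decode. The following Python is an added example, not code from the integration or from Fidelis: it takes FidelisEndpoint.Query entries shaped like the context above (the first two sample entries reuse the page's values, the third is constructed, and the resolver allow list is an assumption), decodes the nested fields safely, and summarises what each domain resolved to and which resolvers answered.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the FidelisEndpoint.Query context that
# fidelis-endpoint-query-dns-by-source-ip returns. The first two entries reuse
# values from the page; the third is constructed so that one domain resolves
# to two addresses (203.0.113.0/24 is a documentation range).
SAMPLE_DNS_CONTEXT = [
    {
        "EndpointName": "fidelis-endpoint-winserver2019",
        "LocalIP": "2.2.2.2", "LocalPort": "51663",
        "RemoteIP": "10.10.0.1", "RemotePort": "53",
        "EventTime": "2020-03-08T12:21:34.260Z",
        "DnsQuestion": '{"dns_questions":[{"name":"logging.googleapis.com","class":"IN","type":"A"}]}',
        "DnsAnswer": '{"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"6.6.6.6","TTL":"87"}]}',
    },
    {
        "EndpointName": "fidelis-endpoint-winserver2019",
        "LocalIP": "2.2.2.2", "LocalPort": "65002",
        "RemoteIP": "10.10.0.1", "RemotePort": "53",
        "EventTime": "2020-03-08T12:18:33.199Z",
        "DnsQuestion": '{"dns_questions":[{"name":"logging.googleapis.com","class":"IN","type":"A"}]}',
        "DnsAnswer": '{"dns_answers":[{"name":"logging.googleapis.com","class":"IN","type":"A","alias":"","IP":"6.6.6.6","TTL":"105"}]}',
    },
    {   # constructed entry: a different domain, answered by a different resolver
        "EndpointName": "fidelis-endpoint-winserver2019",
        "LocalIP": "2.2.2.2", "LocalPort": "50001",
        "RemoteIP": "203.0.113.53", "RemotePort": "53",
        "EventTime": "2020-03-08T12:30:00.000Z",
        "DnsQuestion": '{"dns_questions":[{"name":"example.test","class":"IN","type":"A"}]}',
        "DnsAnswer": '{"dns_answers":[{"name":"example.test","class":"IN","type":"A","alias":"","IP":"203.0.113.5","TTL":"30"},'
                     '{"name":"example.test","class":"IN","type":"A","alias":"","IP":"203.0.113.6","TTL":"30"}]}',
    },
]


def parse_nested(field_value, key):
    """DnsQuestion and DnsAnswer are JSON serialised into a string inside the
    context JSON. Decode the string and return the list stored under `key`;
    null, empty or malformed values yield an empty list instead of raising."""
    if not field_value:
        return []
    try:
        decoded = json.loads(field_value)
    except (TypeError, ValueError):
        return []
    if not isinstance(decoded, dict):
        return []
    return [item for item in decoded.get(key, []) if isinstance(item, dict)]


def _norm(name):
    # Lower-case and strip a trailing dot so "Example.test." and "example.test" merge.
    return (name or "").lower().rstrip(".")


def summarize_resolutions(entries):
    """Per queried domain: number of queries, endpoints that asked, resolvers
    that answered, every IP returned and every TTL observed."""
    summary = defaultdict(lambda: {"count": 0, "endpoints": set(), "resolvers": set(),
                                   "ips": set(), "ttls": []})
    for entry in entries:
        for q in parse_nested(entry.get("DnsQuestion"), "dns_questions"):
            rec = summary[_norm(q.get("name"))]
            rec["count"] += 1
            rec["endpoints"].add(entry.get("EndpointName"))
            rec["resolvers"].add(entry.get("RemoteIP"))
        for a in parse_nested(entry.get("DnsAnswer"), "dns_answers"):
            rec = summary[_norm(a.get("name"))]
            if a.get("IP"):
                rec["ips"].add(a["IP"])
            try:
                rec["ttls"].append(int(a.get("TTL")))
            except (TypeError, ValueError):
                pass  # TTL missing or non-numeric; keep the rest of the record
    return dict(summary)


def find_multi_ip_domains(summary):
    """Domains that resolved to more than one address in the window. Normal for
    CDNs, but worth a look for anything the endpoint should not be contacting."""
    return sorted(d for d, rec in summary.items() if len(rec["ips"]) > 1)


def find_unexpected_resolvers(entries, approved_resolvers):
    """Entries whose DNS server (RemoteIP) is not an approved resolver. A host
    asking a resolver the organisation does not run is a common sign of
    misconfiguration or of DNS being used to bypass egress controls."""
    approved = set(approved_resolvers)
    return [e for e in entries if e.get("RemoteIP") not in approved]


if __name__ == "__main__":
    result = summarize_resolutions(SAMPLE_DNS_CONTEXT)
    for domain, rec in sorted(result.items()):
        print(domain, sorted(rec["ips"]), "queries:", rec["count"], "ttls:", rec["ttls"])
    print("multi-IP domains:", find_multi_ip_domains(result))
    odd = find_unexpected_resolvers(SAMPLE_DNS_CONTEXT, {"10.10.0.1"})  # assumed approved resolver
    print("unexpected resolvers:", sorted({e["RemoteIP"] for e in odd}))
```

In a playbook the same decode step applies to every FidelisEndpoint.Query entry of entity type 6 (the DNS entity type shown in the context above); the approved resolver set would come from the environment rather than the literal used here.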

24. fidelis-endpoint-query-events


Queries events.

Required Permissions

The required permissions: Read groups, View Behaviors, View Task Results

Base Command

fidelis-endpoint-query-events

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| start_time | The start time of the event in the system in UTC format. Supported values: "2019-10-21T23:45:00" (date). | Optional |
| end_time | The end time of the event in the system in UTC format. Supported values: "2019-10-21T23:45:00" (date). | Optional |
| logic | The logic of the query. Can be "and" or "or". | Required |
| entity_type | Query entity type. Can be "antiMalware", "dns", "file", "network", "process", "registry", "remoteThread", "script", "usb", or "windowsevent". | Required |
| column | Column to query. For example: hash, name, remoteIP, dnsQuestion, localIP. | Required |
| value | The value to query. Can be an IP address, file hash, file path, and so on. | Required |
| operator | The operator, which describes how the "value" relates to the queried "column" (for example: "=", "!=", ">", "<"). | Required |
| limit | The maximum number of results to return. The default is 50. | Optional |
| additional_filter | An additional filter to use in the query. For example: pid = 1234, pid > 1233. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| FidelisEndpoint.Query.ProcessStartTime | Date | Process start time. |
| FidelisEndpoint.Query.EndpointName | String | Endpoint name. |
| FidelisEndpoint.Query.Path | String | File path. |
| FidelisEndpoint.Query.ParentID | String | Parent ID. |
| FidelisEndpoint.Query.EventTime | Date | Event time. |
| FidelisEndpoint.Query.RemotePort | Number | Remote port. |
| FidelisEndpoint.Query.DnsAnswer | String | DNS answer. |
| FidelisEndpoint.Query.PID | Number | Process ID. |
| FidelisEndpoint.Query.Name | String | Process name. |
| FidelisEndpoint.Query.User | String | Endpoint user. |
| FidelisEndpoint.Query.LocalPort | Number | Local port. |
| FidelisEndpoint.Query.TargetID | String | Target ID. |
| FidelisEndpoint.Query.RemoteIP | String | Remote IP address. |
| FidelisEndpoint.Query.Hash | String | File hash. |
| FidelisEndpoint.Query.DnsQuestion | String | DNS question. |
| FidelisEndpoint.Query.StartTime | Date | Start time of the event. |
| FidelisEndpoint.Query.Entropy | Number | Entropy. |
| FidelisEndpoint.Query.LocalIP | String | Local IP address. |
| FidelisEndpoint.Query.EventType | Number | Event type. |
| FidelisEndpoint.Query.ParentName | String | Parent name. |
| FidelisEndpoint.Query.EventIndex | Number | Event index. |
| FidelisEndpoint.Query.IndexingTime | Date | Indexing time. |
| FidelisEndpoint.Query.EntityType | Number | Entity type. |
Command Example

!fidelis-endpoint-query-events column=name entity_type=process logic=or value=cmd.exe additional_filter="pid = 3276" operator="="

Context Example
{
"FidelisEndpoint.Query": [
{
"EntityType": 0,
"TargetID": "qgOl6OBq7v8",
"LocalIP": null,
"RemotePort": null,
"ProcessStartTime": "2020-03-26T09:25:53.122Z",
"IndexingTime": "2020-03-26T09:30:32.434Z",
"Hash": "975b45b669930b0cc773eaf2b412345f",
"LocalPort": null,
"EventType": 0,
"ParentName": "endpoint.exe",
"PID": 908,
"DnsQuestion": null,
"User": "NT AUTHORITY\\SYSTEM",
"EventIndex": null,
"Path": "C:\\Windows\\System32\\cmd.exe",
"DnsAnswer": null,
"RemoteIP": null,
"EventTime": "2020-03-26T09:25:53.122Z",
"Name": "cmd.exe",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-26T09:25:53.122Z",
"ParentID": "MKH6hK7yr75"
},
{
"EntityType": 0,
"TargetID": "w8qh7ogIf8l",
"LocalIP": null,
"RemotePort": null,
"ProcessStartTime": "2020-03-26T09:25:39.883Z",
"IndexingTime": "2020-03-26T09:30:32.878Z",
"Hash": "975b45b669930b0cc773eaf2b412345f",
"LocalPort": null,
"EventType": 0,
"ParentName": "endpoint.exe",
"PID": 3376,
"DnsQuestion": null,
"User": "NT AUTHORITY\\SYSTEM",
"EventIndex": null,
"Path": "C:\\Windows\\System32\\cmd.exe",
"DnsAnswer": null,
"RemoteIP": null,
"EventTime": "2020-03-26T09:25:39.883Z",
"Name": "cmd.exe",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-26T09:25:39.883Z",
"ParentID": "MKH6hK7yr75"
},
{
"EntityType": 0,
"TargetID": "SSDiQFEHvNg",
"LocalIP": null,
"RemotePort": null,
"ProcessStartTime": "2020-03-26T09:08:23.233Z",
"IndexingTime": "2020-03-26T09:12:32.225Z",
"Hash": "975b45b669930b0cc773eaf2b412345f",
"LocalPort": null,
"EventType": 0,
"ParentName": "endpoint.exe",
"PID": 2804,
"DnsQuestion": null,
"User": "NT AUTHORITY\\SYSTEM",
"EventIndex": null,
"Path": "C:\\Windows\\System32\\cmd.exe",
"DnsAnswer": null,
"RemoteIP": null,
"EventTime": "2020-03-26T09:08:23.233Z",
"Name": "cmd.exe",
"EndpointName": "fidelis-endpoint-winserver2019",
"StartTime": "2020-03-26T09:08:23.233Z",
"ParentID": "MKH6hK7yr75"
}
]
}
Human Readable Output

Fidelis Endpoint query events result

| PID | EndpointName | User | ProcessStartTime | ParentID | EventType |
| --- | --- | --- | --- | --- | --- |
| 908 | fidelis-endpoint-winserver2019 | NT AUTHORITY\SYSTEM | 2020-03-26T09:25:53.122Z | MKH6hK7yr75 | 0 |
| 3376 | fidelis-endpoint-winserver2019 | NT AUTHORITY\SYSTEM | 2020-03-26T09:25:39.883Z | MKH6hK7yr75 | 0 |
| 2804 | fidelis-endpoint-winserver2019 | NT AUTHORITY\SYSTEM | 2020-03-26T09:08:23.233Z | MKH6hK7yr75 | 0 |
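For process events the context carries Name, Path, Hash, ParentName and User side by side, which is what an analyst pivots on after a query like the one above. The following Python is an added example, not code from the integration or from Fidelis: it takes FidelisEndpoint.Query entries shaped like the context above (the first three sample entries reuse the page's values; the fourth entry, its hash, user and parent, and the expected-parent allow list are constructed assumptions), groups them by file hash, and flags two things a defender checks first: a process whose Name is not the file it was actually started from, and a process spawned by a parent it should not have.

```python
import ntpath
from collections import defaultdict

# Constructed sample shaped like the FidelisEndpoint.Query context that
# fidelis-endpoint-query-events returns for entity_type=process. The first
# three entries reuse values from the page; the fourth is constructed to show
# a process whose reported Name does not match the file it was started from.
SAMPLE_PROCESS_CONTEXT = [
    {"PID": 908, "Name": "cmd.exe", "Path": "C:\\Windows\\System32\\cmd.exe",
     "Hash": "975b45b669930b0cc773eaf2b412345f", "ParentName": "endpoint.exe",
     "ParentID": "MKH6hK7yr75", "User": "NT AUTHORITY\\SYSTEM",
     "EndpointName": "fidelis-endpoint-winserver2019",
     "ProcessStartTime": "2020-03-26T09:25:53.122Z", "EntityType": 0},
    {"PID": 3376, "Name": "cmd.exe", "Path": "C:\\Windows\\System32\\cmd.exe",
     "Hash": "975b45b669930b0cc773eaf2b412345f", "ParentName": "endpoint.exe",
     "ParentID": "MKH6hK7yr75", "User": "NT AUTHORITY\\SYSTEM",
     "EndpointName": "fidelis-endpoint-winserver2019",
     "ProcessStartTime": "2020-03-26T09:25:39.883Z", "EntityType": 0},
    {"PID": 2804, "Name": "cmd.exe", "Path": "C:\\Windows\\System32\\cmd.exe",
     "Hash": "975b45b669930b0cc773eaf2b412345f", "ParentName": "endpoint.exe",
     "ParentID": "MKH6hK7yr75", "User": "NT AUTHORITY\\SYSTEM",
     "EndpointName": "fidelis-endpoint-winserver2019",
     "ProcessStartTime": "2020-03-26T09:08:23.233Z", "EntityType": 0},
    # Constructed entry: hash, path, user, parent and ParentID are placeholders.
    {"PID": 4242, "Name": "cmd.exe", "Path": "C:\\Users\\Public\\update.exe",
     "Hash": "ffffffffffffffffffffffffffffffff", "ParentName": "winword.exe",
     "ParentID": "CONSTRUCTED-ID", "User": "DESKTOP\\alice",
     "EndpointName": "fidelis-endpoint-winserver2019",
     "ProcessStartTime": "2020-03-26T09:40:00.000Z", "EntityType": 0},
]


def path_basename(path):
    """Lower-cased basename of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path or "").lower()


def group_by_hash(entries):
    """One record per file Hash: every name and path it ran under, every user,
    parent and endpoint, and the PIDs in query order, so a single hash pivot
    shows the whole footprint of that binary."""
    groups = defaultdict(lambda: {"names": set(), "paths": set(), "users": set(),
                                  "parents": set(), "endpoints": set(), "pids": []})
    for e in entries:
        h = (e.get("Hash") or "").lower()
        if not h:
            continue  # non-process entities carry no hash; skip them
        rec = groups[h]
        rec["names"].add(e.get("Name"))
        rec["paths"].add(e.get("Path"))
        rec["users"].add(e.get("User"))
        rec["parents"].add(e.get("ParentName"))
        rec["endpoints"].add(e.get("EndpointName"))
        rec["pids"].append(e.get("PID"))
    return dict(groups)


def find_name_path_mismatch(entries):
    """Entries whose Name differs from the basename of Path. A legitimate
    process name appearing on a different file is a classic masquerading sign."""
    return [e for e in entries
            if e.get("Path") and path_basename(e["Path"]) != (e.get("Name") or "").lower()]


def find_unexpected_parents(entries, expected_parents):
    """Entries whose ParentName is not on the allow list for that process Name.
    expected_parents maps a lower-cased process name to the parents it normally
    has; names without an entry are not evaluated."""
    flagged = []
    for e in entries:
        allowed = expected_parents.get((e.get("Name") or "").lower())
        if allowed is None:
            continue
        if (e.get("ParentName") or "").lower() not in {p.lower() for p in allowed}:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for h, rec in group_by_hash(SAMPLE_PROCESS_CONTEXT).items():
        print(h, sorted(rec["paths"]), "pids:", rec["pids"], "parents:", sorted(rec["parents"]))
    print("name/path mismatch:", [e["PID"] for e in find_name_path_mismatch(SAMPLE_PROCESS_CONTEXT)])
    # Assumed allow list: on this host cmd.exe is normally started by the agent or the shell.
    policy = {"cmd.exe": {"endpoint.exe", "explorer.exe"}}
    print("unexpected parent:", [e["PID"] for e in find_unexpected_parents(SAMPLE_PROCESS_CONTEXT, policy)])
```

The parent allow list is the part that needs tuning per environment; the hash grouping and the name-versus-path check need none, and both run the same way over the results of any column/value combination the command accepts.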
