Fidelis Elevate Network

Automate detection of, and response to, network threats and data leakage in your organization with the Fidelis Elevate Network integration. This integration was integrated and tested with version 9.2.4 of Fidelis Elevate Network.

Configure Fidelis Elevate Network on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Fidelis Elevate Network.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| server_url | Server URL | True |
| credentials | Credentials | True |
| unsecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

fidelis-get-alert


Gets alert details from Fidelis Elevate.

Base Command

fidelis-get-alert

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.ID | string | Alert ID. |
| Fidelis.Alert.ThreatScore | number | Alert threat score. |
| Fidelis.Alert.Time | date | Alert time. |
| Fidelis.Alert.RuleID | string | Related rule ID. |
| Fidelis.Alert.RuleName | string | Related rule name. |
| Fidelis.Alert.Summary | string | Alert summary. |
| Fidelis.Alert.PolicyName | string | Related policy name. |
| Fidelis.Alert.Severity | string | Alert severity. |
| Fidelis.Alert.Protocol | string | Protocol involved in the alert. |
| Fidelis.Alert.Type | string | Alert type. |
| Fidelis.Alert.AssignedUser | string | Assigned user ID. |
Command Example

!fidelis-get-alert alert_id=1

Context Example
{
"Fidelis": {
"Alert": {
"AlertUUID": "80d0ccf5-5879-11ea-b430-0eb174ee0947",
"AssignedUser": 0,
"ID": 1,
"PolicyName": "Endpoint Alerts",
"Protocol": "",
"RuleID": 227,
"RuleName": null,
"Severity": "Medium",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: ",
"ThreatScore": 100,
"Time": "2020-02-26 09:21:02",
"Type": "ENDPOINT"
}
}
}
Human Readable Output

Alert 1

| Alert UUID | Assigned User | ID | Policy Name | Rule ID | Severity | Summary | Threat Score | Time | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 80d0ccf5-5879-11ea-b430-0eb174ee0947 | 0 | 1 | Endpoint Alerts | 227 | Medium | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 100 | 2020-02-26 09:21:02 | ENDPOINT |

fidelis-delete-alert


Deletes an alert from Fidelis Elevate.

Base Command

fidelis-delete-alert

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | ID of the alert to delete. | Required |
Context Output

There is no context output for this command.

Command Example

!fidelis-delete-alert alert_id=3

Human Readable Output

Alert (3) deleted successfully!

fidelis-get-malware-data


Retrieves malware data related to a "Malware" type alert.

Base Command

fidelis-get-malware-data

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.ID | string | Alert ID. |
| Fidelis.Alert.Malware.Name | string | Malware name. |
| Fidelis.Alert.Malware.Type | string | Malware type. |
| Fidelis.Alert.Malware.Behavior | string | Malware behavior. |
| Fidelis.Alert.Malware.Platform | string | Malware platform. |
| Fidelis.Alert.Malware.DetailName | string | Malware detail name from Fidelis Elevate. |
| Fidelis.Alert.Malware.Variant | string | Malware variant. |
| Fidelis.Alert.Malware.Description | string | Malware description from Fidelis Elevate. |
Command Example

!fidelis-get-malware-data alert_id=6

Context Example
{
"Fidelis": {
"Alert": {
"ID": "6",
"Malware": {
"Behavior": null,
"Description": null,
"DetailName": null,
"Name": "",
"Platform": null,
"Type": "",
"Variant": null
}
}
}
}
Human Readable Output

Alert 6 Malware:

| Malware Behavior | Malware Description | Malware Detail Name | Malware Name | Malware Platform | Malware Type | Malware Variant |
| --- | --- | --- | --- | --- | --- | --- |

fidelis-get-alert-report


Downloads a PDF report for a specified alert.

Base Command

fidelis-get-alert-report

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID of the alert for which to download a PDF report. | Required |
Context Output

There is no context output for this command.

Command Example

!fidelis-get-alert-report alert_id=5

Context Example
{
"InfoFile": {
"EntryID": "7382@99f96547-c492-48d1-84bc-070759449a5d",
"Extension": "pdf",
"Info": "application/pdf",
"Name": "Alert_Details_5.pdf",
"Size": 69507,
"Type": "PDF document, version 1.4"
}
}

fidelis-list-alerts


Returns a list of open alerts from Fidelis Elevate.

Base Command

fidelis-list-alerts

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| time_frame | Filter alerts by time frame, for example, Last 48 Hours. | Optional |
| start_time | If the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| end_time | If the time_frame value is Custom, specify the end time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| severity | Filter alerts by alert severity. | Optional |
| type | Filter alerts by alert type. | Optional |
| threat_score | Filter alerts by alert threat score threshold (higher than). | Optional |
| ioc | Filter alerts that are related to a specified IOC. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.ID | string | Alert ID. |
| Fidelis.Alert.Time | date | Alert time. |
| Fidelis.Alert.Summary | string | Alert summary. |
| Fidelis.Alert.Severity | string | Alert severity. |
| Fidelis.Alert.Type | string | Alert type. |
Command Example

!fidelis-list-alerts

Context Example
{
"Fidelis": {
"Alert": [
{
"ID": "6",
"Severity": "High",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown",
"Time": "2020-03-19 23:59:59",
"Type": "Endpoint"
},
{
"ID": "5",
"Severity": "Medium",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: ",
"Time": "2020-03-12 09:21:27",
"Type": "Endpoint"
}
]
}
}
Human Readable Output

Found 6 Alerts:

| ID | Severity | Summary | Time | Type |
| --- | --- | --- | --- | --- |
| 6 | High | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown | 2020-03-19 23:59:59 | Endpoint |
| 5 | Medium | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-03-12 09:21:27 | Endpoint |
| 4 | Low | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-03-07 09:21:24 | Endpoint |
| 2 | High | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-02-27 09:21:03 | Endpoint |
| 3 | High | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-02-27 09:21:03 | Endpoint |
| 1 | Medium | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-02-26 09:21:02 | Endpoint |

fidelis-upload-pcap


Uploads a PCAP file to Fidelis Elevate for analysis.

Base Command

fidelis-upload-pcap

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| component_ip | Component IP address. | Required |
| entry_id | War Room entry ID of the PCAP file, for example, "3245@6". | Required |
Context Output

There is no context output for this command.

Command Example

!fidelis-upload-pcap component_ip=1.1.1.1 entry_id=7317@99

Human Readable Output

Pcap file uploaded successfully.

fidelis-list-pcap-components


Gets PCAP components.

Base Command

fidelis-list-pcap-components

Input

There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Component.Name | string | Component name. |
| Fidelis.Component.IP | string | Component IP address. |
Command Example

!fidelis-list-pcap-components

Context Example
{
"Fidelis": {
"Component": {
"IP": "1.1.1.1",
"Name": "Sensor"
}
}
}
Human Readable Output

PCAP Components

| Name | IP |
| --- | --- |
| Sensor | 1.1.1.1 |

fidelis-run-pcap


Runs PCAP file analysis in Fidelis Elevate.

Base Command

fidelis-run-pcap

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| component_ip | Component IP address. Run the 'fidelis-list-pcap-components' command to get this value. | Required |
| files | CSV list of PCAP file names in Fidelis Elevate. | Required |
Context Output

There is no context output for this command.

Command Example

!fidelis-run-pcap component_ip=1.1.1.1 files=file.pcap

Human Readable Output

Pcap file run submitted.

fidelis-get-alert-by-uuid


Returns an alert, by UUID.

Base Command

fidelis-get-alert-by-uuid

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_uuid | The UUID of the alert. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.ID | Number | Alert ID. |
| Fidelis.Alert.Severity | String | Alert severity. |
| Fidelis.Alert.Summary | String | Alert summary. |
| Fidelis.Alert.Time | Date | Alert time. |
| Fidelis.Alert.Type | String | Alert type. |
| Fidelis.Alert.UUID | String | Alert UUID. |
Command Example

!fidelis-get-alert-by-uuid alert_uuid=80d0ccf5-5879-11ea-b430-0eb174ee0947

Context Example
{
"Fidelis": {
"Alert": {
"ID": "1",
"Severity": "Medium",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: ",
"Time": "2020-02-26 09:21:02",
"Type": "Endpoint"
}
}
}
Human Readable Output

Found 1 Alerts:

| ID | Severity | Summary | Time | Type |
| --- | --- | --- | --- | --- |
| 1 | Medium | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-02-26 09:21:02 | Endpoint |

fidelis-list-metadata


Returns a metadata list.

Base Command

fidelis-list-metadata

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| time_frame | Filter alerts by time frame, for example, Last 48 Hours. | Optional |
| start_time | If the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| end_time | If the time_frame value is Custom, specify the end time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| client_ip | Filter alerts by client IP. | Optional |
| server_ip | Filter alerts by server IP address. | Optional |
| request_direction | Direction of the request. Can be "s2c" (server to client) or "c2s" (client to server). | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Metadata.MalwareName | String | Malware name. |
| Fidelis.Metadata.ServerPort | Number | Server port number. |
| Fidelis.Metadata.SHA256 | String | SHA256 hash of the file. |
| Fidelis.Metadata.FileName | String | File name. |
| Fidelis.Metadata.PcapFilename | String | PCAP file name. |
| Fidelis.Metadata.SessionDuration | String | The event session duration. |
| Fidelis.Metadata.ServerIP | String | The server IP address. |
| Fidelis.Metadata.ClientCountry | String | The client country. |
| Fidelis.Metadata.ClientPort | Number | The client port number. |
| Fidelis.Metadata.SessionStart | Date | The date/time that the session started. |
| Fidelis.Metadata.MalwareType | String | The malware type. |
| Fidelis.Metadata.URL | String | Request URL. |
| Fidelis.Metadata.RequestDirection | String | Request direction (s2c or c2s). |
| Fidelis.Metadata.MalwareSeverity | String | The severity of the malware. |
| Fidelis.Metadata.ClientIP | String | The client IP address. |
| Fidelis.Metadata.ServerCountry | String | The country of the server. |
| Fidelis.Metadata.PcapTimestamp | Date | PCAP timestamp. |
| Fidelis.Metadata.SensorUUID | String | Sensor UUID. |
| Fidelis.Metadata.Timestamp | Date | Timestamp of the event. |
| Fidelis.Metadata.FileType | String | File type. |
| Fidelis.Metadata.Protocol | String | Event protocol. |
| Fidelis.Metadata.UserAgent | String | User agent of the request. |
| Fidelis.Metadata.Type | String | Type of the event. |
| Fidelis.Metadata.FileSize | Number | The size of the file. |
| Fidelis.Metadata.MD5 | String | MD5 hash of the file. |
Command Example

!fidelis-list-metadata

Context Example
{
"Fidelis": {
"Metadata": null
}
}
Human Readable Output

Found 0 Metadata:

No entries.

fidelis-list-alerts-by-ip


Returns a list of alerts, by source IP address or destination IP address.

Base Command

fidelis-list-alerts-by-ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| time_frame | Filter alerts by time frame. Possible values: Today, Yesterday, Last 7 Days, Last Hour, Last 24 Hours, Last 48 Hours, Last 30 Days, Custom. | Optional |
| start_time | If the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| end_time | If the time_frame value is Custom, specify the end time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| src_ip | Filter alerts by the source IP address. | Optional |
| dest_ip | Filter alerts by the destination IP address. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.SourceIP | String | The alert source IP address. |
| Fidelis.Alert.UserRating | String | User rating. |
| Fidelis.Alert.DestinationCountry | String | Destination country of the alert. |
| Fidelis.Alert.AssetID | Number | The ID of the asset. |
| Fidelis.Alert.Time | Date | Date/time that the alert started. |
| Fidelis.Alert.HostIP | String | The host IP address of the alert. |
| Fidelis.Alert.DistributedAlertID | String | Alert distributed ID. |
| Fidelis.Alert.DestinationIP | String | Alert destination IP address. |
| Fidelis.Alert.AlertUUID | String | The alert UUID. |
| Fidelis.Alert.Type | String | The alert type. |
| Fidelis.Alert.ID | Number | Alert ID. |
| Fidelis.Alert.SourceCountry | String | Alert source country. |
Command Example

!fidelis-list-alerts-by-ip

Context Example
{
"Fidelis": {
"Alert": [
{
"AlertUUID": "151fa61c-6b08-11ea-85b0-0eb174ee0947",
"AssetID": "2",
"DestinationCountry": "",
"DestinationIP": "::",
"DistributedAlertID": "Console-6",
"HostIP": "2.2.2.2",
"ID": "6",
"SourceCountry": "",
"SourceIP": "::",
"Time": "2020-03-19 23:59:59",
"Type": "Endpoint",
"UserRating": "No Rating"
},
{
"AlertUUID": "1dee426f-6443-11ea-83d9-0eb174ee0947",
"AssetID": "2",
"DestinationCountry": "",
"DestinationIP": "::",
"DistributedAlertID": "Console-5",
"HostIP": "2.2.2.2",
"ID": "5",
"SourceCountry": "",
"SourceIP": "::",
"Time": "2020-03-12 09:21:27",
"Type": "Endpoint",
"UserRating": "No Rating"
}
]
}
}
Human Readable Output

Found 6 Alerts:

| Time | AlertUUID | ID | DistributedAlertID | UserRating | HostIP | AssetID | Type | DestinationCountry | SourceCountry | DestinationIP | SourceIP |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2020-03-19 23:59:59 | 151fa61c-6b08-11ea-85b0-0eb174ee0947 | 6 | Console-6 | No Rating | 2.2.2.2 | 2 | Endpoint | | | :: | :: |
| 2020-03-12 09:21:27 | 1dee426f-6443-11ea-83d9-0eb174ee0947 | 5 | Console-5 | No Rating | 2.2.2.2 | 2 | Endpoint | | | :: | :: |
| 2020-03-07 09:21:24 | 244267da-6055-11ea-b430-0eb174ee0947 | 4 | Console-4 | No Rating | 2.2.2.2 | 2 | Endpoint | | | :: | :: |
| 2020-02-27 09:21:03 | a2d7fa21-5942-11ea-b430-0eb174ee0947 | 2 | Console-2 | No Rating | 2.2.2.2 | 2 | Endpoint | | | :: | :: |
| 2020-02-27 09:21:03 | a2d8eec9-5942-11ea-b430-0eb174ee0947 | 3 | Console-3 | False Positive | 2.2.2.2 | 2 | Endpoint | | | :: | :: |
| 2020-02-26 09:21:02 | 80d0ccf5-5879-11ea-b430-0eb174ee0947 | 1 | Console-1 | Actionable | 2.2.2.2 | 2 | Endpoint | | | :: | :: |

fidelis-download-malware-file


Downloads a malware file from a specified alert.

Base Command

fidelis-download-malware-file

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | ID of the alert from which to download the file. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| File.Size | Number | The size of the file. |
| File.Extension | String | The file extension. |
| File.Info | String | Information about the file. |
| File.Name | String | The name of the file. |
| File.SHA1 | String | SHA1 hash of the file. |
| File.Type | String | The file type. |
| File.SHA256 | String | SHA256 hash of the file. |
| File.SSDeep | String | SSDeep hash of the file. |
| File.EntryID | String | File entry ID. |
| File.MD5 | String | MD5 hash of the file. |
Command Example

!fidelis-download-malware-file alert_id=9

Context Example
{
"File": {
"EntryID": "7640@99f96547-c492-48d1-84bc-070759449a5d",
"Extension": "zip",
"Info": "application/zip",
"MD5": "d41d8cd98f00b204e9800998ecf8427e",
"Name": ":HTTP(file.pcap).zip",
"SHA1": "52483514f07eb14570142f6927b77deb7b4da99f",
"SHA256": "42a5e275559a1651b3df8e15d3f5912499f0f2d3d1523959c56fc5aea6371e59",
"SHA512": "3fbdc4195b66297eaa4168ad6ded010c47eaea57496b6cc1ccfa34c9579d21562451d1269c7412e31e926cbb7c50ffc160a6493f4a8df0235ecd3ea2c9bfddb5",
"SSDeep": "3::",
"Size": 0,
"Type": "empty"
}
}
Human Readable Output

No File Found

fidelis-download-pcap-file


Downloads the PCAP file from a specified alert.

Base Command

fidelis-download-pcap-file

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of the alert from which to download the file. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | File information. |
| File.Name | String | Name of the file. |
| File.Size | Number | File size. |
| File.Type | String | File type. |
| File.SHA1 | String | SHA1 hash of the file. |
| File.SHA256 | String | SHA256 hash of the file. |
| File.SSDeep | String | SSDeep hash of the file. |
| File.MD5 | String | MD5 hash of the file. |
Command Example

!fidelis-download-pcap-file alert_id=5

Context Example
{
"File": {
"EntryID": "7378@99f96547-c492-48d1-84bc-070759449a5d",
"Extension": "pcap",
"Info": "application/vnd.tcpdump.pcap",
"MD5": "e8a496ed6be700ed61b8b758df3248ef",
"Name": "Alert ID_5.pcap",
"SHA1": "86a3069583b027eac8cc519c09cff1f7e18ab9c5",
"SHA256": "c7911278b27d93e1a5c6998eaca0c75348284caaba9d58ba9951be7d325279a6",
"SHA512": "3fbdc4195b66297eaa4168ad6ded010c47eaea57496b6cc1ccfa34c9579d21562451d1269c7412e31e926cbb7c50ffc160a6493f4a8df0235ecd3ea2c9bfddb5",
"SSDeep": "48:uuHYx6sS1bioEX7gyLatSqAc8kHRgd5peJB80t9qeM:uuHYx6sS1bUJBqus8v9",
"Size": 2036,
"Type": "HTML document text, ASCII text, with very long lines, with no line terminators"
}
}
Human Readable Output

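The File context returned by fidelis-download-malware-file and fidelis-download-pcap-file can describe an empty download (Size 0, Type "empty", and the MD5 of zero bytes, as the malware-file example above shows). The following added example, which is not part of the integration, recomputes the reported hashes from the War Room entry's bytes and rejects empty or mismatching files before their hashes are reused as indicators; SAMPLE_BYTES, the EntryID placeholder, and the context entries built from them are constructed.

```python
"""Sanity-check a ``File`` context entry produced by
fidelis-download-malware-file or fidelis-download-pcap-file against the bytes
actually stored in the War Room entry.

Added example, not code from the Fidelis integration. The ``File`` field
names (EntryID, Name, Extension, Size, Type, MD5, SHA1, SHA256) follow the
Context Examples on this page; SAMPLE_BYTES and the context entries built
from them are constructed.
"""
import hashlib
from typing import Dict, List, Tuple

# MD5 of zero bytes: what the context carries when nothing was downloaded.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# Constructed stand-in for the downloaded bytes (not a real capture).
SAMPLE_BYTES = b"constructed sample payload standing in for a downloaded artifact\n"


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Hex digests under the same keys the File context uses."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def verify_file_entry(file_ctx: Dict, data: bytes) -> Tuple[bool, List[str]]:
    """Return (usable, findings).

    usable is False when the download is empty or when the size or any hash
    reported in context disagrees with the bytes; findings says why.
    """
    findings: List[str] = []
    if (not data or file_ctx.get("Size") == 0 or file_ctx.get("Type") == "empty"
            or file_ctx.get("MD5") == EMPTY_MD5):
        findings.append("empty download: nothing to analyse, do not use the hashes as indicators")
    if "Size" in file_ctx and file_ctx["Size"] != len(data):
        findings.append(f"size mismatch: context {file_ctx['Size']} vs {len(data)} bytes")
    for algo, digest in compute_hashes(data).items():
        reported = file_ctx.get(algo)
        if reported and reported.lower() != digest:
            findings.append(f"{algo} mismatch: context {reported} vs computed {digest}")
    return (not findings, findings)


def build_context(name: str, data: bytes, extension: str) -> Dict:
    """Constructed File entry whose hashes really match data."""
    ctx = {"EntryID": "placeholder@entry", "Name": name, "Extension": extension,
           "Size": len(data), "Type": "data"}
    ctx.update(compute_hashes(data))
    return ctx


# Constructed entries: a consistent one, an empty one, and one whose SHA256 was altered.
GOOD_CTX = build_context("Alert ID_5.pcap", SAMPLE_BYTES, "pcap")
EMPTY_CTX = {"EntryID": "placeholder@entry", "Name": ":HTTP(file.pcap).zip",
             "Extension": "zip", "Size": 0, "Type": "empty", "MD5": EMPTY_MD5}
BAD_CTX = dict(GOOD_CTX, SHA256="0" * 64)

if __name__ == "__main__":
    for label, ctx, data in (("good", GOOD_CTX, SAMPLE_BYTES),
                             ("empty", EMPTY_CTX, b""),
                             ("tampered", BAD_CTX, SAMPLE_BYTES)):
        usable, findings = verify_file_entry(ctx, data)
        print(label, "usable" if usable else "rejected", findings)
```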
fidelis-get-alert-session-data


Returns the session information related to an alert.

Base Command

fidelis-get-alert-session-data

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.ID | Number | Alert ID. |
| Fidelis.Alert.SessionData.RecordingState | String | The alert's recording state. |
| Fidelis.Alert.SessionData.ClientPackets | String | The client packets. |
| Fidelis.Alert.SessionData.ServerSize | String | The server size. |
| Fidelis.Alert.SessionData.ServerPort | Number | The server port. |
| Fidelis.Alert.SessionData.ServerDataComplete | Boolean | Is the server data complete. |
| Fidelis.Alert.SessionData.ServerPackets | String | The server packets. |
| Fidelis.Alert.SessionData.EndTime | String | The end time. |
| Fidelis.Alert.SessionData.ServerIp | String | The server IP. |
| Fidelis.Alert.SessionData.ClientSize | String | The client size. |
| Fidelis.Alert.SessionData.ClientPort | Number | The client port. |
| Fidelis.Alert.SessionData.ServerData | String | The server data. |
| Fidelis.Alert.SessionData.BinaryServerData | Unknown | The binary server data. |
| Fidelis.Alert.SessionData.ClientDataComplete | Boolean | Is the client data complete. |
| Fidelis.Alert.SessionData.ServerDataSize | Number | The server data size. |
| Fidelis.Alert.SessionData.RecordedObject | Boolean | The recorded object. |
| Fidelis.Alert.SessionData.StartTime | String | The start time. |
| Fidelis.Alert.SessionData.ClientDomainName | String | The client domain name. |
| Fidelis.Alert.SessionData.TcpState | String | The TCP state. |
| Fidelis.Alert.SessionData.ShowingDataSize | Number | Showing the data size. |
| Fidelis.Alert.SessionData.ClientIp | String | The client IP. |
| Fidelis.Alert.SessionData.Duration | Number | The session data duration. |
| Fidelis.Alert.SessionData.ClientData | String | The client data. |
| Fidelis.Alert.SessionData.BinaryClientData | Unknown | The binary client data. |
| Fidelis.Alert.SessionData.ClientDataSize | Number | The client data size. |
| Fidelis.Alert.SessionData.NoForensics | Boolean | Are there no forensics. |
| Fidelis.Alert.SessionData.Exist | Boolean | Does the session data exist. |
| Fidelis.Alert.SessionData.TimeZone | String | The time zone. |
| Fidelis.Alert.SessionData.Highlights | Unknown | Highlights in the session data. |
| Fidelis.Alert.SessionData.ServerDomainName | String | The server domain name. |
Command Example

!fidelis-get-alert-session-data alert_id=9

Context Example
{
"Fidelis": {
"Alert": {
"ID": "9",
"SessionData": {
"BinaryClientData": {file binary data},
"BinaryServerData": null,
"ClientData": {file client data},
"ClientDataComplete": true,
"ClientDataSize": 2990,
"ClientDomainName": null,
"ClientDomaniName": "",
"ClientIp": "0.0.0.0",
"ClientPackets": null,
"ClientPort": 0,
"ClientSize": null,
"Duration": 0,
"EndTime": "2020-03-30 09:07:33",
"Exist": true,
"Highlights": [],
"NoForensics": false,
"RecordedObject": true,
"RecordingState": null,
"ServerData": null,
"ServerDataComplete": true,
"ServerDataSize": null,
"ServerDomainName": null,
"ServerDomaniName": "",
"ServerIp": "0.0.0.0",
"ServerPackets": null,
"ServerPort": 0,
"ServerSize": null,
"ShowingDataSize": 4,
"StartTime": "2020-03-30 09:07:33",
"TcpState": null,
"TimeZone": "UTC"
}
}
}
}
Human Readable Output

Alert 9

| Binary Client Data | Client Data | Client Data Complete | Client Data Size | Client Ip | Client Port | Duration | End Time | Exist | No Forensics | Recorded Object | Server Data Complete | Server Ip | Server Port | Showing Data Size | Start Time | Time Zone |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {file binary data} | {file client data} | true | 2990 | 0.0.0.0 | 0 | 0 | 2020-03-30 09:07:33 | true | false | true | true | 0.0.0.0 | 0 | 4 | 2020-03-30 09:07:33 | UTC |

fidelis-get-alert-execution-forensics


Gets the execution forensics for an alert.

Base Command

fidelis-get-alert-execution-forensics

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.ID | Number | The alert ID. |
| Fidelis.Alert.ExecutionForensics.EFEnabled | Boolean | Is the alert execution forensics enabled. |
| Fidelis.Alert.ExecutionForensics.Size | Number | The execution forensics size. |
| Fidelis.Alert.ExecutionForensics.SubmitTime | Number | The submission time. |
| Fidelis.Alert.ExecutionForensics.SandBoxOn | Boolean | Is the sandbox on. |
| Fidelis.Alert.ExecutionForensics.TgReport | Boolean | The TG report. |
| Fidelis.Alert.ExecutionForensics.FileName | String | The file name. |
| Fidelis.Alert.ExecutionForensics.DnsFeed | Boolean | Is there a DNS feed. |
| Fidelis.Alert.ExecutionForensics.RecordingComplete | Boolean | Is the recording complete. |
| Fidelis.Alert.ExecutionForensics.PcapUrl | String | The PCAP URL. |
| Fidelis.Alert.ExecutionForensics.AlertFlagsXeNonsubmit | Boolean | The alert flag xe-nonsubmit. |
| Fidelis.Alert.ExecutionForensics.Bit9Server | String | The bit 9 server. |
| Fidelis.Alert.ExecutionForensics.DecodingPath | String | The execution forensics decoding path. |
| Fidelis.Alert.ExecutionForensics.FileCheckAlert | Boolean | The file check alert. |
| Fidelis.Alert.ExecutionForensics.Status | String | The execution forensics status. |
| Fidelis.Alert.ExecutionForensics.Submitable | Boolean | Is the execution forensics submitable. |
| Fidelis.Alert.ExecutionForensics.Score | Number | The execution forensics score. |
| Fidelis.Alert.ExecutionForensics.SubmitId | String | The execution forensics submit ID. |
| Fidelis.Alert.ExecutionForensics.VideoUrl | String | The video URL. |
| Fidelis.Alert.ExecutionForensics.StatusMessage | String | The execution forensics status message. |
| Fidelis.Alert.ExecutionForensics.FileType | String | The file type. |
| Fidelis.Alert.ExecutionForensics.AlertId | Number | The alert ID. |
| Fidelis.Alert.ExecutionForensics.Type | String | The type. |
| Fidelis.Alert.ExecutionForensics.ReportUrl | String | The report URL. |
| Fidelis.Alert.ExecutionForensics.JsSubmitable | Boolean | Is the execution forensics JS submitable. |
| Fidelis.Alert.ExecutionForensics.Uuid | String | The UUID. |
| Fidelis.Alert.ExecutionForensics.JsonReport | Unknown | The JSON report. |
| Fidelis.Alert.ExecutionForensics.FileSize | Number | The file size. |
| Fidelis.Alert.ExecutionForensics.Md5 | String | The file's MD5 hash. |
| Fidelis.Alert.ExecutionForensics.ThreatGridOn | Boolean | Is the threat grid on. |
Command Example

!fidelis-get-alert-execution-forensics alert_id=9

Context Example
{
"Fidelis": {
"Alert": {
"ExecutionForensics": {
"AlertFlagsXeNonsubmit": false,
"AlertId": 9,
"Bit9Server": null,
"DecodingPath": null,
"DnsFeed": false,
"EFEnabled": true,
"FileCheckAlert": true,
"FileName": null,
"FileSize": 2990,
"FileType": "",
"JsSubmitable": true,
"JsonReport": null,
"Md5": null,
"PcapUrl": "",
"RecordingComplete": true,
"ReportUrl": "",
"SandBoxOn": true,
"Score": null,
"Size": 0,
"Status": "Submitted",
"StatusMessage": null,
"SubmitId": "0",
"SubmitTime": 1585559253000,
"Submitable": true,
"TgReport": false,
"ThreatGridOn": false,
"Type": "alert",
"Uuid": null,
"VideoUrl": ""
},
"ID": "9"
}
}
}
Human Readable Output

Alert 9

| Alert Flags Xe Nonsubmit | Alert Id | Dns Feed | EF Enabled | File Check Alert | File Size | Js Submitable | Recording Complete | Sand Box On | Size | Status | Submit Id | Submit Time | Submitable | Tg Report | Threat Grid On | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | 9 | false | true | true | 2990 | true | true | true | 0 | Submitted | 0 | 1585559253000 | true | false | false | alert |

fidelis-get-alert-forensic-text


Gets the text of the forensic data.

Base Command

fidelis-get-alert-forensic-text

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The alert ID. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.ID | Number | The alert ID. |
| Fidelis.Alert.ForensicText | String | The alert's forensic text. |
Command Example

!fidelis-get-alert-forensic-text alert_id=9

Context Example
{
"Fidelis": {
"Alert": {
"ForensicText": {file forensic text},
"ID": "9"
}
}
}
Human Readable Output

Alert 9 Forensic Text: {file forensic text}

fidelis-get-alert-decoding-path


Gets the alert's decoding path.

Base Command

fidelis-get-alert-decoding-path

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.ID | Number | The alert ID. |
| Fidelis.Alert.DecodingPath.ClickableDpaths | Unknown | The clickable decoding paths. |
| Fidelis.Alert.DecodingPath.CommandpostIp | String | The command post IP. |
| Fidelis.Alert.DecodingPath.DecodingPaths | Unknown | The decoding path info. |
| Fidelis.Alert.DecodingPath.OriginalAttributes | String | The original attribute. |
| Fidelis.Alert.DecodingPath.OriginalDPath | String | The original path. |
| Fidelis.Alert.DecodingPath.AttributeMap | Unknown | The attribute map. |
| Fidelis.Alert.DecodingPath.AttributeMapHighLights | Unknown | The attribute map highlights. |
Command Example

!fidelis-get-alert-decoding-path alert_id=9

Context Example
{
"Fidelis": {
"Alert": {
"DecodingPath": {
"AttributeMap": {
"HTTP": [
{
"endIndex": 29,
"highLights": [],
"link": false,
"name": "Filename",
"partialAttr": "HTTP\fFilename\tfile.pcap\n",
"startIndex": 0,
"value": "file.pcap",
"valueFirst255": "file.pcap"
}
]
},
"AttributeMapHighLights": [],
"ClickableDpaths": [
"HTTP(file.pcap)"
],
"CommandpostIp": null,
"DecodingPaths": [
{
"clickable": true,
"highLights": [],
"linkPath": ":HTTP(file.pcap)",
"path": "HTTP(file.pcap)"
}
],
"OriginalAttributes": "HTTP\fFilename\tfile.pcap\n",
"OriginalDPath": ":HTTP(file.pcap)"
},
"ID": "9"
}
}
}
Human Readable Output

Alert 9

| Attribute Map | Clickable Dpaths | Decoding Paths | Original Attributes | Original D Path |
| --- | --- | --- | --- | --- |
| HTTP: {u'endIndex': 29, u'name': u'Filename', u'valueFirst255': u'file.pcap', u'highLights': [], u'value': u'file.pcap', u'startIndex': 0, u'link': False, u'partialAttr': u'HTTP\x0cFilename\tfile.pcap\n'} | HTTP(file.pcap) | {u'clickable': True, u'highLights': [], u'linkPath': u':HTTP(file.pcap)', u'path': u'HTTP(file.pcap)'} | HTTPFilename file.pcap | :HTTP(file.pcap) |
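The raw OriginalAttributes and OriginalDPath strings above are what the structured AttributeMap and DecodingPaths fields are derived from. The following added example, not code from the integration, parses them into that structure; the record layout (protocol, form feed, attribute name, tab, value, newline) and the ":DECODER(object)" path shape are inferred from the single record in the Context Example and are assumptions, and the second attribute record in the sample is constructed.

```python
"""Parse the raw ``OriginalAttributes`` and ``OriginalDPath`` strings returned
by fidelis-get-alert-decoding-path into the AttributeMap / DecodingPaths
shape shown in the Context Example.

Added example, not code from the Fidelis integration. Separator layout and
path shape are assumptions inferred from the page's one record; the Host
record in SAMPLE_ATTRIBUTES is constructed.
"""
import re
from typing import Dict, List, Optional

RECORD_SEP = "\n"  # one attribute record per line
PROTO_SEP = "\f"   # protocol (decoder) name, then form feed
NAME_SEP = "\t"    # attribute name, then tab, then value

# Constructed sample: the page's Filename record plus an invented Host record.
SAMPLE_ATTRIBUTES = "HTTP\fFilename\tfile.pcap\nHTTP\fHost\tsensor.example.internal\n"
SAMPLE_DPATH = ":HTTP(file.pcap)"


def parse_original_attributes(raw: str) -> Dict[str, List[Dict[str, str]]]:
    """Group attribute records by protocol, as AttributeMap does.

    Each entry carries ``name``, ``value`` and ``valueFirst255`` (the value
    truncated to 255 characters, matching the field name on the page).
    A record missing either separator raises instead of being silently
    dropped, so a truncated or oddly encoded field is noticed.
    """
    attribute_map: Dict[str, List[Dict[str, str]]] = {}
    for record in raw.split(RECORD_SEP):
        if not record:
            continue  # trailing newline after the last record
        if PROTO_SEP not in record or NAME_SEP not in record:
            raise ValueError(f"malformed attribute record: {record!r}")
        proto, rest = record.split(PROTO_SEP, 1)
        name, value = rest.split(NAME_SEP, 1)
        attribute_map.setdefault(proto, []).append(
            {"name": name, "value": value, "valueFirst255": value[:255]}
        )
    return attribute_map


_DPATH_RE = re.compile(r"^(?P<decoder>[A-Za-z0-9_]+)\((?P<obj>.*)\)$")


def parse_decoding_path(dpath: str) -> Optional[Dict[str, str]]:
    """Split ':HTTP(file.pcap)' into decoder and object and derive the
    ``linkPath`` (leading colon) and ``path`` (without it) that the
    DecodingPaths entries carry. Returns None when the string does not have
    the DECODER(object) shape."""
    path = dpath[1:] if dpath.startswith(":") else dpath
    match = _DPATH_RE.match(path)
    if not match:
        return None
    return {
        "decoder": match["decoder"],
        "object": match["obj"],
        "linkPath": ":" + path,
        "path": path,
    }


def filenames_from_attributes(attribute_map: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Collect every Filename attribute across protocols, e.g. to compare the
    decoded object with the name of the artifact a download command returned."""
    return [entry["value"]
            for entries in attribute_map.values()
            for entry in entries
            if entry["name"] == "Filename"]


if __name__ == "__main__":
    amap = parse_original_attributes(SAMPLE_ATTRIBUTES)
    print(amap)
    print(parse_decoding_path(SAMPLE_DPATH))
    print(filenames_from_attributes(amap))
```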

fidelis-update-alert-status


Updates the status of an alert.

Base Command

fidelis-update-alert-status

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID | Required |
| status | The new alert status. | Required |
Context Output

There is no context output for this command.

Command Example

!fidelis-update-alert-status alert_id=1 status=Actionable

Human Readable Output

Alert 1 has been updated to Actionable status

fidelis-alert-execution-forensics-submission


Submits an executable file to the Fidelis sandbox.

Base Command

fidelis-alert-execution-forensics-submission

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The alert ID. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.ExecutionForensics.EFEnabled | Number | Is the alert execution forensics enabled. |
| Fidelis.Alert.ExecutionForensics.Size | Number | The execution forensics size. |
| Fidelis.Alert.ExecutionForensics.SubmitTime | Number | The submission time. |
| Fidelis.Alert.ExecutionForensics.SandBoxOn | Boolean | Is the sandbox on. |
| Fidelis.Alert.ExecutionForensics.TgReport | Boolean | The TG report. |
| Fidelis.Alert.ExecutionForensics.FileName | String | The file name. |
| Fidelis.Alert.ExecutionForensics.DnsFeed | Boolean | Is there a DNS feed. |
| Fidelis.Alert.ExecutionForensics.RecordingComplete | Boolean | Is the recording complete. |
| Fidelis.Alert.ExecutionForensics.PcapUrl | String | The PCAP URL. |
| Fidelis.Alert.ExecutionForensics.AlertFlagsXeNonsubmit | Boolean | The alert flag xe-nonsubmit. |
| Fidelis.Alert.ExecutionForensics.Bit9Server | String | The bit 9 server. |
| Fidelis.Alert.ExecutionForensics.DecodingPath | String | The execution forensics decoding path. |
| Fidelis.Alert.ExecutionForensics.FileCheckAlert | Boolean | The file check alert. |
| Fidelis.Alert.ExecutionForensics.Status | String | The execution forensics status. |
| Fidelis.Alert.ExecutionForensics.Submitable | Boolean | Is the execution forensics submitable. |
| Fidelis.Alert.ExecutionForensics.Score | Number | The execution forensics score. |
| Fidelis.Alert.ExecutionForensics.SubmitId | String | The execution forensics submit ID. |
| Fidelis.Alert.ExecutionForensics.VideoUrl | String | The video URL. |
| Fidelis.Alert.ExecutionForensics.StatusMessage | String | The execution forensics status message. |
| Fidelis.Alert.ExecutionForensics.FileType | String | The file type. |
| Fidelis.Alert.ExecutionForensics.AlertId | Number | The alert ID. |
| Fidelis.Alert.ExecutionForensics.Type | String | The type. |
| Fidelis.Alert.ExecutionForensics.ReportUrl | String | The report URL. |
| Fidelis.Alert.ExecutionForensics.JsSubmitable | Boolean | Is the execution forensics JS submitable. |
| Fidelis.Alert.ExecutionForensics.Uuid | String | The UUID. |
| Fidelis.Alert.ExecutionForensics.JsonReport | Unknown | The JSON report. |
| Fidelis.Alert.ExecutionForensics.FileSize | Unknown | The file size. |
| Fidelis.Alert.ExecutionForensics.Md5 | String | The file's MD5 hash. |
| Fidelis.Alert.ExecutionForensics.ThreatGridOn | Unknown | Is the threat grid on. |
| Fidelis.Alert.ID | Number | The alert ID. |
Command Example

!fidelis-alert-execution-forensics-submission alert_id=9

Context Example
{
"Fidelis": {
"Alert": {
"ExecutionForensics": {
"AlertFlagsXeNonsubmit": false,
"AlertId": 9,
"Bit9Server": null,
"DecodingPath": null,
"DnsFeed": false,
"EFEnabled": true,
"FileCheckAlert": true,
"FileName": null,
"FileSize": 2990,
"FileType": "",
"JsSubmitable": true,
"JsonReport": null,
"Md5": null,
"PcapUrl": "",
"RecordingComplete": true,
"ReportUrl": "",
"SandBoxOn": true,
"Score": null,
"Size": 0,
"Status": "Submitted",
"StatusMessage": null,
"SubmitId": "0",
"SubmitTime": 1585559253000,
"Submitable": true,
"TgReport": false,
"ThreatGridOn": false,
"Type": "alert",
"Uuid": null,
"VideoUrl": ""
},
"ID": "9"
}
}
}
Human Readable Output

Alert 9

| Alert Flags Xe Nonsubmit | Alert Id | Dns Feed | EF Enabled | File Check Alert | File Size | Js Submitable | Recording Complete | Sand Box On | Size | Status | Submit Id | Submit Time | Submitable | Tg Report | Threat Grid On | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | 9 | false | true | true | 2990 | true | true | true | 0 | Submitted | 0 | 1585559253000 | true | false | false | alert |

fidelis-add-alert-comment


Adds a comment to an alert.

Base Command

fidelis-add-alert-comment

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID | Required |
| comment | The comment to add to the alert. | Required |
Context Output

There is no context output for this command.

Command Example

!fidelis-add-alert-comment alert_id=1 comment="my new comment"

Human Readable Output

Added this comment: my new comment To alert ID: 1

fidelis-assign-user-to-alert


Assigns a user to an alert.

Base Command

fidelis-assign-user-to-alert

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| conclusion_id | The alert conclusion ID. | Required |
| comment | Add a comment to the alert. | Optional |
| assign_user | The user to assign. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.AssignedUser | String | Assigned user ID. |
| Fidelis.Alert.ConclusionID | Number | The alert conclusion ID. |
Command Example

!fidelis-assign-user-to-alert assign_user=cloud-user conclusion_id=2

Context Example
{
"Fidelis": {
"Alert": {
"AssignedUser": "cloud-user",
"ConclusionID": "2"
}
}
}
Human Readable Output

Assigned User: cloud-user to alert with conclusion ID 2

fidelis-close-alert


Closes a Fidelis alert and can assign a user.

Base Command

fidelis-close-alert

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| conclusion_id | The conclusion ID. | Required |
| resolution | The alert resolution. | Required |
| comment | Add a comment to the alert. | Optional |
commentAdd a comment to the alert.Optional
Context Output
| Path | Type | Description |
| --- | --- | --- |
| Fidelis.Alert.ConclusionID | Number | The conclusion ID. |
Command Example

!fidelis-close-alert conclusion_id=2 resolution="False Positive"

Human Readable Output

Closed alert conclusion ID 2

fidelis-manage-alert-label


Adds a label to an alert.

Base Command

fidelis-manage-alert-label

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID. | Required |
| label | The label to add. | Required |
| action | What action should be taken. | Required |
Context Output

There is no context output for this command.

Command Example

!fidelis-manage-alert-label action=Add alert_id=3 label="example-label"

Human Readable Output

Assigned label: example-label to alert 3