Fidelis Elevate Network
Automate Detection and Response to Network Threats and data leakage in your organization with Fidelis Elevate Network Integration. This integration was integrated and tested with version 9.2.4 of Fidelis Elevate Network
Configure Fidelis Elevate Network on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for Fidelis Elevate Network.
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
|---|---|---|
| server_url | Server URL | True |
| credentials | Credentials | True |
| unsecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| fetch_time | First fetch timestamp (\<number> \<time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
fidelis-get-alert
Gets alert details from Fidelis Elevate.
Base Command
fidelis-get-alert
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Alert ID | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.ID | string | Alert ID. |
| Fidelis.Alert.ThreatScore | number | Alert threat score. |
| Fidelis.Alert.Time | date | Alert time. |
| Fidelis.Alert.RuleID | string | Related rule ID. |
| Fidelis.Alert.RuleName | string | Related rule name. |
| Fidelis.Alert.Summary | string | Alert summary. |
| Fidelis.Alert.PolicyName | string | Related policy name. |
| Fidelis.Alert.Severity | string | Alert severity. |
| Fidelis.Alert.Protocol | string | Protocol involved in the alert. |
| Fidelis.Alert.Type | string | Alert type. |
| Fidelis.Alert.AssignedUser | string | Assigned user ID. |
Command Example
!fidelis-get-alert alert_id=1
Context Example
{
"Fidelis": {
"Alert": {
"AlertUUID": "80d0ccf5-5879-11ea-b430-0eb174ee0947",
"AssignedUser": 0,
"ID": 1,
"PolicyName": "Endpoint Alerts",
"Protocol": "",
"RuleID": 227,
"RuleName": null,
"Severity": "Medium",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: ",
"ThreatScore": 100,
"Time": "2020-02-26 09:21:02",
"Type": "ENDPOINT"
}
}
}
Human Readable Output
Alert 1
| Alert UUID | Assigned User | ID | Policy Name | Rule ID | Severity | Summary | Threat Score | Time | Type |
|---|---|---|---|---|---|---|---|---|---|
| 80d0ccf5-5879-11ea-b430-0eb174ee0947 | 0 | 1 | Endpoint Alerts | 227 | Medium | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 100 | 2020-02-26 09:21:02 | ENDPOINT |
fidelis-delete-alert
Deletes an alert from Fidelis Elevate.
Base Command
fidelis-delete-alert
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | ID of the alert to delete. | Required |
Context Output
There is no context output for this command.
Command Example
!fidelis-delete-alert alert_id=3
Human Readable Output
Alert (3) deleted successfully!
fidelis-get-malware-data
Retrieves malware data related to a "Malware" type alert.
Base Command
fidelis-get-malware-data
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Alert ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.ID | string | Alert ID. |
| Fidelis.Alert.Malware.Name | string | Malware name. |
| Fidelis.Alert.Malware.Type | string | Malware type. |
| Fidelis.Alert.Malware.Behavior | string | Malware behavior. |
| Fidelis.Alert.Malware.Platform | string | Malware platform. |
| Fidelis.Alert.Malware.DetailName | string | Malware detail name from Fidelis Elevate. |
| Fidelis.Alert.Malware.Variant | string | Malware variant. |
| Fidelis.Alert.Malware.Description | string | Malware description from Fidelis Elevate. |
Command Example
!fidelis-get-malware-data alert_id=6
Context Example
{
"Fidelis": {
"Alert": {
"ID": "6",
"Malware": {
"Behavior": null,
"Description": null,
"DetailName": null,
"Name": "",
"Platform": null,
"Type": "",
"Variant": null
}
}
}
}
Human Readable Output
Alert 6 Malware:
| Malware Behavior | Malware Description | Malware Detail Name | Malware Name | Malware Platform | Malware Type | Malware Variant |
|---|---|---|---|---|---|---|
fidelis-get-alert-report
Downloads a PDF report for a specified alert.
Base Command
fidelis-get-alert-report
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Alert ID of the alert for which to download a PDF report. | Required |
Context Output
There is no context output for this command.
Command Example
!fidelis-get-alert-report alert_id=5
Context Example
{
"InfoFile": {
"EntryID": "7382@99f96547-c492-48d1-84bc-070759449a5d",
"Extension": "pdf",
"Info": "application/pdf",
"Name": "Alert_Details_5.pdf",
"Size": 69507,
"Type": "PDF document, version 1.4"
}
}
fidelis-list-alerts
Returns a list of open alerts from Fidelis Elevate.
Base Command
fidelis-list-alerts
Input
| Argument Name | Description | Required |
|---|---|---|
| time_frame | Filter alerts by time frame, for example, Last 48 Hours. | Optional |
| start_time | If the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| end_time | If the time_frame value is Custom, specify the end time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| severity | Filter alerts by alert severity. | Optional |
| type | Filter alerts by alert type. | Optional |
| threat_score | Filter alerts by alert threat score threshold (higher than). | Optional |
| ioc | Filter alerts that are related to a specified IOC. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.ID | string | Alert ID. |
| Fidelis.Alert.Time | date | Alert time. |
| Fidelis.Alert.Summary | string | Alert summary. |
| Fidelis.Alert.Severity | string | Alert severity. |
| Fidelis.Alert.Type | string | Alert type. |
Command Example
!fidelis-list-alerts
Context Example
{
"Fidelis": {
"Alert": [
{
"ID": "6",
"Severity": "High",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown",
"Time": "2020-03-19 23:59:59",
"Type": "Endpoint"
},
{
"ID": "5",
"Severity": "Medium",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: ",
"Time": "2020-03-12 09:21:27",
"Type": "Endpoint"
}
]
}
}
Human Readable Output
Found 6 Alerts:
| ID | Severity | Summary | Time | Type |
|---|---|---|---|---|
| 6 | High | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown | 2020-03-19 23:59:59 | Endpoint |
| 5 | Medium | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-03-12 09:21:27 | Endpoint |
| 4 | Low | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-03-07 09:21:24 | Endpoint |
| 2 | High | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-02-27 09:21:03 | Endpoint |
| 3 | High | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-02-27 09:21:03 | Endpoint |
| 1 | Medium | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-02-26 09:21:02 | Endpoint |
fidelis-upload-pcap
Uploads a PCAP file to Fidelis Elevate for analysis.
Base Command
fidelis-upload-pcap
Input
| Argument Name | Description | Required |
|---|---|---|
| component_ip | Component IP address. | Required |
| entry_id | War Room entry ID of the PCAP file, for example, "3245@6". | Required |
Context Output
There is no context output for this command.
Command Example
!fidelis-upload-pcap component_ip=1.1.1.1 entry_id=7317@99
Human Readable Output
Pcap file uploaded successfully.
fidelis-list-pcap-components
Gets PCAP components.
Base Command
fidelis-list-pcap-components
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Component.Name | string | Component name. |
| Fidelis.Component.IP | string | Component IP address. |
Command Example
!fidelis-list-pcap-components
Context Example
{
"Fidelis": {
"Component": {
"IP": "1.1.1.1",
"Name": "Sensor"
}
}
}
Human Readable Output
PCAP Components
| Name | IP |
|---|---|
| Sensor | 1.1.1.1 |
fidelis-run-pcap
Runs PCAP file analysis in Fidelis Elevate.
Base Command
fidelis-run-pcap
Input
| Argument Name | Description | Required |
|---|---|---|
| component_ip | Component IP address. Run the 'fidelis-list-pcap-components' command to get this value. | Required |
| files | CSV list of PCAP file names in Fidelis Elevate. | Required |
Context Output
There is no context output for this command.
Command Example
!fidelis-run-pcap component_ip=1.1.1.1 files=file.pcap
Human Readable Output
Pcap file run submitted.
fidelis-get-alert-by-uuid
Returns an alert, by UUID.
Base Command
fidelis-get-alert-by-uuid
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_uuid | The UUID of the alert. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.ID | Number | Alert ID. |
| Fidelis.Alert.Severity | String | Alert severity. |
| Fidelis.Alert.Summary | String | Alert summary. |
| Fidelis.Alert.Time | Date | Alert time. |
| Fidelis.Alert.Type | String | Alert type. |
| Fidelis.Alert.UUID | String | Alert UUID. |
Command Example
!fidelis-get-alert-by-uuid alert_uuid=80d0ccf5-5879-11ea-b430-0eb174ee0947
Context Example
{
"Fidelis": {
"Alert": {
"ID": "1",
"Severity": "Medium",
"Summary": "Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: ",
"Time": "2020-02-26 09:21:02",
"Type": "Endpoint"
}
}
}
Human Readable Output
Found 1 Alerts:
| ID | Severity | Summary | Time | Type |
|---|---|---|---|---|
| 1 | Medium | Endpoint alert on fidelis-endpoint.c.dmst-integrations.internal: , Intel Source: Unknown, Artifact: | 2020-02-26 09:21:02 | Endpoint |
fidelis-list-metadata
Returns a metadata list.
Base Command
fidelis-list-metadata
Input
| Argument Name | Description | Required |
|---|---|---|
| time_frame | Filter alerts by time frame, for example, Last 48 Hours. | Optional |
| start_time | If the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| end_time | If the time_frame value is Custom, specify the end time for the time range, for example,2017-06-01T12:48:16.734. | Optional |
| client_ip | Filter alerts by client IP. | Optional |
| server_ip | Filter alerts by server IP address. | Optional |
| request_direction | Direction of the request. Can be "s2c" (server to client) or "c2s" (client to server). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Metadata.MalwareName | String | Malware name. |
| Fidelis.Metadata.ServerPort | Number | Server port number. |
| Fidelis.Metadata.SHA256 | String | SHA256 hash of the file. |
| Fidelis.Metadata.FileName | String | File name. |
| Fidelis.Metadata.PcapFilename | String | PCAP file name. |
| Fidelis.Metadata.SessionDuration | String | The event session duration. |
| Fidelis.Metadata.ServerIP | String | The server IP address. |
| Fidelis.Metadata.ClientCountry | String | The client country. |
| Fidelis.Metadata.ClientPort | Number | The client port number. |
| Fidelis.Metadata.SessionStart | Date | The date/time that the session started. |
| Fidelis.Metadata.MalwareType | String | The malware type. |
| Fidelis.Metadata.URL | String | Request URL. |
| Fidelis.Metadata.RequestDirection | String | Request direction (s2c or c2s). |
| Fidelis.Metadata.MalwareSeverity | String | The severity of the malware. |
| Fidelis.Metadata.ClientIP | String | The client IP address. |
| Fidelis.Metadata.ServerCountry | String | The country of the server. |
| Fidelis.Metadata.PcapTimestamp | Date | PCAP timestamp. |
| Fidelis.Metadata.SensorUUID | String | Sensor UUID. |
| Fidelis.Metadata.Timestamp | Date | Timestamp of the event. |
| Fidelis.Metadata.FileType | String | File type. |
| Fidelis.Metadata.Protocol | String | Event protocol. |
| Fidelis.Metadata.UserAgent | String | User agent of the request. |
| Fidelis.Metadata.Type | String | Type of the event. |
| Fidelis.Metadata.FileSize | Number | The size of the file. |
| Fidelis.Metadata.MD5 | String | MD5 hash of the file. |
Command Example
!fidelis-list-metadata
Context Example
{
"Fidelis": {
"Metadata": null
}
}
Human Readable Output
Found 0 Metadata:
No entries.
fidelis-list-alerts-by-ip
Returns a list of alerts, by source IP address or destination IP address.
Base Command
fidelis-list-alerts-by-ip
Input
| Argument Name | Description | Required |
|---|---|---|
| time_frame | Today,Yesterday,Last 7 Days,Last Hour,Last 24 Hours,Last 48 Hours,Last 30 Days,Custom | Optional |
| start_time | If the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| end_time | If the time_frame value is Custom, specify the start time for the time range, for example, 2017-06-01T12:48:16.734. | Optional |
| src_ip | Filter alerts by the source IP. | Optional |
| dest_ip | Filter alerts by the destination IP address. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.SourceIP | String | The alert source IP address. |
| Fidelis.Alert.UserRating | String | User rating. |
| Fidelis.Alert.DestinationCountry | String | Destination country of the alert. |
| Fidelis.Alert.AssetID | Number | The ID of the asset. |
| Fidelis.Alert.Time | Date | Date/time that the alert started. |
| Fidelis.Alert.HostIP | String | The host IP address of the alert. |
| Fidelis.Alert.DistributedAlertID | String | Alert distributed ID. |
| Fidelis.Alert.DestinationIP | String | Alert destination IP address. |
| Fidelis.Alert.AlertUUID | String | The alert UUID. |
| Fidelis.Alert.Type | String | The alert type. |
| Fidelis.Alert.ID | Number | Alert ID. |
| Fidelis.Alert.SourceCountry | String | Alert source country |
Command Example
!fidelis-list-alerts-by-ip
Context Example
{
"Fidelis": {
"Alert": [
{
"AlertUUID": "151fa61c-6b08-11ea-85b0-0eb174ee0947",
"AssetID": "2",
"DestinationCountry": "",
"DestinationIP": "::",
"DistributedAlertID": "Console-6",
"HostIP": "2.2.2.2",
"ID": "6",
"SourceCountry": "",
"SourceIP": "::",
"Time": "2020-03-19 23:59:59",
"Type": "Endpoint",
"UserRating": "No Rating"
},
{
"AlertUUID": "1dee426f-6443-11ea-83d9-0eb174ee0947",
"AssetID": "2",
"DestinationCountry": "",
"DestinationIP": "::",
"DistributedAlertID": "Console-5",
"HostIP": "2.2.2.2",
"ID": "5",
"SourceCountry": "",
"SourceIP": "::",
"Time": "2020-03-12 09:21:27",
"Type": "Endpoint",
"UserRating": "No Rating"
}
]
}
}
Human Readable Output
Found 6 Alerts:
| Time | AlertUUID | ID | DistributedAlertID | UserRating | HostIP | AssetID | Type | DestinationCountry | SourceCountry | DestinationIP | SourceIP |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2020-03-19 23:59:59 | 151fa61c-6b08-11ea-85b0-0eb174ee0947 | 6 | Console-6 | No Rating | 2.2.2.2 | 2 | Endpoint | :: | :: | ||
| 2020-03-12 09:21:27 | 1dee426f-6443-11ea-83d9-0eb174ee0947 | 5 | Console-5 | No Rating | 2.2.2.2 | 2 | Endpoint | :: | :: | ||
| 2020-03-07 09:21:24 | 244267da-6055-11ea-b430-0eb174ee0947 | 4 | Console-4 | No Rating | 2.2.2.2 | 2 | Endpoint | :: | :: | ||
| 2020-02-27 09:21:03 | a2d7fa21-5942-11ea-b430-0eb174ee0947 | 2 | Console-2 | No Rating | 2.2.2.2 | 2 | Endpoint | :: | :: | ||
| 2020-02-27 09:21:03 | a2d8eec9-5942-11ea-b430-0eb174ee0947 | 3 | Console-3 | False Positive | 2.2.2.2 | 2 | Endpoint | :: | :: | ||
| 2020-02-26 09:21:02 | 80d0ccf5-5879-11ea-b430-0eb174ee0947 | 1 | Console-1 | Actionable | 2.2.2.2 | 2 | Endpoint | :: | :: |
fidelis-download-malware-file
Downloads a malware file from a specified alert.
Base Command
fidelis-download-malware-file
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | ID of the alert from which to download the file. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| File.Size | Number | The size of the file. |
| File.Extension | String | The file extension. |
| File.Info | String | Information about the file. |
| File.Name | String | The name of the file. |
| File.SHA1 | String | SHA1 hash of the file. |
| File.Type | String | The file type. |
| File.SHA256 | String | SHA256 hash of the file. |
| File.SSDeep | String | SSDeep hash of the file. |
| File.EntryID | String | File entry ID. |
| File.MD5 | String | MD5 hash of the file. |
Command Example
!fidelis-download-malware-file alert_id=9
Context Example
{
"File": {
"EntryID": "7640@99f96547-c492-48d1-84bc-070759449a5d",
"Extension": "zip",
"Info": "application/zip",
"MD5": "d41d8cd98f00b204e9800998ecf8427e",
"Name": ":HTTP(file.pcap).zip",
"SHA1": "52483514f07eb14570142f6927b77deb7b4da99f",
"SHA256": "42a5e275559a1651b3df8e15d3f5912499f0f2d3d1523959c56fc5aea6371e59",
"SHA512": "3fbdc4195b66297eaa4168ad6ded010c47eaea57496b6cc1ccfa34c9579d21562451d1269c7412e31e926cbb7c50ffc160a6493f4a8df0235ecd3ea2c9bfddb5",
"SSDeep": "3::",
"Size": 0,
"Type": "empty"
}
}
Human Readable Output
No File Found
fidelis-download-pcap-file
Downloads the PCAP file from a specified alert.
Base Command
fidelis-download-pcap-file
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | The ID of the alert from which to download the file. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | File information. |
| File.Name | String | Name of the file. |
| File.Size | Number | File size |
| File.Type | String | File type. |
| File.SHA1 | String | SHA1 hash of the file. |
| File.SHA256 | String | SHA256 hash of the file. |
| File.SSDeep | String | SSDeep hash of the file. |
| File.MD5 | String | MD5 hash of the file. |
Command Example
!fidelis-download-pcap-file alert_id=5
Context Example
{
"File": {
"EntryID": "7378@99f96547-c492-48d1-84bc-070759449a5d",
"Extension": "pcap",
"Info": "application/vnd.tcpdump.pcap",
"MD5": "e8a496ed6be700ed61b8b758df3248ef",
"Name": "Alert ID_5.pcap",
"SHA1": "86a3069583b027eac8cc519c09cff1f7e18ab9c5",
"SHA256": "c7911278b27d93e1a5c6998eaca0c75348284caaba9d58ba9951be7d325279a6",
"SHA512": "3fbdc4195b66297eaa4168ad6ded010c47eaea57496b6cc1ccfa34c9579d21562451d1269c7412e31e926cbb7c50ffc160a6493f4a8df0235ecd3ea2c9bfddb5",
"SSDeep": "48:uuHYx6sS1bioEX7gyLatSqAc8kHRgd5peJB80t9qeM:uuHYx6sS1bUJBqus8v9",
"Size": 2036,
"Type": "HTML document text, ASCII text, with very long lines, with no line terminators"
}
}
Human Readable Output
fidelis-get-alert-session-data
Return the session information related to an alert.
Base Command
fidelis-get-alert-session-data
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Alert ID | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.ID | Number | Alert ID. |
| Fidelis.Alert.SessionData.RecordingState | String | The alert's recording state. |
| Fidelis.Alert.SessionData.ClientPackets | String | The client packets. |
| Fidelis.Alert.SessionData.ServerSize | String | The server size. |
| Fidelis.Alert.SessionData.ServerPort | Number | The server port. |
| Fidelis.Alert.SessionData.ServerDataComplete | Boolean | Is the server data complete. |
| Fidelis.Alert.SessionData.ServerPackets | String | The server packets. |
| Fidelis.Alert.SessionData.EndTime | String | The end time. |
| Fidelis.Alert.SessionData.ServerIp | String | The server IP. |
| Fidelis.Alert.SessionData.ClientSize | String | The client size. |
| Fidelis.Alert.SessionData.ClientPort | Number | The client port. |
| Fidelis.Alert.SessionData.ServerData | String | The server data. |
| Fidelis.Alert.SessionData.BinaryServerData | Unknown | The binary server data. |
| Fidelis.Alert.SessionData.ClientDataComplete | Boolean | Is the client data complete. |
| Fidelis.Alert.SessionData.ServerDataSize | Number | The server data size. |
| Fidelis.Alert.SessionData.RecordedObject | Boolean | The recorded object. |
| Fidelis.Alert.SessionData.StartTime | String | The start time. |
| Fidelis.Alert.SessionData.ClientDomainName | String | The client domain name. |
| Fidelis.Alert.SessionData.TcpState | String | The TCP state. |
| Fidelis.Alert.SessionData.ShowingDataSize | Number | Showing the data size. |
| Fidelis.Alert.SessionData.ClientIp | String | The client IP. |
| Fidelis.Alert.SessionData.Duration | Number | The session data duration. |
| Fidelis.Alert.SessionData.ClientData | String | The client data. |
| Fidelis.Alert.SessionData.BinaryClientData | Unknown | The binary client data. |
| Fidelis.Alert.SessionData.ClientDataSize | Number | The client data size. |
| Fidelis.Alert.SessionData.NoForensics | Boolean | Are there no forensics. |
| Fidelis.Alert.SessionData.Exist | Boolean | Does the sesison data exist. |
| Fidelis.Alert.SessionData.TimeZone | String | The time zone. |
| Fidelis.Alert.SessionData.Highlights | Unknown | Highlights in the session data. |
| Fidelis.Alert.SessionData.ServerDomainName | String | The server domain name. |
Command Example
!fidelis-get-alert-session-data alert_id=9
Context Example
{
"Fidelis": {
"Alert": {
"ID": "9",
"SessionData": {
"BinaryClientData": {file binary data},
"BinaryServerData": null,
"ClientData": {file client data},
"ClientDataComplete": true,
"ClientDataSize": 2990,
"ClientDomainName": null,
"ClientDomaniName": "",
"ClientIp": "0.0.0.0",
"ClientPackets": null,
"ClientPort": 0,
"ClientSize": null,
"Duration": 0,
"EndTime": "2020-03-30 09:07:33",
"Exist": true,
"Highlights": [],
"NoForensics": false,
"RecordedObject": true,
"RecordingState": null,
"ServerData": null,
"ServerDataComplete": true,
"ServerDataSize": null,
"ServerDomainName": null,
"ServerDomaniName": "",
"ServerIp": "0.0.0.0",
"ServerPackets": null,
"ServerPort": 0,
"ServerSize": null,
"ShowingDataSize": 4,
"StartTime": "2020-03-30 09:07:33",
"TcpState": null,
"TimeZone": "UTC"
}
}
}
}
Human Readable Output
Alert 9
| Binary Client Data | Client Data | Client Data Complete | Client Data Size | Client Ip | Client Port | Duration | End Time | Exist | No Forensics | Recorded Object | Server Data Complete | Server Ip | Server Port | Showing Data Size | Start Time | Time Zone |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| {file binary data} | {file client data} | true | 2990 | 0.0.0.0 | 0 | 0 | 2020-03-30 09:07:33 | true | false | true | true | 0.0.0.0 | 0 | 4 | 2020-03-30 09:07:33 | UTC |
fidelis-get-alert-execution-forensics
Get the exectution forensics for an alert.
Base Command
fidelis-get-alert-execution-forensics
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Alert ID | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.ID | Number | The alert ID. |
| Fidelis.Alert.ExecutionForensics.EFEnabled | Boolean | Is the alert execution forensics enabled. |
| Fidelis.Alert.ExecutionForensics.Size | Number | The execution forensics size. |
| Fidelis.Alert.ExecutionForensics.SubmitTime | Number | The submission time. |
| Fidelis.Alert.ExecutionForensics.SandBoxOn | Boolean | Is the sandbox on. |
| Fidelis.Alert.ExecutionForensics.TgReport | Boolean | The TG report. |
| Fidelis.Alert.ExecutionForensics.FileName | String | The file name. |
| Fidelis.Alert.ExecutionForensics.DnsFeed | Boolean | Is there a DNS feed. |
| Fidelis.Alert.ExecutionForensics.RecordingComplete | Boolean | Is the recording complete. |
| Fidelis.Alert.ExecutionForensics.PcapUrl | String | The PCAP URL. |
| Fidelis.Alert.ExecutionForensics.AlertFlagsXeNonsubmit | Boolean | The alert flag xe-nonsubmit. |
| Fidelis.Alert.ExecutionForensics.Bit9Server | String | The bit 9 server. |
| Fidelis.Alert.ExecutionForensics.DecodingPath | String | The execution forensics decoding path. |
| Fidelis.Alert.ExecutionForensics.FileCheckAlert | Boolean | The file check alert. |
| Fidelis.Alert.ExecutionForensics.Status | String | The execution forensics status. |
| Fidelis.Alert.ExecutionForensics.Submitable | Boolean | Is the execution forensics submitable. |
| Fidelis.Alert.ExecutionForensics.Score | Number | The execution forensics score. |
| Fidelis.Alert.ExecutionForensics.SubmitId | String | The execution forensics submit ID. |
| Fidelis.Alert.ExecutionForensics.VideoUrl | String | The video URL. |
| Fidelis.Alert.ExecutionForensics.StatusMessage | String | The execution forensics status message. |
| Fidelis.Alert.ExecutionForensics.FileType | String | The file type. |
| Fidelis.Alert.ExecutionForensics.AlertId | Number | The alert ID. |
| Fidelis.Alert.ExecutionForensics.Type | String | The type. |
| Fidelis.Alert.ExecutionForensics.ReportUrl | String | The report URL. |
| Fidelis.Alert.ExecutionForensics.JsSubmitable | Boolean | Is the execution forensics JS submitable. |
| Fidelis.Alert.ExecutionForensics.Uuid | String | The UUID. |
| Fidelis.Alert.ExecutionForensics.JsonReport | Unknown | The JSON report. |
| Fidelis.Alert.ExecutionForensics.FileSize | Number | The file size. |
| Fidelis.Alert.ExecutionForensics.Md5 | String | The file's MD5 hash. |
| Fidelis.Alert.ExecutionForensics.ThreatGridOn | Boolean | Is the threat grid on. |
Command Example
!fidelis-get-alert-execution-forensics alert_id=9
Context Example
{
"Fidelis": {
"Alert": {
"ExecutionForensics": {
"AlertFlagsXeNonsubmit": false,
"AlertId": 9,
"Bit9Server": null,
"DecodingPath": null,
"DnsFeed": false,
"EFEnabled": true,
"FileCheckAlert": true,
"FileName": null,
"FileSize": 2990,
"FileType": "",
"JsSubmitable": true,
"JsonReport": null,
"Md5": null,
"PcapUrl": "",
"RecordingComplete": true,
"ReportUrl": "",
"SandBoxOn": true,
"Score": null,
"Size": 0,
"Status": "Submitted",
"StatusMessage": null,
"SubmitId": "0",
"SubmitTime": 1585559253000,
"Submitable": true,
"TgReport": false,
"ThreatGridOn": false,
"Type": "alert",
"Uuid": null,
"VideoUrl": ""
},
"ID": "9"
}
}
}
Human Readable Output
Alert 9
| Alert Flags Xe Nonsubmit | Alert Id | Dns Feed | EF Enabled | File Check Alert | File Size | Js Submitable | Recording Complete | Sand Box On | Size | Status | Submit Id | Submit Time | Submitable | Tg Report | Threat Grid On | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| false | 9 | false | true | true | 2990 | true | true | true | 0 | Submitted | 0 | 1585559253000 | true | false | false | alert |
fidelis-get-alert-forensic-text
Get the text of the forensic data.
Base Command
fidelis-get-alert-forensic-text
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | The alert ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.ID | Number | The alert ID. |
| Fidelis.Alert.ForensicText | String | The alert's forensic text. |
Command Example
!fidelis-get-alert-forensic-text alert_id=9
Context Example
{
"Fidelis": {
"Alert": {
"ForensicText": {file forensic text},
"ID": "9"
}
}
}
Human Readable Output
Alert 9 Forensic Text: {file forensic text}
fidelis-get-alert-decoding-path
Get the alert's decoding path.
Base Command
fidelis-get-alert-decoding-path
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Alert ID | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.ID | Number | The alert ID. |
| Fidelis.Alert.DecodingPath.ClickableDpaths | Unknown | The clickable decoding paths |
| Fidelis.Alert.DecodingPath.CommandpostIp | String | The command post IP. |
| Fidelis.Alert.DecodingPath.DecodingPaths | Unknown | The decoding path info. |
| Fidelis.Alert.DecodingPath.OriginalAttributes | String | The original attribute. |
| Fidelis.Alert.DecodingPath.OriginalDPath | String | The original path. |
| Fidelis.Alert.DecodingPath.AttributeMap | Unknown | The attribute map. |
| Fidelis.Alert.DecodingPath.AttributeMapHighLights | Unknown | The attribute map highlights. |
Command Example
!fidelis-get-alert-decoding-path alert_id=9
Context Example
{
"Fidelis": {
"Alert": {
"DecodingPath": {
"AttributeMap": {
"HTTP": [
{
"endIndex": 29,
"highLights": [],
"link": false,
"name": "Filename",
"partialAttr": "HTTP\fFilename\tfile.pcap\n",
"startIndex": 0,
"value": "file.pcap",
"valueFirst255": "file.pcap"
}
]
},
"AttributeMapHighLights": [],
"ClickableDpaths": [
"HTTP(file.pcap)"
],
"CommandpostIp": null,
"DecodingPaths": [
{
"clickable": true,
"highLights": [],
"linkPath": ":HTTP(file.pcap)",
"path": "HTTP(file.pcap)"
}
],
"OriginalAttributes": "HTTP\fFilename\tfile.pcap\n",
"OriginalDPath": ":HTTP(file.pcap)"
},
"ID": "9"
}
}
}
Human Readable Output
Alert 9
| Attribute Map | Clickable Dpaths | Decoding Paths | Original Attributes | Original D Path |
|---|---|---|---|---|
| HTTP: {u'endIndex': 29, u'name': u'Filename', u'valueFirst255': u'file.pcap', u'highLights': [], u'value': u'file.pcap', u'startIndex': 0, u'link': False, u'partialAttr': u'HTTP\x0cFilename\tfile.pcap\n'} | HTTP(file.pcap) | {u'clickable': True, u'highLights': [], u'linkPath': u':HTTP(file.pcap)', u'path': u'HTTP(file.pcap)'} | HTTPFilename file.pcap | :HTTP(file.pcap) |
fidelis-update-alert-status
Update alert status
Base Command
fidelis-update-alert-status
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Alert ID | Required |
| status | The new alert status. | Required |
Context Output
There is no context output for this command.
Command Example
!fidelis-update-alert-status alert_id=1 status=Actionable
Human Readable Output
Alert 1 has been updated to Actionable status
fidelis-alert-execution-forensics-submission
Submit an excutable file to the fidelis sandbox.
Base Command
fidelis-alert-execution-forensics-submission
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | The alert ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.ExecutionForensics.EFEnabled | Number | Is the alert execution forensics enabled. |
| Fidelis.Alert.ExecutionForensics.Size | Number | The execution forensics size. |
| Fidelis.Alert.ExecutionForensics.SubmitTime | Number | The submission time. |
| Fidelis.Alert.ExecutionForensics.SandBoxOn | Boolean | Is the sandbox on. |
| Fidelis.Alert.ExecutionForensics.TgReport | Boolean | The TG report. |
| Fidelis.Alert.ExecutionForensics.FileName | String | The file name. |
| Fidelis.Alert.ExecutionForensics.DnsFeed | Boolean | Is there a DNS feed. |
| Fidelis.Alert.ExecutionForensics.RecordingComplete | Boolean | Is the recording complete. |
| Fidelis.Alert.ExecutionForensics.PcapUrl | String | The PCAP URL. |
| Fidelis.Alert.ExecutionForensics.AlertFlagsXeNonsubmit | Boolean | The alert flag xe-nonsubmit. |
| Fidelis.Alert.ExecutionForensics.Bit9Server | String | The bit 9 server. |
| Fidelis.Alert.ExecutionForensics.DecodingPath | String | The execution forensics decoding path. |
| Fidelis.Alert.ExecutionForensics.FileCheckAlert | Boolean | The file check alert. |
| Fidelis.Alert.ExecutionForensics.Status | String | The execution forensics status. |
| Fidelis.Alert.ExecutionForensics.Submitable | Boolean | Is the execution forensics submitable. |
| Fidelis.Alert.ExecutionForensics.Score | Number | The execution forensics score. |
| Fidelis.Alert.ExecutionForensics.SubmitId | String | The execution forensics submit ID. |
| Fidelis.Alert.ExecutionForensics.VideoUrl | String | The video URL. |
| Fidelis.Alert.ExecutionForensics.StatusMessage | String | The execution forensics status message. |
| Fidelis.Alert.ExecutionForensics.FileType | String | The file type. |
| Fidelis.Alert.ExecutionForensics.AlertId | Number | The alert ID. |
| Fidelis.Alert.ExecutionForensics.Type | String | The type. |
| Fidelis.Alert.ExecutionForensics.ReportUrl | String | The report URL. |
| Fidelis.Alert.ExecutionForensics.JsSubmitable | Boolean | Is the execution forensics JS submitable. |
| Fidelis.Alert.ExecutionForensics.Uuid | String | The UUID. |
| Fidelis.Alert.ExecutionForensics.JsonReport | Unknown | The JSON report. |
| Fidelis.Alert.ExecutionForensics.FileSize | Unknown | The file size. |
| Fidelis.Alert.ExecutionForensics.Md5 | String | The file's MD5 hash. |
| Fidelis.Alert.ExecutionForensics.ThreatGridOn | Unknown | Is the threat grid on. |
| Fidelis.Alert.ID | Number | The alert ID. |
Command Example
!fidelis-alert-execution-forensics-submission alert_id=9
Context Example
{
"Fidelis": {
"Alert": {
"ExecutionForensics": {
"AlertFlagsXeNonsubmit": false,
"AlertId": 9,
"Bit9Server": null,
"DecodingPath": null,
"DnsFeed": false,
"EFEnabled": true,
"FileCheckAlert": true,
"FileName": null,
"FileSize": 2990,
"FileType": "",
"JsSubmitable": true,
"JsonReport": null,
"Md5": null,
"PcapUrl": "",
"RecordingComplete": true,
"ReportUrl": "",
"SandBoxOn": true,
"Score": null,
"Size": 0,
"Status": "Submitted",
"StatusMessage": null,
"SubmitId": "0",
"SubmitTime": 1585559253000,
"Submitable": true,
"TgReport": false,
"ThreatGridOn": false,
"Type": "alert",
"Uuid": null,
"VideoUrl": ""
},
"ID": "9"
}
}
}
Human Readable Output
Alert 9
| Alert Flags Xe Nonsubmit | Alert Id | Dns Feed | EF Enabled | File Check Alert | File Size | Js Submitable | Recording Complete | Sand Box On | Size | Status | Submit Id | Submit Time | Submitable | Tg Report | Threat Grid On | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| false | 9 | false | true | true | 2990 | true | true | true | 0 | Submitted | 0 | 1585559253000 | true | false | false | alert |
fidelis-add-alert-comment
Adds a comment to an alert.
Base Command
fidelis-add-alert-comment
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Alert ID | Required |
| comment | comment | Required |
Context Output
There is no context output for this command.
Command Example
!fidelis-add-alert-comment alert_id=1 comment="my new comment"
Human Readable Output
Added this comment: my new comment To alert ID: 1
fidelis-assign-user-to-alert
Assign a user to an alert.
Base Command
fidelis-assign-user-to-alert
Input
| Argument Name | Description | Required |
|---|---|---|
| conclusion_id | The alert conclusion ID. | Required |
| comment | Add a comment to the alert | Optional |
| assign_user | The user to assign. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.AssignedUser | String | Assigned user ID. |
| Fidelis.Alert.ConclusionID | Number | The alert conclusion ID. |
Command Example
!fidelis-assign-user-to-alert assign_user=cloud-user conclusion_id=2
Context Example
{
"Fidelis": {
"Alert": {
"AssignedUser": "cloud-user",
"ConclusionID": "2"
}
}
}
Human Readable Output
Assigned User: cloud-user to alert with conclusion ID 2
fidelis-close-alert
Closes a fidelis alert and can assign a user.
Base Command
fidelis-close-alert
Input
| Argument Name | Description | Required |
|---|---|---|
| conclusion_id | The conclusion ID. | Required |
| resolution | The alert resolution. | Required |
| comment | Add a comment to the alert. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fidelis.Alert.ConclusionID | Number | The conclusion ID. |
Command Example
!fidelis-close-alert conclusion_id=2 resolution="False Positive"
Human Readable Output
Closed alert conclusion ID 2
fidelis-manage-alert-label
Adds a label to an alert.
Base Command
fidelis-manage-alert-label
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Alert ID. | Required |
| label | The label to add. | Required |
| action | What action should be taken. | Required |
Context Output
There is no context output for this command.
Command Example
!fidelis-manage-alert-label action=Add alert_id=3 label="example-label"
Human Readable Output
Assigned label: example-label to alert 3