FireEye Helix
Version: 1.2.1
FireEye Helix is a security operations platform that makes it simple to deliver advanced security to any organization. It surfaces unseen threats and empowers expert decisions with frontline intelligence to take back control of your defenses and capture the untapped potential of your security investments.
Connect FireEye Helix with Logichub
- Navigate to Automations > Integrations.
- Search for FireEye Helix.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (the default is Verify SSL Certificate).
- Helix API Key: X-FireEye-API-Key for Helix
- Helix Id: Id for Helix. Example 'hexzsq689'
- After you've entered all the details, click Connect.
Search
Create custom search queries.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing the query. Example '{"state":{"$in":["Open","Reopened"]},"suppressed":false}' | Required |
Start | Jinja-templated text containing the start time in 'yyyy-mm-ddThh:mm:ss' format. Default is Batch start time. | Optional |
End | Jinja-templated text containing the end time in 'yyyy-mm-ddThh:mm:ss' format. Default is Batch end time. | Optional |
Output
JSON containing the following items:
{
"alerts":[
{
"_assignedAt":null,
"alertThreat":"Unknown",
"alertType":"fireeye_rule",
"alertTypeDetails":{
"detail":{
"class":"bro_dns",
"domain":"ttos019108.3322.org",
"dstisp":"fq23ef qwfe qwef q34wfqe co. limited",
"srcisp":"private ip address lan",
"meta_ts":"2016-03-28T13:40:53.247Z",
"dstdomain":"asdf.com",
"dstcountry":"america",
"querytypename":"a"
},
"source":"172.19.1.161",
"summary":{
"domain":"ttos019108.3322.org",
"querytypename":"a"
},
"destination":"118.184.176.43"
},
"classification":0,
"closedState":"Escalated",
"confidence":"Medium",
"context":null,
"createDate":"2016-03-28T05:40:05.010000Z",
"customer_id":"hexryy776",
"description":"HUPIGON is capable of comprehensive remote access on a compromised system, to include remote command execution, a file system manager, audio/video capture, VNC-like remote viewing, telnet, and additional capabilities can be implemented using custom plugins. The malware communicates with a preconfigured host and installs itself as a Windows service. This is a generic signature leveraging DNS logs identifying beaconing activity for HUPIGON malware.",
"displayId":6,
"distinguisherKey":"1.19.1.161~,~~,~",
"distinguishers":{
"srcipv4":"1.19.1.161",
"srcipv6":"",
"xfwdforip":""
},
"emailedAt":1459143607860,
"eventCount":100,
"eventsThreshold":0,
"firstEventAt":"2016-03-28T13:36:20.124000Z",
"lastEventAt":"2016-03-28T13:40:53.247000Z",
"external":[
],
"externalCount":0,
"externalId":"",
"id":"asodfijq3peofhrujepriuf",
"infoLinks":[
"http://www.f-asodifjoa.com/v-descs/asdfijads;ocnjs;ad.shtml",
"http://www.asdfjn.com/en/descriptions/6212128/Backdoor.Win32.asdoifjaso;.fdnv",
"http://www.asodfjnvaos.com/security/portal/threat/asd'fjona/entry.aspx?name=Win32%2fHupigon#tab=2"
],
"internal":[
],
"internalCount":0,
"isThreat":false,
"isTuned":false,
"killChain":[
],
"lastSyncMs":2314124351243,
"message":"12rewf qwefwef [DNS]",
"notes":[
{
"_author":{
"id":"123f123d-7ba2-1033-9f52-123df12ewrd2",
"avatar":"https://secure.gravatar.com/avatar/25asdf2342rfqwef81e1c6",
"name":"MR TechBar",
"username":"mrbean",
"primary_email":"[email protected]"
},
"createDate":"2016-03-28T15:41:29.772000Z",
"customer_id":"abcdef",
"id":1,
"updateDate":"2016-03-28T15:41:29.772000Z",
"note":"Reviewing..."
}
],
"notesCount":1,
"organization":"hexryy776",
"originId":"MAP_RULE",
"queues":[
"Default Queue"
],
"revision":17,
"revisionNotes":"",
"risk":"High",
"riskOrder":3,
"riskScore":null,
"search":"metaclass:dns domain:/(ttos|yutao)[0-9]{6}/ NOT srcipv4=inclusion.local.srcipv4",
"secondsThreshold":0,
"severity":"High",
"sourceRevision":0,
"state":"Closed",
"suppressed":false,
"tags":[
"asdf",
"qwer",
"etyru",
"ertyherthn"
],
"threatChangedAt":null,
"threatType":0,
"triggerId":"1.1.100",
"triggerRevision":0,
"tuningSearch":"",
"updateDate":"2018-10-03T10:11:11.609162Z"
}
],
"error":null,
"has_error":false
}
Get Alerts
View for tying together the serializer, authentication, permission and data restrictions for accessing Alerts
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing the Mongo JSON query syntax used to filter for specific results. Example '{"state":{"$in":["Open","Reopened"]},"suppressed":false}' | Optional |
Sort | Jinja-templated text containing the comma-separated list of field names to sort the results by. Example '-updateDate,riskOrder' | Optional |
Fields | Jinja-templated text containing comma-separated list of field names to only select or exclude from the resulting data. | Optional |
Includes | Jinja-templated text containing comma-separated list of field names to expand an ID into a full object representation of the related data. | Optional |
Limit | Jinja-templated number limiting the number of results returned. Default is '5000'. | Optional |
Output
JSON containing the following items:
{
"alerts":[
{
"_assignedAt":null,
"alertThreat":"Unknown",
"alertType":"fireeye_rule",
"alertTypeDetails":{
"detail":{
"class":"bro_dns",
"domain":"ttos019108.3322.org",
"dstisp":"fq23ef qwfe qwef q34wfqe co. limited",
"srcisp":"private ip address lan",
"meta_ts":"2016-03-28T13:40:53.247Z",
"dstdomain":"asdf.com",
"dstcountry":"america",
"querytypename":"a"
},
"source":"172.19.1.161",
"summary":{
"domain":"ttos019108.3322.org",
"querytypename":"a"
},
"destination":"118.184.176.43"
},
"classification":0,
"closedState":"Escalated",
"confidence":"Medium",
"context":null,
"createDate":"2016-03-28T05:40:05.010000Z",
"customer_id":"hexryy776",
"description":"HUPIGON is capable of comprehensive remote access on a compromised system, to include remote command execution, a file system manager, audio/video capture, VNC-like remote viewing, telnet, and additional capabilities can be implemented using custom plugins. The malware communicates with a preconfigured host and installs itself as a Windows service. This is a generic signature leveraging DNS logs identifying beaconing activity for HUPIGON malware.",
"displayId":6,
"distinguisherKey":"1.19.1.161~,~~,~",
"distinguishers":{
"srcipv4":"1.19.1.161",
"srcipv6":"",
"xfwdforip":""
},
"emailedAt":1459143607860,
"eventCount":100,
"eventsThreshold":0,
"firstEventAt":"2016-03-28T13:36:20.124000Z",
"lastEventAt":"2016-03-28T13:40:53.247000Z",
"external":[
],
"externalCount":0,
"externalId":"",
"id":"asodfijq3peofhrujepriuf",
"infoLinks":[
"http://www.f-asodifjoa.com/v-descs/asdfijads;ocnjs;ad.shtml",
"http://www.asdfjn.com/en/descriptions/6212128/Backdoor.Win32.asdoifjaso;.fdnv",
"http://www.asodfjnvaos.com/security/portal/threat/asd'fjona/entry.aspx?name=Win32%2fHupigon#tab=2"
],
"internal":[
],
"internalCount":0,
"isThreat":false,
"isTuned":false,
"killChain":[
],
"lastSyncMs":2314124351243,
"message":"12rewf qwefwef [DNS]",
"notes":[
{
"_author":{
"id":"123f123d-7ba2-1033-9f52-123df12ewrd2",
"avatar":"https://secure.gravatar.com/avatar/25asdf2342rfqwef81e1c6",
"name":"MR TechBar",
"username":"mrbean",
"primary_email":"[email protected]"
},
"createDate":"2016-03-28T15:41:29.772000Z",
"customer_id":"abcdef",
"id":1,
"updateDate":"2016-03-28T15:41:29.772000Z",
"note":"Reviewing..."
}
],
"notesCount":1,
"organization":"hexryy776",
"originId":"MAP_RULE",
"queues":[
"Default Queue"
],
"revision":17,
"revisionNotes":"",
"risk":"High",
"riskOrder":3,
"riskScore":null,
"search":"metaclass:dns domain:/(ttos|yutao)[0-9]{6}/ NOT srcipv4=inclusion.local.srcipv4",
"secondsThreshold":0,
"severity":"High",
"sourceRevision":0,
"state":"Closed",
"suppressed":false,
"tags":[
"asdf",
"qwer",
"etyru",
"ertyherthn"
],
"threatChangedAt":null,
"threatType":0,
"triggerId":"1.1.100",
"triggerRevision":0,
"tuningSearch":"",
"updateDate":"2018-10-03T10:11:11.609162Z"
}
],
"error":null,
"has_error":false
}
Create Alert
View for tying together the serializer, authentication, permission and data restrictions for accessing Alerts
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Data | Jinja-templated JSON containing the data of the alert. | Required |
Output
JSON containing the following items:
{
"error":null,
"has_error":false,
"msg": "Successfully Created"
}
Update Alert
View for tying together the serializer, authentication, permission and data restrictions for accessing Alerts
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Data | Jinja-templated JSON containing the data of the alert. | Required |
Output
JSON containing the following items:
{
"error":null,
"has_error":false,
"msg": "Successfully Updated"
}
Get Events
View for tying together the serializer, authentication, permission and data restrictions for accessing Events
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing the Mongo JSON query syntax used to filter for specific results. Example '{"state":{"$in":["Open","Reopened"]},"suppressed":false}' | Optional |
Sort | Jinja-templated text containing the comma-separated list of field names to sort the results by. Example '-updateDate,riskOrder' | Optional |
Includes | Jinja-templated text containing comma-separated list of field names to expand an ID into a full object representation of the related data. | Optional |
Limit | Jinja-templated number limiting the number of results returned. Default is '5000'. | Optional |
Output
JSON containing the following items:
{
"events": [
{
"customer_id": "hex_id",
"id": 123,
"externalId": "extrenal-id",
"eventtime": "2024-09-42T07:10:32.859000Z",
"_source": {
"msg": "normal",
"pid": 24,
"name": "executed",
"uuid": "uuid",
"class": "alert",
"assets": [
{
"status": "active",
"asset_id": 32,
"location": null,
"org_data": {
"id": 9,
"hex_id": "hex_id",
"properties": null,
"parent_org_id": null
},
"asset_name": "system",
"asset_tags": [
"hx"
],
"asset_type": "user",
"asset_uuid": "uuid",
"cidr_range": null,
"properties": {},
"risk_score": 741,
"asset_alias": [
"system"
],
"event_fields": [
"username"
],
"extended_data": null
}
],
"dstisp": "security",
"result": "alert",
"agentid": "agentid",
"agentip": "ip",
"agentos": "windows ",
"dstcity": "new japan",
"dstipv4": "ip",
"dstport": 43,
"eventid": "14",
"meta_ts": "2024-32-03T07:10:32.859Z",
"process": "httpd.exe",
"product": "hx",
"srccity": "private",
"srcipv4": "131",
"srcport": 443,
"version": "5371",
"_eventid": "d73d",
"agentmac": "003",
"deviceid": "33",
"eventlog": "ioc",
"iocnames": "ad389",
"protocol": "tcp",
"appliance": {
"hostname": "host.com"
},
"condition": {
"tests": [
{
"type": "text",
"token": "ip-ip",
"value": "58",
"operator": "equal"
}
],
"enabled": true
},
"meta_rule": "fir2",
"metaclass": "ids",
"srcregion": "region",
"devicename": "name",
"dstcountry": "new japan",
"matched_at": "2024-09-03t07:09:17+00:00",
"srccountry": "country",
"agentdomain": "sbs",
"agentstatus": "normal",
"conditionid": "jn=",
"customer_id": "h123",
"dstlatitude": 1,
"event_epoch": {
"day": 3,
"hour": 7,
"year": 2024,
"month": 9,
"minute": 8,
"second": 47,
"weekday": "tuesday",
"timezone": "utc",
"epochtime_field": "eventtime"
},
"__metadata__": {
"id": "d13",
"batch_id": "321be",
"received": "2024-09-03T07:10:32.000Z",
"data_type": "passthrough",
"num_events": 1,
"customer_id": "id",
"source_type": "json",
"raw_batch_id": "683be",
"target_index": "alerts",
"disable_index": false,
"sequence_number": 0,
"dynamic_taxonomy": true
},
"agentversion": "3",
"detectedtime": "2025-09-03t07:09:40.802z",
"dstlongitude": 103,
"meta_agentid": "5zuxzgtw",
"agenthostname": "cldp3",
"meta_deviceid": "861D",
"detect_ruleids": [
"19"
],
"dstcountrycode": "2",
"srccountrycode": "9",
"detect_rulenames": [
"trellix endpoint"
],
"detect_rulematches": [
{
"tags": [
"Trellix"
],
"output": [
"alert"
],
"ruleid": "19",
"revision": 30,
"rulename": "trellix endpoint",
"severity": "medium",
"confidence": "high",
"distinguishers": [
"agentid"
],
"eventsThreshold": 1,
"secondsThreshold": 60
}
],
"indicator_category": {
"_id": 2,
"uri_name": "custom"
},
"threat_model_associations": [
{
"ids": [],
"type": "mitre"
}
]
},
"_alerts": [
"e4"
],
"_incidents": [],
"type": "MG"
}
],
"error": null,
"has_error": false
}
Release Notes
v1.2.1
- Added new action: Get Events
v1.0.0
- Added new integration with 4 actions: Search, Get Alerts, Create Alert and Update Alert.