IBM QRadar SOAR

Assistance with Playbook for FireEye HX and IBM SOAR Hash Blocking

    1. Assistance with Playbook for FireEye HX and IBM SOAR Hash Blocking

    Posted 2 days ago

    Hello All,

    I have already integrated the FireEye HX application with SOAR.

    I am seeking guidance on a specific playbook design for an integration between FireEye HX and IBM SOAR.

    My objective is to create a playbook that allows an analyst to directly block a hash value on FireEye HX from the SOAR platform.

    The integration has been successfully set up, and I have access to the following predefined FireEye HX functions within IBM SOAR:

    • FireEye HX: Append Conditions

    • FireEye HX: Approve Host Containment

    • FireEye HX: Create Indicator

    • FireEye HX: Create Triage Acquisition

    • FireEye HX: Find Host

    • FireEye HX: Get Alert

    • FireEye HX: Get Alerts

    • FireEye HX: Get Host Information

    • FireEye HX: Get Indicator

    • FireEye HX: Get Indicators

    • FireEye HX: Release Host Containment

    • FireEye HX: Request Host Containment

    • FireEye HX: Suppress Alert

    I am trying to determine the correct sequence of functions to achieve the goal of blocking a hash value. It seems that the FireEye HX: Create Indicator function is the most relevant, but I would appreciate any insight or examples on how to correctly sequence the steps within a playbook to ensure the hash is successfully blocked.

    Any assistance, suggestions, or examples of a similar playbook would be greatly appreciated.

    Thank you in advance for your help.

    Regards,

    Farrukh Majid.
    Information Security Consultant.



    ------------------------------
    Farrukh Majid
    ------------------------------
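The sequence the post is asking about (validate the analyst's hash, FireEye HX: Create Indicator, FireEye HX: Append Conditions with a hash test, then FireEye HX: Get Indicator to confirm the condition actually attached) can be sketched as a playbook body. The code below is an added example, not from the original post and not the IBM SOAR or FireEye HX app code; `HxApiStub` is a constructed in-memory stand-in for the HX indicator API, and the method names, the `"presence"`/`"execution"` condition types, the `fileWriteEvent/<algo>` token name and the payload shapes are all assumptions to be checked against the real function inputs in your SOAR instance.

```python
"""Added example: hash-blocking playbook sequence modelled against a stub HX API.

Assumptions (not from the original post or the HX app): the stub's method names,
condition types, token naming and payload shapes.
"""
import re
import uuid

# Digest lengths per algorithm; input is validated before any API call is made.
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "sha1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
}


def classify_hash(value: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' for a well-formed hex digest, else raise ValueError."""
    value = value.strip()
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(value):
            return name
    raise ValueError(f"not a recognised hex digest: {value!r}")


class HxApiStub:
    """Constructed in-memory stand-in for the HX indicator API (assumption, not the real client)."""

    def __init__(self):
        # indicator_id -> {"name", "category", "description", "conditions": [...]}
        self.indicators = {}

    def create_indicator(self, category: str, name: str, description: str = "") -> str:
        indicator_id = str(uuid.uuid4())
        self.indicators[indicator_id] = {
            "name": name,
            "category": category,
            "description": description,
            "conditions": [],
        }
        return indicator_id

    def append_conditions(self, indicator_id: str, condition_type: str, conditions: list) -> int:
        if indicator_id not in self.indicators:
            raise KeyError(indicator_id)
        if condition_type not in ("presence", "execution"):
            raise ValueError(f"unsupported condition type: {condition_type}")
        existing = self.indicators[indicator_id]["conditions"]
        for cond in conditions:
            existing.append({"type": condition_type, "tests": list(cond["tests"])})
        return len(existing)

    def get_indicator(self, indicator_id: str) -> dict:
        return self.indicators[indicator_id]


def block_hash_playbook(hx: HxApiStub, file_hash: str, category: str = "Custom",
                        incident_id: int = 0) -> dict:
    """Playbook body: validate -> Create Indicator -> Append Conditions -> Get Indicator (verify)."""
    algo = classify_hash(file_hash)
    digest = file_hash.strip().lower()

    # Idempotency: if an indicator already carries this digest, reuse it instead of creating another.
    for ind_id, ind in hx.indicators.items():
        for cond in ind["conditions"]:
            if any(t["value"] == digest for t in cond["tests"]):
                return {"indicator_id": ind_id, "created": False, "algorithm": algo}

    name = f"SOAR-{incident_id}-block-{digest[:12]}"
    ind_id = hx.create_indicator(category, name, description=f"Added from SOAR incident {incident_id}")

    # One condition holding one test; the token name is an assumption for illustration.
    condition = {"tests": [{"token": f"fileWriteEvent/{algo}", "operator": "equal", "value": digest}]}
    hx.append_conditions(ind_id, "presence", [condition])

    # Read the indicator back and confirm the condition is attached before reporting success.
    stored = hx.get_indicator(ind_id)
    attached = any(t["value"] == digest for c in stored["conditions"] for t in c["tests"])
    if not attached:
        raise RuntimeError("condition not attached; do not report the hash as blocked")
    return {"indicator_id": ind_id, "created": True, "algorithm": algo}


if __name__ == "__main__":
    api = HxApiStub()
    # Constructed sample input: the MD5 of the empty file.
    print(block_hash_playbook(api, "D41D8CD98F00B204E9800998ECF8427E", incident_id=42))
```

Two design points carry over to the real playbook regardless of the exact function inputs: the final Get Indicator step means the analyst is only told the hash is blocked after the condition is visibly present on the HX side, and the lookup before Create Indicator keeps a re-run of the playbook from creating a second indicator for the same digest.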