Original Message:
Sent: Mon May 05, 2025 02:43 AM
From: Farrukh Majid
Subject: Help with Creating a Playbook for FireEye HX Incident in IBM SOAR
Hi Richard,
Thank you for your support.
I have just integrated the FireEye HX application with IBM SOAR, as per the plan. Our next step is to automate the response from IBM SOAR to FireEye HX. We are already configured to receive FireEye HX-related incidents in IBM SOAR.
As of now, I am planning to create the playbook we discussed earlier. My plan is as follows:
Identify FireEye HX incidents with artifacts/IOCs.
Extract hashes from the alerts.
Check the health of those hashes.
If the hashes are unhealthy, block them on the FireEye HX end.
An important question: Can we achieve this using the predefined functions of the FireEye HX application, or will we need to make any customizations to achieve this goal?
If customization is needed, then what kind of customization is required?
Regards,
Farrukh Majid.
------------------------------
Farrukh Majid
Original Message:
Sent: Thu May 01, 2025 08:50 AM
From: Richard Swierk
Subject: Help with Creating a Playbook for FireEye HX Incident in IBM SOAR
Hello, as of right now it is not possible to add a loop into a playbook.
------------------------------
Richard Swierk
Original Message:
Sent: Wed April 30, 2025 03:07 AM
From: Farrukh Majid
Subject: Help with Creating a Playbook for FireEye HX Incident in IBM SOAR
Thanks for your support.
As per my objective, the flow that I want to achieve is mentioned below:
Start
↓
Get Alert (FireEye HX: Get Alert)
↓
Extract Hashes (Python)
↓
For Each Hash:
├─ Get Health (FireEye HX: Get Indicator)
│ ├─ Unhealthy? → Block (FireEye HX: Create Indicator) → Add Note
│ └─ Healthy? → Skip
↓
End
I have created some steps to achieve this scenario in the playbook/workflow. Your assistance is required in this matter.
------------------------------
Farrukh Majid
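As an added example (not code from this thread or from the FireEye HX app), the "Extract Hashes" script step can itself run the per-hash health check and hand one de-duplicated list to the blocking step, which sidesteps the playbook's lack of loops. The alert layout, field names and health verdicts below are constructed for illustration; the real lookup would be the "FireEye HX: Get Indicator" function.

```python
import re
from typing import Any, Callable
# Hex-only patterns keyed by hash type; the \b anchors stop a longer digest
# (e.g. a SHA-256) from also being reported as a shorter one.
HASH_PATTERNS = {
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}
def extract_hashes(alert: Any) -> dict[str, set[str]]:
    """Walk a JSON-like alert and collect hash-shaped tokens by type, lower-cased."""
    found: dict[str, set[str]] = {name: set() for name in HASH_PATTERNS}
    def walk(node: Any) -> None:
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
        elif isinstance(node, str):
            for name, pattern in HASH_PATTERNS.items():
                found[name].update(m.lower() for m in pattern.findall(node))
    walk(alert)
    return found

def plan_blocks(alert: Any, health_of: Callable[[str], str]) -> list[dict[str, str]]:
    """Run the per-hash health check inside the script (so the playbook needs no loop)
    and return only hashes judged 'unhealthy'; 'unknown' verdicts are deliberately skipped."""
    to_block: list[dict[str, str]] = []
    for hash_type, values in extract_hashes(alert).items():
        for value in sorted(values):
            if health_of(value) == "unhealthy":
                to_block.append({"type": hash_type, "value": value})
    return to_block

# Constructed sample alert; the field names are invented for this example.
SAMPLE_ALERT = {
    "event_values": {"file_md5": "0123456789ABCDEF0123456789abcdef",
                     "file_path": "C:\\Users\\Public\\dropper.bin"},
    "artifacts": [{"type": "sha1", "value": "deadbeef" * 5},
                  {"type": "sha256", "value": "ab" * 32},
                  {"type": "sha256", "value": "AB" * 32}],  # same digest, other case
}
# Constructed verdicts standing in for the 'Get Indicator' health lookup.
SAMPLE_VERDICTS = {"0123456789abcdef0123456789abcdef": "unhealthy",
                   "deadbeef" * 5: "healthy", "ab" * 32: "unhealthy"}
def sample_health(digest: str) -> str:
    return SAMPLE_VERDICTS.get(digest, "unknown")
```

The returned list is what a single "Create Indicator" stage (or one call per entry, driven by the script rather than a playbook loop) would consume; hashes the lookup cannot classify are left for an analyst rather than blocked automatically.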
Original Message:
Sent: Tue April 22, 2025 01:22 AM
From: Mohamad islam Hamadieh
Subject: Help with Creating a Playbook for FireEye HX Incident in IBM SOAR
If you are new to playbook creation, check out this video:
Playbooks: Improving SOPs and Automations
Other videos in the channel are also very helpful.
------------------------------
Mohamad islam Hamadieh
I post SOAR content and tips on LinkedIn; follow me :)
https://linkedin.com/in/mohamadislam
Original Message:
Sent: Mon April 21, 2025 04:25 AM
From: Farrukh Majid
Subject: Help with Creating a Playbook for FireEye HX Incident in IBM SOAR
Hello all,
I have successfully integrated the FireEye HX application with IBM SOAR (Resilient). Now, I need to create a playbook using the predefined functions provided by the FireEye HX app.
The available functions are:
FireEye HX: Append Conditions
FireEye HX: Approve Host Containment
FireEye HX: Create Indicator
FireEye HX: Create Triage Acquisition
FireEye HX: Find Host
FireEye HX: Get Alert
FireEye HX: Get Alerts
FireEye HX: Get Host Information
FireEye HX: Get Indicator
FireEye HX: Get Indicators
FireEye HX: Release Host Containment
FireEye HX: Request Host Containment
FireEye HX: Suppress Alert
My objective:
First, retrieve the IOCs (Indicators of Compromise) related to the incident.
Check the health/status of each IOC.
If any IOC is found to be harmful, block the hash value on the FireEye HX platform using the appropriate function.
If needed, isolate the affected host by using the relevant host containment functions.
NOTE:
If anyone has encountered a similar scenario and faced any issues, setbacks, or errors during implementation, I would appreciate it if you could share your experience.
Kindly suggest the best approach to proceed with this task, along with any important considerations or best practices to keep in mind while working on it.
Could someone also guide me on how to structure this playbook using the predefined functions? Any examples or recommendations would be greatly appreciated.
Thank you!
------------------------------
Farrukh Majid
------------------------------