fireeye/HXTool

Available search fields for query building

Closed this issue · 4 comments

I was going through the HXTool code trying to find where the available search fields (like 'Cookie Name', 'DNS Hostname', etc.) that are used in terms for the /searches POST are queried from the FireEye API, because they do not seem to be hardcoded. Help would be appreciated.

B0fH commented

Hi @vytska -
HXTool's Enterprise Search feature only supports OpenIOC terms. The OpenIOC terms that are supported by the Endpoint Security agent are listed in the Agent Admin on the FireEye Documentation Portal under the 'OpenIOC Search Terms Supported by the Agent' section of the guide. The terms you are referencing are Quick Search terms, which map to OpenIOC terms; that mapping is documented in the Endpoint Security API guide, under the searches section.

Thanks,
Elazar

Hi @B0fH,

Thank you for the reply. Unfortunately I don't have access to the internal FireEye documentation. Do I understand correctly that there is an endpoint to get the supported search terms, but it is not listed in this API reference I've been using?
https://fireeye.dev/apis/lighthouse/

B0fH commented

Hi @vytska -
Unfortunately, there's no API that will give you a list of supported OpenIOC terms and their associated quick search terms. That being said, the OpenIOC terms themselves are listed in the OpenIOC Editor (OpenIOCe) on the FireEye Marketplace: https://fireeye.market/apps/211404

As for the documentation itself, I'm unable to share it here. I'd recommend reaching out to your FireEye account team to gain access to the documentation portal.

Thanks,
Elazar

@B0fH thanks for all the info! I got everything I need now.