
Fidelis Endpoint®

SIEM Integrations Guide

Version 9.3.1

www.fidelissecurity.com
Copyright © 2002–2020 Fidelis Cybersecurity®. All rights reserved worldwide.
Fidelis Cybersecurity
4500 East West Highway, Suite 400
Bethesda, MD 20814

Fidelis Endpoint® 9.3.1 SIEM Integrations Guide


Revised February 2020
Users are granted permission to copy and/or distribute this document in its original electronic form
and print copies for personal use. This document cannot be modified or converted to any other
electronic or machine-readable form in whole or in part without prior written approval of Fidelis
Cybersecurity.
While we have done our best to ensure that the material found in this document is accurate, Fidelis
Cybersecurity makes no guarantee that the information contained herein is error free.
All third-party brand names and product names referenced in this documentation are trade names,
service marks, trademarks, or registered trademarks of their respective owners.

Fidelis Endpoint® 9.3.1 SIEM Integrations Guide ii www.fidelissecurity.com


Table of Contents
Integrating with SIEM Applications ................................................................................................ 1
Exporting Log and Result Information to SIEM Applications ......................................................... 1
About Creating a Custom Export Configuration ................................................................... 12
Integrating Fidelis Endpoint and ArcSight .................................................................................. 13
Installing the ArcSight Connector ........................................................................................ 14
Configuring Fidelis Endpoint to Export Information to ArcSight ............................................ 19
Configuring ArcSight Console ............................................................................................. 20
Testing the ArcSight Integration .......................................................................................... 23
Integrating Fidelis Endpoint and QRadar ................................................................................... 27
Configuring Fidelis Endpoint to Export Information to QRadar ............................................. 27
Configuring the Fidelis Endpoint DSM in QRadar ................................................................ 28
Configuring Actions to Launch Script Tasks ........................................................................ 29
Configuring the Log Source in QRadar ................................................................................ 30
Testing the QRadar Integration ........................................................................................... 32
Integrating Fidelis Endpoint and McAfee Enterprise Security Manager ...................................... 35
Preparing for Remote Command Integration ....................................................................... 36
Setting up the Fidelis Endpoint Data Source ....................................................................... 38
Setting up Device URL Integration ...................................................................................... 43
Configuring a Remote Command (URL Integration) ............................................................ 45
Configuring a Remote Command (SSH/API Integration) ...................................................... 46
Configuring Alarms to Execute a Command ........................................................................ 48
Manually Executing a Remote Command............................................................................ 49
Technical Support ......................................................................................................................... 50
Getting Help .............................................................................................................................. 50
Other Documentation ................................................................................................................ 50



Integrating with SIEM Applications
You can use the information in this section to integrate Fidelis Endpoint with SIEM (Security
Information and Event Management) applications.
Note: For information about configuring a third-party SIEM application to integrate with Fidelis
Endpoint, refer to integrations in this guide and contact support for Fidelis Endpoint.

Exporting Log and Result Information to SIEM Applications
Using syslog, you can export log and activity data from Fidelis Endpoint to SIEM applications (usually
ArcSight or QRadar) in either of the following formats:
• Common Event Format (CEF)
• Log Event Extended Format (LEEF)
You can export log and activity data from Fidelis Endpoint as a file on disk or using a hostname/port
via User Datagram Protocol (UDP) by configuring the SyslogConfiguration.json file to export:
• Alerts
• Task Results (aka Job Results) from running a script package
• System Logs
• Server Health Logs
• Activity Logs (aka Audit Logs)

To configure exporting log and result information:

1. On the Windows Server, navigate to ProgramData\Fidelis\Endpoint\Shared\ and open the
   SyslogConfiguration.json file in a text editor.
   IMPORTANT: There is also a SyslogConfigurationDefault.json file in the folder that contains the
   set of default values. Make any changes to SyslogConfiguration.json only, since the Fidelis
   Endpoint upgrade process overwrites SyslogConfigurationDefault.json.
2. Locate the export type you want.
3. Specify the settings you want to use. Each setting (Value) is described below.

Name
   Identifies the export type. You reference the export type by name in:
   • Script Package REST API calls. For example:
     "integrationOutputs": ["CEFOutput", "LEEFOutput"]



     For more information, see “Script Packages API” in the API Guide.
   • Deep Links. For example:
     &exportType=CEFOutput
     For more information, see "Deep Linking to a Script Package" in the Fidelis Endpoint online
     Help.

Enabled
   Enables (true) or disables (false) the export type.

Format
   Specifies the format of the exported information. Use either CEF or LEEF.

UseHostname
   Enables (true) or disables (false) the use of the hostname instead of the IP address when a
   hostname is known.

Host and Port
   Specifies the export destination as a hostname/port reached via UDP.
   • Set the hostname and port where you want to export information. For example:
     "Host": "10.10.0.0",
     "Port": 514,
   Note: Use either Host and Port, or use Folder.
   Note: Syslog over UDP is neither encrypted nor acknowledged, and the exported alerts and task
   results carry command lines, user names, and file hashes. Point Host at a collector on a
   trusted network segment (or at a local collector that forwards over TLS), and expect
   datagrams to be lost under load.

Folder
   Specifies the export destination as files in a folder.
   • Set the value to the path where you want to export information. Do not specify a file
     name, only the path. For example:
     "Folder": "C:\\Syslog\\CEF",
     The destination folder must already exist for information to be exported to files.
   • Files are written to the specified output path using this naming format:
     YYYY-MM-DD_HH-MM-SS_count#.extensiontype
     …where count# is the count of files written during the same second and extensiontype is
     cef or leef (as in the example), depending on the format. For example:
     2017-02-03_10-37-43_9.cef
     2017-02-03_10-37-43_10.cef
   Note: Use either Folder, or use Host and Port.




Alerts
   Enables (true) or disables (false) exporting alerts.

AlertsFieldMap
   Provides a list of the HeaderFields and Fields that enable you to map Fidelis Endpoint alerts
   to the CEF and LEEF formats.
   The HeaderFields are variables you can set to the string values you want.
   Fields are name/value pairs that map CEF and LEEF fields to the standard Fidelis alert
   fields. Each value is an array, though most alert fields contain only a single value.
   Be aware that some values are static strings, while others are string variables that pass in
   a value from the alert you are mapping.
   Note: The "msg" name/value pair also includes a delimiter used between the values in the
   array. You can set the delimiter to whatever you want.
   X_Event is a special field that requires retrieving data from Elasticsearch. There are two
   ways to use it:
   • X_Event:* dumps all alert fields and field values from Elasticsearch into a single mapped
     field.
   • X_Event:PropertyNameHere maps a specific event property field.
   Important: Whether you map a single property or all of them, using X_Event makes a call to
   Elasticsearch that returns all fields, which has a large performance impact. Also, any field
   in Elasticsearch with the same name as another mapped alert field overwrites that mapped
   field when the Elasticsearch call returns.
   By default, because of its performance impact, X_Event is not mapped.
   The X_Event event property sub-fields are:
   EventTime, EndpointId, EndpointName, EventType, ParentTargetID, TargetID, PID, PPID,
   ParentName, ParentPath, ParentHash, Name, Path, CommandLine, HashMD5, User, LocalIP,
   LocalPort, RemoteIP, RemotePort, URL, Size, FileVersion, Signature, SignedTime, StrongName,
   CertificateSubjectName, CertificateIssuerName, CertificatePublisher, WinEventID, Source,
   WinSID, Category, Message, Usb, Hive, DNSQuestion, DNSAnswer, ProxyInfo, HashSHA1,
   HashSHA256, ProcessStartTime, ProcessEndTime, FirstEventTime, LastEventTime, Data,
   LogonUserName, LogonType, LogonID, Serial, Model, Media, ReportIndex, IndexingTime,
   Computer, DetectionId, ScanType, ThreatName, AMDefinitionVersion, Protocol, ReportId,
   EventIndex, ReportTime, Extension, FileCategory, FileType, ID, NetworkDirection, remotePID,
   remoteTID, parentSignature, parentCertificateSubjectName, parentCertificateIssuerName,
   parentCertificatePublisher, parentHashSHA1, parentHashSHA256, entropy, registryValue

JobResults
   Enables (true) or disables (false) exporting script task results.
   When true, the export type appears as a menu item in the "Export Results to" option in the
   "Options" pane of the "Task Options" screen in the Task wizard.

JobResultFieldMap
   Provides a list of the HeaderFields and Fields that enable you to map job (script package
   task) results to the CEF and LEEF formats.
   The HeaderFields are variables you can set to the string values you want.
   Fields are name/value pairs that map CEF and LEEF fields to the standard Fidelis JobResults
   fields. Each value is an array, though by default an array of a single value.
   Note: Some values are static strings, while others are string variables that pass in a value
   from the content you are mapping.

JobResults_Default
   When exporting script task results (JobResults), sets (true) or unsets (false) the export
   type as the default selected menu item in the "Export Results to" option in the "Options"
   pane of the "Task Options" screen in the Task wizard.
   If multiple export types are configured as the default, the item that actually appears as
   the default in the "Export Results to" option is the first-listed, script-task-results-enabled
   export type in the configuration file.
   Tip: You can change the order of items in the "Export Results to" option by re-ordering the
   configuration sections in the configuration file.

AuditLogs
   Enables (true) or disables (false) exporting activity logs.
   Contains logged user activity in the Fidelis Endpoint Web application: log in, log out, start
   task, change password, user management (create, edit, delete), endpoint management, group
   management, configuration management (create alert, delete alert, event configuration, etc.),
   script package management (create, import, delete), etc.
   Forwarding these is what lets the SIEM see use of the Fidelis console itself (who started
   which script task, who created or deleted users), so keep AuditLogs enabled even where you
   choose not to export SystemLogs.

AuditLogFieldMap
   Provides a list of the HeaderFields and Fields that enable you to map AuditLog (ActivityLog)
   entries to the CEF and LEEF formats.
   The HeaderFields are variables you can set to the string values you want.
   Fields are name/value pairs that map CEF and LEEF fields to the standard Fidelis ActivityLog
   fields. Each value is an array, though by default an array of a single value.
   Note: Some values are static strings, while others are string variables that pass in a value
   from the content you are mapping.

SystemLogs
   Enables (true) or disables (false) exporting system logs.
   Contains logged Info, Warn, and Error messages.

SystemLogFieldMap
   Provides a list of the HeaderFields and Fields that enable you to map SystemLog entries to
   the CEF and LEEF formats.
   The HeaderFields are variables you can set to the string values you want.
   Fields are name/value pairs that map CEF and LEEF fields to the standard Fidelis SystemLog
   fields. Each value is an array, though by default an array of a single value.
   Note: Some values are static strings, while others are string variables that pass in a value
   from the content you are mapping.
   System Logs provide content for all events that happen on the system, so they are quite
   "chatty". If you want more targeted data, you may do better with the ServerHealth logs.

ServerHealth
   Enables (true) or disables (false) exporting ServerHealth logs.
   Contains logged Info, Warn, and Error messages.

ServerHealthFieldMap
   Provides a list of the HeaderFields and Fields that enable you to map ServerHealth entries to
   the CEF and LEEF formats.
   The HeaderFields are variables you can set to the string values you want.
   Fields are name/value pairs that map CEF and LEEF fields to the standard Fidelis ServerHealth
   fields. Each value is an array, though by default an array of a single value. Some values
   are static strings, while others are string variables that pass in a value from the content
   you are mapping.
   Note: The "cs7" through "cs14" name/value pairs (excluding the Label versions of those) also
   include a delimiter used between the values in the array. You can set the delimiter to
   whatever you want.
   For convenience, the fields in the list below are grouped into areas of related
   functionality. Not all fields appear in the SyslogConfiguration.json file, but all those
   listed below are available for you to add to the file as needed.
   Note: Fidelis Endpoint Business Services logs individual servers' health statistics in the
   SystemHealth.csv file located on the Windows Server at C:\ProgramData\Fidelis\Endpoint\Logs\.

   CEF/LEEF values:
   CreateDate, DeviceProduct, DeviceVendor, DeviceVersion, HostAddress, Name, Severity,
   SignatureID

   Hub service values:
   CpuUsage, MemUsage, NetUsage, GoRoutines, HeapSys_m, HeapAlloc_m, HeapIdle_m, HeapInuse_m,
   HeapReleased_m, NumGC_m, StackInUse_m, StackSys_m, CurrentFilestoreRequests,
   TotalFilestoreRequests, AverageFilestoreResponseTime

   Gateway service values:
   GatewayCpuUsage, GatewayMemUsage, GatewayNetUsage, GatewayGoRoutines, GatewayHeapSys_m,
   GatewayHeapAlloc_m, GatewayHeapIdle_m, GatewayHeapInuse_m, GatewayHeapReleased_m,
   GatewayNumGC_m, GatewayStackInUse_m, GatewayStackSys_m, GatewayCurrentFilestoreRequests,
   GatewayTotalFilestoreRequests, GatewayAverageFilestoreResponseTime,
   GatewayEndpointConnections

   Queue values (Hub and Gateway):
   Each queue below exposes six counters, formed by appending _Capacity, _Size, _Total,
   _ReQueued, _Dropped, and _InFlowControl to the queue name (for example,
   DataStoreEventsQueue_Capacity through DataStoreEventsQueue_InFlowControl):
   • DataStore (Hub): DataStoreEventsQueue, DataStoreResultsQueue
   • Job queue (Hub): JobQueuePost
   • Messages for business services (Hub): MessagesToSendToBusinessServices
   • Messages for Gateway (Hub): MessagesToSendToGateway
   • Script results (Hub): ScriptResult
   • Threat Bridge queues (Hub): TbBatchQueue, TbRawQueue
   • Messages from Endpoint (Gateway): MessagesReceivedFromEndpointQueue
   If you forward these to the SIEM, the _Dropped counters are the natural ones to alert on.
4. Save the configuration file.
5. For changes to take effect, refresh the Web browser.
Tip: Keep track of any manually-specified customizations to verify after upgrading.
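The field-map rows above describe the CEF and LEEF mapping only in prose. The following Python is an added example, not Fidelis Endpoint's exporter or any code shipped with the product: it renders a constructed alert as a CEF:0 line and a LEEF:1.0 line with the escaping each format requires, and shows how an array-valued entry such as msg is joined with its delimiter. The field-map layout used here (HeaderFields, Fields with array values, "$Field" references to alert fields, a per-field delimiter) is a simplified assumption standing in for the real SyslogConfiguration.json schema, and every alert field value is invented.

```python
"""Render a Fidelis-style alert as CEF and LEEF syslog payloads.

Added example, not Fidelis Endpoint's exporter. The field map below mimics
the guide's HeaderFields / Fields structure in a simplified form (a value
starting with "$" names an alert field, anything else is a static string,
arrays are joined with a delimiter); the real SyslogConfiguration.json schema
is not reproduced here, and the sample alert is constructed.
"""

# Constructed alert (not real telemetry), chosen so the pipe and '=' escape
# rules both fire.
SAMPLE_ALERT = {
    "AlertId": "A-1001",
    "Severity": "7",
    "RuleName": "Suspicious PowerShell|Encoded",
    "EndpointName": "WS-42",
    "RemoteIP": "203.0.113.7",
    "CommandLine": "powershell.exe -enc SQBFAFgA==",
    "Tags": ["persistence", "t1059"],
}

FIELD_MAP = {
    "HeaderFields": {
        "DeviceVendor": "Fidelis",
        "DeviceProduct": "FidelisEndpoint",
        "DeviceVersion": "9.3.1",
        "SignatureID": "$AlertId",
        "Name": "$RuleName",
        "Severity": "$Severity",
    },
    "Fields": {
        "dvchost": ["$EndpointName"],
        "dst": ["$RemoteIP"],
        "cs1": ["$CommandLine"],
        "cs1Label": ["CommandLine"],
        # Like the guide's "msg": several values joined with a chosen delimiter.
        "msg": {"values": ["$RuleName", "$Tags"], "delimiter": "; "},
    },
}

CEF_HEADER_ORDER = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                    "SignatureID", "Name", "Severity")


def resolve(spec, alert):
    """Flatten one map entry to a string: look up "$Field" references, keep
    static text, and join arrays (including array-valued alert fields) with
    the entry's delimiter (default: a single space)."""
    if isinstance(spec, dict):
        values, delim = spec["values"], spec.get("delimiter", " ")
    elif isinstance(spec, list):
        values, delim = spec, " "
    else:
        values, delim = [spec], " "
    out = []
    for v in values:
        if isinstance(v, str) and v.startswith("$"):
            got = alert.get(v[1:], "")
            out.extend(got if isinstance(got, list) else [got])
        else:
            out.append(v)
    return delim.join(str(x) for x in out)


def cef_escape_header(s):
    """CEF header fields: escape backslash and the pipe that separates them."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(s):
    """CEF extension values: escape backslash, '=' and newlines; pipes are legal."""
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def leef_clean(s):
    """LEEF 1.0 has no escape syntax, so strip the delimiters it reserves."""
    return s.replace("|", " ").replace("\t", " ").replace("\n", " ")


def to_cef(alert, fmap=FIELD_MAP):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    hdr = {k: resolve(v, alert) for k, v in fmap["HeaderFields"].items()}
    header = "|".join(cef_escape_header(hdr[k]) for k in CEF_HEADER_ORDER)
    ext = " ".join(f"{k}={cef_escape_ext(resolve(v, alert))}"
                   for k, v in fmap["Fields"].items())
    return f"CEF:0|{header}|{ext}"


def to_leef(alert, fmap=FIELD_MAP):
    """LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value ..."""
    hdr = {k: resolve(v, alert) for k, v in fmap["HeaderFields"].items()}
    header = "|".join(leef_clean(hdr[k]) for k in CEF_HEADER_ORDER[:4])
    ext = "\t".join(f"{k}={leef_clean(resolve(v, alert))}"
                    for k, v in fmap["Fields"].items())
    return f"LEEF:1.0|{header}|{ext}"


if __name__ == "__main__":
    print(to_cef(SAMPLE_ALERT))
    print(to_leef(SAMPLE_ALERT))
```

Running it prints both lines. In the CEF output the pipe inside the rule name is escaped in the header but left alone in the msg extension, while the two equals signs in the base64 argument are escaped only in the extension; that asymmetry is what the ArcSight-side parser relies on, and getting it wrong is the usual cause of truncated or shifted fields in the console.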



About Creating a Custom Export Configuration
You can create custom export configuration sections to export log and result information from
Fidelis Endpoint for use in other applications.
When creating a custom export configuration section, be sure to separate configuration sections
({}) with commas. For example:

   },
   {
     "Name": "MyExportType",
     "Enabled": false,
     "Format": "CEF",
     "UseHostname": true,
     "Folder": "C:\\Syslog\\MyOutput",
     "Alerts": true,
     "JobResults": true,
     "JobResults_Default": true,
     "AuditLogs": true,
     "SystemLogs": false
   }

After editing, confirm that the file still parses as valid JSON; a missing comma between sections,
or a trailing comma after the last one, are the usual mistakes.
Tip: Keep track of any manually-specified customizations to verify after upgrading.
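As an added example (not a tool supplied with Fidelis Endpoint), the following Python applies the rules stated in this section and in Exporting Log and Result Information to SIEM Applications to a SyslogConfiguration.json-style file before you refresh the browser: Format must be exactly CEF or LEEF, a section uses Host and Port or Folder but not both, the Folder must already exist, X_Event forces an Elasticsearch call per alert, and when several sections set JobResults_Default the first JobResults-enabled one is what the Task wizard actually picks. It assumes the file's top level is the JSON array of sections implied by the comma-separated example above. The sample sections are constructed, and the one named Broken violates several rules on purpose.

```python
"""Sanity-check the export sections of a SyslogConfiguration.json-style file.

Added example, not a Fidelis tool. It applies the rules this guide states:
Format is CEF or LEEF; a section uses Host and Port or Folder, not both; the
Folder must already exist; X_Event forces an Elasticsearch call per alert;
and when several sections set JobResults_Default, the first JobResults-enabled
one wins. It assumes the file's top level is a JSON array of sections (the
comma-separated {} sections shown in the guide). The sample config is constructed.
"""
import ipaddress
import json
import os
import tempfile

# Created at import time so the "Folder must exist" rule can pass offline.
DEMO_DIR = tempfile.mkdtemp(prefix="fidelis-cef-")

# Constructed sample: two valid sections and one ("Broken") that violates
# several rules on purpose.
SAMPLE_CONFIG = [
    {"Name": "QRadar", "Enabled": True, "Format": "LEEF", "UseHostname": True,
     "Host": "10.10.0.5", "Port": 514, "Alerts": True, "JobResults": True,
     "JobResults_Default": True, "AuditLogs": True, "SystemLogs": False},
    {"Name": "FileOut", "Enabled": True, "Format": "CEF", "Folder": DEMO_DIR,
     "Alerts": True, "JobResults": True, "JobResults_Default": True},
    {"Name": "Broken", "Enabled": True, "Format": "cef",
     "Host": "1.2.3.4", "Port": 514, "Folder": "C:\\Syslog\\Missing",
     "Alerts": True, "JobResults": False,
     "AlertsFieldMap": {"Fields": {"cs6": ["X_Event:*"]}}},
]


def check_section(sec):
    """Return a list of (level, message) findings for one export section."""
    out = []
    name = sec.get("Name", "<unnamed>")
    if sec.get("Format") not in ("CEF", "LEEF"):
        out.append(("error", f"{name}: Format must be CEF or LEEF (exact case)"))
    has_net = "Host" in sec or "Port" in sec
    has_dir = "Folder" in sec
    if has_net == has_dir:
        out.append(("error", f"{name}: use either Host and Port or Folder, not both or neither"))
    if has_net:
        port = sec.get("Port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            out.append(("error", f"{name}: Port must be an integer between 1 and 65535"))
        # Syslog over UDP is cleartext and unauthenticated, and exported alerts
        # carry command lines, user names and hashes: flag a destination outside
        # private/loopback address space. Hostnames are not resolved here.
        try:
            ip = ipaddress.ip_address(sec.get("Host", ""))
            if not (ip.is_private or ip.is_loopback):
                out.append(("warn", f"{name}: UDP syslog to non-private address {ip}"))
        except ValueError:
            pass
    if has_dir and not os.path.isdir(sec["Folder"]):
        out.append(("error", f"{name}: Folder does not exist, so nothing will be written"))
    fields = sec.get("AlertsFieldMap", {}).get("Fields", {})
    for vals in fields.values():
        vals = vals if isinstance(vals, list) else [vals]
        if any(str(v).startswith("X_Event") for v in vals):
            out.append(("warn", f"{name}: X_Event is mapped; every alert triggers an Elasticsearch call"))
            break
    return out


def check_config(sections):
    """Check every section plus cross-section rules. Returns (findings, default_name)."""
    findings = []
    names = [s.get("Name") for s in sections]
    for n in sorted(set(names), key=str):
        if names.count(n) > 1:
            findings.append(("error", f"duplicate export Name {n!r}"))
    for sec in sections:
        findings.extend(check_section(sec))
    # The Task wizard shows the first JobResults-enabled section that claims the default.
    defaults = [s["Name"] for s in sections
                if s.get("JobResults") and s.get("JobResults_Default")]
    if len(defaults) > 1:
        findings.append(("warn", f"{len(defaults)} sections claim JobResults_Default; "
                                 f"the UI will use the first: {defaults[0]}"))
    return findings, (defaults[0] if defaults else None)


def check_file(path):
    """Load a real SyslogConfiguration.json (assumed to be a JSON array) and check it.
    utf-8-sig tolerates the byte-order mark that Windows editors often prepend."""
    with open(path, encoding="utf-8-sig") as fh:
        return check_config(json.load(fh))


if __name__ == "__main__":
    for level, msg in check_config(SAMPLE_CONFIG)[0]:
        print(level.upper().ljust(5), msg)
```

Point check_file at the real file on the server (from a machine with Python installed) and fix every error before refreshing the browser; the warnings are judgment calls, but an X_Event mapping that was not deliberately added is worth removing.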



Integrating Fidelis Endpoint and ArcSight
You can integrate Fidelis Endpoint and HP ArcSight.
Note: This documentation is based on specific versions of the SIEM application and Fidelis Endpoint.
Depending on the versions in your system, the steps may apply only approximately.
Prerequisites
• Have access to Fidelis Endpoint 9.1.2 SR3 or later.
• Obtain the Fidelis_Endpoint_Integration_Package.arb file, located in the distributed software
  in the SIEM_Integrations\ArcSight folder.
• Have access to HP Enterprise ArcSight ESM 6.9.1.
To integrate Fidelis Endpoint and ArcSight, complete the steps in the following sections:
• Installing the ArcSight Connector
• Configuring Fidelis Endpoint to Export Information to ArcSight
• Configuring ArcSight Console
• Testing the ArcSight Integration



Installing the ArcSight Connector
You can install an ArcSight connector to use to connect to Fidelis Endpoint.

To install the ArcSight connector:


1. Run the ArcSight SmartConnector installer.
2. Select Typical as the install set.
3. In the Connector Setup dialog, select Add a Connector.
4. For the connector type, select Syslog Daemon.
5. Use the default parameter details. The Fidelis export configuration will later point at the
   port this connector listens on (514).
6. For the destination, select ArcSight Manager.
7. Enter the connection parameters for your ArcSight Manager installation.
8. Enter a name for the connector.
9. Import the certificate.
10. Select Install as a service.
11. Specify the service parameters.
12. Finish the connector install.



Configuring Fidelis Endpoint to Export Information to ArcSight
You can configure Fidelis Endpoint to export log and result information to ArcSight.
For more information, see Exporting Log and Result Information to SIEM Applications.

To configure exporting log and result information:

1. On the Windows Server, open the SyslogConfiguration.json file in a text editor. This section
   gives its location as \Program Files\Fidelis\Endpoint\bin\, while Exporting Log and Result
   Information to SIEM Applications gives ProgramData\Fidelis\Endpoint\Shared\; use whichever
   exists on your server.
2. Locate the ArcSight export type section.
3. In the configuration section for each export type you want, specify the settings you want to use.
   Notes:
   • For the Host parameter, specify the IP address of the host running the ArcSight
     SmartConnector.
   • For the Port parameter, specify the port configured in the connector (514).
   For more information, see Exporting Log and Result Information to SIEM Applications.
4. Save the configuration file.
5. For changes to take effect, refresh the Web browser.
Tip: Keep track of any manually-specified customizations to verify after upgrading.



Configuring ArcSight Console
You can configure ArcSight Console to collect information exported from Fidelis Endpoint.

To configure ArcSight Console:

1. In the ArcSight Console application, click the Packages tab, then click Import.
2. Open the script package bundle Fidelis_Endpoint_Integration_Package.arb.
3. After importing the package, click the Resources tab, then select Integration Commands.
   Note the new integration command "Run Fidelis Endpoint Script On Target".
4. By default, the host name for the Fidelis Endpoint Server is "FIDELIS_ENDPOINT_SERVER".
   Do either of the following:
   a. Modify the URL and replace "FIDELIS_ENDPOINT_SERVER" with the IP address of your Fidelis
      Endpoint Windows Server.
   b. Add "FIDELIS_ENDPOINT_SERVER" to your hosts file and map it to the correct IP address.
5. Navigate to the Connectors page, select the "Fidelis Endpoint Syslog Service" connector, then
   set Preserve Raw Event to "Yes" to preserve useful details in event messages. (The raw event
   keeps the full original syslog line alongside the parsed fields, which helps when a field
   was mapped incorrectly, at the cost of more event storage.)



Testing the ArcSight Integration
After configuring Fidelis Endpoint and ArcSight, test sending script task result information from Fidelis
Endpoint to ArcSight. You can also test taking actions on the script task results in ArcSight Console.

To test the integration:

1. In Fidelis Endpoint, select Tasks > Start New, select a script package to run, then click
   Next. For example, select "Process List".
2. In the Task Options screen, expand the Options section, in the Export Results to option
   select "ArcSight", then click Next.
3. Select the endpoints to run the script on, then click Start.
4. In the ArcSight Console application, select New Active Channel.
5. Specify the settings for the active channel.
6. Click the "Edit Inline Filter" button to create a filter for viewing only Fidelis Endpoint
   events.
7. Specify the device product as "FidelisEndpoint".
8. Click OK, then click Apply.
9. After results appear, click an item and test taking an action.
   For example, right-click a row with a Target Address specified, then select Integration
   Commands > Run Fidelis Endpoint Script on Target.
   When you select this command, Fidelis Endpoint opens the Task wizard in a Web browser
   window where you can select a script task to run against the endpoint.
10. In Fidelis Endpoint, select a script to run against the endpoint, then continue through the
    Task wizard. In the Target Selection screen, the endpoint is pre-selected.



Integrating Fidelis Endpoint and QRadar
You can integrate Fidelis Endpoint and IBM QRadar.
Note: This documentation is based on specific versions of the SIEM application and Fidelis Endpoint.
Depending on the versions in your system, the steps may apply only approximately.
Prerequisites
• Have access to Fidelis Endpoint 9.1.2 SR3 or later.
• Obtain the arielRightClick.properties and Fidelis_DSM.xml files, located in the distributed
  software in the SIEM_Integrations\QRadar folder.
• Have access to IBM QRadar Security Intelligence Platform 7.3.0 or later.
To integrate Fidelis Endpoint and QRadar, complete the steps in the following sections:
• Configuring Fidelis Endpoint to Export Information to QRadar
• Configuring the Fidelis Endpoint DSM in QRadar
• Configuring Actions to Launch Script Tasks
• Configuring the Log Source in QRadar
• Testing the QRadar Integration

Configuring Fidelis Endpoint to Export Information to QRadar


You can configure Fidelis Endpoint to export log and result information to QRadar.
For more information, see Exporting Log and Result Information to SIEM Applications.

To configure exporting log and result information:

1. On the Windows Server, open the SyslogConfiguration.json file in a text editor. This section
   gives its location as \Program Files\Fidelis\Endpoint\bin\, while Exporting Log and Result
   Information to SIEM Applications gives ProgramData\Fidelis\Endpoint\Shared\; use whichever
   exists on your server.
2. Locate the QRadar export type section.
3. In the configuration section for each export type you want, specify the settings you want to use.
   Notes:
   • For the Host parameter, specify the IP address of your QRadar server.
   • For the Port parameter, specify the port as specified in the DSM (514).
   • For the Format parameter, use LEEF as the format of the exported information.
   For more information, see Exporting Log and Result Information to SIEM Applications.
4. Save the configuration file.
5. For changes to take effect, refresh the Web browser.
Tip: Keep track of any manually-specified customizations to verify after upgrading.



Configuring the Fidelis Endpoint DSM in QRadar
You can configure a Device Support Module (DSM) in QRadar to use to collect information exported
from Fidelis Endpoint.

To install the Fidelis Endpoint DSM for QRadar:

1. Copy the Fidelis_DSM.xml file to the QRadar server.
2. SSH into the QRadar server and log in as root.
3. Import the Fidelis_DSM.xml file:
   /opt/qradar/bin/contentManagement.pl --action import --file <full path to file>/Fidelis_DSM.xml --user admin
   The imported file contains the event categorization (QID) mappings for Fidelis Endpoint.



Configuring Actions to Launch Script Tasks
In QRadar, when viewing logged event information from Fidelis Endpoint, you can select actions to
launch script tasks that run in Fidelis Endpoint.
(When you select a script to run, Fidelis Endpoint opens the Task wizard in a Web browser window
where you can specify options in running the script task against the endpoint.)
When configured, the actions appear as right-click options on the columns in Log Activity.
To get started, you can configure actions to launch script tasks using the arielRightClick.properties
file distributed with Fidelis Endpoint.

To configure actions to launch script tasks:

1. SSH into the QRadar server and log in as root.
2. Change directory to /opt/qradar/conf.
3. Edit the arielRightClick.properties file:
   nano arielRightClick.properties
4. Merge in the contents of the arielRightClick.properties file distributed with Fidelis Endpoint.
5. Edit the FE_Action.url lines, replacing "CHANGEME" with the IP address (or hostname) of the
   Fidelis Endpoint Windows Server. For example:
   FE_Action1.url=https://CHANGEME/Endpoint/#/wizard/preload?targetIPs=$sourceIP$
   FE_Action2.url=https://CHANGEME/Endpoint/#/wizard/preload?targetIPs=$destinationIP$
   Because the URL uses https, a hostname that matches the server's TLS certificate avoids a
   browser certificate warning each time an analyst launches the action.
6. (Optional) Add other actions by adding the set of parameters (with a unique name), then adding
   the action name to the pluginActions statement (comma-separated). For example:
   pluginActions=FE_Action1,FE_Action2,MyAction1

   MyAction1.arielProperty=sourceIP
   MyAction1.text=Fidelis Endpoint - Run Script on Source IP
   MyAction1.url=https://ipaddress/Endpoint/#/wizard/preload?targetIPs=$sourceIP$
7. Save and close the file.
8. Restart the Web services on the QRadar server:
   service tomcat restart
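The merge in steps 4 and 5 is easy to get wrong by hand (a missing comma in pluginActions, a duplicated action name, a leftover CHANGEME). The following Python is an added example, not part of the Fidelis distribution or of QRadar: it merges the distributed FE_Action entries into an existing arielRightClick.properties, substitutes the server address into the URLs, and extends pluginActions without duplicating names. Both property files embedded in the block are constructed samples, and the server value is validated as a bare hostname or IP address before substitution so that nothing else can be injected into the URL analysts will be sent to.

```python
"""Merge Fidelis Endpoint right-click actions into QRadar's arielRightClick.properties.

Added example, not part of the Fidelis or IBM distribution. It performs the
manual edit described in the procedure above: read the existing file, add the
FE_Action* entries from the file Fidelis ships, replace CHANGEME with the
Fidelis Endpoint server address, and extend pluginActions without duplicates.
Both property files below are constructed samples.
"""
import re

# Constructed sample of a QRadar file that already has one custom action.
EXISTING = """\
# right-click actions (constructed sample)
pluginActions=MyAction1

MyAction1.arielProperty=sourceIP
MyAction1.text=Lookup source in ticketing
MyAction1.url=https://tickets.example/?ip=$sourceIP$
"""

# Constructed stand-in for the arielRightClick.properties Fidelis distributes.
FIDELIS = """\
pluginActions=FE_Action1,FE_Action2

FE_Action1.arielProperty=sourceIP
FE_Action1.text=Fidelis Endpoint - Run Script on Source IP
FE_Action1.url=https://CHANGEME/Endpoint/#/wizard/preload?targetIPs=$sourceIP$

FE_Action2.arielProperty=destinationIP
FE_Action2.text=Fidelis Endpoint - Run Script on Destination IP
FE_Action2.url=https://CHANGEME/Endpoint/#/wizard/preload?targetIPs=$destinationIP$
"""


def parse_properties(text):
    """Parse key=value lines into an ordered dict; blanks and '#' comments are skipped.
    Only the first '=' splits, so URLs containing '=' survive intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def merge_actions(existing_text, fidelis_text, server):
    """Return (merged_text, ordered action names).

    `server` replaces CHANGEME inside the URLs, so it is restricted to a bare
    hostname or IP address: a path, userinfo or a second host would change
    where the SIEM sends analysts.
    """
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.\-]*[A-Za-z0-9])?", server):
        raise ValueError("server must be a bare hostname or IP address")
    base = parse_properties(existing_text)
    add = parse_properties(fidelis_text)

    actions = [a for a in base.get("pluginActions", "").split(",") if a]
    for a in add.get("pluginActions", "").split(","):
        if a and a not in actions:
            actions.append(a)          # keep order, skip names already present

    merged = dict(base)
    for key, value in add.items():
        if key != "pluginActions":
            merged[key] = value.replace("CHANGEME", server)
    merged["pluginActions"] = ",".join(actions)

    lines = [f"pluginActions={merged['pluginActions']}", ""]
    written = {"pluginActions"}
    for name in actions:               # emit each action's three keys together
        for suffix in ("arielProperty", "text", "url"):
            key = f"{name}.{suffix}"
            if key in merged:
                lines.append(f"{key}={merged[key]}")
                written.add(key)
        lines.append("")
    for key in merged:                 # anything else the file had, untouched
        if key not in written:
            lines.append(f"{key}={merged[key]}")
    return "\n".join(lines).rstrip() + "\n", actions


if __name__ == "__main__":
    text, names = merge_actions(EXISTING, FIDELIS, "fe.example.internal")
    print(text)
```

To use it against the real files, read /opt/qradar/conf/arielRightClick.properties and the distributed copy into the two text arguments, write the returned text back over the QRadar file (keep a copy of the original first), and then restart Tomcat as in step 8. Running the merge a second time is harmless: names already in pluginActions are not added again.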



Configuring the Log Source in QRadar
You can configure the log source in QRadar.
Log in to QRadar and click Admin > Data Sources > Events > Log Sources.

1. In the Log Sources window, click Add.
2. In the Add a Log Source page, specify the following options:

   Log Source Name
      The name of the log source. For example, Fidelis_Endpoint
   Log Source Description
      The description of the log source. For example, Fidelis Endpoint
   Log Source Type
      Select the "Fidelis Endpoint" option, which uses the LEEF format.
   Protocol Configuration
      Ensure the "Syslog" option is selected.
   Log Source Identifier
      Enter the IP address of your Fidelis Endpoint Windows Server. QRadar matches incoming
      syslog to this log source by the identifier, so it must match the source QRadar actually
      sees for the messages; if events land under an auto-discovered log source instead,
      compare the identifier to the hostname or IP shown on those events.
   Log Source Extension
      Select the "Fidelis_Endpoint_9" option.

3. Click Save, then close the Log Sources window.
4. In the Admin tab, click Deploy Changes.

After deploying the changes, QRadar is ready to receive messages from Fidelis Endpoint.



Testing the QRadar Integration
After configuring Fidelis Endpoint and QRadar, you can test sending log and result information from
Fidelis Endpoint to QRadar. You can also test launching script tasks in Fidelis Endpoint from QRadar.

To test the integration:

1. In Fidelis Endpoint, select Tasks > Start New, select a script package to run, then click
   Next. For example, select "Process List".
2. In the Task Options screen, expand the Options section, in the Export Results to option
   select "QRadar", then click Next.
3. Select the endpoints to run the script on, then click Start.
4. In QRadar, click the Log Activity tab, then click Add Filter.
   a. In the Parameter field, select "Log Source [Indexed]".
   b. In the Operator field, select "Equals".
   c. In the Log Source Filter field, select the name of the log source for Fidelis Endpoint.
      For example: Fidelis_Endpoint
   d. Click Add Filter.
5. In the View menu, select the time interval you want to use in viewing log information.
   The filtered events appear for Fidelis Endpoint.
6. After results appear, right-click a row with a Source or Destination IP specified, select
   Plugin options, then select a Fidelis Endpoint script to run on the endpoint.
   When you select a script to run, Fidelis Endpoint opens the Task wizard in a Web browser
   window where you can specify options for running the script task against the endpoint.
7. In Fidelis Endpoint, continue through the Task wizard.
   In the Target Selection screen, the endpoint is pre-selected.

Fidelis Endpoint® 9.3.1 SIEM Integrations Guide 34 www.fidelissecurity.com


Integrating Fidelis Endpoint and McAfee Enterprise
Security Manager
You can integrate Fidelis Endpoint and McAfee Enterprise Security Manager (ESM). There are these
ways to integrate:
• Using the Fidelis Endpoint API to execute remote commands that run in the background.
  • Can execute automatically, based on alarms.
  • Can be executed manually via the user interface.
• Using URL integration to manually respond or execute scripts via the Fidelis Endpoint website.
• Using Syslog integration to enable ESM to receive alerts, script results, and audit logs from
  Fidelis Endpoint.
For information about Syslog integration, see Integrating with SIEM Applications.
Note: This documentation is based on specific versions of the SIEM application and Fidelis Endpoint.
Depending on the versions in your system, the documentation may apply only approximately.
Pre-Requisites
• Have access to Fidelis Endpoint 9.1.2 SR3 or later.
• Obtain the integration files, located in the distributed software in the
  SIEM_Integrations\McAfee ESM folder. The files include config.json, JobOptions.json, RunJob.py,
  and FidelisEndpoint_Policy.exp.
• Enable SSH on a Linux server.
• Have access to McAfee Enterprise Security Manager 10.3.0.
To integrate Fidelis Endpoint and ESM, see the following:
• Preparing for Remote Command Integration
• Setting up the Fidelis Endpoint Data Source
• Setting up Device URL Integration
• Configuring a Remote Command (URL Integration)
• Configuring a Remote Command (SSH/API Integration)
• Configuring Alarms to Execute a Command
• Manually Executing a Remote Command



Preparing for Remote Command Integration
Remote Command integration allows for executing a remote command over SSH. To facilitate this
integration, copy the Python script and config files (provided with the integration) to a Linux server
(jump box) with SSH enabled for password authentication. When the Remote Command is run, ESM
connects to the Linux server and executes the Python script that calls the Fidelis Endpoint API.
Note: If another Linux server (jump box) is not available, a Linux server where Fidelis Endpoint
services are installed can be used.
To prepare for Remote Command integration:
1. Log into the Linux server to use for Remote Command integration:
   ssh username@ip
2. Make a directory in the /opt folder. For example, integration.
   mkdir /opt/integration
3. Copy the integration files (config.json, JobOptions.json, and RunJob.py) to /opt/integration.
4. Edit the config.json file to add the Fidelis Endpoint UI Server IP address, user name, and
   password of the Fidelis Endpoint user account with appropriate permissions to execute API
   calls.
   vi /opt/integration/config.json
   For example:
   {
     "FidelisServerIp" : "10.0.1.230",
     "FidelisUserName" : "esm_user",
     "FidelisPassword" : "password"
   }
5. (Optional) Edit the JobOptions.json file to customize what “answers” or arguments are
   predefined when a script is executed.
   For example, you could customize the "Process List (Windows)" script with the following:
   {
     "scripts" :
     {
       "2D32A530-0716-4542-AFDC-8DA3BD47D8BF" : {
         "name" : "Process List (Windows)",
         "questions" :
         {
           "1" : "True",
           "2" : "True",
           "3" : "True",
           "4" : "False",
           "5" : "False",
           "6" : ""
         }
       }
     }
   }
   These “answers” predefine these arguments in the user interface:

   Tip: You can add other scripts to this file by specifying the script IDs and any answers.
   For information about getting script IDs, see the GET request in "Script Package APIs" in
   the API Guide.



Setting up the Fidelis Endpoint Data Source
In ESM, you can set up the data source for Fidelis Endpoint.

To set up the Fidelis Endpoint data source:

1. In ESM, click > Configuration.
2. Select Event Receiver, then, in the toolbar, click to add a data source.
3. Specify the settings for your Fidelis Endpoint data source, then click OK.
4. Under Event Receiver, select Fidelis Endpoint, then, in the toolbar, click to open the Policy
   Editor.
5. Click File > Import > Policy.
6. Click Import Policy, then browse to the FidelisEndpoint_Policy.exp file (included with Fidelis
   Endpoint) and click Upload.
7. Use the default options, then click OK to import the policy.
8. In the Policy editor, show the imported rules by selecting the Tags tab on the right, expanding
   the tags, then checking the box for Fidelis Endpoint.
9. In the Policy editor, clear the current filters by selecting the Filter tab on the right, then clicking
   the Clear All button.
10. In the Policy editor, refresh the filter tags by doing the following:
    a. Select the Filter tab on the right, then click the Tags section in the Filter tab.
    b. Check the box for Fidelis Endpoint, then click the Run Query button.

    The imported rules appear.
11. (Conditional) If any action is disabled, click the action and enable it.
12. Click Operations > Rollout.
13. Ensure the Fidelis Endpoint policy is selected to roll out now, then click OK.
14. Close the Policy Editor.


Setting up Device URL Integration
In ESM, you can set up Device URL integration, which allows one website per device to be
configured.
When set up, you can click the launch device URL button in ESM to manually start a script task in
Fidelis Endpoint against an endpoint. The script task opens in the Task wizard with the endpoint
selected in the Target Selection screen.
For information about configuring additional URL commands, see Configuring a Remote Command
(URL Integration).

To set up Device URL integration:

1. Select the Fidelis Endpoint data source, then click to edit the data source properties.
2. Click Editor.
3. At the bottom of the editor, click Advanced.
4. In the Device URL field, enter the following, replacing ipaddress with the IP address or
   hostname of the Fidelis Endpoint UI server.
   https://ipaddress/Endpoint/#/wizard/preload?scriptId=&endpointNames=
5. Set the cursor at the end of the entry, after the last = character, then add a variable by clicking
   the Star > Custom Types > HostID.

   The Device URL field contains a variable. For example, [CustomType_4].
6. Click OK to save and exit the editor.


Configuring a Remote Command (URL Integration)
In ESM, you can configure a Remote command using URL integration to execute a script task in
Fidelis Endpoint directly from the Remote Commands list.

To configure a Remote command:

1. In ESM, click > System Properties > Profile Management > Remote Commands.
2. Click Add.
3. Enter a name and description for the script to launch.
4. Set the type to "Launch URL".
5. In the Command String field, enter the following, replacing ipaddress with the IP address of the
   Fidelis Endpoint UI server:
   https://ipaddress/Endpoint/#/wizard/preload?scriptId=&endpointNames=[$%HostID]
   Tip: You can specify a script ID of the script package you want to be selected in the Task
   wizard.
   For information about getting script IDs, see the GET request in "Script Package APIs" in
   the API Guide.
6. Click OK.


Configuring a Remote Command (SSH/API Integration)
In ESM, you can configure a Remote command using SSH/API integration to execute a script task in
Fidelis Endpoint in the background rather than through the Task wizard in the user interface. This
integration method is useful for automated alarms or executing a script quickly from the Remote
Commands menu.

To configure a Remote command:

1. In ESM, click > System Properties > Profile Management > Remote Commands.
2. Click Add.
3. Enter a name and description for the script to run.
4. Set the type to “Execute Command”.
5. Enter the SSH information for connecting to the Linux host in the Host, Port, Username, and
   Password fields.
6. In the Command String field, enter the following, replacing scriptpackageId with the script ID of
   the script package you want to execute:
   python /opt/integration/RunJob.py [$%HostID] scriptpackageId
   For information about getting script IDs, see the GET request in "Script Package APIs" in the
   API Guide.
7. Click OK.

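The pieces that the ESM integration hands to the jump box, the config.json and JobOptions.json files from Preparing for Remote Command Integration, the Task wizard preload URL used by the Device URL and Launch URL commands, and the `python /opt/integration/RunJob.py [$%HostID] scriptpackageId` command string above, can be exercised with the following Python. It is an added example and is not Fidelis' RunJob.py or any other part of the product. It validates the two command-line arguments before they are used (ESM substitutes [$%HostID] from event data, so by the time it reaches a shell command string on the jump box it should be treated as untrusted input), resolves the predefined answers for a script ID from JobOptions.json, and percent-encodes the preload URL so an endpoint name cannot add extra separators. The API path /Endpoint/api/jobs, the request body keys, and the sample file contents are assumptions made for illustration; the real API calls are described in the Fidelis Endpoint API Guide, and nothing here sends a request.

```python
import json
import re
import sys
from urllib.parse import quote

# Constructed sample files in the formats shown in the guide (not real credentials).
CONFIG_JSON = """{
  "FidelisServerIp" : "10.0.1.230",
  "FidelisUserName" : "esm_user",
  "FidelisPassword" : "password"
}"""

JOBOPTIONS_JSON = """{
  "scripts" : {
    "2D32A530-0716-4542-AFDC-8DA3BD47D8BF" : {
      "name" : "Process List (Windows)",
      "questions" : { "1" : "True", "2" : "True", "3" : "True",
                      "4" : "False", "5" : "False", "6" : "" }
    }
  }
}"""

# Script package IDs are GUIDs; a HostID must look like a hostname or IPv4 address.
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_args(argv):
    """Check the two arguments ESM substitutes into the SSH command string.

    Returns (host_id, script_id) with the GUID upper-cased, or raises ValueError.
    Spaces, ';', '&', quotes and other shell metacharacters never match HOST_RE,
    so a malformed HostID is rejected instead of being passed on.
    """
    if len(argv) != 2:
        raise ValueError("usage: RunJob.py <HostID> <scriptPackageId>")
    host_id, script_id = argv
    if len(host_id) > 253 or not HOST_RE.match(host_id):
        raise ValueError("HostID is not a valid hostname: %r" % host_id)
    if not GUID_RE.match(script_id):
        raise ValueError("script package id is not a GUID: %r" % script_id)
    return host_id, script_id.upper()


def load_answers(joboptions_text, script_id):
    """Return the predefined 'questions' answers for a script ID, or {} if none."""
    scripts = json.loads(joboptions_text).get("scripts", {})
    # Keys in JobOptions.json are written upper-case in the guide; accept either case.
    entry = scripts.get(script_id.upper()) or scripts.get(script_id.lower()) or {}
    return dict(entry.get("questions", {}))


def build_job_request(config_text, joboptions_text, argv):
    """Assemble what a runner would send to the Fidelis Endpoint API.

    The URL path and body keys are assumptions for illustration only; the real
    endpoints are in the API Guide. Nothing is sent from here.
    """
    host_id, script_id = validate_args(argv)
    cfg = json.loads(config_text)
    return {
        "url": "https://%s/Endpoint/api/jobs" % cfg["FidelisServerIp"],  # assumed path
        "auth": (cfg["FidelisUserName"], cfg["FidelisPassword"]),
        "body": {
            "scriptPackageId": script_id,
            "endpointNames": [host_id],
            "answers": load_answers(joboptions_text, script_id),
        },
    }


def build_preload_url(server, endpoint_name, script_id=""):
    """Build the Task wizard preload URL shown in the guide.

    The parameters sit after '#', so they are a fragment the browser keeps
    client-side; each value is percent-encoded so an endpoint name cannot
    smuggle in extra '&' or '#' separators.
    """
    if script_id and not GUID_RE.match(script_id):
        raise ValueError("script package id is not a GUID: %r" % script_id)
    return "https://%s/Endpoint/#/wizard/preload?scriptId=%s&endpointNames=%s" % (
        server, quote(script_id, safe=""), quote(endpoint_name, safe=""))


if __name__ == "__main__":
    # Stand-alone use mirrors the guide's command line: RunJob.py <HostID> <scriptPackageId>
    try:
        request = build_job_request(CONFIG_JSON, JOBOPTIONS_JSON, sys.argv[1:])
    except ValueError as err:
        sys.exit(str(err))
    print(json.dumps({"url": request["url"], "body": request["body"]}, indent=2))
```

Run it as `python3 RunJob_example.py host01.example.com 2D32A530-0716-4542-AFDC-8DA3BD47D8BF` to see the assembled request with the six predefined answers attached; any other shape of HostID or script ID exits with an error before anything is built. The validation step is the part worth carrying into a real runner, because the command string is executed by the jump box's shell with whatever ESM substituted for [$%HostID].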

Configuring Alarms to Execute a Command
In ESM, you can configure alarms to execute a command.

To configure an alarm to execute a command:

1. In ESM, in Alarm Settings, click the Actions tab.
2. Click Execute remote command, then click Configure.
3. Click Use profile, select an existing command, then click OK.
4. Finish configuring the alarm.

Note: When the alarm triggers, it executes the specified command and script on the endpoint
automatically.


Manually Executing a Remote Command
In ESM, you can manually execute a Remote command on events in the dashboard.

To manually execute a Remote command:


• In ESM, in the dashboard, right-click an event, click Actions, click Remote Commands, then
click the Remote command to execute.

Note: The Remote command can launch a URL or execute a script via the Fidelis Endpoint API.



Technical Support
For all technical support related to this product, check with your site administrator to determine
support contract details. Contact your reseller or, if you have a direct support contract, contact the
Fidelis Cybersecurity support team at:

Phone: +1 301.652.7190*
Toll free in the US: +1.800.652.4020*
Email: support@fidelissecurity.com
Web: https://support.fidelissecurity.com

*Use the customer support option.

Getting Help
If you have questions about Fidelis Endpoint:
• Access help for pages and dialogs (in the HTML user interface).
In pages, click the icon in the navigation bar, then click Help.
In dialogs, click the icon.
• In help, use Search to find information you want. Or use the navigation menu to browse the
  topics in the content.

Other Documentation
You can learn more about Fidelis Endpoint in other documentation, including the following:

Title                          This document contains information…

Agent Installation Guide       About installing and upgrading the Fidelis Endpoint Platform agent on
                               endpoints.
API Guide                      About the APIs you can use with Fidelis Endpoint.
Integrations Guide             About integrating Fidelis Endpoint with SIEM (Security Information and
                               Event Management) applications.
Release Notes                  About the latest features, changes, and improvements in Fidelis Endpoint.
Server Installation Guide      About installing and configuring Fidelis Endpoint on servers.
Server Upgrade Guide           About upgrading Fidelis Endpoint on servers.
System Specifications Guide    About hardware and system requirements for implementing Fidelis
                               Endpoint.

To provide feedback, send your comments to documentation@fidelissecurity.com.
