
ResourceName - FEHxDevice


An example of a record from this resource:

"@FEHxDevice": {
    "_id": "KpZXgaaSDFasdfN4XI",
    "ad_common_names": "KBSL881KD22",
    "ad_domain_comps": "usa, abccorp",
    "ad_org_units": "Computers, Europe, Kiosk Stations",
    "agent_version": "34.28.6",
    "containment_missing_software": false,
    "containment_queued": false,
    "containment_state": "normal",
    "domain": "ABCD",
    "excluded_from_containment": false,
    "gmt_offset_seconds": 7200,
    "hostname": "ABCDKD22",
    "initial_agent_checkin": "2022-05-30T06:34:47.000Z",
    "last_alert": null,
    "last_alert_timestamp": null,
    "last_audit_timestamp": "2022-08-29T13:10:46.496Z",
    "last_exploit_block": null,
    "last_exploit_block_timestamp": null,
    "last_poll_ip": "12.230.45.167",
    "last_poll_timestamp": "2022-08-29T13:07:31.000Z",
    "os": {
      "bitness": "64-bit",
      "kernel_version": null,
      "patch_level": null,
      "platform": "win",
      "product_name": "Windows 10 Enterprise"
    },
    "primary_ip_address": "10.40.22.52",
    "primary_mac": "11-22-bb-dd-c4-e8",
    "reported_clone": false,
    "stats": {
      "acqs": 0,
      "alerting_conditions": 0,
      "alerts": 0,
      "exploit_alerts": 0,
      "exploit_blocks": 0,
      "false_positive_alerts": 0,
      "false_positive_alerts_by_source": {},
      "generic_alerts": 0,
      "malware_alerts": 0,
      "malware_cleaned_count": 0,
      "malware_false_positive_alerts": 0,
      "malware_quarantined_count": 0
    },
    "sysinfo": {
      "url": "/hx/api/v3/hosts/KpZXgaaSDFasdfN4XI/sysinfo"
    },
    "timezone": "W. Europe Daylight Time",
    "url": "/hx/api/v3/hosts/KpZXgaaSDFasdfN4XI"
  },
  "@customer": "default",
  "@dayIndex": "20220829",
  "@key": "KpZXgaaSDFasdfN4XI",
  "@resource_type": "FEHxDevice",
  "@source": "FireEyeHx",
  "@timestamp": 1661778695690,
  "@type": "resource"

An example of loading the resource:

// Loads FEHxDevice records and projects the fields used by the streams below.
// `uuid` is read from the record's "_id" and `osName` from the nested
// "os.product_name"; the other names are kept exactly as they appear in the record.
// NOTE(review): in the sample record last_poll_ip is a public address while
// primary_ip_address is a private (10.x) one; presumably the former is the address
// the HX server observed at check-in — confirm before using it for asset matching.
function loadDevices()
    load resource FEHxDevice
    let {uuid="_id", ad_common_names, hostname,last_poll_ip,last_poll_timestamp,primary_ip_address, osName="os.product_name"}=f("@FEHxDevice")
end
  
// Same projection as loadDevices, then collapses repeated records per hostname,
// keeping only the latest last_poll_timestamp for each.
// NOTE(review): grouping on hostname alone can merge distinct hosts that share a
// name across domains (the record also carries `domain` and `ad_domain_comps`);
// confirm that is intended, or add one of those fields to the `by` clause.
function loadUniqueDevices()
    load resource FEHxDevice
    let {uuid="_id", ad_common_names, hostname,last_poll_ip,last_poll_timestamp,primary_ip_address, osName="os.product_name"}=f("@FEHxDevice")
    // One row per hostname carrying the maximum poll time seen for it.
    aggregate last_poll_timestamp=max(last_poll_timestamp) by hostname
end
  
// Loads SentinelOne agent records, projecting `uuid` and `computerName`.
// Not referenced by the streams in this example; kept here presumably as a
// starting point for correlating HX devices with SentinelOne agents.
function loadAgents()
    load resource sentinelOneAgent
    let {uuid, computerName} = f("@sentinelOneAgent")
end
  
// Full device records, and one (hostname, latest poll time) pair per host.
stream  devices=loadDevices()
stream  uniqueDevices=loadUniqueDevices()
// Joining on both keys keeps, per hostname, only the device record whose poll
// time equals the aggregated maximum — i.e. the most recently polled record.
// NOTE(review): the left side of this join is not named; presumably it is the
// most recently declared stream (uniqueDevices) — confirm.
join devices on hostname, last_poll_timestamp