PowerShell Module for HX API Interaction

https://github.com/bw-0/Invoke-HX :+1:

I’ve been developing and using these functions (one main function named “Invoke-HX_API”) for about a year and a half since I started working with HX. As such it’s been developed as needed, so there isn’t 100% coverage for all the API endpoints, but the important endpoints like hosts (including file acquisitions), alert_groups, and policies are included which covers about 99% of my activities.

Analysts will like the ability to grab thousands of alert groups for analysis. Admins will like the ability to pull down their entire host set for evaluation, as well as the ability to programmatically edit policies. One of the design principles of our HX instance is to create separate malware policies based on BU. However, HX policies are not additive; e.g. if you want to make a global exclusion, those exclusions will need to be added to about 10 different policies, and clicking around the webUI is a good way to make a mistake, so doing it via script is much neater, and safer.

Hopefully y’all like it and want to contribute to the project; it’s been an indispensable tool for me as it’s used for several automations that wouldn’t be possible otherwise. If you have any questions they’d probably best be posed on the GitHub page so many can benefit, but if you’d rather stay here in the trust tree that’s fine too.

I’d also be willing to walk through any use cases in a WebEX or something if FEYE wanted to collab, or just for customers, let me know.




You rock, @Bryon_W!

Thanks for sharing your fantastic work with the Developers Community!
I’m positive both FireEye and Community developers will find this incredibly useful and keep your GitHub page busy :wink:

Keep us all posted, please!


Wow, thank you so much for this! I wish I would have found it sooner.

You’re super welcome MrMr. I’ve been adding a bunch of features to my private build, just need to commit to the public build soon.
I added a fun “helper” function that decreased my speed to contain a host by 200% (API vs logging into webUI w/MFA), aptly named “Invoke-BigRedButton”. It’s a state-aware function that first checks to see if containment has been requested and prompts to request containment if not, or confirms containment if the request was already made.

1 Like
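As an added example (not code from the Invoke-HX repository or from the poster), here is one way to build the state-aware containment helper described above in PowerShell: read the host's containment record first, submit a request if none exists, otherwise approve the pending request, prompting before either write. It assumes the HX v3 containment endpoint path, the `X-FeApi-Token` header, the `data.state` / `data.requested_on` response fields and the state names `normal`, `contain` and `contained`; none of those are stated in the thread, so check them against your appliance's API documentation. The `-Invoker` scriptblock and the mock appliance are constructed here so the logic can be run offline.

```powershell
# Added example, not part of the Invoke-HX project: a state-aware containment
# helper modelled on the "Invoke-BigRedButton" workflow described above.
# Assumptions (not stated in the thread): HX v3 exposes
#   GET   /hx/api/v3/hosts/<agentId>/containment   -> data.state, data.requested_on
#   POST  /hx/api/v3/hosts/<agentId>/containment   -> request containment
#   PATCH /hx/api/v3/hosts/<agentId>/containment   -> approve with {"state":"contain"}
# and authenticates with an X-FeApi-Token header. Verify against your appliance.

# Default transport: a plain Invoke-RestMethod call against the live API.
$RestInvoker = {
    param($Method, $Uri, $Headers, $Body)
    Invoke-RestMethod -Method $Method -Uri $Uri -Headers $Headers -Body $Body -ContentType 'application/json'
}

function Invoke-ContainHost {
    # ConfirmImpact=High makes PowerShell prompt before each ShouldProcess step,
    # which gives the "prompts to request containment" behaviour from the post.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $AgentId,
        [Parameter(Mandatory)] [string] $BaseUri,      # e.g. https://hx.example.local:3000 (placeholder)
        [Parameter(Mandatory)] [string] $ApiToken,     # HX API token (assumed header name below)
        [scriptblock] $Invoker = $RestInvoker          # swap in a mock for offline use
    )

    $uri     = "$($BaseUri.TrimEnd('/'))/hx/api/v3/hosts/$AgentId/containment"
    $headers = @{ 'X-FeApi-Token' = $ApiToken; 'Accept' = 'application/json' }

    # Step 1: read the current containment record before doing anything.
    $current = (& $Invoker 'GET' $uri $headers $null).data

    if ($current.state -eq 'contained') {
        Write-Verbose "$AgentId is already contained; nothing to do."
        return $current.state
    }

    if (-not $current.requested_on) {
        # Step 2a: no request on record -> ask, then submit the request.
        if ($PSCmdlet.ShouldProcess($AgentId, 'Request host containment')) {
            return (& $Invoker 'POST' $uri $headers $null).data.state
        }
        return $current.state
    }

    # Step 2b: a request exists but has not completed -> ask, then approve it.
    if ($PSCmdlet.ShouldProcess($AgentId, "Approve containment requested $($current.requested_on)")) {
        return (& $Invoker 'PATCH' $uri $headers '{"state":"contain"}').data.state
    }
    return $current.state
}

# Constructed mock appliance so the state machine can be exercised offline.
$script:MockHost = @{ state = 'normal'; requested_on = $null }
$MockInvoker = {
    param($Method, $Uri, $Headers, $Body)
    switch ($Method) {
        'POST'  { $script:MockHost.state = 'contain'; $script:MockHost.requested_on = (Get-Date).ToString('o') }
        'PATCH' { $script:MockHost.state = 'contained' }
    }
    # Mimic the HX response envelope: { "data": { ... } }
    [pscustomobject]@{ data = [pscustomobject]$script:MockHost }
}

# Two calls walk the mock from 'normal' -> 'contain' (requested) -> 'contained' (approved).
$demo = @{ AgentId = 'AGENT-ID-PLACEHOLDER'; BaseUri = 'https://hx.example.local:3000'
           ApiToken = 'TOKEN-PLACEHOLDER'; Invoker = $MockInvoker; Confirm = $false }
Invoke-ContainHost @demo
Invoke-ContainHost @demo
```

Against a live appliance, drop `-Invoker` (the default uses `Invoke-RestMethod`) and omit `-Confirm:$false` so each write is prompted; `-WhatIf` shows which of the two transitions the function would take without touching the host. Reading the record before every write is what makes the function safe to re-run: a second invocation on an already-contained host returns without issuing any request.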