FireEye Endpoint Security (HX Series) On-Premises Device

Configure a FireEye Security Endpoint (HX Series) on-premises device.

The following table shows device-specific integration characteristics:

Characteristic          Description
Method of push          All new IOCs that were discovered since the previous update are pushed to the device.
IOC types supported     Domains, file hashes (MD5, SHA-1, and SHA-256), IP addresses, and URLs.
IOC group limitation    All IOC types can be pulled in the same group.

Device-specific integration characteristics table

IOCs are pushed from Threat Command to the device.
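As an added illustration of the characteristics table above (not code from Threat Command or FireEye), the following Python snippet checks which values in an IOC group fall into the types the device accepts (domain, MD5/SHA-1/SHA-256 hash, IP address, URL) and, mirroring the push method, selects only the IOCs not already pushed in a previous update. The sample IOC values are constructed; the function and variable names are the author's own.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hash lengths (hex characters) of the three hash types the device accepts.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname labels: 1-63 chars, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-zA-Z0-9-]{1,63}(?<!-)(\.(?!-)[a-zA-Z0-9-]{1,63}(?<!-))+$"
)


def classify_ioc(value):
    """Return the IOC type the device supports, or None if it accepts none."""
    v = value.strip()
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def build_push_batch(group_iocs, already_pushed):
    """Split a group into IOCs to push now (new since the last update) and
    values the device cannot accept. Returns (batch_by_type, rejected)."""
    batch, rejected = {}, []
    for value in group_iocs:
        kind = classify_ioc(value)
        if kind is None:
            rejected.append(value)
        elif value not in already_pushed:
            batch.setdefault(kind, []).append(value)
    return batch, rejected


# Constructed sample group: one of each supported type plus two unusable values.
SAMPLE_GROUP = [
    "d41d8cd98f00b204e9800998ecf8427e",            # MD5 (constructed sample)
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",    # SHA-1
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "203.0.113.7", "http://malicious.example/path", "bad.example",
    "not an ioc", "user@bad.example",              # rejected by the device
]
PREVIOUSLY_PUSHED = {"203.0.113.7"}

if __name__ == "__main__":
    print(build_push_batch(SAMPLE_GROUP, PREVIOUSLY_PUSHED))
```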

To integrate the device, perform these steps (described in the following sections):

  1. Add the device to Threat Command using the virtual appliance web interface.
  2. Configure an IOC group whose IOCs will be pushed to the device.

FireEye Security Endpoint devices are supported with the Threat Command OVA v5.2.0 or later.

Add a FireEye Endpoint Security on-premises device

Use the Threat Command virtual appliance web interface to integrate the device with Threat Command.

Prerequisites

  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • You have the credentials to access the Threat Command virtual appliance web interface.
  • You have the administrative credentials to access the device management console.
  • You have the credentials of a user with API permissions (either the role of API Analyst or API Admin).

To add a FireEye Endpoint Security device:

  1. From an internet browser, navigate to https://<virtual appliance IP address>.
  2. Log in to the Threat Command virtual appliance using the web access username and password.
  3. From the Devices page, click Devices.
  4. Click Add new device.
  5. In the Devices screen, set up the new device:
    1. Type a user-defined, unique device name (for example, FE_HX).
    2. Select the FireEye Endpoint Security device type.
    3. Type values for User and Password.
      These are the credentials of a user with API permissions.
    4. Type the URL or IP address of the FireEye Security Endpoint machine.
    5. (Optional) Click Test connection to test the connection.
    6. Click Create.
    7. Review and approve messages.
  6. Verify that the new device is displayed in the Threat Command platform:
    1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
    2. From the main menu, select Automation > Integrations.
      If this window is already open, refresh it by selecting Automation > Integrations from the menu.
      The new device is displayed in the On-Premises tab.

The following figure shows a newly added device in the Threat Command Automation > Integrations window.

Configure an IOC group to push IOCs to the device

Once the FireEye Security Endpoint device has been added and is syncing with the Threat Command virtual appliance, it is ready to receive IOCs pushed from Threat Command. IOCs are pushed by creating an IOC group for this device in Threat Command.

Create the IOC group, as described in Create an IOC group.

Verify that IOCs are being pushed to the device

You can verify that IOCs are being pushed to the FireEye Security Endpoint device.

To verify IOCs:

  1. From the Threat Command main menu, select Automation > Integrations.
  2. Select the device.
  3. On an IOC group of the device, click the Information icon.
    The IOCs in the group are displayed.
  4. From the FireEye Endpoint Security management console, navigate to Rules > Indicators.
    The Category name is the name of the Threat Command IOC group.
    The integration automatically assigns an Active Condition to each IOC.