FireEye Additional Actions on Endpoint

  • Release version: Yokohama
  • Updated July 31, 2025

    The FireEye integration supports running additional actions beyond the gold standard actions.

    These actions comprise Triage Acquisition and Data Acquisitions. Out of the box, two data acquisitions are supported:
    • Comprehensive Investigative Details Script
    • Standard Investigative Details Script

    In addition, Triage Acquisition is also supported out of the box. All three are created by default along with the source. Customers can also create their own actions (data acquisitions) from the FireEye Additional Actions module. The maximum file size supported for FireEye Additional Actions is 1024, configurable through the com.glide.attachment.max_size system property; the default timeout is 120 minutes, configurable from the FireEye Default Setting page.

    Comprehensive Investigative Details Script

    Collects all forensic and investigative artifacts from the endpoint, but is by far the most expensive option. This configuration is ideal for situations where there will be only one window for collecting data from the endpoint in question and the ability to acquire more data later cannot be guaranteed. Use this action with caution.

    Standard Investigative Details Script

    Enables the most common options for collecting forensic and investigative artifacts from an endpoint. Meant to be the primary response tool when you suspect that an endpoint may be compromised and need to perform a deep-dive analysis of it. Aims to strike a balance between collecting the most relevant and valuable data and avoiding the costly options that can be collected later, once further investigation proves them necessary.

    Triage Acquisition

    Triage collections contain information from the lookback cache as well as additional forensic audit information, such as URL download history, file download history, process and port listings, and standard system information. You might want to examine such information when anomalous network traffic is detected and you want more visibility into endpoint activity.

    Maintaining Data Acquisition Scripts on FireEye

    Data acquisition requests (sometimes referred to as Live Response requests) allow you to acquire any data you need from a single running endpoint. Using the Data Acquisition Scripts page on FireEye, you can create, edit, copy, and delete the data acquisition scripts used for data acquisition requests.

    Accessing the Data Acquisition Scripts Page on FireEye

    To access the Data Acquisition Scripts page:
    1. Navigate to the Endpoint Security web user interface.
    2. Select Data Acquisition Scripts on the Admin menu.

    Creating a Script on FireEye

    To create a data acquisition script:
    1. On the Admin menu of the Endpoint Security web user interface, select Data Acquisition Scripts.
    2. Click Create Script.
    3. Enter a name for the new script in the Script Name field.
    4. Optionally, enter a description of the script.
    5. Select the operating system to which the script applies. You can select only a single operating system in the Create Script dialog.
    6. Click Create to start the script definition.
    7. Select an acquisition data type in the Add an acquisition type drop-down box and click Add. Options for the acquisition type you requested appear to the right of the script list.
    8. Supply values for the acquisition type options or use the default values that are already selected. The web UI does not warn you about, or remove, tabs, spaces, or unwanted characters (such as \n) in your specifications, so review each value before saving.
    9. Repeat the previous two steps to request additional data for the data acquisition script. Some acquisition data types are available only once per script, while others can be specified more than once. After you add an acquisition type to a script, the list of acquisition types available in the Add an acquisition type drop-down box adjusts accordingly.
    10. To remove an acquisition data type from the script, click the x icon on the acquisition tab on the left side of the page.
    Note:
    This integration does not support the Allow Edits before acquiring option when creating scripts, so ensure that the check box is cleared.

    Exporting a Script from FireEye

    You can export a data acquisition script to a JSON file. To export a data acquisition script:
    1. Navigate to the Endpoint Security web user interface.
    2. Select Data Acquisition Scripts on the Admin menu.
    3. Select the script you want to export on the left side of the page.
    4. Select Actions > Export Script.
    5. A JSON file is downloaded to your computer. The JSON file name includes the operating system, so you can easily determine which scripts apply to which operating system.
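    Because the FireEye web UI neither warns about nor strips tabs, newlines, or stray whitespace in acquisition option values (step 8 of the script-creation procedure above), a useful habit is to check an exported script file before importing it into ServiceNow. The following Python checker is an added example and is not part of FireEye or the ServiceNow integration; it assumes only that the export is a JSON document and walks every string in it regardless of schema. The key names in the constructed sample (`name`, `os`, `acquisitions`, `options`) are illustrative placeholders, not the real export format, and the OS-name check is a heuristic based on the documented fact that the file name includes the operating system.

```python
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Any C0/C1 control character (includes tab \x09, newline \x0a, CR \x0d) is
# unwanted inside an acquisition option value such as a path or pattern.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Hypothetical OS tags to look for in the export file name (assumption: the
# page only states that the name includes the operating system).
_OS_TAGS = ("windows", "mac", "linux")


def iter_strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string anywhere in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_unsanitized(doc: Any) -> list[dict]:
    """Return one finding per string value that carries control characters
    or leading/trailing whitespace, with the JSON path where it was found."""
    findings = []
    for path, value in iter_strings(doc):
        problems = []
        if _CONTROL_RE.search(value):
            problems.append("control character")
        if value != value.strip():
            problems.append("leading/trailing whitespace")
        if problems:
            findings.append({"path": path, "value": value, "problems": problems})
    return findings


def check_export(raw_json: str) -> list[dict]:
    """Parse an exported script and report unsanitized option values."""
    return find_unsanitized(json.loads(raw_json))


def os_from_filename(filename: str) -> str | None:
    """Heuristic: return the OS tag embedded in the export file name, if any."""
    lowered = filename.lower()
    for tag in _OS_TAGS:
        if tag in lowered:
            return tag
    return None


# Constructed sample export: a clean file-listing entry followed by one whose
# path ends in a newline and whose pattern has a leading space.
SAMPLE_EXPORT = json.dumps({
    "name": "example-standard-details",
    "os": "windows",
    "acquisitions": [
        {"type": "file-listing", "options": {"path": "C:\\Users", "pattern": "*.exe"}},
        {"type": "file-listing", "options": {"path": "C:\\Windows\\Temp\n", "pattern": " *.dll"}},
    ],
})


if __name__ == "__main__":
    print("detected OS tag:", os_from_filename("script_windows_export.json"))
    for finding in check_export(SAMPLE_EXPORT):
        print(f"{finding['path']}: {finding['value']!r} -> {', '.join(finding['problems'])}")
```

    Run the checker against the downloaded file with `check_export(open(path).read())`; an empty list means every string value is free of control characters and stray whitespace. The check is deliberately schema-agnostic so it keeps working if the export layout differs from the placeholder keys used in the sample.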

    Creating a New Data Acquisition Action in the ServiceNow AI Platform

    To create a new action, follow these steps:
    1. Navigate to FireEye Integration > FireEye Additional Actions. The FireEye Additional Actions list is displayed.
    2. Click New. The form for the new action is displayed.
    3. Fill out the form.
      • Action Name: Name of the FireEye action that is performed. This name helps you identify and describe the action type.
      • Acquisition: An acquisition obtains the data to analyze. This is a read-only field and defaults to Data Acquisition.
      • Source: Name of the FireEye source. Only configured sources are available from the choice list.
      • Capability: This is a read-only field and is populated with the Run Additional Action(s) capability.
      • Acquisition Type: Type of acquisition action that needs to be obtained and analyzed.
      • Active: Indicates that the action is active.
      • Require Approval: When you enable the Require Approval option, the Approvers field is available on the form. After you submit a request, approval from the group is required to complete the request.
      • Display tag: Type of operating system, such as Windows, Mac, or Linux, for adding scripts.
      Note:
      Only one type of OS is supported per action currently. You can create one action per operating system; for other operating systems, create new actions as required.
      • Scripts: The imported FireEye script must be provided for the selected OS type. Only one script can be added to each OS type.
    4. Click Submit.

    Triggering Data Acquisitions from Security Incident

    The additional actions you create can be run from the security incident via the Related Link called Run Additional Action(s) on Endpoint.
    Note:
    The FireEye Allow Edits before acquiring functionality is not supported for Additional Actions on Endpoint.