# FireEye HX

FireEye HX (now Trellix Endpoint Security HX) is an endpoint detection and response product that detects intrusions, malware, lateral movement, and credential theft on managed hosts. Connecting through Cribl Stream forwards FireEye HX alerts and host data to Radiant Security over a webhook. Radiant uses these alerts for AI triage, classifying and enriching each before it reaches an analyst.

### Prerequisites

* [ ] Admin access to Cribl Stream
* [ ] FireEye HX alert and host data configured as a source in Cribl Stream

### Add the data connector in Radiant Security

1. Sign in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connectors**, then click **+ Add Connector**.
3. Search for and select **FireEye HX**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **FireEye HX**, then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for this credential.
6. Under **Required Credentials**, enter a **Webhook Auth Token**. Use a long, randomly generated value, and rotate it periodically.
7. Click **Add Connector**.
8. Open the newly created connector. Under **Vendor Configuration**, copy and save the **Webhook URL**. You will need it when you create the webhook destination in Cribl Stream in the next section.

### Create a webhook destination in Cribl Stream

1. Sign in to Cribl.
2. Navigate to **Stream**.
3. Use the top navigation to open **Manage** > **Groups**.
4. From the list of groups, click the group that has the FireEye HX data as a **Source**.
5. Use the top navigation to open **Data** > **Destinations**.
6. Filter the Destinations and click **Webhook**.
7. Click **Add Destination**.
8. Under **General Settings**, configure the following:
   * **Output ID**: `rs-cribl-fireeye-hx`
   * **URL**: the **Webhook URL** copied from Radiant Security.

     <figure><img src="https://20705827.fs1.hubspotusercontent-na1.net/hubfs/20705827/Knowledge%20Base%20Articles/Cribl%20FireEye%20HX%20Trellix/Screenshot%202023-06-19%20at%203.11.52%20PM(1).png" alt=""><figcaption></figcaption></figure>
9. Click **Authentication** and configure the following:
   * **Authentication type**: `Auth Token`
   * **Token**: the **Webhook Auth Token** configured in Radiant Security.

     <figure><img src="https://20705827.fs1.hubspotusercontent-na1.net/hubfs/20705827/Knowledge%20Base%20Articles/Cribl%20FireEye%20HX%20Trellix/Screenshot%202023-06-19%20at%203.12.15%20PM.png" alt=""><figcaption></figcaption></figure>
10. Click **Save**.
11. Use the top navigation to open **Routing** > **Data Routes**.
12. Click **Add Route**.
13. Configure the route to send FireEye HX data (Hosts and Alerts) to a Pipeline that outputs to the `rs-cribl-fireeye-hx` Destination. For details on configuring Routes and Pipelines, see the [Cribl Stream Routing documentation](https://docs.cribl.io/stream/routes/).

### Verify ingestion

After Cribl Stream begins forwarding, confirm events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"cribl_webhook_hx"`.
3. Confirm recent events appear.

{% hint style="info" %}
Allow several minutes for events to be parsed, indexed, and available for search.
{% endhint %}

