Securonix
App Vendor: Securonix
App Category: IT Services
Connector Version: 1.5.0
API Version: 6.4
Note
This app is currently released as a beta version.
About App
Securonix is a big data security analytics platform that utilizes Securonix machine-learning-based anomaly detection techniques and threat models to detect sophisticated cyber and insider attacks.
The Securonix app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
|---|---|
List Incidents | This action lists all the incidents. |
Get Incident | This action retrieves the details of a particular incident. |
Create Incident | This action creates an incident. |
Add Comments to Incident | This action adds a comment to the particular incident. |
Update Incident Criticality | This action updates the criticality of a particular incident. |
List Watchlist | This action lists all the watchlists. |
Check Entity Watchlist | This action is used to get the values of a particular watchlist. |
Add Entity Watchlist | This action adds the entity to a watchlist. |
Create New Watchlist | This action creates a new watchlist. |
List All Entity Present in Watchlist | This action lists all the entities present in an existing watchlist. |
Search Watchlist by Entity | This action checks the watchlist by one or more entities. |
TPI Domain Match | This action gathers intelligence from third-party sources to add value to the events seen from sources like DLP, web gateways or proxies, and firewalls. Securonix stores and indexes the Third-Party Intel (TPI) data as a separate collection to facilitate investigations. |
Fetch User Risk Score | This action is used to get user risk score. SNYPR stores and indexes Risk Scorecard for all entities as separate collections to facilitate investigations. |
Fetch User Risk History | This action gets the user's risk history. SNYPR stores and indexes risk history for all entities as separate collections to facilitate investigations. |
Lookup by Attributes | This action enriches security events during activity ingestion. |
Fetch Asset by Attribute | This action fetches assets by attribute. It can be used for enriching security events during activity ingestion. |
Get All Violations | This action retrieves all the violations. |
Get Violation by Policy Name | This action retrieves violations by policy name. |
Fetch By Query | This action fetches a response based on the query passed in the query parameter. |
Generic Action | This is a generic action used to make requests to any Securonix endpoint. |
Configuration Parameters
The following configuration parameters are required for the Securonix app to communicate with the Securonix enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Base URL | Enter the base URL. | Text | Required | Allowed format: https://<hostname or IP address> |
Username | Enter the username to connect to Securonix. | Text | Required | |
Password | Enter the password to authenticate with Securonix. | Password | Required | |
TLS Verification | Choose your preference to verify TLS while making requests. It is recommended to set this option to yes. Passing no may result in incorrectly establishing the connection. | Boolean | Optional | Allowed values:
Default value: False |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Securonix | Integer | Optional | Allowed range: 15-120 Default value: 15 |
Action: List Incidents
This action lists all the incidents.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Start Time | Enter the start time in epoch. Example: 1042585071 | Text | Required | |
End Time | Enter the end time in epoch. Example: 1642585071 | Text | Required | |
Range Type | Enter the range type. Example: opened | Text | Required | Allowed values:
|
Extra Params | Enter the extra parameters if required. Example: "status": "open" | Key Value | Optional | Allowed values:
|
Example Request
[
{
"end_time": "1642585071",
"range_type": "opened",
"start_time": "1086246648",
"extra_params": {
"status": "open",
}
}
]Action: Get Incident
This action retrieves the details of a particular incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the incident ID to fetch the details. Example: 59 | Text | Required | You can retrieve the Incident ID using the action List Incidents. |
Type | Enter the type. Example:
| Text | Required |
Example Request
[
{
"incident_id":"59",
"type":"status"
}
]Action: Create Incident
This action creates an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Violation Name | Enter the violation policy name. Example: Abnormal amount of data aggregated from FTP ports - Next Gen Firewall-Next Generation Firewall | Text | Required | |
Resource Group | Enter the resource group name. Example: INMUM01FGT001 | Text | Required | |
Resource Name | Enter the resource name. Example: sampleresourcename | Text | Required | |
Entity Type | Enter the entity type. Example: users | Text | Required | Allowed values:
|
Entity Name | Enter the account name associated with the violation. Example: sampleentityname | Text | Required | |
Action Name | Enter the action name. Example: mark as concern | Text | Required | |
Workflow | Enter the workflow name. Example: SOCTeamReview | Text | Optional | |
Comment | Enter any additional comments. | Text | Optional | |
Criticality | Enter the criticality of the incident that you creating. Example: low | Text | Optional |
Example Request
[
{
"workflow": "SOCTeamReview",
"action_name": "Mark as concern and create incident",
"entity_name": "sampleentityname",
"entity_type": "users",
"resource_name": "sampleresourcename",
"resource_group": "INMUM01FGT001",
"violation_name": "Abnormal amount of data aggregated from FTP ports - Next Gen Firewall-Next Generation Firewall"
}
]Action: Add Comments to Incident
This action adds comments to a particular incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the incident ID to add a comment. Example: 59 | Text | Required | You can retrieve the Incident ID using the action List Incidents. |
Comments | Enter comments to add. Example: Sample comment to add | Text | Required | |
Extra Params | Enter the extra parameters to add comments to an incident. | Key Value | Optional |
Example Request
[
{
"comment": "Sample comment to add",
"incident_id": "59"
}
]Action: Update Incident Criticality
This action updates the criticality of a particular incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident ID | Enter the incident ID to update the criticality. Example: 59 | Text | Required | You can retrieve the Incident ID using the action List Incidents. |
Criticality | Enter the criticality of the incident. Example: "low" | Text | Required | Allowed values:
|
Example Request
[
{
"criticality": "low",
"incident_id": "59"
}
]Action: List watchlist
This action lists all the watchlists.
Action Input Parameters
No input parameters are required for this action.
Action: Check Entity Watchlist
This action is used to get the values of a particular watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Watchlist Name | Enter the watchlist name to check if the entity exists. Example: domain_admins | Text | Required | |
Entity ID | Enter the entity ID. Example: 3007 | Text | Required |
Example Request
[
{
"entity_id": 3007,
"watchlist_name": "domain_admins"
}
]Action: Add Entity Watchlist
This action adds the entities to a watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Watchlist Name | Enter the watchlist name to add the entity. Example: sample_watchlist | Text | Required | |
Entity ID | Enter the entity ID. The entity ID is the employee ID, whereas the entity type is users. | Text | Required | |
Entity Type | Enter the type of entity you are adding. Example: users | Text | Required | Allowed values:
|
Expiry Days | Enter the number of days the entity will be assigned to the watchlist. Example: 90 | Text | Required |
Example Request
[
{
"entity_id": "s72564",
"entity_type": "Users",
"expiry_days": "90",
"watchlist_name": "sample_watchlist"
}
]Action: Create New Watchlist
This action creates a new watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Watchlist Name | Enter the name of the watchlist that you want to create. Example: sample_watchlist | Text | Required |
Example Request
[
{
"watchlist_name": "sample_watchlist"
}
]Action: List All Entity Present in Watchlist
This action lists all the entities present in the existing watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Watchlist Name | Enter the name of the watchlist to list all entities. Example: sample_watchlist | Text | Required |
Example Request
[
{
"watchlist_name": "sample_watchlist"
}
]Action: Search Watchlist by Entity
This action performs a search in the watchlist by an entity.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Entity ID | Enter the name of the entity ID to search the watchlist. Example: admin | Text | Required | You can retrieve the Entity ID using the action List All Entity Present in Watchist. |
Example Request
[
{
"entity_id": "sample_entity"
}
]Action: TPI Domain Match
This action gathers intelligence from third-party sources to add value to the events seen from sources such as DLP, web gateways or proxies, and a firewall. SNYPR stores and indexes Third-Party Intel (TPI) data as a separate collection to facilitate investigations.
Action Input Parameters
No input parameters are required for this action.
Action: Fetch User Risk Score
This action gets the user risk score. SNYPR stores and indexes the Risk Scorecard for all entities as a separate collection to facilitate investigations.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Employee ID | Enter the employee ID to fetch the user risk score. Example: s72564 | Text | Required |
Example Request
[
{
"employee_id": "s72564"
}
]Action: Fetch By Query
This action fetches a response based on the query passed in the query parameter.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the query to search to fetch a response. Example: 'index = violation and @policyname=\"poForTMManualCaseActAcc\" and @accountname=\"TESTPB101\"' | Text | Required | |
Generation From Time | Enter the violation epoch start time to fetch the response by query. The time format must be epoch Example: 1692170742698 | Integer | Required | |
Generation Until Time | Enter the end violation time to fetch the response by query. The time format must be epoch. Example: 1692170742888 | Integer | Required |
Action: Fetch Asset by Attribute
This action fetches an asset by the attribute name. It can be used for enriching security events during activity ingestion.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Entity Name | Enter the entity name to fetch assets. Example: sample_entity | Text | Required |
Example Request
[
{
"entity_name": "sample_entity"
}
]Action: Fetch User Risk History
This action retrieves user risk history. SNYPR stores and indexes risk history for all entities as separate collections to facilitate investigations.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Employee ID | Enter the employee ID to fetch the user risk history. Example: s72564 | Text | Required |
Example Request
[
{
"employee_id": "s72564"
}
]Action: Get All Violations
This action retrieves all violations.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
Generation From Time | Enter the violation time start range. Example: 08/19/2019 12:04:32 | Text | Required | Allowed format: MM/dd/yyyy HH:mm:ss |
Generation Until Time | Enter the violation time end range. Example: 08/20/2019 12:04:32 | Text | Required | Allowed format: MM/dd/yyyy HH:mm:ss |
Example Request
[
{
"generationtime_from":"08/19/2019 12:04:32",
"generationtime_to":"08/20/2019 12:04:32"
}
]Action: Get Violation by Policy Name
This action retrieves violations by policy name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
Policy Name | Enter the policy name to search. Example: Phishing | Text | Required | |
Generation From Time | Enter the violation time start range. Example: 08/19/2019 12:04:32 | Text | Required | Allowed format: MM/dd/yyyy HH:mm:ss |
Generation Until Time | Enter the violation time end range. Example: 08/20/2019 12:04:32 | Text | Required | Allowed format: MM/dd/yyyy HH:mm:ss |
Example Request
[
{
"policy_name":"Phishing",
"generationtime_from":"08/19/2019 12:04:32",
"generationtime_to":"08/20/2019 12:04:32"
}
]Action: Lookup by Attributes
This action enriches security events during activity ingestion.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lookup Name | Enter the lookup name to retrieve all the details. Example: Abnormal_IAM_policy_activity_NL | Text | Required |
Example Request
[
{
"lookup_name": "Abnormal_IAM_policy_activity_NL"
}
]Action: Generic Action
This is a generic action used to make requests to any Securonix endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Endpoint | Enter the endpoint to initiate a request. Example: spotter/index/search | Text | Required | |
Method | Enter the HTTP method to make the request. Example: GET | Text | Required | Allowed values:
|
Query Params | Enter the query parameters to filter the result. Example: "limit":10 | Key Value | Optional | |
Payload | Enter the payload data to pass to the API. Example: {"data": {"reason": "security_testing"}} | Key Value | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_json, custom_output, download, filename, files, retry_wait, retry_count, and response_type |
Example Request
[
{
"method":"GET",
"endpoint":"spotter/index/search",
"payload":
{
"reason":"security_testing"
}
,
"query_params":{
"limit":10
}
}
]