Gurucul Risk Analytics (GRA)
App Vendor: Gurucul
App Category: Case/Ticket Management
Connector Version: 1.0.0
API Version: v1
About App
The Gurucul Risk Analytics (GRA) app provides security teams with real-time insights into user and entity behavior, facilitating proactive threat detection and breach prevention across network, IT, cloud, and IoT environments.
The Gurucul Risk Analytics (GRA) app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Get Anomalous Accounts Details | This action retrieves the details of anomalous accounts. |
Get Anomalous Entities Details | This action retrieves the details of anomalous entities. |
Get Anomalous Users Details | This action retrieves the details of anomalous users. |
Get Anomaly Names with Entities Count | This action retrieves anomaly names along with the total count of associated anomalous users, accounts, or entities. |
Get Anomaly Summary by Name | This action retrieves the detailed summary of the specified anomaly name. |
Get Count of Anomalous Entities | This action retrieves the total count of anomalous users, accounts, and entities. |
Get Count of Orphan/Rogue Accounts | This action retrieves the total count of orphan accounts. |
Get Model Names with Entities Count | This action retrieves model names along with the total count of associated anomalous users, accounts, or entities for a specific classifier. |
List Accounts Using Query | This action retrieves a list of accounts based on a search query. |
List Active Accounts by Resource | This action lists active accounts for the specified resource. |
List Active Accounts by User | This action lists active accounts for the specified user/identity. |
List Anomalies | This action retrieves the list of anomalies for the specified case ID. |
List Attribute Values | This action lists attribute values for the specified anomalous entity. |
List Cases | This action lists all the cases and associated anomalies based on the specified case/anomaly status. |
List Dormant Accounts by Resource | This action lists dormant accounts for the specified resource. |
List Dormant Accounts by User | This action lists dormant accounts by the given employee ID of a user. |
List High Privileged Accounts by Resource | This action lists high-privileged accounts for the specified resource. |
List High Risk Accounts by Resource | This action lists high-risk accounts for the specified resource. |
List High Risk Accounts by User | This action lists high-risk accounts by the given employee ID of a user. |
List High Risk Orphan Accounts | This action lists the high-risk orphan accounts. |
List High Risk Orphan Accounts by Resource | This action lists high-risk orphan accounts for the specified resource. |
List High Risk Privileged Accounts | This action lists high-risk privileged accounts. |
List Orphan/Rogue Accounts | This action lists the orphan accounts. |
List Orphan/Rogue Accounts by Resource | This action lists orphan accounts for the specified resource. |
List Users | This action retrieves a list of all the users. |
List Users Using Query | This action retrieves a list of users based on a search query. |
Update Case Anomaly Status | This action updates the case anomaly status of the specified case. |
Update Case Status | This action updates the status of the specified case. |
Generic Action | This is a generic action used to make requests to any Gurucul Risk Analytics endpoint. |
Configuration Parameters
The following configuration parameters are required for the Gurucul Risk Analytics (GRA) app to communicate with the Gurucul Risk Analytics (GRA) enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access Gurucul Risk Analytics (GRA). | Text | Required | |
Access Token | Enter the access token to access Gurucul Risk Analytics (GRA). Example: xN0mJM8FoqXQ7phQZSkqSRneM3tH4Jp8mhiLcFg2TCk= | Password | Required | |
Verify | Choose whether to verify the server's SSL/TLS certificate while making requests. Set this option to yes. Setting it to no disables certificate verification, so the connection can be intercepted by anyone on the network path and the access token exposed. | Boolean | Optional | By default, verification is enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Gurucul Risk Analytics (GRA). | Integer | Optional | Allowed range: 15-120 Default value: 15 |
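The configuration table above leaves two settings to the operator that matter for safety: Verify and Timeout. The following is an added example, not code from the Cyware Orchestrate app or from Gurucul, that checks an instance's settings before any request is made and shows what the Verify flag actually changes at the TLS layer. The 15-120 second range and the verify-enabled default are taken from the table; how GRA expects the access token to be presented is not stated on this page, so the bearer header in `auth_headers` is an assumption, as is the host name in the comments.

```python
"""Validate Gurucul Risk Analytics (GRA) instance settings before any request.

Added example, not code from the Cyware Orchestrate app or from Gurucul.
The 15-120 second timeout range and verify-enabled default come from the
configuration table; the bearer header layout is an assumption.
"""
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit

TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15


@dataclass(frozen=True)
class GraConfig:
    base_url: str       # e.g. https://gra.example.internal (constructed host)
    access_token: str
    verify: bool = True
    timeout: int = TIMEOUT_DEFAULT


def validate_config(base_url, access_token, verify=True, timeout=None):
    """Return a GraConfig, or raise ValueError for an invalid or unsafe setting."""
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        # a bearer token sent over http:// is readable by anyone on the path
        raise ValueError("Base URL must be an absolute https:// URL")
    if parts.query or parts.fragment:
        raise ValueError("Base URL must not carry a query string or fragment")
    if not access_token:
        raise ValueError("Access token is required")
    timeout = TIMEOUT_DEFAULT if timeout is None else int(timeout)
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        raise ValueError(f"Timeout must be within {TIMEOUT_MIN}-{TIMEOUT_MAX} seconds")
    return GraConfig(base_url.strip().rstrip("/"), access_token, bool(verify), timeout)


def tls_context(cfg):
    """SSL context for the connection; mirrors what the Verify flag controls."""
    ctx = ssl.create_default_context()
    if not cfg.verify:
        # Verify=no: certificate and hostname checks are skipped, so an on-path
        # attacker can present any certificate and read the access token
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def auth_headers(cfg):
    """Assumed header layout; confirm against the GRA API reference."""
    return {"Authorization": f"Bearer {cfg.access_token}", "Accept": "application/json"}
```

`validate_config` refuses a plain `http://` Base URL outright, because the token would travel in clear text; `tls_context` makes the effect of Verify=no explicit rather than burying it in a library flag.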
Action: Get Anomalous Accounts Details
This action retrieves the details of anomalous accounts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter the extra parameters to retrieve anomalous account details. | Key Value | Optional | Allowed keys: max, offset, sortColumn, sortDirection, fromDate, toDate, modelName, classifierName, searchstring |
Example Request
[ { "extra_params": { "max": 30 } } ]
Action: Get Anomalous Entities Details
This action retrieves the details of anomalous entities.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter the extra parameters to retrieve anomalous entity details. | Key Value | Optional | Allowed keys: max, offset, sortColumn, sortDirection, fromDate, toDate, modelName, classifierName, searchstring, and execution together with modelId |
Example Request
[ { "extra_params": { "max": 30 } } ]
Action: Get Anomalous Users Details
This action retrieves the details of anomalous users.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter the extra parameters to retrieve anomalous user details. | Key Value | Optional | Allowed keys: max, offset, sortColumn, sortDirection, fromDate, toDate, modelName, classifierName, searchstring, and execution together with modelId |
Example Request
[ { "extra_params": { "max": 30 } } ]
Action: Get Anomaly Names with Entities Count
This action retrieves anomaly names along with the total count of associated anomalous users, accounts, or entities.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
From Date | Enter the start date from which you want to retrieve the count. Example: 2020-07-01%2000:00:00 | Text | Optional | |
To Date | Enter the end date until which you want to retrieve the count. Example: 2020-12-31%2023:59:59 | Text | Optional | |
Classifier Name | Enter the classifier name. Example: Categories | Text | Optional | You can retrieve the classifier name using the action Get Anomaly Summary by Name. |
Page | Enter the page number to retrieve results from. | Text | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Text | Optional | Maximum allowed value: 100 Default value: 25 |
Example Request
[ { "page": 3, "page_size": 25 } ]
Action: Get Anomaly Summary by Name
This action retrieves the detailed summary of the specified anomaly name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Anomaly Name | Enter the anomaly name to retrieve the summary. | Text | Required | You can retrieve the anomaly name using the action List Anomalies. |
From Date | Enter the start date from which you want to retrieve the summary details. Example: 2020-07-01%2000:00:00 | Text | Optional | |
To Date | Enter the end date until which you want to retrieve the summary details. Example: 2020-12-31%2023:59:59 | Text | Optional | |
Example Request
[ { "anomaly_name": "Use of Remote Desktop Tools" } ]
Action: Get Count of Anomalous Entities
This action retrieves the total count of anomalous users, accounts, and entities.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
From Date | Enter the start date from which you want to retrieve the count. Example: 2020-07-01%2000:00:00 | Text | Optional | |
To Date | Enter the end date until which you want to retrieve the count. Example: 2020-12-31%2023:59:59 | Text | Optional | |
Example Request
[ { "from_date": "2020-07-01%2000:00:00", "to_date": "2020-12-31%2023:59:59" } ]
Action: Get Count of Orphan/Rogue Accounts
This action retrieves the total count of orphan accounts.
Action Input Parameters
No input parameters are required for this action.
Action: Get Model Names with Entities Count
This action retrieves model names along with the total count of associated anomalous users, accounts, or entities for a specific classifier.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
From Date | Enter the start date from which you want to retrieve the count. Example: 2020-07-01%2000:00:00 | Text | Optional | |
To Date | Enter the end date until which you want to retrieve the count. Example: 2020-12-31%2023:59:59 | Text | Optional | |
Parent Classifier Name | Enter the parent classifier name. Example: Categories | Text | Optional | You can retrieve the parent classifier name using the action Get Anomaly Summary by Name. |
Example Request
[ { "from_date": "2020-07-01%2000:00:00", "to_date": "2020-12-31%2023:59:59" } ]
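The count and summary actions above (Get Anomaly Names with Entities Count, Get Anomaly Summary by Name, Get Count of Anomalous Entities, Get Model Names with Entities Count) take a From Date / To Date window in the `YYYY-MM-DD%20HH:MM:SS` form shown in their examples, and the paged List actions cap Page Size at 100 with a default of 25. The following is an added example, not connector or Gurucul code, that builds such a window for a look-back period and walks pages within the documented limits. The `%20` is reproduced literally because that is how the page writes it; that page numbering starts at 1 is an assumption, and `make_fake_fetch` is a constructed stand-in for the real call so the block runs offline.

```python
"""Date windows and bounded paging for the GRA count/summary and list actions.

Added example, not connector or Gurucul code. Page-size cap (100), default
(25) and the '%20'-encoded date form come from the action tables; page
numbering from 1 is an assumption.
"""
from datetime import datetime, timedelta, timezone

PAGE_SIZE_MAX = 100
PAGE_SIZE_DEFAULT = 25
DATE_FMT = "%Y-%m-%d%%20%H:%M:%S"   # literal '%20' between date and time, as in the examples


def date_window(days_back, now_iso=None):
    """(from_date, to_date) covering `days_back` whole days up to now_iso (UTC if omitted)."""
    if days_back < 0:
        raise ValueError("days_back must be non-negative")
    if now_iso:
        now = datetime.fromisoformat(now_iso)
    else:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    start = (now - timedelta(days=days_back)).replace(hour=0, minute=0, second=0, microsecond=0)
    return start.strftime(DATE_FMT), now.strftime(DATE_FMT)


def clamp_page_size(page_size):
    """Apply the documented default and maximum instead of letting the API reject the call."""
    if page_size is None:
        return PAGE_SIZE_DEFAULT
    page_size = int(page_size)
    if page_size < 1:
        raise ValueError("page_size must be at least 1")
    return min(page_size, PAGE_SIZE_MAX)


def collect_pages(fetch, page_size=None, max_pages=50):
    """Collect every page from `fetch(page, page_size)` until a short page arrives.

    max_pages bounds the loop so an API that keeps returning full pages
    (or a paging bug) cannot turn one playbook step into an endless call."""
    page_size = clamp_page_size(page_size)
    results = []
    for page in range(1, max_pages + 1):          # page numbering from 1: assumed
        batch = fetch(page, page_size)
        results.extend(batch)
        if len(batch) < page_size:
            return results
    raise RuntimeError(f"stopped after {max_pages} pages; results would be incomplete")


def make_fake_fetch(total):
    """Constructed stand-in for the API: items numbered 1..total, served page by page."""
    def fetch(page, page_size):
        start = (page - 1) * page_size
        return list(range(start + 1, min(start + page_size, total) + 1))
    return fetch
```

With `date_window(183, "2020-12-31T23:59:59")` the block reproduces the page's own example window, and `collect_pages` raises rather than silently returning a truncated result when the page budget is exhausted.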
Action: List Accounts Using Query
This action retrieves a list of accounts based on a search query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Query | Enter the search query using operators to list accounts. Example: account.accountname="bob.lawson" | Text | Optional | Allowed operators: =, <, >, !=, <=, >=, in, not, like, not like, 'OR', 'AND' |
Example Request
[ { "page": 3, "page_size": 25 } ]
Action: List Active Accounts by Resource
This action lists active accounts for the specified resource.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Resource Name | Enter the resource name to list associated active accounts. Example: DLP | Text | Required | You can retrieve the resource name using the action Get Anomaly Summary by Name. |
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Example Request
[ { "resource_name": "Windows Security" } ]
Action: List Active Accounts by User
This action lists active accounts for the specified user/identity.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Employee ID | Enter the employee ID to list associated active accounts. Example: John.Doe | Text | Required | You can retrieve the employee ID using the action List Users. |
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Example Request
[ { "employee_id": "John.Doe" } ]
Action: List Anomalies
This action retrieves the list of anomalies for the specified case ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Case ID | Enter the case ID to retrieve the associated anomaly list. Example: 106 | Integer | Required | You can retrieve the case ID using the action List Cases. |
Extra Params | Enter the extra parameters to retrieve the list of anomalies. | Key Value | Optional | Allowed keys: page and max |
Example Request
[ { "case_id": "187", "extra_params": {} } ]
Action: List Attribute Values
This action lists attribute values for the specified anomalous entity.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Entity Type | Enter the entity type. | Text | Required | Allowed values: accounts, users, entities |
Attribute Name | Enter the attribute name. | Text | Required | |
Search String | Enter the search string to list attribute values. | Text | Optional | |
Extra Params | Enter the extra parameters to list attribute values. | Key Value | Optional | Allowed keys: fromDate, toDate, modelName, classifierName |
Example Request
[ { "entity_type": "users", "extra_params": {}, "attribute_name": "department" } ]
Action: List Cases
This action lists all the cases and associated anomalies based on the specified case/anomaly status.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Status | Enter the status to list cases and associated anomalies. The allowed values depend on the Is Case Anomaly parameter. | Text | Required | Allowed values when Is Case Anomaly is true: OPEN, CLOSED, RISK ACCEPTED, MODEL REVIEWED, REOPENED, ALL. Allowed values when Is Case Anomaly is false: OPEN, CLOSED, ON HOLD, IN PROGRESS, REOPENED, ALL. |
Is Case Anomaly | Choose true to retrieve case anomalies matching the specified case anomaly status in status. If you choose false, it retrieves all cases matching the specified case status. | Boolean | Optional | Default value: True |
Extra Params | Enter the extra parameters to list cases. | Key Value | Optional | Allowed keys: page, max |
Example Request
[ { "status": "ALL", "extra_params": {}, "is_case_anomaly": true } ]
Action: List Dormant Accounts by Resource
This action lists dormant accounts for the specified resource.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Resource Name | Enter the resource name to list associated dormant accounts. Example: DLP | Text | Required | You can retrieve the resource name using the action Get Anomaly Summary by Name. |
Page | Enter the page number from which to retrieve results. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Action: List Dormant Accounts by User
This action lists dormant accounts by the given employee ID of a user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Employee ID | Enter the employee ID to list associated dormant accounts. Example: John.Doe | Text | Required | You can retrieve the employee ID using the action List Users. |
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Action: List High Privileged Accounts by Resource
This action lists high-privileged accounts for the specified resource.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Resource Name | Enter the resource name to list associated high-privileged accounts. Example: DLP | Text | Required | You can retrieve the resource name using the action Get Anomaly Summary by Name. |
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Action: List High Risk Accounts by Resource
This action lists high-risk accounts for the specified resource.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Resource Name | Enter the resource name to list associated high-risk accounts. Example: fedora | Text | Required | You can retrieve the resource name using the action Get Anomaly Summary by Name. |
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Action: List High Risk Accounts by User
This action lists high-risk accounts by the given employee ID of a user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Employee ID | Enter the employee ID to list associated high-risk accounts. Example: John.Doe | Text | Required | You can retrieve the employee ID using the action List Users. |
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Action: List High Risk Orphan Accounts
This action lists the high-risk orphan accounts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Action: List High Risk Orphan Accounts by Resource
This action lists high-risk orphan accounts for the specified resource.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Resource Name | Enter the resource name to list associated high-risk orphan accounts. Example: DLP | Text | Required | You can retrieve the resource name using the action Get Anomaly Summary by Name. |
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Action: List High Risk Privileged Accounts
This action lists high-risk privileged accounts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Action: List Orphan/Rogue Accounts
This action lists the orphan accounts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Action: List Orphan/Rogue Accounts by Resource
This action lists orphan accounts for the specified resource.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Resource Name | Enter the resource name to list associated orphan accounts. Example: fedora | Text | Required | You can retrieve the resource name using the action Get Anomaly Summary by Name. |
Page | Enter the page number to retrieve results from. | Integer | Optional | |
Page Size | Enter the number of results to retrieve on each page. | Integer | Optional | Maximum allowed value: 100 Default value: 25 |
Action: List Users
This action retrieves a list of all the users.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter the extra parameters to list the users. | Key Value | Optional | Allowed keys: page, max |
Example Request
[ { "extra_params": { "page": 3 } } ]
Action: List Users Using Query
This action retrieves a list of users based on a search query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the search query using operators to list users. Example: user.department=qa | Text | Optional | Allowed operators: =, <, >, !=, <=, >=, in, not, like, not like, 'OR', 'AND' |
Extra Params | Enter the extra parameters to list users. | Key Value | Optional | Allowed keys: page, max |
Example Request
[ { "extra_params": { "page": 3 } } ]
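Both List Accounts Using Query and List Users Using Query take a free-text Query built from the operators listed in their tables. In a playbook that string is often assembled from upstream data (an alert field, a user-supplied name), so a value containing a quote or an `OR` can change what the query matches. The following is an added example, not connector or Gurucul code, that builds such queries from an operator allowlist. The operator set is the one on this page; the field-name shape and the value quoting are assumptions, since the page states no escaping rules, and for that reason the builder refuses a value it cannot quote safely rather than guessing how GRA would parse it.

```python
"""Allowlisted query builder for List Accounts Using Query and List Users Using Query.

Added example, not connector or Gurucul code. The operator list is the one
in the action tables; the field-name pattern and value quoting are
assumptions, so unsafe values are rejected instead of escaped.
"""
import re

# operators listed for both query actions; matched case-insensitively
OPERATORS = {"=", "<", ">", "!=", "<=", ">=", "in", "not", "like", "not like"}
WORD_OPERATORS = {"in", "not", "like", "not like"}
FIELD_RE = re.compile(r"^(account|user)\.[A-Za-z_][A-Za-z0-9_]*$")   # assumed shape
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9 ._@\-]*$")                   # assumed; fail closed


def _quote(value):
    """Numbers pass through; strings are double-quoted only if they contain
    nothing that could close the quote or be read as an operator."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    if not SAFE_VALUE_RE.match(text):
        raise ValueError(f"value has characters outside the allowed set: {text!r}")
    return f'"{text}"'


def condition(field, operator, value):
    """One comparison, e.g. condition("account.accountname", "=", "bob.lawson")."""
    if not FIELD_RE.match(field):
        raise ValueError(f"unexpected field name: {field!r}")
    op = " ".join(operator.lower().split())
    if op not in OPERATORS:
        raise ValueError(f"operator not allowed: {operator!r}")
    if op == "in":
        if not isinstance(value, (list, tuple)) or not value:
            raise ValueError("'in' needs a non-empty list of values")
        return f"{field} in ({', '.join(_quote(v) for v in value)})"
    if op in WORD_OPERATORS:
        return f"{field} {op} {_quote(value)}"
    return f"{field}{op}{_quote(value)}"


def combine(conditions, joiner="AND"):
    """Join conditions with the page's 'AND' / 'OR'; anything else is rejected."""
    joiner = joiner.strip().upper()
    if joiner not in {"AND", "OR"}:
        raise ValueError("joiner must be AND or OR")
    if not conditions:
        raise ValueError("at least one condition is required")
    return f" {joiner} ".join(conditions)
```

The allowed-character set is deliberately narrow; widen it only after confirming from the GRA API reference how a quote inside a value is escaped, otherwise a rejected value is the safe outcome.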
Action: Update Case Anomaly Status
This action updates the case anomaly status of the specified case.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action | Enter the action to update the status. | Text | Required | Allowed values: closeCaseAnomaly, riskAcceptCaseAnomaly, modelReviewCaseAnomaly, reopenCaseAnomaly, addCommentOnCaseAnomaly, assignAnomaly |
Case ID | Enter the case ID to update the status. Example: 638 | Integer | Required | You can retrieve the case ID using the action List Cases. |
Anomaly Names | Enter one or more anomaly names, separated by commas. Example: panthreat user aaf automation, varonis - high volume file uploads - auto | Text | Required | You can retrieve the anomaly names using the action List Anomalies. |
Case Comment | Enter a comment for the case. | Text | Required | |
Assignee Name | Enter the name of the assignee. This parameter applies only when the action parameter is assignAnomaly. | Text | Optional | |
Risk Accept Date | Enter the acceptance date in yyyy-mm-dd format. This parameter applies only when closing a case anomaly as Risk Managed. Example: 2021-03-10 | Text | Optional | |
Assignee Type | Enter the type of the assignee. This parameter applies only when the action parameter is assignAnomaly. | Text | Optional | Allowed values: role, user |
Sub Option | Enter the sub-option. This parameter applies only when closing/risk managing and model reviewing a case anomaly. | Text | Optional | |
Example Request
[ { "action": "addCommentOnCaseAnomaly", "case_id": "187", "case_comment": "This is a sample comment", "anomaly_names": "Use of Remote Desktop Tools - Sysmon Event ID 3 - RDP Event" } ]
Action: Update Case Status
This action updates the status of the specified case.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action | Enter the action to update the status. | Text | Required | Allowed values: closeCase, modelReviewCase, riskManageCase, addCommentOnCase, assignCase, changeOwnerCase, inProgressCase, onHoldCase, reopenCase, resumeCase, stopProgressCase |
Case ID | Enter the case ID to update the status. Example: 638 | Integer | Required | You can retrieve the case ID using the action List Cases. |
Case Comment | Enter a comment for the case. | Text | Required | |
Assignee Name | Enter the name of the assignee. This parameter applies only when the action parameter is assignCase. | Text | Optional | |
Risk Accept Date | Enter the acceptance date in yyyy-mm-dd format. This parameter applies only when closing a case as Risk Managed. Example: 2021-03-10 | Text | Optional | |
Assignee Type | Enter the type of the assignee. This parameter applies only when the action parameter is assignCase. | Text | Optional | Allowed values: role, user |
Owner Type | Enter the type of the owner. This parameter applies only when the action parameter is changeOwnerCase. | Text | Optional | Allowed values: role, user |
Owner | Enter the name of the owner. This parameter applies only when the action parameter is changeOwnerCase. | Text | Optional | |
Sub Option | Enter the sub-option. This parameter applies only when closing/risk managing and model reviewing a case. | Text | Optional | |
Example Request
[ { "action": "addCommentOnCase", "case_id": "187", "case_comment": "This is a sample comment." } ]
Action: Generic Action
This is a generic action used to make requests to any Gurucul Risk Analytics endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to use for the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request. Example: /api/users | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_json, download, files, filename, retry_wait, retry_count, custom_output, response_type |
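The Generic Action accepts a Method, an Endpoint path, Query Params and a Payload and sends them to any GRA endpoint, so whatever a playbook puts in those fields is sent with the instance's access token. The following is an added example, not the connector's own code, of assembling such a request so that the endpoint can only select a path under the configured Base URL (an absolute URL, a `//host` prefix or a `..` segment is refused), the method is checked against the table's allowlist, and a copy with the token removed is available for playbook logs. The `/api/users` path is the page's own example; the bearer header is an assumption, since the page does not state how GRA expects the token, and the host name in the test is constructed.

```python
"""Assemble a Generic Action request: method, endpoint path, query params, payload.

Added example, not code from the Cyware Orchestrate app or from Gurucul.
Assumes bearer-token auth (not stated on the page) and the method
allowlist from the Generic Action table.
"""
import json
from urllib.parse import quote, urlencode, urlsplit

ALLOWED_METHODS = {"GET", "PUT", "POST", "DELETE"}


def normalise_endpoint(endpoint):
    """Accept '/api/users'-style paths only; refuse anything that could send the
    request to another host or climb out of the API prefix."""
    parts = urlsplit(endpoint)
    if parts.scheme or parts.netloc:
        raise ValueError("endpoint must be a path, not an absolute URL")
    if not parts.path.startswith("/") or endpoint.startswith("//"):
        raise ValueError("endpoint must start with a single '/'")
    if any(seg in (".", "..") for seg in parts.path.split("/")):
        raise ValueError("endpoint must not contain '.' or '..' segments")
    if parts.query or parts.fragment:
        raise ValueError("pass query parameters via query_params, not in the endpoint")
    return quote(parts.path, safe="/")


def build_request(base_url, token, method, endpoint, query_params=None, payload=None):
    """Return the pieces of the outbound request as a dict (url, method, headers, body)."""
    method = method.strip().upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method not allowed: {method}")
    if method == "GET" and payload is not None:
        raise ValueError("GET requests carry no body")
    url = base_url.rstrip("/") + normalise_endpoint(endpoint)
    if query_params:
        url += "?" + urlencode(sorted(query_params.items()))   # urlencode escapes values
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}   # assumed
    body = None
    if payload is not None:
        body = json.dumps(payload, separators=(",", ":")).encode()
        headers["Content-Type"] = "application/json"
    return {"method": method, "url": url, "headers": headers, "body": body}


def redact(req):
    """Copy of the request that is safe to write to playbook logs (token removed)."""
    safe = dict(req, headers=dict(req["headers"]))
    if "Authorization" in safe["headers"]:
        safe["headers"]["Authorization"] = "<redacted>"
    return safe
```

Because `redact` copies the headers before overwriting, the original request object still carries the token for sending; only the logged copy loses it.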