forked from demisto/content
Securonix.yml
1539 lines (1522 loc) · 58.8 KB
category: Analytics & SIEM
commonfields:
id: Securonix
version: -1
configuration:
- display: Host (Overrides the default hostname, https://{tenant}.net/Snypr)
name: host
type: 0
required: false
- display: Tenant
name: tenant
required: true
type: 0
- display: Username
name: username
required: true
type: 0
- display: Password
name: password
required: true
type: 4
- additionalinfo: The type of Securonix entity to fetch. Supported entities are "Incident" and "Threat".
defaultvalue: Incident
display: Type of entity to fetch
name: entity_type_to_fetch
options:
- Incident
- Threat
type: 15
required: false
- additionalinfo: Name of the tenant to fetch threats from. This parameter is optional for non-MSSP users.
display: Tenant Name
name: tenant_name
type: 0
required: false
- display: Fetch incidents
name: isFetch
type: 8
required: false
- additionalinfo: |-
Selecting "all" will fetch incidents updated in the given time range.
Selecting "opened" will fetch incidents opened in the given time range.
Selecting "closed" will fetch incidents closed in the given time range.
defaultvalue: opened
display: Incidents to fetch
name: incident_status
options:
- All
- opened
- closed
type: 15
required: false
- display: Set default incident severity
name: default_severity
options:
- Low
- Medium
- High
type: 15
required: false
- display: Incident type
name: incidentType
type: 13
required: false
- additionalinfo: |-
The date or relative timestamp from where to start fetching incidents.
Supported formats: <number> <time unit>, e.g., 1 hour, 30 minutes, 7 days, 3 months, 1 year.
defaultvalue: 1 hour
display: First fetch time range
name: fetch_time
type: 0
required: false
- defaultvalue: '200'
additionalinfo: The maximum is 200. Any value greater than 200 is treated as 200.
display: The maximum number of incidents to fetch each time.
name: max_fetch
type: 0
required: false
- additionalinfo: The mirroring direction in which to mirror the incidents. You can mirror "Incoming" (from Securonix to XSOAR), "Outgoing" (from XSOAR to Securonix), or in both directions.
defaultvalue: None
display: Incident Mirroring Direction
name: mirror_direction
options:
- None
- Incoming
- Outgoing
- Incoming And Outgoing
type: 15
required: false
- additionalinfo: |-
If enabled, the integration will close the respective Securonix
incident after fetching it in XSOAR. The following fields are required for
this functionality:
1. Securonix action name to map with XSOAR's active state for Outgoing mirroring
2. Securonix status to map with XSOAR's active state for Outgoing mirroring
3. Securonix action name to map with XSOAR's closed state for Outgoing mirroring
4. Securonix status to map with XSOAR's closed state for Outgoing mirroring
display: Close respective Securonix incident after fetching
name: close_incident
type: 8
required: false
- additionalinfo: If the Securonix incident is in any one of the states listed here, the incident will be closed in XSOAR. Supports comma-separated values.
display: Securonix workflow state(s) that can be considered as Close state in XSOAR for Incoming mirroring
name: close_states_of_securonix
type: 0
required: false
- additionalinfo: Provide an action name to map with XSOAR's active state. E.g. IN PROGRESS
display: Securonix action name to map with XSOAR's active state for Outgoing mirroring
name: active_state_action_mapping
type: 0
required: false
- additionalinfo: Provide a workflow status to map with XSOAR's active state. E.g. In Progress
display: Securonix status to map with XSOAR's active state for Outgoing mirroring
name: active_state_status_mapping
type: 0
required: false
- additionalinfo: Provide an action name to map with XSOAR's Closed state. E.g. CLOSED
display: Securonix action name to map with XSOAR's closed state for Outgoing mirroring
name: closed_state_action_mapping
type: 0
required: false
- additionalinfo: Provide a workflow status to map with XSOAR's closed state. E.g. Completed
display: Securonix status to map with XSOAR's closed state for Outgoing mirroring
name: closed_state_status_mapping
type: 0
required: false
- additionalinfo: Choose the tag to add to an entry to mirror it as a comment in Securonix.
defaultvalue: comment
display: Comment Entry Tag
name: comment_tag
type: 0
required: false
- additionalinfo: Number of retries to be performed. (Recommended: 3)
defaultvalue: '3'
display: Securonix Retry Count
name: securonix_retry_count
options:
- '0'
- '1'
- '2'
- '3'
- '4'
- '5'
type: 15
required: false
- additionalinfo: The delay between two retries, in seconds. Range: 30 to 300 seconds (5 minutes). Anything less than 30 seconds is treated as 30 seconds, and anything more than 300 seconds is treated as 300 seconds. (Recommended: 30 seconds)
defaultvalue: '30'
display: Securonix Retry Delay
name: securonix_retry_delay
type: 0
required: false
- additionalinfo: Delay type of the retry mechanism. (Recommended: Exponential)
defaultvalue: Exponential
display: Securonix Retry Delay Type
name: securonix_retry_delay_type
options:
- Exponential
- Fixed
type: 15
required: false
- display: Trust any certificate (not secure)
name: unsecure
type: 8
required: false
- display: Use system proxy settings
name: proxy
type: 8
required: false
description: Use the Securonix integration to manage incidents, threats, lookup tables, whitelists and watchlists.
display: Securonix
name: Securonix
script:
commands:
- description: Gets a list of all available workflows.
name: securonix-list-workflows
outputs:
- contextPath: Securonix.Workflows.Workflow
description: Workflow name.
type: String
- contextPath: Securonix.Workflows.Type
description: Workflow type.
type: String
- contextPath: Securonix.Workflows.Value
description: Workflow value.
type: String
- arguments:
- description: Workflow name.
name: workflow
required: true
description: Gets the default assignee for the specified workflow.
name: securonix-get-default-assignee-for-workflow
outputs:
- contextPath: Securonix.Workflows.Workflow
description: Workflow name.
type: String
- contextPath: Securonix.Workflows.Type
description: Workflow type.
type: String
- contextPath: Securonix.Workflows.Value
description: Workflow value.
type: String
- description: Gets a list of available threat actions.
name: securonix-list-possible-threat-actions
outputs:
- contextPath: Securonix.ThreatActions
description: A list of threat actions.
type: String
- description: Gets a list of all policies.
name: securonix-list-policies
outputs:
- contextPath: Securonix.Policies.CreatedBy
description: Creator of the policy.
type: String
- contextPath: Securonix.Policies.CreatedOn
description: Policy created date.
type: Date
- contextPath: Securonix.Policies.Criticality
description: Policy criticality.
type: String
- contextPath: Securonix.Policies.Description
description: Policy description.
type: String
- contextPath: Securonix.Policies.Hql
description: Policy Hibernate Query Language.
type: String
- contextPath: Securonix.Policies.ID
description: Policy ID.
type: String
- contextPath: Securonix.Policies.Name
description: Policy name.
type: String
- description: Gets a list of resource groups.
name: securonix-list-resource-groups
outputs:
- contextPath: Securonix.ResourceGroups.Name
description: Resource group name.
type: String
- contextPath: Securonix.ResourceGroups.Type
description: Resource group type.
type: String
- description: Gets a list of users.
name: securonix-list-users
outputs:
- contextPath: Securonix.Users.LastName
description: User last name.
type: String
- contextPath: Securonix.Users.SkipEncryption
description: Whether user encryption was skipped.
type: String
- contextPath: Securonix.Users.Riskscore
description: User risk score.
type: String
- contextPath: Securonix.Users.EmployeeID
description: User Employee ID.
type: String
- contextPath: Securonix.Users.Masked
description: Whether the user is masked.
type: String
- contextPath: Securonix.Users.Division
description: User division.
type: String
- contextPath: Securonix.Users.Criticality
description: User criticality.
type: String
- contextPath: Securonix.Users.Status
description: User status.
type: String
- contextPath: Securonix.Users.Department
description: User department.
type: String
- contextPath: Securonix.Users.Title
description: User title.
type: String
- contextPath: Securonix.Users.FirstName
description: User first name.
type: String
- contextPath: Securonix.Users.Email
description: User email address.
type: String
- arguments:
- description: Start date/time for which to retrieve activity data (in the format MM/dd/yyyy HH:mm:ss).
name: from
required: true
- description: End date/time for which to retrieve activity data (in the format MM/dd/yyyy HH:mm:ss).
name: to
required: true
- description: Free-text query. For example, query="resourcegroupname=WindowsSnare and policyname=Possible Privilege Escalation - Self Escalation".
name: query
description: Gets a list of activity data for the specified resource group.
name: securonix-list-activity-data
outputs:
- contextPath: Securonix.ActivityData.Accountname
description: Account name.
type: String
- contextPath: Securonix.ActivityData.Agentfilename
description: Agent file name.
type: String
- contextPath: Securonix.ActivityData.Categorybehavior
description: Category behavior.
type: String
- contextPath: Securonix.ActivityData.Categoryobject
description: Category object.
type: String
- contextPath: Securonix.ActivityData.Categoryseverity
description: Category severity.
type: String
- contextPath: Securonix.ActivityData.Collectionmethod
description: Collection method.
type: String
- contextPath: Securonix.ActivityData.Collectiontimestamp
description: Collection timestamp.
type: String
- contextPath: Securonix.ActivityData.Destinationprocessname
description: Destination process name.
type: String
- contextPath: Securonix.ActivityData.Destinationusername
description: Destination username.
type: String
- contextPath: Securonix.ActivityData.Deviceaddress
description: Device address.
type: String
- contextPath: Securonix.ActivityData.Deviceexternalid
description: Device external ID.
type: String
- contextPath: Securonix.ActivityData.Devicehostname
description: Device hostname.
type: String
- contextPath: Securonix.ActivityData.EventID
description: Event ID.
type: String
- contextPath: Securonix.ActivityData.Eventoutcome
description: Event outcome.
type: String
- contextPath: Securonix.ActivityData.Eventtime
description: Time the event occurred.
type: String
- contextPath: Securonix.ActivityData.Filepath
description: File path.
type: String
- contextPath: Securonix.ActivityData.Ingestionnodeid
description: Ingestion node ID.
type: String
- contextPath: Securonix.ActivityData.JobID
description: Job ID.
type: String
- contextPath: Securonix.ActivityData.Jobstarttime
description: Job start time.
type: String
- contextPath: Securonix.ActivityData.Message
description: Message.
type: String
- contextPath: Securonix.ActivityData.Publishedtime
description: Published time.
type: String
- contextPath: Securonix.ActivityData.Receivedtime
description: Received time.
type: String
- contextPath: Securonix.ActivityData.Resourcename
description: Resource name.
type: String
- contextPath: Securonix.ActivityData.ResourceGroupCategory
description: Resource group category.
type: String
- contextPath: Securonix.ActivityData.ResourceGroupFunctionality
description: Resource group functionality.
type: String
- contextPath: Securonix.ActivityData.ResourceGroupID
description: Resource group ID.
type: String
- contextPath: Securonix.ActivityData.ResourceGroupName
description: Resource group name.
type: String
- contextPath: Securonix.ActivityData.ResourceGroupTypeID
description: Resource group resource type ID.
type: String
- contextPath: Securonix.ActivityData.ResourceGroupVendor
description: Resource group vendor.
type: String
- contextPath: Securonix.ActivityData.Sourcehostname
description: Source hostname.
type: String
- contextPath: Securonix.ActivityData.Sourceusername
description: Source username.
type: String
- contextPath: Securonix.ActivityData.TenantID
description: Tenant ID.
type: String
- contextPath: Securonix.ActivityData.Tenantname
description: Tenant name.
type: String
- contextPath: Securonix.ActivityData.Timeline
description: Time when the activity occurred, in Epoch time.
type: String
- arguments:
- description: Start date/time for which to retrieve activity data (in the format MM/dd/yyyy HH:mm:ss).
name: from
required: true
- description: End date/time for which to retrieve activity data (in the format MM/dd/yyyy HH:mm:ss).
name: to
required: true
- description: Free-text query. For example, query="resourcegroupname=WindowsSnare and policyname=Possible Privilege Escalation - Self Escalation".
name: query
- description: Paginate next set of results.
name: query_id
description: Gets a list of activity data for an account name.
name: securonix-list-violation-data
polling: true
outputs:
- contextPath: Securonix.ViolationData.Accountname
description: Account name.
type: String
- contextPath: Securonix.ViolationData.Agentfilename
description: Agent file name.
type: String
- contextPath: Securonix.ViolationData.Baseeventid
description: Base event ID.
type: String
- contextPath: Securonix.ViolationData.Categorybehavior
description: Category behavior.
type: String
- contextPath: Securonix.ViolationData.Category
description: Violation category.
type: String
- contextPath: Securonix.ViolationData.Categoryobject
description: Category object.
type: String
- contextPath: Securonix.ViolationData.Categoryseverity
description: Category severity.
type: String
- contextPath: Securonix.ViolationData.Destinationaddress
description: Destination address.
type: String
- contextPath: Securonix.ViolationData.Destinationntdomain
description: Destination NT domain.
type: String
- contextPath: Securonix.ViolationData.Destinationuserid
description: Destination user ID.
type: String
- contextPath: Securonix.ViolationData.Gestinationusername
description: Destination username.
type: String
- contextPath: Securonix.ViolationData.Deviceaddress
description: Device address.
type: String
- contextPath: Securonix.ViolationData.Deviceeventcategory
description: Device event category.
type: String
- contextPath: Securonix.ViolationData.Deviceexternalid
description: Device external ID.
type: String
- contextPath: Securonix.ViolationData.Devicehostname
description: Device hostname.
type: String
- contextPath: Securonix.ViolationData.EventID
description: Event ID.
type: String
- contextPath: Securonix.ViolationData.Eventoutcome
description: Event outcome.
type: String
- contextPath: Securonix.ViolationData.Eventtime
description: Time the event occurred.
type: String
- contextPath: Securonix.ViolationData.Generationtime
description: Time that the violation was generated in Securonix.
type: String
- contextPath: Securonix.ViolationData.Invalid
description: Whether the violation is valid.
type: String
- contextPath: Securonix.ViolationData.JobID
description: Job ID.
type: String
- contextPath: Securonix.ViolationData.Jobstarttime
description: Job start time.
type: String
- contextPath: Securonix.ViolationData.Policyname
description: Policy name.
type: String
- contextPath: Securonix.ViolationData.Resourcename
description: Resource name.
type: String
- contextPath: Securonix.ViolationData.ResourceGroupID
description: Resource group ID.
type: String
- contextPath: Securonix.ViolationData.ResourceGroupName
description: Resource group name.
type: String
- contextPath: Securonix.ViolationData.Riskscore
description: Risk score.
type: String
- contextPath: Securonix.ViolationData.Riskthreatname
description: Risk threat name.
type: String
- contextPath: Securonix.ViolationData.Sessionid
description: Session ID.
type: String
- contextPath: Securonix.ViolationData.Sourcehostname
description: Source hostname.
type: String
- contextPath: Securonix.ViolationData.Sourcentdomain
description: Source NT domain.
type: String
- contextPath: Securonix.ViolationData.Sourceuserid
description: Source user ID.
type: String
- contextPath: Securonix.ViolationData.Sourceusername
description: Source username.
type: String
- contextPath: Securonix.ViolationData.Sourceuserprivileges
description: Source user privileges.
type: String
- contextPath: Securonix.ViolationData.TenantID
description: Tenant ID.
type: String
- contextPath: Securonix.ViolationData.Tenantname
description: Tenant name.
type: String
- contextPath: Securonix.ViolationData.Timeline
description: Time when the activity occurred, in Epoch time.
type: String
- contextPath: Securonix.ViolationData.Createdate
description: Create date.
type: String
- contextPath: Securonix.ViolationData.Criticality
description: Violation criticality.
type: String
- contextPath: Securonix.ViolationData.DataSourceID
description: Data source ID.
type: String
- contextPath: Securonix.ViolationData.Department
description: Department affected by the violation.
type: String
- contextPath: Securonix.ViolationData.EmployeeID
description: Employee ID.
type: String
- contextPath: Securonix.ViolationData.Encrypted
description: Whether the violation is encrypted.
type: String
- contextPath: Securonix.ViolationData.Firstname
description: First name of the user that violated the policy.
type: String
- contextPath: Securonix.ViolationData.Fullname
description: Full name of the user that violated the policy.
type: String
- contextPath: Securonix.ViolationData.ID
description: ID of the user that violated the policy.
type: String
- contextPath: Securonix.ViolationData.LanID
description: LAN ID associated with the policy violation.
type: String
- contextPath: Securonix.ViolationData.Lastname
description: Last name of the user that violated the policy.
type: String
- contextPath: Securonix.ViolationData.Lastsynctime
description: Last sync time, in Epoch time.
type: String
- contextPath: Securonix.ViolationData.Masked
description: Whether the violation is masked.
type: String
- contextPath: Securonix.ViolationData.Mergeuniquecode
description: Merge unique code.
type: String
- contextPath: Securonix.ViolationData.Riskscore
description: Risk score.
type: String
- contextPath: Securonix.ViolationData.Skipencryption
description: Whether encryption was skipped.
type: String
- contextPath: Securonix.ViolationData.Status
description: Status of the policy violation.
type: String
- contextPath: Securonix.ViolationData.Timezoneoffset
description: Timezone offset.
type: String
- contextPath: Securonix.ViolationData.Title
description: Title.
type: String
- contextPath: Securonix.ViolationData.Uniquecode
description: Unique code.
type: String
- contextPath: Securonix.ViolationData.UserID
description: ID of the user that violated the policy.
type: String
- contextPath: Securonix.ViolationData.Workemail
description: Work email address of the user that violated the policy.
type: String
- contextPath: Securonix.ViolationData.Violator
description: Violator.
type: String
- contextPath: Securonix.Violation.totalDocuments
description: Total number of events.
type: Number
- contextPath: Securonix.Violation.message
description: Message from the API.
type: String
- contextPath: Securonix.Violation.queryId
description: Query ID used for pagination.
type: String
- arguments:
- description: 'Start time range for which to return incidents (<number> <time unit>, e.g., 1 hour, 30 minutes).'
name: from
required: true
- description: End date/time for which to retrieve incidents (in the format MM/dd/yyyy HH:mm:ss). Default is the current time.
name: to
- description: The incident type. Can be "updated", "opened", or "closed". Supports multiple selections.
name: incident_types
- defaultValue: '50'
description: Maximum number of incidents to retrieve.
name: max
description: Gets a list of incidents.
name: securonix-list-incidents
outputs:
- contextPath: Securonix.Incidents.ViolatorID
description: Incident Violator ID.
type: String
- contextPath: Securonix.Incidents.Entity
description: Incident entity.
type: String
- contextPath: Securonix.Incidents.Riskscore
description: Incident risk score.
type: Number
- contextPath: Securonix.Incidents.Priority
description: Incident priority.
type: String
- contextPath: Securonix.Incidents.Reason
description: Reason for the incident. Usually includes policy name and/or possible threat name.
type: String
- contextPath: Securonix.Incidents.IncidentStatus
description: Incident status.
type: String
- contextPath: Securonix.Incidents.WorkflowName
description: Incident workflow name.
type: String
- contextPath: Securonix.Incidents.Watchlisted
description: Whether the incident is in a watchlist.
type: Boolean
- contextPath: Securonix.Incidents.IncidentType
description: Incident type.
type: String
- contextPath: Securonix.Incidents.IncidentID
description: Incident ID.
type: String
- contextPath: Securonix.Incidents.LastUpdateDate
description: Last update date of the incident in Epoch time.
type: Number
- contextPath: Securonix.Incidents.Url
description: URL that links to the incident on Securonix.
type: String
- contextPath: Securonix.Incidents.ViolatorText
description: Incident violator text.
type: String
- contextPath: Securonix.Incidents.AssignedUser
description: User assigned to the incident.
type: String
- contextPath: Securonix.Incidents.IsWhitelisted
description: Whether the incident has been added to the allow list.
type: Boolean
- arguments:
- description: Incident ID.
name: incident_id
required: true
description: Gets details of the specified incident.
name: securonix-get-incident
outputs:
- contextPath: Securonix.Incidents.ViolatorID
description: Incident violator ID.
type: String
- contextPath: Securonix.Incidents.Entity
description: Incident entity.
type: String
- contextPath: Securonix.Incidents.Riskscore
description: Incident risk score.
type: Number
- contextPath: Securonix.Incidents.Priority
description: Incident priority.
type: String
- contextPath: Securonix.Incidents.Reason
description: Reason for the incident. Usually includes policy name and/or possible threat name.
type: String
- contextPath: Securonix.Incidents.IncidentStatus
description: Incident status.
type: String
- contextPath: Securonix.Incidents.WorkflowName
description: Incident workflow name.
type: String
- contextPath: Securonix.Incidents.Watchlisted
description: Whether the incident is in a watchlist.
type: Boolean
- contextPath: Securonix.Incidents.IncidentType
description: Incident type.
type: String
- contextPath: Securonix.Incidents.IncidentID
description: Incident ID.
type: String
- contextPath: Securonix.Incidents.LastUpdateDate
description: The time when the incident was last updated, in Epoch time.
type: Number
- contextPath: Securonix.Incidents.Url
description: URL that links to the incident on Securonix.
type: String
- contextPath: Securonix.Incidents.ViolatorText
description: Incident violator text.
type: String
- contextPath: Securonix.Incidents.AssignedUser
description: User assigned to the incident.
type: String
- contextPath: Securonix.Incidents.IsWhitelisted
description: Whether the incident has been added to the allow list.
type: Boolean
- arguments:
- description: Incident ID.
name: incident_id
required: true
description: Gets the status of the specified incident.
name: securonix-get-incident-status
outputs:
- contextPath: Securonix.Incidents.IncidentStatus
description: Incident status.
type: String
- contextPath: Securonix.Incidents.IncidentID
description: Incident ID.
type: String
- arguments:
- description: Incident ID.
name: incident_id
required: true
description: Gets the workflow of the specified incident.
name: securonix-get-incident-workflow
outputs:
- contextPath: Securonix.Incidents.Workflow
description: Incident workflow.
type: String
- contextPath: Securonix.Incidents.IncidentID
description: Incident ID.
type: String
- arguments:
- description: Incident ID.
name: incident_id
required: true
description: Gets a list of available actions for the specified incident.
name: securonix-get-incident-available-actions
- arguments:
- description: Incident ID.
name: incident_id
required: true
- auto: PREDEFINED
description: 'Action to perform on the incident. To list the actions available for an incident, run securonix-get-incident-available-actions. For example: "CLAIM", "ASSIGN TO SECOPS", "ASSIGN TO ANALYST", "RELEASE", or "COMMENT".'
name: action
predefined:
- ''
required: true
- description: 'The parameters, if needed, to perform the action. For example, for the ASSIGN TO ANALYST action: assigntouserid={user_id},assignedTo=USER.'
name: action_parameters
description: Performs an action on the specified incident.
name: securonix-perform-action-on-incident
- arguments:
- description: Incident ID.
name: incident_id
required: true
- description: Comment to add to the incident.
name: comment
required: true
description: Adds a comment to the specified incident.
execution: true
name: securonix-add-comment-to-incident
- description: Gets a list of watchlists.
name: securonix-list-watchlists
outputs:
- contextPath: Securonix.WatchlistsNames
description: Watchlist names.
type: String
- arguments:
- description: Watchlist name.
name: watchlist_name
required: true
description: Gets information for the specified watchlist.
name: securonix-get-watchlist
outputs:
- contextPath: Securonix.Watchlists.TenantID
description: Watchlist tenant ID.
type: String
- contextPath: Securonix.Watchlists.Tenantname
description: Watchlist tenant name.
type: String
- contextPath: Securonix.Watchlists.Type
description: Watchlist type.
type: String
- contextPath: Securonix.Watchlists.Watchlistname
description: Watchlist name.
type: String
- contextPath: Securonix.Watchlists.Events.ExpiryDate
description: Expiration date of the entity in the watchlist, in Epoch time.
type: String
- contextPath: Securonix.Watchlists.Events.Workemail
description: Work email address of the entity in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.Fullname
description: Full name of the entity in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.Reason
description: Reason that the entity is in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.LanID
description: LAN ID of the entity in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.Lastname
description: Last name of the entity in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.EntityName
description: Entity name of the entity in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.Title
description: Title of the entity in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.Firstname
description: First name of the entity in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.EmployeeID
description: Employee ID of the entity in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.Masked
description: Whether the entity in the watchlist is masked.
type: String
- contextPath: Securonix.Watchlists.Events.Division
description: Division of the entity in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.Departmant
description: Department of the entity in the watchlist.
type: String
- contextPath: Securonix.Watchlists.Events.Status
description: Status of the entity in the watchlist.
type: String
- arguments:
- description: The name of the watchlist.
name: watchlist_name
required: true
- description: |-
Name of the tenant the watchlist belongs to.
The tenant name parameter is required for MSSP users.
name: tenant_name
description: Creates a watchlist in Securonix.
name: securonix-create-watchlist
outputs:
- contextPath: Securonix.Watchlists.Watchlistname
description: Name of the watchlist.
type: String
- contextPath: Securonix.Watchlists.TenantName
description: Tenant name.
type: String
  - arguments:
    - description: 'The name of the entity to check. For example: 1002.'
      name: entity_name
      required: true
    - description: The name of the watchlist in which to check the entity.
      name: watchlist_name
      required: true
    description: Checks if the specified entity is in a watchlist.
    name: securonix-check-entity-in-watchlist
    outputs:
    - contextPath: Securonix.EntityInWatchlist.Watchlistnames
      description: The names of the watchlists in which the entity appears.
      type: String
    - contextPath: Securonix.EntityInWatchlist.EntityID
      description: The entity ID.
      type: String
  - arguments:
    - description: The name of the watchlist to which to add the entity.
      name: watchlist_name
      required: true
    - auto: PREDEFINED
      description: The entity type. Can be "Users", "Activityaccount", "RGActivityaccount", "Resources", or "Activityip".
      name: entity_type
      predefined:
      - Users
      - Activityaccount
      - RGActivityaccount
      - Resources
      - Activityip
      required: true
    - description: 'The name of the entity to add to the watchlist. For example: 1022.'
      name: entity_name
      required: true
    - defaultValue: '30'
      description: The number of days after which the entity will be removed from the watchlist. The default value is "30".
      name: expiry_days
    description: Adds an entity to a watchlist.
    name: securonix-add-entity-to-watchlist
  - arguments:
    - description: 'The violation name or policy name. For example: "Uploads to personal Websites".'
      name: violation_name
      required: true
    - description: 'The resource group name. For example: "BLUECOAT", "Palo Alto Firewall".'
      name: resource_group
      required: true
    - auto: PREDEFINED
      description: The entity type. Can be "Users", "Activityaccount", "RGActivityaccount", "Resources", or "Activityip".
      name: entity_type
      predefined:
      - Users
      - Activityaccount
      - RGActivityaccount
      - Resources
      - Activityip
      required: true
    - description: The entity name associated with the violation. Can be "LanID" or "Workemail". For more information, see the Securonix documentation.
      name: entity_name
      required: true
    - auto: PREDEFINED
      description: The action name. Can be "Mark as concern and create incident", "Non-Concern", or "Mark in progress (still investigating)".
      name: action_name
      predefined:
      - Mark as concern and create incident
      - Non-Concern
      - Mark in progress (still investigating)
      required: true
    - description: 'The resource name. For example: "BLUECOAT", "Palo Alto Firewall".'
      name: resource_name
      required: true
    - auto: PREDEFINED
      description: The incident severity (criticality) for the new incident. Can be "Low", "High", or "Critical".
      name: criticality
      predefined:
      - Low
      - High
      - Critical
    - description: A comment for the new incident.
      name: comment
    - auto: PREDEFINED
      description: The workflow name. This argument is optional, but required when the action_name argument is set to "Mark as concern and create incident". Can be "SOCTeamReview", "ActivityOutlierWorkflow", or "AccessCertificationWorkflow".
      name: workflow
      predefined:
      - SOCTeamReview
      - ActivityOutlierWorkflow
      - AccessCertificationWorkflow
    description: Creates an incident. For more information about the required arguments, see the Securonix documentation.
    name: securonix-create-incident
    outputs:
    - contextPath: Securonix.Incidents.ViolatorID
      description: The ID of the incident violator.
      type: String
    - contextPath: Securonix.Incidents.Entity
      description: The incident entity.
      type: String
    - contextPath: Securonix.Incidents.Riskscore
      description: The incident risk score.
      type: Number
    - contextPath: Securonix.Incidents.Priority
      description: The incident priority.
      type: String
    - contextPath: Securonix.Incidents.Reason
      description: The reason that the incident was created. Usually includes the policy name and/or possible threat name.
      type: String
    - contextPath: Securonix.Incidents.IncidentStatus
      description: The incident status.
      type: String
    - contextPath: Securonix.Incidents.WorkflowName
      description: The incident workflow name.
      type: String
    - contextPath: Securonix.Incidents.Watchlisted
      description: Whether the incident is in a watchlist.
      type: Boolean
    - contextPath: Securonix.Incidents.IncidentType
      description: The incident type.
      type: String
    - contextPath: Securonix.Incidents.IncidentID
      description: The incident ID.
      type: String
    - contextPath: Securonix.Incidents.LastUpdateDate
      description: The time when the incident was last updated, in Epoch time.
      type: Number
    - contextPath: Securonix.Incidents.Url
      description: The URL that links to the incident on Securonix.
      type: String
    - contextPath: Securonix.Incidents.ViolatorText
      description: Text of the incident violator.
      type: String
    - contextPath: Securonix.Incidents.AssignedUser
      description: The user assigned to the incident.
      type: String
    - contextPath: Securonix.Incidents.IsWhitelisted
      description: Whether the incident has been added to the allow list.
      type: Boolean
  - arguments:
    - description: |-
        Start of the time range for which to return threats. Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ.
        For example: 01 Jan 2023, 01 Feb 2023 04:45:33, 2023-01-26T14:05:44Z.
      name: date_from
      required: true
    - description: |-
        End of the time range for which to return threats. Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ.
        For example: 01 Jan 2023, 01 Feb 2023 04:45:33, 2023-01-26T14:05:44Z. The default is the current time.
      name: date_to
    - defaultValue: '10'
      description: The number of results to retrieve.
      name: page_size
    - description: Name of the tenant to fetch threats from. This parameter is optional for non-MSSP users.
      name: tenant_name
    - defaultValue: '0'