Securonix

Overview

Use the Securonix integration to manage incidents and watchlists. This integration was built and tested with SNYPR versions 6.2, 6.3, and 6.3.1.

This integration supports both cloud and on-prem instances of Securonix. To configure a cloud-based instance, use the tenant parameter only. To configure an on-prem instance, use both the host and tenant parameters. For more information, visit: securonix/etnants/<tenantname>/securonix_home/responses/demisto

Configure Securonix on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Securonix.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| host | Host (Overrides the default hostname: https://{tenant}.net/Snypr) | False |
| tenant | Tenant | True |
| username | Username | True |
| password | Password | True |
| isFetch | Fetch incidents | False |
| incident_status | Incidents to fetch | False |
| incidentType | Incident type | False |
| fetch_time | First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes) | False |
| max_fetch | The maximum number of incidents to fetch each time. Maximum is 50. | False |
| unsecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.
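As an added example (not the integration's own code), the parameter handling described above in Python: building the base URL for a cloud or on-prem instance from the tenant and host parameters, turning a "<number> <time unit>" value such as fetch_time into the MM/dd/yyyy HH:mm:ss form that the from/to arguments of the commands below use, and enforcing the max_fetch limit of 50. Treating an empty max_fetch as the maximum is an assumption made here.

```python
"""Instance parameter handling in the shape the configuration table describes.
Added example; not the integration's own code."""
import re
from datetime import datetime, timedelta
from typing import Tuple
from urllib.parse import urlparse

# Default hostname quoted in the parameter table; a non-empty "host" overrides it.
DEFAULT_HOST_TEMPLATE = "https://{tenant}.net/Snypr"
MAX_FETCH_LIMIT = 50  # upper bound stated for max_fetch
# Accepted "<number> <time unit>" units, mapped to timedelta keyword names.
UNITS = {
    "minute": "minutes", "minutes": "minutes",
    "hour": "hours", "hours": "hours",
    "day": "days", "days": "days",
    "week": "weeks", "weeks": "weeks",
}


def build_base_url(tenant: str, host: str = "") -> str:
    """Cloud instance: tenant only. On-prem instance: host plus tenant.
    Only a single DNS label is accepted as tenant and only an absolute
    https:// URL as host, so a malformed value cannot send the API calls
    (and the credentials) to an unintended endpoint."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", tenant or ""):
        raise ValueError("tenant must be a single DNS label")
    base = host.strip() or DEFAULT_HOST_TEMPLATE.format(tenant=tenant)
    parsed = urlparse(base)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("host must be an absolute https:// URL")
    return base.rstrip("/")


def parse_time_range(text: str, now: datetime) -> datetime:
    """Turn '5 days' / '30 minutes' (fetch_time, list-incidents 'from')
    into an absolute start time relative to *now*."""
    m = re.fullmatch(r"\s*(\d+)\s+([A-Za-z]+)\s*", text or "")
    if not m or m.group(2).lower() not in UNITS:
        raise ValueError(f"bad time range: {text!r}")
    return now - timedelta(**{UNITS[m.group(2).lower()]: int(m.group(1))})


def to_securonix_time(dt: datetime) -> str:
    """Render the MM/dd/yyyy HH:mm:ss form the from/to arguments expect."""
    return dt.strftime("%m/%d/%Y %H:%M:%S")


def fetch_window(time_range: str, now_iso: str) -> Tuple[str, str]:
    """from/to pair for a command call, both in Securonix format, covering a
    window of *time_range* that ends at *now_iso* (an ISO-8601 timestamp)."""
    now = datetime.fromisoformat(now_iso)
    return to_securonix_time(parse_time_range(time_range, now)), to_securonix_time(now)


def clamp_max_fetch(value) -> int:
    """Keep max_fetch within 1..50. Assumption for this example: an empty
    parameter means the documented maximum."""
    n = MAX_FETCH_LIMIT if value in (None, "") else int(value)
    if n < 1:
        raise ValueError("max_fetch must be positive")
    return min(n, MAX_FETCH_LIMIT)
```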

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

securonix-list-workflows


Gets a list of all available workflows.

Base Command

securonix-list-workflows

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.Workflows.Workflow | String | Workflow name. |
| Securonix.Workflows.Type | String | Workflow type. |
| Securonix.Workflows.Value | String | Workflow value. |

Command Example

!securonix-list-workflows

Context Example
{
"Securonix": {
"Workflows": [
{
"Type": "USER",
"Value": "admin",
"Workflow": "SOCTeamReview"
},
{
"Type": "USER",
"Value": "admin",
"Workflow": "ActivityOutlierWorkflow"
},
{
"Type": "USER",
"Value": "admin",
"Workflow": "AccessCertificationWorkflow"
},
{
"Type": "USER",
"Value": "admin",
"Workflow": "test"
}
]
}
}
Human Readable Output

Available workflows:

| Workflow | Type | Value |
| --- | --- | --- |
| SOCTeamReview | USER | admin |
| ActivityOutlierWorkflow | USER | admin |
| AccessCertificationWorkflow | USER | admin |
| test | USER | admin |

securonix-get-default-assignee-for-workflow


Gets the default assignee for the specified workflow.

Base Command

securonix-get-default-assignee-for-workflow

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| workflow | Workflow name. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.Workflows.Workflow | String | Workflow name. |
| Securonix.Workflows.Type | String | Workflow type. |
| Securonix.Workflows.Value | String | Workflow value. |

Command Example

!securonix-get-default-assignee-for-workflow workflow=SOCTeamReview

Context Example
{
"Securonix": {
"Workflows": {
"Type": "USER",
"Value": "admin",
"Workflow": "SOCTeamReview"
}
}
}
Human Readable Output

Default assignee for the workflow SOCTeamReview is: admin.

securonix-list-possible-threat-actions


Gets a list of available threat actions.

Base Command

securonix-list-possible-threat-actions

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.ThreatActions | String | A list of threat actions. |

Command Example

!securonix-list-possible-threat-actions

Context Example
{
"Securonix": {
"ThreatActions": [
"Mark as concern and create incident",
"Non-Concern",
"Mark in progress (still investigating)"
]
}
}
Human Readable Output

Possible threat actions are: Mark as concern and create incident, Non-Concern, Mark in progress (still investigating).

securonix-list-policies


Gets a list of all policies.

Base Command

securonix-list-policies

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.Policies.CreatedBy | String | Creator of the policy. |
| Securonix.Policies.CreatedOn | Date | Policy created date. |
| Securonix.Policies.Criticality | String | Policy criticality. |
| Securonix.Policies.Description | String | Policy description. |
| Securonix.Policies.Hql | String | Policy Hibernate Query Language. |
| Securonix.Policies.ID | String | Policy ID. |
| Securonix.Policies.Name | String | Policy name. |

Command Example

!securonix-list-policies

Context Example
{
"Securonix": {
"Policies": [
{
"CreatedBy": "admin",
"CreatedOn": "2013-11-09T16:13:23Z",
"Criticality": "Low",
"Description": null,
"Hql": "FROM AccessAccount AS accessaccount, Resources AS resources, AccessAccountUser AS accessaccountuser WHERE ((accessaccount.resourceid = resources.id AND accessaccountuser.id.accountid = accessaccount.id )) AND ((accessaccountuser.id.userid = '-1'))",
"ID": "1",
"Name": "Accounts that dont have Users"
},
{
"CreatedBy": "admin",
"CreatedOn": "2013-11-09T16:31:09Z",
"Criticality": "Medium",
"Description": null,
"Hql": "FROM Users AS users, AccessAccountUser AS accessaccountuser, AccessAccount AS accessaccount, Resources AS resources WHERE ((users.id = accessaccountuser.id.userid AND accessaccountuser.id.accountid = accessaccount.id AND accessaccount.resourceid = resources.id )) AND ((users.status = '0'))",
"ID": "2",
"Name": "Accounts that belong to terminated user"
}
]
}
}
Human Readable Output

Policies:

| ID | Name | Criticality | Created On | Created By | Description |
| --- | --- | --- | --- | --- | --- |
| 1 | Accounts that dont have Users | Low | 2013-11-09T16:13:23Z | admin | |
| 2 | Accounts that belong to terminated user | Medium | 2013-11-09T16:31:09Z | admin | |

securonix-list-resource-groups


Gets a list of resource groups.

Base Command

securonix-list-resource-groups

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.ResourceGroups.Name | String | Resource group name. |
| Securonix.ResourceGroups.Type | String | Resource group type. |

Command Example

!securonix-list-resource-groups

Context Example
{
"Securonix": {
"ResourceGroups": [
{
"Name": "Windows-CST1",
"Type": "Microsoft Windows SNARE"
},
{
"Name": "Websense Proxy",
"Type": "Websense Proxy Server"
},
{
"Name": "Palo Alto",
"Type": "Palo Alto Next-Generation Firewall"
},
{
"Name": "CDS1",
"Type": "ControlsDS1"
},
{
"Name": "Bluecoat",
"Type": "Bluecoat Proxy"
},
{
"Name": "Symantec-Email",
"Type": "Symantec Message Security Gateway"
},
{
"Name": "Proofpoint Email Gateway",
"Type": "Proofpoint Email Gateway"
},
{
"Name": "CiscoASA",
"Type": "Cisco ASA"
},
{
"Name": "CiscoAMP",
"Type": "Cisco FireAMP"
},
{
"Name": "PA800-adam",
"Type": "Palo Alto Next-Generation Firewall"
},
{
"Name": "CrowdStrike-PartnerAPI",
"Type": "Crowdstrike Alerts Streaming"
},
{
"Name": "squid-partners",
"Type": "Squid Proxy"
},
{
"Name": "Bluecoat_OP",
"Type": "Bluecat_DHCP"
},
{
"Name": "Bluecoat - Test",
"Type": "Bluecoat Proxy"
},
{
"Name": "Bluecoat_New",
"Type": "Bluecoat Proxy"
}
]
}
}
Human Readable Output

Resource groups:

| Name | Type |
| --- | --- |
| Windows-CST1 | Microsoft Windows SNARE |
| Websense Proxy | Websense Proxy Server |
| Palo Alto | Palo Alto Next-Generation Firewall |
| CDS1 | ControlsDS1 |
| Bluecoat | Bluecoat Proxy |
| Symantec-Email | Symantec Message Security Gateway |
| Proofpoint Email Gateway | Proofpoint Email Gateway |
| CiscoASA | Cisco ASA |
| CiscoAMP | Cisco FireAMP |
| PA800-adam | Palo Alto Next-Generation Firewall |
| CrowdStrike-PartnerAPI | Crowdstrike Alerts Streaming |
| squid-partners | Squid Proxy |
| Bluecoat_OP | Bluecat_DHCP |
| Bluecoat - Test | Bluecoat Proxy |
| Bluecoat_New | Bluecoat Proxy |

securonix-list-users


Gets a list of users.

Base Command

securonix-list-users

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.Users.LastName | String | User last name. |
| Securonix.Users.SkipEncryption | String | Whether user encryption was skipped. |
| Securonix.Users.Riskscore | String | User risk score. |
| Securonix.Users.EmployeeID | String | User Employee ID. |
| Securonix.Users.Masked | String | Whether the user is masked. |
| Securonix.Users.Division | String | User division. |
| Securonix.Users.Criticality | String | User criticality. |
| Securonix.Users.Status | String | User status. |
| Securonix.Users.Department | String | User department. |
| Securonix.Users.Title | String | User title. |
| Securonix.Users.FirstName | String | User first name. |
| Securonix.Users.Email | String | User email address. |

Command Example

!securonix-list-users

Context Example
{
"Securonix": {
"Users": [
{
"ContractEndDate": "2020-01-14T00:40:44Z",
"Criticality": "Low",
"Department": "Data Services",
"Division": "Global Technology",
"Email": "jon.doe@test.com",
"EmployeeID": "1001",
"FirstName": "jon",
"LastName": "doe",
"Masked": "false",
"Riskscore": "0.0",
"SkipEncryption": "false",
"Status": "1",
"Title": "Associate-Data Services"
}
]
}
}
Human Readable Output

Resource groups:

| First Name | Last Name | Criticality | Title | Email |
| --- | --- | --- | --- | --- |
| jon | doe | Low | Associate-Data Services | jon.doe@test.com |

securonix-list-activity-data


Gets a list of activity data for the specified resource group.

Base Command

securonix-list-activity-data

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| from | Start date/time for which to retrieve activity data (in the format MM/dd/yyyy HH:mm:ss). | Required |
| to | End date/time for which to retrieve activity data (in the format MM/dd/yyyy HH:mm:ss). | Required |
| query | Free-text query. For example, query="resourcegroupname=WindowsSnare and policyname=Possible Privilege Escalation - Self Escalation". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.ActivityData.Accountname | String | Account name. |
| Securonix.ActivityData.Agentfilename | String | Agent file name. |
| Securonix.ActivityData.Categorybehavior | String | Category behavior. |
| Securonix.ActivityData.Categoryobject | String | Category object. |
| Securonix.ActivityData.Categoryseverity | String | Category severity. |
| Securonix.ActivityData.Collectionmethod | String | Collection method. |
| Securonix.ActivityData.Collectiontimestamp | String | Collection timestamp. |
| Securonix.ActivityData.Destinationprocessname | String | Destination process name. |
| Securonix.ActivityData.Destinationusername | String | Destination username. |
| Securonix.ActivityData.Deviceaddress | String | Device address. |
| Securonix.ActivityData.Deviceexternalid | String | Device external ID. |
| Securonix.ActivityData.Devicehostname | String | Device hostname. |
| Securonix.ActivityData.EventID | String | Event ID. |
| Securonix.ActivityData.Eventoutcome | String | Event outcome. |
| Securonix.ActivityData.Eventtime | String | Time the event occurred. |
| Securonix.ActivityData.Filepath | String | File path. |
| Securonix.ActivityData.Ingestionnodeid | String | Ingestion node ID. |
| Securonix.ActivityData.JobID | String | Job ID. |
| Securonix.ActivityData.Jobstarttime | String | Job start time. |
| Securonix.ActivityData.Message | String | Message. |
| Securonix.ActivityData.Publishedtime | String | Published time. |
| Securonix.ActivityData.Receivedtime | String | Received time. |
| Securonix.ActivityData.Resourcename | String | Resource name. |
| Securonix.ActivityData.ResourceGroupCategory | String | Resource group category. |
| Securonix.ActivityData.ResourceGroupFunctionality | String | Resource group functionality. |
| Securonix.ActivityData.ResourceGroupID | String | Resource group ID. |
| Securonix.ActivityData.ResourceGroupName | String | Resource group name. |
| Securonix.ActivityData.ResourceGroupTypeID | String | Resource group resource type ID. |
| Securonix.ActivityData.ResourceGroupVendor | String | Resource group vendor. |
| Securonix.ActivityData.Sourcehostname | String | Source hostname. |
| Securonix.ActivityData.Sourceusername | String | Source username. |
| Securonix.ActivityData.TenantID | String | Tenant ID. |
| Securonix.ActivityData.Tenantname | String | Tenant name. |
| Securonix.ActivityData.Timeline | String | Time when the activity occurred, in Epoch time. |

Command Example

Human Readable Output

securonix-list-violation-data


Gets a list of violation data for an account name.

Base Command

securonix-list-violation-data

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| from | Start date/time for which to retrieve violation data (in the format MM/dd/yyyy HH:mm:ss). | Required |
| to | End date/time for which to retrieve violation data (in the format MM/dd/yyyy HH:mm:ss). | Required |
| query | Free-text query. For example, query="resourcegroupname=WindowsSnare and policyname=Possible Privilege Escalation - Self Escalation". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.ViolationData.Accountname | String | Account name. |
| Securonix.ViolationData.Agentfilename | String | Agent file name. |
| Securonix.ViolationData.Baseeventid | String | Base event ID. |
| Securonix.ViolationData.Categorybehavior | String | Category behavior. |
| Securonix.ViolationData.Category | String | Violation category. |
| Securonix.ViolationData.Categoryobject | String | Category object. |
| Securonix.ViolationData.Categoryseverity | String | Category severity. |
| Securonix.ViolationData.Destinationaddress | String | Destination address. |
| Securonix.ViolationData.Destinationntdomain | String | Destination nt domain. |
| Securonix.ViolationData.Destinationuserid | String | Destination user ID. |
| Securonix.ViolationData.Gestinationusername | String | Destination username. |
| Securonix.ViolationData.Deviceaddress | String | Device address. |
| Securonix.ViolationData.Deviceeventcategory | String | Device event category. |
| Securonix.ViolationData.Deviceexternalid | String | Device external ID. |
| Securonix.ViolationData.Devicehostname | String | Device hostname. |
| Securonix.ViolationData.EventID | String | Event ID. |
| Securonix.ViolationData.Eventoutcome | String | Event outcome. |
| Securonix.ViolationData.Eventtime | String | Time the event occurred. |
| Securonix.ViolationData.Generationtime | String | Time that the violation was generated in Securonix. |
| Securonix.ViolationData.Invalid | String | Whether the violation is valid. |
| Securonix.ViolationData.JobID | String | Job ID. |
| Securonix.ViolationData.Jobstarttime | String | Job start time. |
| Securonix.ViolationData.Policyname | String | Policy name. |
| Securonix.ViolationData.Resourcename | String | Resource name. |
| Securonix.ViolationData.ResourceGroupID | String | Resource group ID. |
| Securonix.ViolationData.ResourceGroupName | String | Resource group name. |
| Securonix.ViolationData.Riskscore | String | Risk score. |
| Securonix.ViolationData.Riskthreatname | String | Risk threat name. |
| Securonix.ViolationData.Sessionid | String | Session ID. |
| Securonix.ViolationData.Sourcehostname | String | Source hostname. |
| Securonix.ViolationData.Sourcentdomain | String | Source nt domain. |
| Securonix.ViolationData.Sourceuserid | String | Source user ID. |
| Securonix.ViolationData.Sourceusername | String | Source username. |
| Securonix.ViolationData.Sourceuserprivileges | String | Source user privileges. |
| Securonix.ViolationData.TenantID | String | Tenant ID. |
| Securonix.ViolationData.Tenantname | String | Tenant name. |
| Securonix.ViolationData.Timeline | String | Time when the activity occurred, in Epoch time. |
| Securonix.ViolationData.Createdate | String | Create date. |
| Securonix.ViolationData.Criticality | String | Violation criticality. |
| Securonix.ViolationData.DataSourceID | String | Data source ID. |
| Securonix.ViolationData.Department | String | Department affected by the violation. |
| Securonix.ViolationData.EmployeeID | String | Employee ID. |
| Securonix.ViolationData.Encrypted | String | Whether the violation is encrypted. |
| Securonix.ViolationData.Firstname | String | First name of the user that violated the policy. |
| Securonix.ViolationData.Fullname | String | Full name of the user that violated the policy. |
| Securonix.ViolationData.ID | String | ID of the user that violated the policy. |
| Securonix.ViolationData.LanID | String | LAN ID associated with the policy violation. |
| Securonix.ViolationData.Lastname | String | Last name of the user that violated the policy. |
| Securonix.ViolationData.Lastsynctime | String | Last sync time, in Epoch time. |
| Securonix.ViolationData.Masked | String | Whether the violation is masked. |
| Securonix.ViolationData.Mergeuniquecode | String | Merge unique code. |
| Securonix.ViolationData.Skipencryption | String | Skip encryption. |
| Securonix.ViolationData.Status | String | Status of the policy violation. |
| Securonix.ViolationData.Timezoneoffset | String | Timezone offset. |
| Securonix.ViolationData.Title | String | Title. |
| Securonix.ViolationData.Uniquecode | String | Unique code. |
| Securonix.ViolationData.UserID | String | ID of the user that violated the policy. |
| Securonix.ViolationData.Workemail | String | Work email address of the user that violated the policy. |
| Securonix.ViolationData.Violator | String | Violator. |

Command Example

Human Readable Output

securonix-list-incidents


Gets a list of incidents.

Base Command

securonix-list-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| from | Start time range for which to return incidents (<number> <time unit>, e.g., 1 hour, 30 minutes). | Required |
| to | End date/time for which to retrieve incidents (in the format MM/dd/yyyy HH:mm:ss). Default is the current time. | Optional |
| incident_types | The incident type. Can be "updated", "opened", or "closed". Supports multiple selections. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.Incidents.ViolatorID | String | Incident violator ID. |
| Securonix.Incidents.Entity | String | Incident entity. |
| Securonix.Incidents.Riskscore | Number | Incident risk score. |
| Securonix.Incidents.Priority | String | Incident priority. |
| Securonix.Incidents.Reason | String | Reason for the incident. Usually includes the policy name and/or possible threat name. |
| Securonix.Incidents.IncidentStatus | String | Incident status. |
| Securonix.Incidents.WorkflowName | String | Incident workflow name. |
| Securonix.Incidents.Watchlisted | Boolean | Whether the incident is in a watchlist. |
| Securonix.Incidents.IncidentType | String | Incident type. |
| Securonix.Incidents.IncidentID | String | Incident ID. |
| Securonix.Incidents.LastUpdateDate | Number | Last update date of the incident, in Epoch time. |
| Securonix.Incidents.Url | String | URL that links to the incident on Securonix. |
| Securonix.Incidents.ViolatorText | String | Incident violator text. |
| Securonix.Incidents.AssignedUser | String | User assigned to the incident. |
| Securonix.Incidents.IsWhitelisted | Boolean | Whether the incident is whitelisted. |

Command Example

!securonix-list-incidents from="5 days" incident_types=opened

Context Example
Human Readable Output

No incidents where found in this time frame.

securonix-get-incident


Gets details of the specified incident.

Base Command

securonix-get-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Incident ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.Incidents.ViolatorID | String | Incident violator ID. |
| Securonix.Incidents.Entity | String | Incident entity. |
| Securonix.Incidents.Riskscore | Number | Incident risk score. |
| Securonix.Incidents.Priority | String | Incident priority. |
| Securonix.Incidents.Reason | String | Reason for the incident. Usually includes policy name and/or possible threat name. |
| Securonix.Incidents.IncidentStatus | String | Incident status. |
| Securonix.Incidents.WorkflowName | String | Incident workflow name. |
| Securonix.Incidents.Watchlisted | Boolean | Whether the incident is in a watchlist. |
| Securonix.Incidents.IncidentType | String | Incident type. |
| Securonix.Incidents.IncidentID | String | Incident ID. |
| Securonix.Incidents.LastUpdateDate | Number | The time when the incident was last updated, in Epoch time. |
| Securonix.Incidents.Url | String | URL that links to the incident on Securonix. |
| Securonix.Incidents.ViolatorText | String | Incident violator text. |
| Securonix.Incidents.AssignedUser | String | User assigned to the incident. |
| Securonix.Incidents.IsWhitelisted | Boolean | Whether the incident is whitelisted. |

Command Example

!securonix-get-incident incident_id=30107

Context Example
{
"Securonix": {
"Incidents": {
"AssignedUser": "Admin Admin",
"Casecreatetime": 1579687173702,
"Entity": "Users",
"IncidentID": "30107",
"IncidentStatus": "Open",
"IncidentType": "Policy",
"IsWhitelisted": false,
"LastUpdateDate": 1579687173702,
"ParentCaseId": "",
"Priority": "Critical",
"Reason": [
"Resource: BLUECOAT",
"Policy: Uploads to personal websites",
"Threat: Data egress via network uploads"
],
"Riskscore": 0,
"SandBoxPolicy": false,
"StatusCompleted": false,
"TenantInfo": {
"tenantcolor": "#000000",
"tenantid": 1,
"tenantname": "Securonix",
"tenantshortcode": "SE"
},
"Url": "{url}",
"ViolatorID": "9",
"ViolatorSubText": "1009",
"ViolatorText": "Judi Mcabee",
"Watchlisted": false,
"WorkflowName": "SOCTeamReview"
}
}
}
Human Readable Output

Incident:

| Assigned User | Casecreatetime | Entity | Incident Status | Incident Type | IncidentID | Is Whitelisted | Last Update Date | Priority | Reason | Riskscore | Sand Box Policy | Status Completed | Tenant Info | Url | Violator Sub Text | Violator Text | ViolatorID | Watchlisted | Workflow Name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Admin Admin | 1579687173702 | Users | Open | Policy | 30107 | false | 1579687173702 | Critical | Resource: BLUECOAT,Policy: Uploads to personal websites,Threat: Data egress via network uploads | 0.0 | false | false | tenantid: 1 tenantname: {name} | {url} | 1009 | john smith | 9 | false | SOCTeamReview |

securonix-get-incident-status


Gets the status of the specified incident.

Base Command

securonix-get-incident-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Incident ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.Incidents.IncidentStatus | String | Incident status. |
| Securonix.Incidents.IncidentID | String | Incident ID. |

Command Example

!securonix-get-incident-status incident_id=30107

Context Example
{
"Securonix": {
"Incidents": {
"IncidentID": "30107",
"IncidentStatus": "Open"
}
}
}
Human Readable Output

Incident 30107 status is Open.

securonix-get-incident-workflow


Gets the workflow of the specified incident.

Base Command

securonix-get-incident-workflow

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Incident ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.Incidents.Workflow | String | Incident workflow. |
| Securonix.Incidents.IncidentID | String | Incident ID. |

Command Example

!securonix-get-incident-workflow incident_id=30107

Context Example
{
"Securonix": {
"Incidents": {
"IncidentID": "30107",
"WorkflowName": "SOCTeamReview"
}
}
}
Human Readable Output

Incident 30107 workflow is SOCTeamReview.

securonix-get-incident-available-actions


Gets a list of available actions for the specified incident.

Base Command

securonix-get-incident-available-actions

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Incident ID. | Required |

Context Output

There is no context output for this command.

Command Example

!securonix-get-incident-available-actions incident_id=30107

Context Example
{
"Securonix": {
"Incidents": {
"AvailableActions": [
"CLAIM",
"ASSIGN TO ANALYST",
"ASSIGN TO SECOPS"
],
"IncidentID": "30107"
}
}
}
Human Readable Output

Incident 30107 available actions: ['CLAIM', 'ASSIGN TO ANALYST', 'ASSIGN TO SECOPS'].

securonix-perform-action-on-incident


Performs an action on the specified incident.

Base Command

securonix-perform-action-on-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Incident ID. | Required |
| action | The action to perform on the incident, e.g., "CLAIM", "ASSIGN TO SECOPS", "ASSIGN TO ANALYST", "RELEASE", or "COMMENT". Use securonix-get-incident-available-actions to list the actions available for an incident. | Required |
| action_parameters | The parameters, if needed, to perform the action. For example, for the ASSIGN TO ANALYST action: assigntouserid={user_id},assignedTo=USER. | Optional |

Context Output

There is no context output for this command.

Command Example

Human Readable Output

securonix-add-comment-to-incident


Adds a comment to the specified incident.

Base Command

securonix-add-comment-to-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Incident ID. | Required |
| comment | Comment to add to the incident. | Required |

Context Output

There is no context output for this command.

Command Example

!securonix-add-comment-to-incident incident_id=30107 comment="Just a comment"

Context Example
{}
Human Readable Output

Comment was added to the incident 30107 successfully.

securonix-list-watchlists


Gets a list of watchlists.

Base Command

securonix-list-watchlists

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.WatchlistsNames | String | Watchlist names. |

Command Example

!securonix-list-watchlists

Context Example
{
"Securonix": {
"WatchlistsNames": {
"Bad_Performance_Review": "0",
"Contractors-UpComing_Termination": "0",
"Domain_Admin": "0",
"Employees-UpComing_Terminations": "0",
"Exiting_Behavior_Watchlist": "0",
"Flight_Risk_Users_Watchlist": "0",
"Privileged_Accounts": "0",
"Privileged_Users": "0",
"Recent_Hires": "0",
"Recent_Transfers": "0",
"Terminated_Contractors": "0",
"Terminated_Employees": "0",
"Test_watchlist": "0",
"Test_watchlist2": "0"
}
}
}
Human Readable Output

Watchlists: Domain_Admin, Flight_Risk_Users_Watchlist, Recent_Transfers, Exiting_Behavior_Watchlist, Test_watchlist2, Bad_Performance_Review, Terminated_Contractors, Contractors-UpComing_Termination, Privileged_Accounts, Terminated_Employees, Test_watchlist, Privileged_Users, Recent_Hires, Employees-UpComing_Terminations.

securonix-get-watchlist


Gets information for the specified watchlist.

Base Command

securonix-get-watchlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_name | Watchlist name. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.Watchlists.TenantID | String | Watchlist tenant ID. |
| Securonix.Watchlists.Tenantname | String | Watchlist tenant name. |
| Securonix.Watchlists.Type | String | Watchlist type. |
| Securonix.Watchlists.Watchlistname | String | Watchlist name. |
| Securonix.Watchlists.Events.ExpiryDate | String | Expiration date of the entity in the watchlist, in Epoch time. |
| Securonix.Watchlists.Events.Workemail | String | Work email address of the entity in the watchlist. |
| Securonix.Watchlists.Events.Fullname | String | Full name of the entity in the watchlist. |
| Securonix.Watchlists.Events.Reason | String | Reason that the entity is in the watchlist. |
| Securonix.Watchlists.Events.LanID | String | LAN ID of the entity in the watchlist. |
| Securonix.Watchlists.Events.Lastname | String | Last name of the entity in the watchlist. |
| Securonix.Watchlists.Events.EntityName | String | Entity name of the entity in the watchlist. |
| Securonix.Watchlists.Events.Title | String | Title of the entity in the watchlist. |
| Securonix.Watchlists.Events.Firstname | String | First name of the entity in the watchlist. |
| Securonix.Watchlists.Events.EmployeeID | String | Employee ID of the entity in the watchlist. |
| Securonix.Watchlists.Events.Masked | String | Whether the entity in the watchlist is masked. |
| Securonix.Watchlists.Events.Division | String | Division of the entity in the watchlist. |
| Securonix.Watchlists.Events.Departmant | String | Department of the entity in the watchlist. |
| Securonix.Watchlists.Events.Status | String | Status of the entity in the watchlist. |

Command Example

Human Readable Output

securonix-create-watchlist


Creates a watchlist in Securonix.

Base Command

securonix-create-watchlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_name | The name of the watchlist. | Required |

Context Output

There is no context output for this command.

Command Example

!securonix-create-watchlist watchlist_name=test_watchlist

Context Example
{
"Securonix": {
"Watchlists": "test_watchlist"
}
}
Human Readable Output

Watchlist test_watchlist was created successfully.

securonix-check-entity-in-watchlist


Checks if the specified entity is in a watchlist.

Base Command

securonix-check-entity-in-watchlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity_name | The name of the entity to check. For example: 1002. | Required |
| watchlist_name | The name of the watchlist in which to check the entity. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.EntityInWatchlist.Watchlistnames | String | The names of the watchlists in which the entity appears. |
| Securonix.EntityInWatchlist.EntityID | String | The entity ID. |

Command Example

!securonix-check-entity-in-watchlist entity_name=1002 watchlist_name=test_watchlist

Context Example
{
"Securonix": {
"EntityInWatchlist": {
"Entityname": "1002"
}
}
}
Human Readable Output

Entity unique identifier 1002 provided is not in the watchlist: test_watchlist.

securonix-add-entity-to-watchlist


Adds an entity to a watchlist.

Base Command

securonix-add-entity-to-watchlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_name | The name of the watchlist to which to add the entity. | Required |
| entity_type | The entity type. Can be "Users", "Activityaccount", "RGActivityaccount", "Resources", or "Activityip". | Required |
| entity_name | The name of the entity to add to the watchlist. For example: 1022. | Required |
| expiry_days | The number of days after which the entity will be removed from the watchlist. The default value is "30". | Optional |

Context Output

There is no context output for this command.

Command Example

Human Readable Output

securonix-create-incident


Creates an incident. For more information about the required arguments, see the Securonix documentation.

Base Command

securonix-create-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| violation_name | The violation name or policy name. For example: "Uploads to personal Websites". | Required |
| resource_group | The resource group name. For example: "BLUECOAT", "Palo Alto Firewall". | Required |
| entity_type | The entity type. Can be "Users", "Activityaccount", "RGActivityaccount", "Resources", or "Activityip". | Required |
| entity_name | The entity name associated with the violation. Can be "LanID" or "Workemail". For more information, see the Securonix documentation. | Required |
| action_name | The action name. Can be "Mark as concern and create incident", "Non-Concern", or "Mark in progress (still investigating)". | Required |
| resource_name | The resource name. For example: "BLUECOAT", "Palo Alto Firewall". | Required |
| criticality | The incident severity (criticality) for the new incident. Can be "Low", "High", or "Critical". | Optional |
| comment | A comment for the new incident. | Optional |
| workflow | The workflow name. This argument is optional, but required when the action_name argument is set to "Mark as concern and create incident". Can be "SOCTeamReview", "ActivityOutlierWorkflow", or "AccessCertificationWorkflow". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Securonix.Incidents.ViolatorID | String | The ID of the incident violator. |
| Securonix.Incidents.Entity | String | The incident entity. |
| Securonix.Incidents.Riskscore | Number | The incident risk score. |
| Securonix.Incidents.Priority | String | The incident priority. |
| Securonix.Incidents.Reason | String | The reason that the incident was created. Usually includes the policy name and/or possible threat name. |
| Securonix.Incidents.IncidentStatus | String | The incident status. |
| Securonix.Incidents.WorkflowName | String | The incident workflow name. |
| Securonix.Incidents.Watchlisted | Boolean | Whether the incident is in a watchlist. |
| Securonix.Incidents.IncidentType | String | The incident type. |
| Securonix.Incidents.IncidentID | String | The incident ID. |
| Securonix.Incidents.LastUpdateDate | Number | The time when the incident was last updated, in Epoch time. |
| Securonix.Incidents.Url | String | The URL that links to the incident on Securonix. |
| Securonix.Incidents.ViolatorText | String | Text of the incident violator. |
| Securonix.Incidents.AssignedUser | String | The user assigned to the incident. |
| Securonix.Incidents.IsWhitelisted | Boolean | Whether the incident is whitelisted. |

Command Example

!securonix-create-incident action_name="Mark as concern and create incident" entity_name=MH1014 entity_type=Users resource_group="BLUECOAT" resource_name="BLUECOAT" violation_name="Uploads to personal Websites" workflow=SOCTeamReview comment=bgdfs criticality=Critical

Context Example
{
"Securonix": {
"Incidents": {
"AssignedUser": "Admin Admin",
"Casecreatetime": 1579687771677,
"Entity": "Users",
"IncidentID": "30134",
"IncidentStatus": "Open",
"IncidentType": "Policy",
"IsWhitelisted": false,
"LastUpdateDate": 1579687771677,
"ParentCaseId": "",
"Priority": "Critical",
"Reason": [
"Resource: BLUECOAT",
"Policy: Uploads to personal websites",
"Threat: Data egress via network uploads"
],
"Riskscore": 0,
"SandBoxPolicy": false,
"StatusCompleted": false,
"TenantInfo": {
"tenantcolor": "#000000",
"tenantid": 1,
"tenantname": "Securonix",
"tenantshortcode": "SE"
},
"Url": "{url}",
"ViolatorID": "14",
"ViolatorSubText": "1014",
"ViolatorText": "john doe",
"Watchlisted": false,
"WorkflowName": "SOCTeamReview"
}
}
}
Human Readable Output

Incident was created successfully

| Entity | Incident Status | Incident Type | IncidentID | Priority | Reason | Url |
| --- | --- | --- | --- | --- | --- | --- |
| Users | Open | Policy | 30134 | Critical | Resource: BLUECOAT,Policy: Uploads to personal websites,Threat: Data egress via network uploads | {url} |

Limitations

  • The opened argument for fetching and listing incidents currently does not filter to only the opened incidents. This is an open issue on the vendor side.
  • Until version 6.3.1, the max_fetch argument is not used. Hence, on every fetch of incidents, only the 10 most recent incidents are fetched.
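Both limitations can be compensated for on the Demisto side, as this added example (not the integration's own code) shows: the fetched batch is filtered to incidents whose IncidentStatus really is Open, capped at max_fetch, and tracked with a LastUpdateDate watermark so consecutive fetches neither duplicate nor skip incidents. The incident records are constructed in the shape of the Securonix.Incidents context above, and the watermark/seen-ID bookkeeping is an assumption about how last-run state is kept.

```python
"""Client-side handling for the two limitations above: keep only incidents
whose status is really Open, cap the batch at max_fetch, and carry a
watermark so repeated fetches neither duplicate nor skip incidents.
Added example, not the integration's own code."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample in the shape of Securonix.Incidents context entries.
# LastUpdateDate is Epoch milliseconds, as the context output describes.
SAMPLE_INCIDENTS: List[Dict] = [
    {"IncidentID": "30107", "IncidentStatus": "Open",
     "LastUpdateDate": 1579687173702, "Priority": "Critical"},
    {"IncidentID": "30001", "IncidentStatus": "Closed",
     "LastUpdateDate": 1579600000000, "Priority": "Low"},
    {"IncidentID": "30134", "IncidentStatus": "Open",
     "LastUpdateDate": 1579687771677, "Priority": "Critical"},
    {"IncidentID": "30107", "IncidentStatus": "Open",           # same record
     "LastUpdateDate": 1579687173702, "Priority": "Critical"},  # returned twice
]


def select_new_incidents(incidents: Iterable[Dict], last_update_ms: int,
                         seen_ids: Set[str], max_fetch: int,
                         statuses: Tuple[str, ...] = ("Open",)
                         ) -> Tuple[List[Dict], int, Set[str]]:
    """Return (batch, new_watermark_ms, ids_at_watermark).

    last_update_ms / seen_ids are the state saved by the previous run
    (assumed bookkeeping for this example): incidents older than the
    watermark are dropped, and incidents exactly on it are dropped only
    when already seen, so equal timestamps cannot cause gaps."""
    # The vendor-side "opened" filter is unreliable (see Limitations), so
    # enforce the status here.
    candidates = [i for i in incidents if i.get("IncidentStatus") in statuses]
    # Oldest first: if max_fetch cuts the batch, the newest wait for the next run.
    candidates.sort(key=lambda i: (int(i["LastUpdateDate"]), i["IncidentID"]))
    batch: List[Dict] = []
    taken: Set[str] = set()
    for inc in candidates:
        ts, iid = int(inc["LastUpdateDate"]), inc["IncidentID"]
        if ts < last_update_ms or iid in taken:
            continue
        if ts == last_update_ms and iid in seen_ids:
            continue
        batch.append(inc)
        taken.add(iid)
        if len(batch) >= max_fetch:
            break
    if not batch:
        return [], last_update_ms, set(seen_ids)
    new_mark = int(batch[-1]["LastUpdateDate"])
    # Remember only the IDs sitting exactly on the new watermark; anything
    # older is excluded by the timestamp check on the next run.
    at_mark = {i["IncidentID"] for i in batch
               if int(i["LastUpdateDate"]) == new_mark}
    if new_mark == last_update_ms:  # still on the old watermark: keep its IDs
        at_mark |= set(seen_ids)
    return batch, new_mark, at_mark
```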