Securonix SNYPR is an open and modular next-generation security intelligence platform that combines log management, security information and event management, user and entity behavior analytics and fraud detection, serving as a foundation for a broad portfolio of specialized security analytics solutions.
This document provides information about the Securonix SNYPR connector, which facilitates automated interactions with a Securonix SNYPR server using FortiSOAR™ playbooks. Add the Securonix SNYPR connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all users from Securonix SNYPR, or retrieving the top violations from Securonix SNYPR based on the filter criteria you have specified.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 5.0.0-866
Authored By: Fortinet
Certified: Yes
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-securonix-snypr
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Securonix SNYPR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Securonix SNYPR server to which you will connect and perform the automated operations. |
Username | Username to access the Securonix SNYPR server to which you will connect and perform the automated operations. |
Password | Password to access the Securonix SNYPR server to which you will connect and perform the automated operations. |
Tenant | Tenant ID that has been configured for your account to access the Securonix SNYPR server. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
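The configuration table above leaves two decisions to whoever fills it in: whether the Server URL is well formed, and whether Verify SSL stays at its default of True. The following added example (not FortiSOAR or Securonix code) shows how a playbook helper could validate such a configuration before any request is made. It assumes the parameters arrive as a plain dict keyed by the names in the table; the real FortiSOAR configuration key names are not given on this page and are an assumption here.

```python
"""Validate a Securonix SNYPR connector configuration before use.

Added example, not part of the FortiSOAR connector or the Securonix product.
Assumes the configuration is a dict keyed by the parameter names shown in the
table ("Server URL", "Username", "Password", "Tenant", "Verify SSL"); those key
names are an assumption, not something this page specifies.
"""
from urllib.parse import urlparse


class ConfigError(ValueError):
    """Raised when the connector configuration cannot be used."""


def parse_bool(value, default=True):
    """Accept True/False, 'true'/'false', 'yes'/'no', '1'/'0', 'on'/'off' (case-insensitive)."""
    if value is None or value == "":
        return default
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "yes", "1", "on"):
        return True
    if text in ("false", "no", "0", "off"):
        return False
    raise ConfigError("Verify SSL must be a boolean, got %r" % (value,))


def normalise_config(config):
    """Return (cleaned_config, warnings).

    - Server URL must have a scheme and host; a bare hostname is treated as https.
    - A trailing slash is removed so endpoint paths can be appended safely.
    - Username, Password and Tenant are mandatory.
    - Verify SSL defaults to True, as the table states; turning it off is allowed
      but recorded as a warning because the server certificate is then not checked.
    """
    warnings = []
    url = str(config.get("Server URL", "")).strip()
    if not url:
        raise ConfigError("Server URL is required")
    if "://" not in url:
        url = "https://" + url
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ConfigError("Server URL is not a valid http(s) URL: %r" % (url,))
    if parts.scheme == "http":
        warnings.append("Server URL uses plain http; credentials and tokens travel unencrypted")
    url = url.rstrip("/")

    for key in ("Username", "Password", "Tenant"):
        if not str(config.get(key, "")).strip():
            raise ConfigError("%s is required" % key)

    verify = parse_bool(config.get("Verify SSL"), default=True)
    if not verify:
        warnings.append("Verify SSL is disabled; the server certificate will not be checked")

    cleaned = {
        "server_url": url,
        "username": str(config["Username"]).strip(),
        "password": str(config["Password"]),
        "tenant": str(config["Tenant"]).strip(),
        "verify_ssl": verify,
    }
    return cleaned, warnings


if __name__ == "__main__":
    # Constructed sample configuration; host, tenant and secret are placeholders.
    sample = {"Server URL": "snypr.example.internal/", "Username": "soar-svc",
              "Password": "placeholder-secret", "Tenant": "tenant-placeholder",
              "Verify SSL": "false"}
    cleaned, warns = normalise_config(sample)
    print(cleaned["server_url"], cleaned["verify_ssl"], warns)
```

The `verify_ssl` value maps directly onto the `verify` argument of an HTTP client such as `requests`; keeping the warning list separate from the cleaned config lets a playbook record that verification was disabled without blocking the run.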
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
List All Users | Retrieves a list of all users from Securonix SNYPR. | list_users Investigation |
List All Peer Groups | Retrieves a list of all peer groups from Securonix SNYPR. | list_peer_groups Investigation |
List All Resource Groups | Retrieves a list of all resource groups from Securonix SNYPR. | list_resource_groups Investigation |
List All Policies | Retrieves a list of all policies from Securonix SNYPR. | list_policies Investigation |
Get Top Threats | Retrieves the top threats from Securonix SNYPR based on when the threat was last seen and other input parameters that you have specified. | get_top_threats Investigation |
Get Top Violations | Retrieves the top violations from Securonix SNYPR based on when the violation was last seen and other input parameters that you have specified. | get_top_violations Investigation |
Get Top Violators | Retrieves the top violators from Securonix SNYPR based on when the violator was last seen and other input parameters that you have specified. | get_top_violators Investigation |
Get Risk Score | Retrieves risk scores for all users or risk scores from Securonix SNYPR based on the query attributes and other input parameters that you have specified. | get_risk_score Investigation |
Get Risk History | Retrieves risk history for all users or risk history from Securonix SNYPR based on the query attributes and other input parameters that you have specified. | get_risk_history Investigation |
Query Users | Retrieves details of all users or specific users from Securonix SNYPR based on the query attributes that you have specified. | query_for_users Investigation |
Query Violations | Retrieves details of all violations or specific violations from Securonix SNYPR based on the query attributes and other input parameters that you have specified. | query_for_violations Investigation |
Query Watchlist | Retrieves details of all watchlists or specific watchlists from Securonix SNYPR based on the query attributes that you have specified. | query_for_watchlist Investigation |
Query Third Party Intelligence | Retrieves details of all TPIs or specific TPIs from Securonix SNYPR based on the query attributes that you have specified. | query_third_party_intelligence Investigation |
Custom Query | Runs a search on Securonix SNYPR and retrieves details based on the query attributes and other input parameters that you have specified. | custom_query Investigation |
None.
The output contains the following populated JSON schema:
{
"users": {
"user": [
{
"approverEmployeeId": "",
"costCenterCode": "",
"criticality": "",
"department": "",
"disableDate": "",
"division": "",
"email": "",
"employeeId": "",
"employeeType": "",
"enableDate": "",
"firstName": "",
"hireDate": "",
"jobCode": "",
"lastName": "",
"location": "",
"managerEmployeeId": "",
"managerFirstname": "",
"managerLastname": "",
"masked": "",
"riskscore": "",
"skipEncryption": "",
"status": "",
"title": ""
}
]
}
}
None.
The output contains the following populated JSON schema:
{
"peerGroups": {
"peerGroup": [
{
"name": "",
"criticality": ""
},
{
"name": "",
"criticality": ""
}
]
}
}
None.
The output contains the following populated JSON schema:
{
"resourceGroups": {
"resourceGroup": [
{
"name": "",
"type": ""
},
{
"name": "",
"type": ""
},
{
"name": "",
"type": ""
},
{
"name": "",
"type": ""
}
]
}
}
None.
The output contains the following populated JSON schema:
{
"policies": {
"policy": [
{
"createdBy": "",
"criticality": "",
"hql": "",
"createdOn": "",
"id": "",
"name": "",
"description": ""
}
]
}
}
Parameter | Description |
---|---|
Last Seen | Time period for which you want to retrieve the top threats from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years. Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the number of hours from the Last Hours drop-down list, for example, Last 1 hour or Last 24 hours. |
Offset | 0-based index of the page that this operation should return. |
Limit | Maximum number of results per page that this operation should return. |
The output contains the following populated JSON schema:
{
"Response": {
"Docs": [
{
"Threat nodel name": "",
"Criticality": "",
"Generation time": "",
"No of violator": "",
"Threat model id": "",
"Description": ""
}
],
"Date range": [],
"Total records": ""
}
}
Parameter | Description |
---|---|
Last Seen | Time period for which you want to retrieve the top violations from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years. Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the number of hours from the Last Hours drop-down list, for example, Last 1 hour or Last 24 hours. |
Offset | 0-based index of the page that this operation should return. |
Limit | Maximum number of results per page that this operation should return. |
The output contains the following populated JSON schema:
{
"Response": {
"Docs": [
{
"Criticality": "",
"Violation entity": "",
"Generation time": "",
"No of violator": "",
"Threat indicator": "",
"Policy name": "",
"Policy id": "",
"Description": "",
"Policy category": ""
}
],
"Date range": [],
"Total records": ""
}
}
Parameter | Description |
---|---|
Last Seen | Time period for which you want to retrieve the top violators from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years. Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the number of hours from the Last Hours drop-down list, for example, Last 1 hour or Last 24 hours. |
Offset | 0-based index of the page that this operation should return. |
Limit | Maximum number of results per page that this operation should return. |
The output contains the following populated JSON schema:
{
"Response": {
"Docs": [
{
"Generation time": "",
"Risk score": "",
"Department": "",
"Name": "",
"Violator entity": ""
}
],
"Date range": [],
"Total records": ""
}
}
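Get Top Threats, Get Top Violations and Get Top Violators all take the same Offset and Limit parameters and return the same Response / Docs / Total records shape, so a playbook that wants the complete list has to loop over pages. The added example below (not FortiSOAR or Securonix code) shows a paginator that does this safely and then ranks the collected documents. The connector step is stood in for by a constructed page function; Offset is treated as a 0-based page index and Limit as the page size, exactly as the parameter tables describe.

```python
"""Page through a Get Top Threats / Violations / Violators result and triage it.

Added example, not FortiSOAR or Securonix code. fake_get_top_violations()
stands in for the connector step and serves constructed documents in the
{"Response": {"Docs": [...], "Date range": [], "Total records": "..."}}
shape shown in this document.
"""


def _doc(policy_id, criticality, violators):
    # Constructed sample document in the Get Top Violations Docs shape (not real data).
    return {"Criticality": criticality, "Violation entity": "Users",
            "Generation time": "constructed", "No of violator": str(violators),
            "Threat indicator": "constructed indicator", "Policy name": "Policy %s" % policy_id,
            "Policy id": str(policy_id), "Description": "constructed", "Policy category": "Access"}


SAMPLE_DOCS = [_doc(1, "High", 3), _doc(2, "Medium", 1), _doc(3, "High", 7),
               _doc(4, "Low", 2), _doc(5, "Medium", 4)]


def fake_get_top_violations(offset, limit):
    """Simulated connector call: offset is a 0-based page index, limit the page size."""
    start = offset * limit
    page = SAMPLE_DOCS[start:start + limit]
    return {"Response": {"Docs": page, "Date range": [], "Total records": str(len(SAMPLE_DOCS))}}


def collect_all(fetch_page, limit=2, max_pages=1000):
    """Return every Doc across all pages.

    Stops on an empty or short page, when Total records has been reached, or at
    max_pages, so a server that keeps returning data cannot spin the playbook forever.
    Total records arrives as a string in the schema; a non-numeric value is tolerated.
    """
    docs = []
    offset = 0
    while offset < max_pages:
        body = fetch_page(offset, limit) or {}
        response = body.get("Response") or {}
        page = response.get("Docs") or []
        docs.extend(page)
        try:
            total = int(response.get("Total records", ""))
        except (TypeError, ValueError):
            total = None  # unknown total: rely on the empty/short page rule
        if not page or len(page) < limit or (total is not None and len(docs) >= total):
            break
        offset += 1
    return docs


def rank_by_violators(docs):
    """Sort documents by 'No of violator' (descending); non-numeric counts sort last."""
    def key(doc):
        try:
            return -int(doc.get("No of violator", ""))
        except (TypeError, ValueError):
            return 0
    return sorted(docs, key=key)


def group_by_criticality(docs):
    """Bucket documents by their Criticality string, preserving page order within a bucket."""
    groups = {}
    for doc in docs:
        groups.setdefault(doc.get("Criticality", "Unknown"), []).append(doc)
    return groups


if __name__ == "__main__":
    everything = collect_all(fake_get_top_violations, limit=2)
    print(len(everything), "documents")
    for doc in rank_by_violators(everything)[:3]:
        print(doc["Policy id"], doc["Criticality"], doc["No of violator"])
```

With five constructed documents and a page size of two, the loop makes three calls and stops on the short third page; with a page size of five it stops after one call because Total records has been reached.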
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Query | Query attributes based on which you want to retrieve the risk score from Securonix SNYPR. Note: If you do not specify any query attribute, then the risk scores of all users are retrieved from Securonix SNYPR. |
Start Time | Start date and time from when you want to retrieve the risk score from Securonix SNYPR. |
End Time | End date and time till when you want to retrieve the risk score from Securonix SNYPR. |
The output contains a non-dictionary value.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Query | Query attributes based on which you want to retrieve the risk history from Securonix SNYPR. Note: If you do not specify any query attribute, then the risk history of all users is retrieved from Securonix SNYPR. |
Start Time | Start date and time from when you want to retrieve details of violations from Securonix SNYPR. |
End Time | End date and time till when you want to retrieve details of violations from Securonix SNYPR. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Query | (Optional) Query attributes based on which you want to retrieve details of users from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all users are retrieved from Securonix SNYPR. |
The output contains the following populated JSON schema:
{
"error": "",
"available": "",
"to": "",
"totalDocuments": "",
"offset": "",
"searchViolations": "",
"from": "",
"events": [
{
"invalidEventAction": "",
"u_userid": "",
"hour": "",
"tenantname": "",
"directImport": "",
"u_id": "",
"tenantid": "",
"invalid": "",
"result": {
"entry": [
{
"key": "",
"value": ""
}
]
},
"ignored": ""
}
],
"query": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Query | Query attributes based on which you want to retrieve details of violations from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all violations are retrieved from Securonix SNYPR. |
Start Time | Start date and time from when you want to retrieve details of violations from Securonix SNYPR. |
End Time | End date and time till when you want to retrieve details of violations from Securonix SNYPR. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Query | (Optional) Query attributes based on which you want to retrieve details of watchlists from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all watchlists are retrieved from Securonix SNYPR. |
The output contains the following populated JSON schema:
{
"error": "",
"available": "",
"to": "",
"totalDocuments": "",
"offset": "",
"searchViolations": "",
"from": "",
"events": [
{
"invalidEventAction": "",
"u_userid": "",
"hour": "",
"tenantname": "",
"directImport": "",
"u_id": "",
"tenantid": "",
"invalid": "",
"result": {
"entry": [
{
"key": "",
"value": ""
}
]
},
"ignored": ""
}
],
"query": ""
}
Parameter | Description |
---|---|
Query | (Optional) Query attributes based on which you want to retrieve details of TPIs from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all TPIs are retrieved from Securonix SNYPR. |
The output contains the following populated JSON schema:
{
"error": "",
"available": "",
"to": "",
"totalDocuments": "",
"offset": "",
"searchViolations": "",
"from": "",
"events": [
{
"invalidEventAction": "",
"u_userid": "",
"hour": "",
"tenantname": "",
"directImport": "",
"u_id": "",
"tenantid": "",
"invalid": "",
"result": {
"entry": [
{
"key": "",
"value": ""
}
]
},
"ignored": ""
}
],
"query": ""
}
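Query Users, Query Watchlist and Query Third Party Intelligence all return the same schema, in which each event's attributes are not fields on the event but a list of key/value entries under result.entry. A playbook step that wants, say, a user's risk score therefore has to flatten that list first. The added example below (not FortiSOAR or Securonix code) does that for all three operations, drops events the server flagged as invalid or ignored, and ranks the rest by risk score; the response data is constructed to match the schema shown above.

```python
"""Flatten Query Users / Query Watchlist / Query Third Party Intelligence events.

Added example, not FortiSOAR or Securonix code. The response below is
constructed in the schema this document shows; attribute names such as
"firstname", "riskscore" and "department" are sample keys, not a statement
of what the product returns.
"""


def _event(uid, entries, invalid="false", ignored="false"):
    # Constructed sample event in the documented shape (not real data).
    return {"invalidEventAction": "", "u_userid": uid, "hour": "9", "tenantname": "tenant-placeholder",
            "directImport": "false", "u_id": uid, "tenantid": "1", "invalid": invalid,
            "result": {"entry": [{"key": k, "value": v} for k, v in entries]}, "ignored": ignored}


SAMPLE_RESPONSE = {
    "error": "", "available": "true", "to": "constructed", "totalDocuments": "3", "offset": "0",
    "searchViolations": "false", "from": "constructed", "query": "constructed-query",
    "events": [
        _event("1001", [("firstname", "Alice"), ("riskscore", "42"), ("department", "Finance")]),
        _event("1002", [("firstname", "Bob"), ("riskscore", "n/a"),
                        ("department", "IT"), ("department", "Ops")]),      # duplicate key
        _event("1003", [("firstname", "Carol"), ("riskscore", "90")], invalid="true"),
    ],
}

# Event header fields worth carrying into the flat record (from the schema above).
EVENT_HEADER_FIELDS = ("u_userid", "u_id", "tenantname", "tenantid", "hour")


def flatten_event(event):
    """Merge an event's header fields with its key/value entries into one dict.

    Repeated entry keys are recorded under '_duplicates' instead of being lost
    silently; header fields are applied last and so take precedence over an
    entry that happens to use the same name.
    """
    flat = {}
    duplicates = []
    for entry in (event.get("result") or {}).get("entry") or []:
        key = entry.get("key")
        if key is None:
            continue
        if key in flat:
            duplicates.append(key)
        flat[key] = entry.get("value")
    for field in EVENT_HEADER_FIELDS:
        if field in event:
            flat[field] = event[field]
    if duplicates:
        flat["_duplicates"] = duplicates
    return flat


def usable_events(response):
    """Raise on a reported error, skip invalid/ignored events, flatten the rest."""
    if response.get("error"):
        raise RuntimeError("SNYPR query error: %s" % response["error"])
    out = []
    for event in response.get("events") or []:
        if str(event.get("invalid", "")).lower() == "true":
            continue
        if str(event.get("ignored", "")).lower() == "true":
            continue
        out.append(flatten_event(event))
    return out


def high_risk(flat_events, threshold):
    """Return flattened events whose riskscore parses as a number >= threshold."""
    out = []
    for ev in flat_events:
        try:
            score = float(ev.get("riskscore", ""))
        except (TypeError, ValueError):
            continue  # missing or non-numeric score: cannot be ranked
        if score >= threshold:
            out.append(ev)
    return out


if __name__ == "__main__":
    events = usable_events(SAMPLE_RESPONSE)
    print(len(events), "usable events")
    for ev in high_risk(events, 40.0):
        print(ev["u_userid"], ev["firstname"], ev["riskscore"])
```

Checking the top-level error field before touching events matters because the schema shows error alongside a possibly empty events list; treating an error response as "no results" would make a failed query look like a clean one.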
Parameter | Description |
---|---|
Query | Query attributes based on which you want to run the search on Securonix SNYPR. |
Start Time | Start date and time from when you want to run the search on Securonix SNYPR. |
End Time | End date and time till when you want to run the search on Securonix SNYPR. |
The output contains the following populated JSON schema:
{
"available": "",
"error": "",
"events": [],
"from": "",
"offset": "",
"query": "",
"searchViolations": "",
"to": "",
"totalDocuments": ""
}
The Sample - Securonix SNYPR - 1.0.0 playbook collection comes bundled with the Securonix SNYPR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Securonix SNYPR connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.