Fortinet Document Library

Version:


Table of Contents

Securonix SNYPR

2.0.0
Copy Link

About the connector

Securonix SNYPR is an open and modular next-generation security intelligence platform that combines log management, security information and event management, user and entity behavior analytics and fraud detection, serving as a foundation for a broad portfolio of specialized security analytics solutions.

This document provides information about the Securonix SNYPR connector, which facilitates automated interactions, with a Securonix SNYPR server using FortiSOAR™ playbooks. Add the Securonix SNYPR connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all users from Securonix SNYPR, or retrieving the top violations from Securonix SNYPR based on the filter criteria you have specified.

Version information

Connector Version: 2.0.0

Authored By: Fortinet

Certified: No

Release Notes for version 2.0.0

Following enhancements have been made to the Securonix SNYPR Connector in version 2.0.0:

  • Added the following new operations and playbooks:
    • Add Comment
    • Check Task on Incident
    • Create Incident
    • Get Available Threat Action
    • Get Incident Details
    • Get Incident Status
    • Get Incident Workflow
    • Get Possible Actions for Incident
    • Get Workflows
    • List Incidents
    • Take Action on Incident
    • Get Workflow Default Assignee

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-securonix-snypr

Prerequisites to configuring the connector

  • You must have the URL of Securonix SNYPR server to which you will connect and perform automated operations and credentials (Username-Password pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Securonix SNYPR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Securonix SNYPR server to which you will connect and perform the automated operations.
Username Username to access the Securonix SNYPR server to which you will connect and perform the automated operations.
Password password to access the Securonix SNYPR server to which you will connect and perform the automated operations.
Tenant Tenant ID that has been configured for your account to access the Securonix SNYPR server.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:  

Function Description Annotation and Category
List All Users Retrieves a list of all users from Securonix SNYPR. list_users
Investigation
List All Peer Groups Retrieves a list of all peer groups from Securonix SNYPR. list_peer_groups
Investigation
List All Resource Groups Retrieves a list of all resource groups from Securonix SNYPR. list_resource_groups
Investigation
List All Policies Retrieves a list of all policies from Securonix SNYPR. list_policies
Investigation
Get Top Threats Retrieves the top threats from Securonix SNYPR based on when the threat was last seen and other input parameters that you have specified. get_top_threats
Investigation
Get Top Violations Retrieves the top violations from Securonix SNYPR based on when the violation was last seen and other input parameters that you have specified. get_top_violations
Investigation
Get Top Violators Retrieves the top violators from Securonix SNYPR based on when the violator was last seen and other input parameters that you have specified. get_top_violators
Investigation
Get Risk Score Retrieves risk scores for all users or risk scores from Securonix SNYPR based on the query attributes and other input parameters that you have specified. get_risk_score
Investigation
Get Risk History Retrieves risk history for all users or risk history from Securonix SNYPR based on the query attributes and other input parameters that you have specified. get_risk_history
Investigation
Query Users Retrieves details of all users or specific users from Securonix SNYPR based on the query attributes that you have specified. query_for_users
Investigation
Query Violations Retrieves details of all violations or specific violations from Securonix SNYPR based on the query attributes and other input parameters that you have specified. query_for_violations
Investigation
Query Watchlist Retrieves details of all watchlists or specific watchlists from Securonix SNYPR based on the query attributes that you have specified. query_for_watchlist
Investigation
Query Third Party Intelligence Retrieves details of all TPIs or specific TPIs from Securonix SNYPR based on the query attributes that you have specified. query_third_party_intelligence
Investigation
Custom Query Runs a search on Securonix SNYPR and retrieves details based on the query attributes and other input parameters that you have specified. custom_query
Investigation
Add Comment Adds a comment on a Securonix SNYPR incident based on the incident ID you have specified. add_comment
Investigation
Take Action on Incident Takes a specified action on a Securonix SNYPR incident based on the incident ID, action, and other input parameters you have specified. take_action_on_incident
Investigation
Create Incident Creates a new incident in the Securonix SNYPR platform based on the policy name, entity type,  and other input parameters you have specified.
Note: If the case is already created and is present in the Securonix SNYPR platform, then return the details of the existing incident.
create_incident
Investigation
List Incidents Retrieves a list of incidents from the Securonix SNYPR platform based on the range type, date range, and other filter parameters that you have specified. get_incident_details
Investigation
Get Incident Details Retrieves details of a specific incident from Securonix SNYPR based on the incident ID you have specified. get_incident_details
Investigation
Get Incident Status Retrieves the status of a specific incident from Securonix SNYPR based on the incident ID you have specified. get_incident_status
Investigation
Get Incident Workflow Retrieves the workflow of a specific incident from Securonix SNYPR based on the incident ID you have specified. get_incident_workflow
Investigation
Get Possible Actions for Incident Retrieves a list of all possible actions associated with a specific incident from Securonix SNYPR based on the incident ID you have specified. get_possible_action_for_incident
Investigation
Check Task on Incident Checks if action that you have specified is allowed on the specified Securonix SNYPR incident based on the incident ID and action name you have specified. check_task_on_incident
Investigation
Get Workflows Retrieves a list of all existing workflows from Securonix SNYPR. get_workflows
Investigation
Get Available Threat Action Retrieves a list of all available threat actions from Securonix SNYPR. get_available_threat_action
Investigation
Get Workflow Default Assignee

Retrieves the default assignee details for a specified workflow from Securonix SNYPR based on the workflow name you have specified.

get_workflow_default_assignee

Investigation

operation: List All Users

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"users": {
"user": [
               {
                 "approverEmployeeId": "",
                  "costCenterCode": "",
                  "criticality": "",
                  "department": "",
                  "disableDate": "",
                  "division": "",
                  "email": "",
                  "employeeId": "",
                  "employeeType": "",
                  "enableDate": "",
                  "firstName": "",
                  "hireDate": "",
                  "jobCode": "",
                  "lastName": "",
                  "location": "",
                  "managerEmployeeId": "",
                  "managerFirstname": "",
                  "managerLastname": "",
                  "masked": "",
                  "riskscore": "",
                  "skipEncryption": "",
                  "status": "",
                  "title": ""
              }
]
}
}

operation: List All Peer Groups

Input parameters

None.

Output

The output contains the following populated JSON schema:

     "peerGroups": { 
         "peerGroup": [ 
             { 
                 "name": "", 
                 "criticality": "" 
             }, 
             { 
                 "name": "", 
                 "criticality": "" 
             } 
         ] 
     } 
}

operation: List All Resource Groups

Input parameters

None.

Output

The output contains the following populated JSON schema:

     "resourceGroups": { 
         "resourceGroup": [ 
             { 
                 "name": "", 
                 "type": "" 
             }, 
             { 
                 "name": "", 
                 "type": "" 
             }, 
             { 
                 "name": "", 
                 "type": "" 
             }, 
             { 
                 "name": "", 
                 "type": "" 
             } 
         ] 
     } 
}

operation: List All Policies

Input parameters

None.

Output

The output contains the following populated JSON schema:

     "policies": { 
         "policy": [ 
             { 
                 "createdBy": "", 
                 "criticality": "", 
                 "hql": "", 
                 "createdOn": "", 
                 "id": "", 
                 "name": "", 
                 "description": "" 
             } 
         ] 
     } 
}

operation: Get Top Threats

Input parameters

Parameter Description
Last Seen Time period for which you want to retrieve the top threats from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years.
Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour etc. 
Offset 0 based index of the page that this operation should return.
Limit Maximum number of results per page, that this operation should return.

Output

The output contains the following populated JSON schema:

     "Response": { 
         "Docs": [ 
             { 
                 "Threat nodel name": "", 
                 "Criticality": "", 
                 "Generation time": "", 
                 "No of violator": "", 
                 "Threat model id": "", 
                 "Description": "" 
             } 
         ], 
         "Date range": [], 
         "Total records": "" 
     } 
}

operation: Get Top Violations

Input parameters

Parameter Description
Last Seen Time period for which you want to retrieve the top violations from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years.
Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour etc.
Offset 0 based index of the page that this operation should return.
Limit Maximum number of results per page, that this operation should return.

Output

The output contains the following populated JSON schema:

     "Response": { 
         "Docs": [ 
             { 
                 "Criticality": "", 
                 "Violation entity": "", 
                 "Generation time": "", 
                 "No of violator": "", 
                 "Threat indicator": "", 
                 "Policy name": "", 
                 "Policy id": "", 
                 "Description": "", 
                 "Policy category": "" 
             } 
         ], 
         "Date range": [], 
         "Total records": "" 
     } 
}

operation: Get Top Violators

Input parameters

Parameter Description
Last Seen Time period for which you want to retrieve the top violators from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years.
Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour etc.
Offset 0 based index of the page that this operation should return.
Limit Maximum number of results per page, that this operation should return.

Output

The output contains the following populated JSON schema:

     "Response": { 
         "Docs": [ 
             { 
                 "Generation time": "", 
                 "Risk score": "", 
                 "Department": "", 
                 "Name": "", 
                 "Violator entity": "" 
             } 
         ], 
         "Date range": [], 
         "Total records": "" 
     } 
}

operation: Get Risk Score

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.   

Parameter Description
Query Query attributes based on which you want to retrieve the risk score from Securonix SNYPR.
Note: If you do not specify any query attribute, then the risk scores of all users is retrieved from Securonix SNYPR.
Start Time

Start date and time from when you want to retrieve the risk score from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve the risk score from Securonix SNYPR. 

End Time

End date and time till when you want to retrieve the risk score from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve the risk score from Securonix SNYPR. 

Output

The output contains a non-dictionary value.

operation: Get Risk History

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.   

Parameter Description
Query Query attributes based on which you want to retrieve the risk history from Securonix SNYPR.
Note: If you do not specify any query attribute, then the risk history of all users is retrieved from Securonix SNYPR.
Start Time

Start date and time from when you want to retrieve details of violations from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve the risk history from Securonix SNYPR. 

End Time

End date and time till when you want to retrieve details of violations from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve the risk history from Securonix SNYPR. 

Output

The output contains a non-dictionary value.

operation: Query Users

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve details of users from Securonix SNYPR.
Note: If you do not specify any query attribute, then the details of all users are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "error": "", 
     "available": "", 
     "to": "", 
     "totalDocuments": "", 
     "offset": "", 
     "searchViolations": "", 
     "from": "", 
     "events": [ 
         { 
             "invalidEventAction": "", 
             "u_userid": "", 
             "hour": "", 
             "tenantname": "", 
             "directImport": "", 
             "u_id": "", 
             "tenantid": "", 
             "invalid": "", 
             "result": { 
                 "entry": [ 
                     { 
                         "key": "", 
                         "value": "" 
                     } 
                 ] 
             }, 
             "ignored": "" 
         } 
     ], 
     "query": "" 
}

operation: Query Violations

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.   

Parameter Description
Query Query attributes based on which you want to retrieve details of violations from Securonix SNYPR.
Note: If you do not specify any query attribute, then the details of all violations are retrieved from Securonix SNYPR.
Start Time

Start date and time from when you want to retrieve details of violations from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve details of violations from Securonix SNYPR. 

End Time

End date and time till when you want to retrieve details of violations from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve details of violations from Securonix SNYPR. 

Output

The output contains a non-dictionary value.

operation: Query Watchlist

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve details of watchlists from Securonix SNYPR.
Note: If you do not specify any query attribute, then the details of all watchlists are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "error": "", 
     "available": "", 
     "to": "", 
     "totalDocuments": "", 
     "offset": "", 
     "searchViolations": "", 
     "from": "", 
     "events": [ 
         { 
             "invalidEventAction": "", 
             "u_userid": "", 
             "hour": "", 
             "tenantname": "", 
             "directImport": "", 
             "u_id": "", 
             "tenantid": "", 
             "invalid": "", 
             "result": { 
                 "entry": [ 
                     { 
                         "key": "", 
                         "value": "" 
                     } 
                 ] 
             }, 
             "ignored": "" 
         } 
     ], 
     "query": "" 
}

operation: Query Third Party Intelligence

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve details of TPIs from Securonix SNYPR.
Note: If you do not specify any query attribute, then the details of all TPIs are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "error": "", 
     "available": "", 
     "to": "", 
     "totalDocuments": "", 
     "offset": "", 
     "searchViolations": "", 
     "from": "", 
     "events": [ 
         { 
             "invalidEventAction": "", 
             "u_userid": "", 
             "hour": "", 
             "tenantname": "", 
             "directImport": "", 
             "u_id": "", 
             "tenantid": "", 
             "invalid": "", 
             "result": { 
                 "entry": [ 
                     { 
                         "key": "", 
                         "value": "" 
                     } 
                 ] 
             }, 
             "ignored": "" 
         } 
     ], 
     "query": "" 
}

operation: Custom Query

Input parameters

Parameter Description
Query Query attributes based on which you want to run the search on Securonix SNYPR.
Start Time

Start date and time from when you want to run the search on Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve the risk score from Securonix SNYPR. 

End Time

End date and time till when you want to run the search on Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve the risk score from Securonix SNYPR. 

Output

 

The output contains the following populated JSON schema:

    "available": "",

    "error": "",

    "events": [],

    "from": "",

    "offset": "",

    "query": "",

    "searchViolations": "", 

    "to": "", 

    "totalDocuments": "",   
}

operation: Add Comment

Input parameters

Parameter Description
Incident ID ID of the incident in Securonix SNYPR to which you want to add comment.
Comment Comment that you want to add to the specified incident.

Output

The output contains a non-dictionary value.

operation: Take Action on Incident

Input parameters

Parameter Description
Incident ID ID of the incident in Securonix SNYPR on which you want to take the specified action.
Action Name Name of the action that you want to take on the specified Securonix SNYPR incident.
Other Required Fields (Optional) Additional required fields, in the JSON format, which you want to add to your request.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": "" 
}

operation: Create Incident

Input parameters

Parameter Description
Policy Name Name of the policy that you want to associate with the new incident that you want to create in Securonix SNYPR.  
Data Source Name Name of the data source that you want to associate with the new incident that you want to create in Securonix SNYPR.
Account Name Name of the account that you want to associate with the new incident that you want to create in Securonix SNYPR.
Entity Type Type of entity that you want to associate with the new incident that you want to create in Securonix SNYPR.
Action Name Name of the action available in threat management that you want to associate with the new incident that you want to create in Securonix SNYPR.
You can choose from the following options: Mark as Concern and create incident, Non-Concern, or Mark in progress (still investigating).
Resource Name Name of the resource that you want to associate with the new incident that you want to create in Securonix SNYPR.
Note: This parameter required for Activity account.
Employee ID (Optional) ID of the employee that you want to associate with the new incident that you want to create in Securonix SNYPR.  
Workflow Name Name of the workflow that you want to associate with the new incident that you want to create in Securonix SNYPR.  
Note: This field required when you specify the action name as Mark as concern and create incident.
Comment Comment that you want to associate with the new incident that you want to create in Securonix SNYPR.
Criticality Criticality that you want to associate with the new incident that you want to create in Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "incidentItems": [ 
         { 
             "url": "", 
             "violatorSubText": "", 
             "violatorId": "", 
             "entity": "", 
             "lastUpdateDate": "", 
             "reason": [], 
             "incidentType": "", 
             "assignedUser": "", 
             "isWhitelisted": "", 
             "workflowName": "", 
             "riskscore": "", 
             "incidentId": "", 
             "statusCompleted": "", 
             "watchlisted": "", 
             "violatorText": "", 
             "priority": "", 
             "incidentStatus": "" 
         } 
     ], 
     "totalIncidents": "" 
}

operation: List Incidents

Input parameters

Parameter Description
Range Type Type of filter based on which you want to retrieve the list of incidents from Securonix SNYPR. You can choose from the following options: Opened, Updated, or Closed.
Start Time DateTime from when you want to retrieve the list of incidents from Securonix SNYPR
End Time DateTime till when you want to retrieve the list of incidents from Securonix SNYPR
Status (Optional) CSV list of status values based on which you want to filter the list of incidents retrieved from Securonix SNYPR.
Offset (Optional) 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": { 
         "data": { 
             "incidentItems": [ 
                 { 
                     "url": "", 
                     "violatorSubText": "", 
                     "violatorId": "", 
                     "entity": "", 
                     "lastUpdateDate": "", 
                     "reason": [], 
                     "incidentType": "", 
                     "assignedUser": "", 
                     "isWhitelisted": "", 
                     "workflowName": "", 
                     "riskscore": "", 
                     "incidentId": "", 
                     "watchlisted": "", 
                     "violatorText": "", 
                     "priority": "", 
                     "incidentStatus": "" 
                 } 
             ], 
             "totalIncidents": "" 
         } 
     } 
}

operation: Get Incident Details

Input parameters

Parameter Description
Incident ID ID of the incident whose details you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": { 
         "data": { 
             "incidentItems": [ 
                 { 
                     "assignedGroup": "", 
                     "url": "", 
                     "violatorSubText": "", 
                     "violatorId": "", 
                     "entity": "", 
                     "lastUpdateDate": "", 
                     "reason": [], 
                     "incidentType": "", 
                     "assignedUser": "", 
                     "isWhitelisted": "", 
                     "workflowName": "", 
                     "riskscore": "", 
                     "incidentId": "", 
                     "statusCompleted": "", 
                     "watchlisted": "", 
                     "violatorText": "", 
                     "priority": "", 
                     "incidentStatus": "" 
                 } 
             ], 
             "totalIncidents": "" 
         } 
     }, 
     "messages": [] 
}

operation: Get Incident Status

Input parameters

Parameter Description
Incident ID ID of the incident whose status you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": { 
         "status": "" 
     }, 
     "messages": [] 
}

operation: Get Incident Workflow

Input parameters

Parameter Description
Incident ID ID of the incident whose workflow you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": { 
         "workflow": "" 
     }, 
     "messages": [] 
}

operation: Get Possible Actions for Incident

Input parameters

Parameter Description
Incident ID ID of the incident whose related actions you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "result": [ 
         { 
             "status": "", 
             "actionName": "", 
             "actionDetails": [ 
                 { 
                     "sections": { 
                         "sectionName": "", 
                         "attributes": [ 
                             { 
                                 "required": "", 
                                 "attributeType": "", 
                                 "attribute": "", 
                                 "displayName": "" 
                             } 
                         ] 
                     }, 
                     "title": "" 
                 } 
             ] 
         } 
     ], 
     "status": "", 
     "messages": [] 
}

operation: Check Task on Incident

Input parameters

Parameter Description
Incident ID ID of the incident whose associated tasks and actions you want to retrieve from Securonix SNYPR.
Action Name Name of the action that you want to execute on the specific Securonix SNYPR incident.

Output

The output contains the following populated JSON schema:

     "result": [ 
         { 
             "status": "", 
             "actionName": "", 
             "actionDetails": [ 
                 { 
                     "sections": { 
                         "sectionName": "", 
                         "attributes": [ 
                             { 
                                 "required": "", 
                                 "attributeType": "", 
                                 "attribute": "", 
                                 "displayName": "" 
                             } 
                         ] 
                     }, 
                     "title": "" 
                 } 
             ] 
         } 
     ], 
     "status": "", 
     "messages": [] 
}

operation: Get Workflows

Input parameters

None.

Output

The output contains the following populated JSON schema:

     "result": { 
         "workflows": [ 
             { 
                 "value": "", 
                 "workflow": "", 
                 "type": "" 
             } 
         ] 
     }, 
     "status": "", 
     "messages": [] 
}

operation: Get Available Threat Action

Input parameters

None.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": [], 
     "messages": [] 
}

operation: Get Workflow Default Assignee

Input parameters

Parameter Description
Workflow Name Name of the workflow whose default assignee details you want to retrieve from Securonix SNYPR.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Securonix  SNYPR - 2.0.0 playbook collection comes bundled with the Securonix SNYPR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Securonix SNYPR connector.

  • Add Comment
  • Check Task on Incident
  • Create Incident
  • Custom Query
  • Get Available Threat Action
  • Get Incident Details
  • Get Incident Status
  • Get Incident Workflow
  • Get Possible Actions for Incident
  • Get Risk History
  • Get Risk Score
  • Get Top Threats
  • Get Top Violations
  • Get Top Violators
  • Get Workflow Default Assignee
  • Get Workflows
  • List All Peer Groups
  • List All Policies
  • List All Resource Groups
  • List Incidents
  • List Users
  • Query Third Party Intelligence
  • Query Users
  • Query Violations
  • Query Watchlist
  • Take Action on Incident

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

About the connector

Securonix SNYPR is an open and modular next-generation security intelligence platform that combines log management, security information and event management, user and entity behavior analytics and fraud detection, serving as a foundation for a broad portfolio of specialized security analytics solutions.

This document provides information about the Securonix SNYPR connector, which facilitates automated interactions, with a Securonix SNYPR server using FortiSOAR™ playbooks. Add the Securonix SNYPR connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all users from Securonix SNYPR, or retrieving the top violations from Securonix SNYPR based on the filter criteria you have specified.

Version information

Connector Version: 2.0.0

Authored By: Fortinet

Certified: No

Release Notes for version 2.0.0

Following enhancements have been made to the Securonix SNYPR Connector in version 2.0.0:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-securonix-snypr

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Securonix SNYPR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Securonix SNYPR server to which you will connect and perform the automated operations.
Username Username to access the Securonix SNYPR server to which you will connect and perform the automated operations.
Password password to access the Securonix SNYPR server to which you will connect and perform the automated operations.
Tenant Tenant ID that has been configured for your account to access the Securonix SNYPR server.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:  

Function Description Annotation and Category
List All Users Retrieves a list of all users from Securonix SNYPR. list_users
Investigation
List All Peer Groups Retrieves a list of all peer groups from Securonix SNYPR. list_peer_groups
Investigation
List All Resource Groups Retrieves a list of all resource groups from Securonix SNYPR. list_resource_groups
Investigation
List All Policies Retrieves a list of all policies from Securonix SNYPR. list_policies
Investigation
Get Top Threats Retrieves the top threats from Securonix SNYPR based on when the threat was last seen and other input parameters that you have specified. get_top_threats
Investigation
Get Top Violations Retrieves the top violations from Securonix SNYPR based on when the violation was last seen and other input parameters that you have specified. get_top_violations
Investigation
Get Top Violators Retrieves the top violators from Securonix SNYPR based on when the violator was last seen and other input parameters that you have specified. get_top_violators
Investigation
Get Risk Score Retrieves risk scores for all users or risk scores from Securonix SNYPR based on the query attributes and other input parameters that you have specified. get_risk_score
Investigation
Get Risk History Retrieves risk history for all users or risk history from Securonix SNYPR based on the query attributes and other input parameters that you have specified. get_risk_history
Investigation
Query Users Retrieves details of all users or specific users from Securonix SNYPR based on the query attributes that you have specified. query_for_users
Investigation
Query Violations Retrieves details of all violations or specific violations from Securonix SNYPR based on the query attributes and other input parameters that you have specified. query_for_violations
Investigation
Query Watchlist Retrieves details of all watchlists or specific watchlists from Securonix SNYPR based on the query attributes that you have specified. query_for_watchlist
Investigation
Query Third Party Intelligence Retrieves details of all TPIs or specific TPIs from Securonix SNYPR based on the query attributes that you have specified. query_third_party_intelligence
Investigation
Custom Query Runs a search on Securonix SNYPR and retrieves details based on the query attributes and other input parameters that you have specified. custom_query
Investigation
Add Comment Adds a comment on a Securonix SNYPR incident based on the incident ID you have specified. add_comment
Investigation
Take Action on Incident Takes a specified action on a Securonix SNYPR incident based on the incident ID, action, and other input parameters you have specified. take_action_on_incident
Investigation
Create Incident Creates a new incident in the Securonix SNYPR platform based on the policy name, entity type,  and other input parameters you have specified.
Note: If the case is already created and is present in the Securonix SNYPR platform, then return the details of the existing incident.
create_incident
Investigation
List Incidents Retrieves a list of incidents from the Securonix SNYPR platform based on the range type, date range, and other filter parameters that you have specified. get_incident_details
Investigation
Get Incident Details Retrieves details of a specific incident from Securonix SNYPR based on the incident ID you have specified. get_incident_details
Investigation
Get Incident Status Retrieves the status of a specific incident from Securonix SNYPR based on the incident ID you have specified. get_incident_status
Investigation
Get Incident Workflow Retrieves the workflow of a specific incident from Securonix SNYPR based on the incident ID you have specified. get_incident_workflow
Investigation
Get Possible Actions for Incident Retrieves a list of all possible actions associated with a specific incident from Securonix SNYPR based on the incident ID you have specified. get_possible_action_for_incident
Investigation
Check Task on Incident Checks if action that you have specified is allowed on the specified Securonix SNYPR incident based on the incident ID and action name you have specified. check_task_on_incident
Investigation
Get Workflows Retrieves a list of all existing workflows from Securonix SNYPR. get_workflows
Investigation
Get Available Threat Action Retrieves a list of all available threat actions from Securonix SNYPR. get_available_threat_action
Investigation
Get Workflow Default Assignee

Retrieves the default assignee details for a specified workflow from Securonix SNYPR based on the workflow name you have specified.

get_workflow_default_assignee

Investigation

operation: List All Users

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"users": {
"user": [
               {
                 "approverEmployeeId": "",
                  "costCenterCode": "",
                  "criticality": "",
                  "department": "",
                  "disableDate": "",
                  "division": "",
                  "email": "",
                  "employeeId": "",
                  "employeeType": "",
                  "enableDate": "",
                  "firstName": "",
                  "hireDate": "",
                  "jobCode": "",
                  "lastName": "",
                  "location": "",
                  "managerEmployeeId": "",
                  "managerFirstname": "",
                  "managerLastname": "",
                  "masked": "",
                  "riskscore": "",
                  "skipEncryption": "",
                  "status": "",
                  "title": ""
              }
]
}
}

operation: List All Peer Groups

Input parameters

None.

Output

The output contains the following populated JSON schema:

     "peerGroups": { 
         "peerGroup": [ 
             { 
                 "name": "", 
                 "criticality": "" 
             }, 
             { 
                 "name": "", 
                 "criticality": "" 
             } 
         ] 
     } 
}

operation: List All Resource Groups

Input parameters

None.

Output

The output contains the following populated JSON schema:

     "resourceGroups": { 
         "resourceGroup": [ 
             { 
                 "name": "", 
                 "type": "" 
             }, 
             { 
                 "name": "", 
                 "type": "" 
             }, 
             { 
                 "name": "", 
                 "type": "" 
             }, 
             { 
                 "name": "", 
                 "type": "" 
             } 
         ] 
     } 
}

operation: List All Policies

Input parameters

None.

Output

The output contains the following populated JSON schema:

     "policies": { 
         "policy": [ 
             { 
                 "createdBy": "", 
                 "criticality": "", 
                 "hql": "", 
                 "createdOn": "", 
                 "id": "", 
                 "name": "", 
                 "description": "" 
             } 
         ] 
     } 
}

operation: Get Top Threats

Input parameters

Parameter Description
Last Seen Time period for which you want to retrieve the top threats from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years.
Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour etc. 
Offset 0 based index of the page that this operation should return.
Limit Maximum number of results per page, that this operation should return.

Output

The output contains the following populated JSON schema:

     "Response": { 
         "Docs": [ 
             { 
                 "Threat nodel name": "", 
                 "Criticality": "", 
                 "Generation time": "", 
                 "No of violator": "", 
                 "Threat model id": "", 
                 "Description": "" 
             } 
         ], 
         "Date range": [], 
         "Total records": "" 
     } 
}

operation: Get Top Violations

Input parameters

Parameter Description
Last Seen Time period for which you want to retrieve the top violations from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years.
Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour etc.
Offset 0 based index of the page that this operation should return.
Limit Maximum number of results per page, that this operation should return.

Output

The output contains the following populated JSON schema:

     "Response": { 
         "Docs": [ 
             { 
                 "Criticality": "", 
                 "Violation entity": "", 
                 "Generation time": "", 
                 "No of violator": "", 
                 "Threat indicator": "", 
                 "Policy name": "", 
                 "Policy id": "", 
                 "Description": "", 
                 "Policy category": "" 
             } 
         ], 
         "Date range": [], 
         "Total records": "" 
     } 
}

operation: Get Top Violators

Input parameters

Parameter Description
Last Seen Time period for which you want to retrieve the top violators from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years.
Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour etc.
Offset 0 based index of the page that this operation should return.
Limit Maximum number of results per page, that this operation should return.

Output

The output contains the following populated JSON schema:

     "Response": { 
         "Docs": [ 
             { 
                 "Generation time": "", 
                 "Risk score": "", 
                 "Department": "", 
                 "Name": "", 
                 "Violator entity": "" 
             } 
         ], 
         "Date range": [], 
         "Total records": "" 
     } 
}

operation: Get Risk Score

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.   

Parameter Description
Query Query attributes based on which you want to retrieve the risk score from Securonix SNYPR.
Note: If you do not specify any query attribute, then the risk scores of all users is retrieved from Securonix SNYPR.
Start Time

Start date and time from when you want to retrieve the risk score from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve the risk score from Securonix SNYPR. 

End Time

End date and time till when you want to retrieve the risk score from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve the risk score from Securonix SNYPR. 

Output

The output contains a non-dictionary value.

operation: Get Risk History

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.   

Parameter Description
Query Query attributes based on which you want to retrieve the risk history from Securonix SNYPR.
Note: If you do not specify any query attribute, then the risk history of all users is retrieved from Securonix SNYPR.
Start Time

Start date and time from when you want to retrieve details of violations from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve the risk history from Securonix SNYPR. 

End Time

End date and time till when you want to retrieve details of violations from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve the risk history from Securonix SNYPR. 

Output

The output contains a non-dictionary value.

operation: Query Users

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve details of users from Securonix SNYPR.
Note: If you do not specify any query attribute, then the details of all users are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "error": "", 
     "available": "", 
     "to": "", 
     "totalDocuments": "", 
     "offset": "", 
     "searchViolations": "", 
     "from": "", 
     "events": [ 
         { 
             "invalidEventAction": "", 
             "u_userid": "", 
             "hour": "", 
             "tenantname": "", 
             "directImport": "", 
             "u_id": "", 
             "tenantid": "", 
             "invalid": "", 
             "result": { 
                 "entry": [ 
                     { 
                         "key": "", 
                         "value": "" 
                     } 
                 ] 
             }, 
             "ignored": "" 
         } 
     ], 
     "query": "" 
}

operation: Query Violations

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.   

Parameter Description
Query Query attributes based on which you want to retrieve details of violations from Securonix SNYPR.
Note: If you do not specify any query attribute, then the details of all violations are retrieved from Securonix SNYPR.
Start Time

Start date and time from when you want to retrieve details of violations from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve details of violations from Securonix SNYPR. 

End Time

End date and time till when you want to retrieve details of violations from Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve details of violations from Securonix SNYPR. 

Output

The output contains a non-dictionary value.

operation: Query Watchlist

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve details of watchlists from Securonix SNYPR.
Note: If you do not specify any query attribute, then the details of all watchlists are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "error": "", 
     "available": "", 
     "to": "", 
     "totalDocuments": "", 
     "offset": "", 
     "searchViolations": "", 
     "from": "", 
     "events": [ 
         { 
             "invalidEventAction": "", 
             "u_userid": "", 
             "hour": "", 
             "tenantname": "", 
             "directImport": "", 
             "u_id": "", 
             "tenantid": "", 
             "invalid": "", 
             "result": { 
                 "entry": [ 
                     { 
                         "key": "", 
                         "value": "" 
                     } 
                 ] 
             }, 
             "ignored": "" 
         } 
     ], 
     "query": "" 
}

operation: Query Third Party Intelligence

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve details of TPIs from Securonix SNYPR.
Note: If you do not specify any query attribute, then the details of all TPIs are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "error": "", 
     "available": "", 
     "to": "", 
     "totalDocuments": "", 
     "offset": "", 
     "searchViolations": "", 
     "from": "", 
     "events": [ 
         { 
             "invalidEventAction": "", 
             "u_userid": "", 
             "hour": "", 
             "tenantname": "", 
             "directImport": "", 
             "u_id": "", 
             "tenantid": "", 
             "invalid": "", 
             "result": { 
                 "entry": [ 
                     { 
                         "key": "", 
                         "value": "" 
                     } 
                 ] 
             }, 
             "ignored": "" 
         } 
     ], 
     "query": "" 
}

operation: Custom Query

Input parameters

Parameter Description
Query Query attributes based on which you want to run the search on Securonix SNYPR.
Start Time

Start date and time from when you want to run the search on Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve the risk score from Securonix SNYPR. 

End Time

End date and time till when you want to run the search on Securonix SNYPR.
If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve the risk score from Securonix SNYPR. 

Output

 

The output contains the following populated JSON schema:

    "available": "",

    "error": "",

    "events": [],

    "from": "",

    "offset": "",

    "query": "",

    "searchViolations": "", 

    "to": "", 

    "totalDocuments": "",   
}

operation: Add Comment

Input parameters

Parameter Description
Incident ID ID of the incident in Securonix SNYPR to which you want to add comment.
Comment Comment that you want to add to the specified incident.

Output

The output contains a non-dictionary value.

operation: Take Action on Incident

Input parameters

Parameter Description
Incident ID ID of the incident in Securonix SNYPR on which you want to take the specified action.
Action Name Name of the action that you want to take on the specified Securonix SNYPR incident.
Other Required Fields (Optional) Additional required fields, in the JSON format, which you want to add to your request.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": "" 
}

operation: Create Incident

Input parameters

Parameter Description
Policy Name Name of the policy that you want to associate with the new incident that you want to create in Securonix SNYPR.  
Data Source Name Name of the data source that you want to associate with the new incident that you want to create in Securonix SNYPR.
Account Name Name of the account that you want to associate with the new incident that you want to create in Securonix SNYPR.
Entity Type Type of entity that you want to associate with the new incident that you want to create in Securonix SNYPR.
Action Name Name of the action available in threat management that you want to associate with the new incident that you want to create in Securonix SNYPR.
You can choose from the following options: Mark as Concern and create incident, Non-Concern, or Mark in progress (still investigating).
Resource Name Name of the resource that you want to associate with the new incident that you want to create in Securonix SNYPR.
Note: This parameter required for Activity account.
Employee ID (Optional) ID of the employee that you want to associate with the new incident that you want to create in Securonix SNYPR.  
Workflow Name Name of the workflow that you want to associate with the new incident that you want to create in Securonix SNYPR.  
Note: This field required when you specify the action name as Mark as concern and create incident.
Comment Comment that you want to associate with the new incident that you want to create in Securonix SNYPR.
Criticality Criticality that you want to associate with the new incident that you want to create in Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "incidentItems": [ 
         { 
             "url": "", 
             "violatorSubText": "", 
             "violatorId": "", 
             "entity": "", 
             "lastUpdateDate": "", 
             "reason": [], 
             "incidentType": "", 
             "assignedUser": "", 
             "isWhitelisted": "", 
             "workflowName": "", 
             "riskscore": "", 
             "incidentId": "", 
             "statusCompleted": "", 
             "watchlisted": "", 
             "violatorText": "", 
             "priority": "", 
             "incidentStatus": "" 
         } 
     ], 
     "totalIncidents": "" 
}

operation: List Incidents

Input parameters

Parameter Description
Range Type Type of filter based on which you want to retrieve the list of incidents from Securonix SNYPR. You can choose from the following options: Opened, Updated, or Closed.
Start Time DateTime from when you want to retrieve the list of incidents from Securonix SNYPR
End Time DateTime till when you want to retrieve the list of incidents from Securonix SNYPR
Status (Optional) CSV list of status values based on which you want to filter the list of incidents retrieved from Securonix SNYPR.
Offset (Optional) 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": { 
         "data": { 
             "incidentItems": [ 
                 { 
                     "url": "", 
                     "violatorSubText": "", 
                     "violatorId": "", 
                     "entity": "", 
                     "lastUpdateDate": "", 
                     "reason": [], 
                     "incidentType": "", 
                     "assignedUser": "", 
                     "isWhitelisted": "", 
                     "workflowName": "", 
                     "riskscore": "", 
                     "incidentId": "", 
                     "watchlisted": "", 
                     "violatorText": "", 
                     "priority": "", 
                     "incidentStatus": "" 
                 } 
             ], 
             "totalIncidents": "" 
         } 
     } 
}

operation: Get Incident Details

Input parameters

Parameter Description
Incident ID ID of the incident whose details you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": { 
         "data": { 
             "incidentItems": [ 
                 { 
                     "assignedGroup": "", 
                     "url": "", 
                     "violatorSubText": "", 
                     "violatorId": "", 
                     "entity": "", 
                     "lastUpdateDate": "", 
                     "reason": [], 
                     "incidentType": "", 
                     "assignedUser": "", 
                     "isWhitelisted": "", 
                     "workflowName": "", 
                     "riskscore": "", 
                     "incidentId": "", 
                     "statusCompleted": "", 
                     "watchlisted": "", 
                     "violatorText": "", 
                     "priority": "", 
                     "incidentStatus": "" 
                 } 
             ], 
             "totalIncidents": "" 
         } 
     }, 
     "messages": [] 
}

operation: Get Incident Status

Input parameters

Parameter Description
Incident ID ID of the incident whose status you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": { 
         "status": "" 
     }, 
     "messages": [] 
}

operation: Get Incident Workflow

Input parameters

Parameter Description
Incident ID ID of the incident whose workflow you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": { 
         "workflow": "" 
     }, 
     "messages": [] 
}

operation: Get Possible Actions for Incident

Input parameters

Parameter Description
Incident ID ID of the incident whose related actions you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

     "result": [ 
         { 
             "status": "", 
             "actionName": "", 
             "actionDetails": [ 
                 { 
                     "sections": { 
                         "sectionName": "", 
                         "attributes": [ 
                             { 
                                 "required": "", 
                                 "attributeType": "", 
                                 "attribute": "", 
                                 "displayName": "" 
                             } 
                         ] 
                     }, 
                     "title": "" 
                 } 
             ] 
         } 
     ], 
     "status": "", 
     "messages": [] 
}

operation: Check Task on Incident

Input parameters

Parameter Description
Incident ID ID of the incident whose associated tasks and actions you want to retrieve from Securonix SNYPR.
Action Name Name of the action that you want to execute on the specific Securonix SNYPR incident.

Output

The output contains the following populated JSON schema:

     "result": [ 
         { 
             "status": "", 
             "actionName": "", 
             "actionDetails": [ 
                 { 
                     "sections": { 
                         "sectionName": "", 
                         "attributes": [ 
                             { 
                                 "required": "", 
                                 "attributeType": "", 
                                 "attribute": "", 
                                 "displayName": "" 
                             } 
                         ] 
                     }, 
                     "title": "" 
                 } 
             ] 
         } 
     ], 
     "status": "", 
     "messages": [] 
}

operation: Get Workflows

Input parameters

None.

Output

The output contains the following populated JSON schema:

     "result": { 
         "workflows": [ 
             { 
                 "value": "", 
                 "workflow": "", 
                 "type": "" 
             } 
         ] 
     }, 
     "status": "", 
     "messages": [] 
}

operation: Get Available Threat Action

Input parameters

None.

Output

The output contains the following populated JSON schema:

     "status": "", 
     "result": [], 
     "messages": [] 
}

operation: Get Workflow Default Assignee

Input parameters

Parameter Description
Workflow Name Name of the workflow whose default assignee details you want to retrieve from Securonix SNYPR.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Securonix  SNYPR - 2.0.0 playbook collection comes bundled with the Securonix SNYPR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Securonix SNYPR connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.