
Securonix SNYPR

Securonix SNYPR v2.2.0

About the connector

Securonix SNYPR is an open and modular next-generation security intelligence platform that combines log management, security information and event management, user and entity behavior analytics and fraud detection, serving as a foundation for a broad portfolio of specialized security analytics solutions.

This document provides information about the Securonix SNYPR connector, which facilitates automated interactions with a Securonix SNYPR server using FortiSOAR™ playbooks. Add the Securonix SNYPR connector as a step in FortiSOAR™ playbooks and perform automated operations with Securonix SNYPR.

Version information

Connector Version: 2.2.0

Authored By: Fortinet

Certified: No

Release Notes for version 2.2.0

The following enhancements have been made to the Securonix SNYPR connector in version 2.2.0:

  • Added data ingestion support to ingest Securonix incidents as alerts in FortiSOAR.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-securonix-snypr

Prerequisites to configuring the connector

  • You must have the credentials of Securonix SNYPR server to which you will connect and perform automated operations.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Securonix SNYPR server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Securonix SNYPR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

  • Server URL: URL of the Securonix SNYPR server to which you will connect and perform the automated operations.
  • Username: Username to access the Securonix SNYPR server to which you will connect and perform the automated operations.
  • Password: Password to access the Securonix SNYPR server to which you will connect and perform the automated operations.
  • Tenant: Tenant ID that has been configured for your account to access the Securonix SNYPR server.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified. By default, this option is selected, i.e., set to true.

Actions supported by the connector

You can use the following automated operations in playbooks and also use the annotations to access operations:

Each entry lists the function, its description, and its annotation and category:

  • Add Comment: Adds a comment on a Securonix SNYPR incident based on the incident ID you have specified. (annotation: add_comment; category: Investigation)
  • Create Incident: Creates a new incident in the Securonix SNYPR platform based on the policy name, entity type, and other input parameters you have specified. Note: If the case has already been created and is present in the Securonix SNYPR platform, the details of the existing incident are returned. (annotation: create_incident; category: Investigation)
  • Check Task on Incident: Checks if the action that you have specified is allowed on the specified Securonix SNYPR incident based on the incident ID and action name you have specified. (annotation: check_task_on_incident; category: Investigation)
  • Get Available Threat Action: Retrieves a list of all available threat actions from Securonix SNYPR. (annotation: get_available_threat_action; category: Investigation)
  • Get Incident Details: Retrieves details of a specific incident from Securonix SNYPR based on the incident ID you have specified. (annotation: get_incident_details; category: Investigation)
  • Get Incident Status: Retrieves the status of a specific incident from Securonix SNYPR based on the incident ID you have specified. (annotation: get_incident_status; category: Investigation)
  • Get Incident Workflow: Retrieves the workflow of a specific incident from Securonix SNYPR based on the incident ID you have specified. (annotation: get_incident_workflow; category: Investigation)
  • Get Possible Actions for Incident: Retrieves a list of all possible actions associated with a specific incident from Securonix SNYPR based on the incident ID you have specified. (annotation: get_possible_action_for_incident; category: Investigation)
  • Get Risk Score: Retrieves risk scores for all users or risk scores from Securonix SNYPR based on the query attributes and other input parameters that you have specified. (annotation: get_risk_score; category: Investigation)
  • Get Risk History: Retrieves risk history for all users or risk history from Securonix SNYPR based on the query attributes and other input parameters that you have specified. (annotation: get_risk_history; category: Investigation)
  • Get Top Threats: Retrieves the top threats from Securonix SNYPR based on when the threat was last seen and other input parameters that you have specified. (annotation: get_top_threats; category: Investigation)
  • Get Top Violations: Retrieves the top violations from Securonix SNYPR based on when the violation was last seen and other input parameters that you have specified. (annotation: get_top_violations; category: Investigation)
  • Get Top Violators: Retrieves the top violators from Securonix SNYPR based on when the violator was last seen and other input parameters that you have specified. (annotation: get_top_violators; category: Investigation)
  • Get Workflows: Retrieves a list of all existing workflows from Securonix SNYPR. (annotation: get_workflows; category: Investigation)
  • Get Workflow Default Assignee: Retrieves the default assignee details for a specified workflow from Securonix SNYPR based on the workflow name you have specified. (annotation: get_workflow_default_assignee; category: Investigation)
  • List Incidents: Retrieves a list of incidents from the Securonix SNYPR platform based on the range type, date range, and other filter parameters that you have specified. (annotation: get_incident_details; category: Investigation)
  • List All Peer Groups: Retrieves a list of all peer groups from Securonix SNYPR. (annotation: list_peer_groups; category: Investigation)
  • List All Policies: Retrieves a list of all policies from Securonix SNYPR. (annotation: list_policies; category: Investigation)
  • List All Resource Groups: Retrieves a list of all resource groups from Securonix SNYPR. (annotation: list_resource_groups; category: Investigation)
  • List All Users: Retrieves a list of all users from Securonix SNYPR. (annotation: list_users; category: Investigation)
  • Custom Query: Runs a search on Securonix SNYPR and retrieves details based on the query attributes and other input parameters that you have specified. (annotation: custom_query; category: Investigation)
  • Query Third Party Intelligence: Retrieves details of all TPIs or specific TPIs from Securonix SNYPR based on the query attributes that you have specified. (annotation: query_third_party_intelligence; category: Investigation)
  • Query Violations: Retrieves details of all violations or specific violations from Securonix SNYPR based on the query attributes and other input parameters that you have specified. (annotation: query_violations; category: Investigation)
  • Query Users: Retrieves details of all users or specific users from Securonix SNYPR based on the query attributes that you have specified. (annotation: query_users; category: Investigation)
  • Query Watchlist: Retrieves details of all watchlists or specific watchlists from Securonix SNYPR based on the query attributes that you have specified. (annotation: query_watchlist; category: Investigation)
  • Task Action on Incident: Takes a specified action on a Securonix SNYPR incident based on the incident ID, action, and other input parameters you have specified. (annotation: take_action_on_incident; category: Investigation)

operation: Add Comment

Input parameters

  • Incident ID: ID of the incident in Securonix SNYPR to which you want to add a comment.
  • Comment: Comment that you want to add to the specified incident.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": ""
}

operation: Create Incident

Input parameters

  • Policy Name: Name of the policy that you want to associate with the new incident that you want to create in Securonix SNYPR.
  • Data Source Name: Name of the data source that you want to associate with the new incident that you want to create in Securonix SNYPR.
  • Account Name: Name of the account that you want to associate with the new incident that you want to create in Securonix SNYPR.
  • Entity Type: Type of entity that you want to associate with the new incident that you want to create in Securonix SNYPR.
  • Action Name: Name of the action available in threat management that you want to associate with the new incident that you want to create in Securonix SNYPR. You can choose from the following options: Mark as Concern and create incident, Non-Concern, or Mark in progress (still investigating).
  • Resource Name (Optional): Name of the resource that you want to associate with the new incident that you want to create in Securonix SNYPR. Note: This parameter is required for the Activity account.
  • Employee ID (Optional): ID of the employee that you want to associate with the new incident that you want to create in Securonix SNYPR.
  • Workflow Name (Optional): Name of the workflow that you want to associate with the new incident that you want to create in Securonix SNYPR. Note: This field is required when you specify the action name as Mark as Concern and create incident.
  • Comment (Optional): Comment that you want to associate with the new incident that you want to create in Securonix SNYPR.
  • Criticality (Optional): Criticality that you want to associate with the new incident that you want to create in Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "totalIncidents": "",
    "incidentItems": [
        {
            "violatorText": "",
            "lastUpdateDate": "",
            "violatorId": "",
            "incidentType": "",
            "incidentId": "",
            "incidentStatus": "",
            "riskscore": "",
            "assignedUser": "",
            "priority": "",
            "reason": [],
            "violatorSubText": "",
            "entity": "",
            "workflowName": "",
            "url": "",
            "isWhitelisted": "",
            "watchlisted": "",
            "statusCompleted": ""
        }
    ]
}

operation: Check Task on Incident

Input parameters

  • Incident ID: ID of the incident whose associated tasks and actions you want to retrieve from Securonix SNYPR.
  • Action Name: Name of the action that you want to execute on the specific Securonix SNYPR incident.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "status": "",
            "actionName": "",
            "actionDetails": [
                {
                    "title": "",
                    "sections": {
                        "attributes": [
                            {
                                "required": "",
                                "attribute": "",
                                "displayName": "",
                                "attributeType": ""
                            }
                        ],
                        "sectionName": ""
                    }
                }
            ]
        }
    ],
    "status": "",
    "messages": []
}

operation: Get Available Threat Action

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": []
}

operation: Get Incident Details

Input parameters

  • Incident ID: ID of the incident whose details you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": {
        "data": {
            "totalIncidents": "",
            "incidentItems": [
                {
                    "violatorText": "",
                    "lastUpdateDate": "",
                    "violatorId": "",
                    "incidentType": "",
                    "incidentId": "",
                    "incidentStatus": "",
                    "riskscore": "",
                    "assignedUser": "",
                    "assignedGroup": "",
                    "priority": "",
                    "reason": [],
                    "violatorSubText": "",
                    "entity": "",
                    "workflowName": "",
                    "url": "",
                    "isWhitelisted": "",
                    "watchlisted": "",
                    "statusCompleted": ""
                }
            ]
        }
    }
}

operation: Get Incident Status

Input parameters

  • Incident ID: ID of the incident whose status you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": {
        "status": ""
    }
}

operation: Get Incident Workflow

Input parameters

  • Incident ID: ID of the incident whose workflow you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": {
        "workflow": ""
    }
}

operation: Get Possible Actions for Incident

Input parameters

  • Incident ID: ID of the incident whose related actions you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "status": "",
            "actionName": "",
            "actionDetails": [
                {
                    "title": "",
                    "sections": {
                        "attributes": [
                            {
                                "required": "",
                                "attribute": "",
                                "displayName": "",
                                "attributeType": ""
                            }
                        ],
                        "sectionName": ""
                    }
                }
            ]
        }
    ],
    "status": "",
    "messages": []
}

operation: Get Risk Score

Input parameters

  • Query (Optional): Query attributes based on which you want to retrieve the risk score from Securonix SNYPR. Note: If you do not specify any query attribute, then the risk scores of all users are retrieved from Securonix SNYPR.
  • Start Time (Optional): Start date and time from when you want to retrieve the risk score from Securonix SNYPR. If you click custom expression ({}), then you must add a custom Jinja expression for the start date and time from when you want to retrieve the risk score from Securonix SNYPR.
  • End Time (Optional): End date and time till when you want to retrieve the risk score from Securonix SNYPR. If you click custom expression ({}), then you must add a custom Jinja expression for the end date and time till when you want to retrieve the risk score from Securonix SNYPR.

Output

The output contains a non-dictionary value.

operation: Get Risk History

Input parameters

  • Query (Optional): Query attributes based on which you want to retrieve the risk history from Securonix SNYPR. Note: If you do not specify any query attribute, then the risk history of all users is retrieved from Securonix SNYPR.
  • Start Time (Optional): Start date and time from when you want to retrieve the risk history from Securonix SNYPR. If you click custom expression ({}), then you must add a custom Jinja expression for the start date and time from when you want to retrieve the risk history from Securonix SNYPR.
  • End Time (Optional): End date and time till when you want to retrieve the risk history from Securonix SNYPR. If you click custom expression ({}), then you must add a custom Jinja expression for the end date and time till when you want to retrieve the risk history from Securonix SNYPR.

Output

The output contains a non-dictionary value.

operation: Get Top Threats

Input parameters

  • Last Seen: Time period for which you want to retrieve the top threats from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years. Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour, etc.
    If you choose 'Hours': Last Hours
    If you choose 'Days': Last Days
    If you choose 'Years': Last Years

Output

The output contains the following populated JSON schema:

{
    "Response": {
        "Date range": [],
        "Docs": [
            {
                "Threat model id": "",
                "Threat nodel name": "",
                "Criticality": "",
                "No of violator": "",
                "Description": "",
                "Generation time": ""
            }
        ],
        "Total records": ""
    }
}

operation: Get Top Violations

Input parameters

  • Last Seen: Time period for which you want to retrieve the top violations from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years. Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour, etc.
    If you choose 'Hours': Last Hours
    If you choose 'Days': Last Days
    If you choose 'Years': Last Years

Output

The output contains the following populated JSON schema:

{
    "Response": {
        "Date range": [],
        "Docs": [
            {
                "Criticality": "",
                "No of violator": "",
                "Description": "",
                "Generation time": "",
                "Policy id": "",
                "Policy name": "",
                "Violation entity": "",
                "Policy category": "",
                "Threat indicator": ""
            }
        ],
        "Total records": ""
    }
}

operation: Get Top Violators

Input parameters

  • Last Seen: Time period for which you want to retrieve the top violators from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years. Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour, etc.
    If you choose 'Hours': Last Hours
    If you choose 'Days': Last Days
    If you choose 'Years': Last Years
  • Offset: 0-based index of the page that this operation should return.
  • Limit: Maximum number of results per page that this operation should return.

Output

The output contains the following populated JSON schema:

{
    "Response": {
        "Date range": [],
        "Docs": [
            {
                "Violator entity": "",
                "Department": "",
                "Name": "",
                "Risk score": "",
                "Generation time": ""
            }
        ],
        "Total records": ""
    }
}

operation: Get Workflows

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "result": {
        "workflows": [
            {
                "type": "",
                "value": "",
                "workflow": ""
            }
        ]
    },
    "status": "",
    "messages": []
}

operation: Get Workflow Default Assignee

Input parameters

  • Workflow Name: Name of the workflow whose default assignee you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": {
        "type": "",
        "value": ""
    }
}

operation: List Incidents

Input parameters

  • Range Type: Type of filter based on which you want to retrieve the list of incidents from Securonix SNYPR. You can choose from the following options: Opened, Updated, or Closed.
  • Start Time: Date and time from when you want to retrieve the list of incidents from Securonix SNYPR.
  • End Time: Date and time till when you want to retrieve the list of incidents from Securonix SNYPR.
  • Status (Optional): CSV list of status values based on which you want to filter the list of incidents retrieved from Securonix SNYPR.
  • Offset (Optional): 0-based index of the page that this operation should return.
  • Max Limit (Optional): Maximum number of results or records to include in the action response.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "result": {
        "data": {
            "totalIncidents": "",
            "incidentItems": [
                {
                    "violatorText": "",
                    "lastUpdateDate": "",
                    "violatorId": "",
                    "incidentType": "",
                    "incidentId": "",
                    "incidentStatus": "",
                    "riskscore": "",
                    "assignedUser": "",
                    "priority": "",
                    "reason": [],
                    "violatorSubText": "",
                    "entity": "",
                    "workflowName": "",
                    "url": "",
                    "isWhitelisted": "",
                    "watchlisted": ""
                }
            ]
        }
    }
}

operation: List All Peer Groups

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "peerGroups": {
        "peerGroup": [
            {
                "criticality": "",
                "name": ""
            }
        ]
    }
}

operation: List All Policies

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "policies": {
        "policy": [
            {
                "createdBy": "",
                "description": "",
                "criticality": "",
                "id": "",
                "createdOn": "",
                "name": "",
                "hql": ""
            }
        ]
    }
}

operation: List All Resource Groups

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "resourceGroups": {
        "resourceGroup": [
            {
                "name": "",
                "type": ""
            }
        ]
    }
}

operation: List All Users

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "users": {
        "user": [
            {
                "approverEmployeeId": "",
                "costCenterCode": "",
                "criticality": "",
                "department": "",
                "disableDate": "",
                "division": "",
                "email": "",
                "employeeId": "",
                "employeeType": "",
                "enableDate": "",
                "firstName": "",
                "hireDate": "",
                "jobCode": "",
                "lastName": "",
                "location": "",
                "managerEmployeeId": "",
                "managerFirstname": "",
                "managerLastname": "",
                "masked": "",
                "riskscore": "",
                "skipEncryption": "",
                "status": "",
                "title": ""
            }
        ]
    }
}

operation: Custom Query

Input parameters

  • Query: Query attributes based on which you want to run the search on Securonix SNYPR.
  • Event Start Time (Optional): Start date and time from when you want to run the search on Securonix SNYPR. If you click custom expression ({}), then you must add a custom Jinja expression for the start date and time from when you want to run the search on Securonix SNYPR.
  • Event End Time (Optional): End date and time till when you want to run the search on Securonix SNYPR. If you click custom expression ({}), then you must add a custom Jinja expression for the end date and time till when you want to run the search on Securonix SNYPR.
  • Generation Start Time (Optional): Start date and time from when you want to run the search on Securonix SNYPR. If you click custom expression ({}), then you must add a custom Jinja expression for the start date and time from when you want to run the search on Securonix SNYPR.
  • Generation End Time (Optional): End date and time till when you want to run the search on Securonix SNYPR. If you click custom expression ({}), then you must add a custom Jinja expression for the end date and time till when you want to run the search on Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "available": "",
    "error": "",
    "events": [],
    "from": "",
    "offset": "",
    "query": "",
    "searchViolations": "",
    "to": "",
    "totalDocuments": ""
}

operation: Query Third Party Intelligence

Input parameters

  • Query (Optional): Query attributes based on which you want to retrieve details of TPIs from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all TPIs are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "available": "",
    "error": "",
    "events": [
        {
            "directImport": " ",
            "hour": "",
            "ignored": "",
            "invalid": "",
            "invalidEventAction": "",
            "tenantid": "",
            "tenantname": "",
            "u_id": "",
            "u_userid": "",
            "result": {
                "entry": [
                    {
                        "key": "",
                        "value": ""
                    }
                ]
            }
        }
    ],
    "from": "",
    "offset": "",
    "query": "",
    "searchViolations": "",
    "to": "",
    "totalDocuments": ""
}

operation: Query Violations

Input parameters

  • Query (Optional): Query attributes based on which you want to retrieve details of violations from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all violations are retrieved from Securonix SNYPR.
  • Generation Start Time: Start date and time from when you want to retrieve details of violations from Securonix SNYPR. If you click custom expression ({}), then you must add a custom Jinja expression for the start date and time from when you want to retrieve details of violations from Securonix SNYPR.
  • Generation End Time (Optional): End date and time till when you want to retrieve details of violations from Securonix SNYPR. If you click custom expression ({}), then you must add a custom Jinja expression for the end date and time till when you want to retrieve details of violations from Securonix SNYPR.

Output

The output contains a non-dictionary value.

operation: Query Users

Input parameters

  • Query (Optional): Query attributes based on which you want to retrieve details of users from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all users are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "available": "",
    "error": "",
    "events": [
        {
            "directImport": "",
            "hour": "",
            "ignored": "",
            "invalid": "",
            "invalidEventAction": "",
            "tenantid": "",
            "tenantname": "",
            "u_id": "",
            "u_userid": "",
            "result": {
                "entry": [
                    {
                        "key": "",
                        "value": ""
                    }
                ]
            }
        }
    ],
    "from": "",
    "offset": "",
    "query": "",
    "searchViolations": "",
    "to": "",
    "totalDocuments": ""
}

operation: Query Watchlist

Input parameters

  • Query (Optional): Query attributes based on which you want to retrieve details of watchlists from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all watchlists are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "available": "",
    "error": "",
    "events": [
        {
            "directImport": "",
            "hour": "",
            "ignored": "",
            "invalid": "",
            "invalidEventAction": "",
            "tenantid": "",
            "tenantname": "",
            "u_id": "",
            "u_userid": "",
            "result": {
                "entry": [
                    {
                        "key": "",
                        "value": ""
                    }
                ]
            }
        }
    ],
    "from": "",
    "offset": "",
    "query": "",
    "searchViolations": "",
    "to": "",
    "totalDocuments": ""
}

operation: Task Action on Incident

Input parameters

  • Incident ID: ID of the incident in Securonix SNYPR on which you want to take the specified action.
  • Action Name: Name of the action that you want to take on the specified Securonix SNYPR incident.
  • Other Required Fields (Optional): Additional required fields, in JSON format, that you want to add to your request.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "result": ""
}
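A playbook that calls Task Action on Incident is easier to keep correct if it first runs Check Task on Incident and confirms that every attribute marked required in that response is present in the Other Required Fields JSON. The following helper is an added example, not code from the connector or from Securonix: it walks the Check Task on Incident output schema documented above (result, actionName, actionDetails, sections, attributes, required) and reports missing fields before the action is sent. The sample response, the action name "Close Incident", and the attribute names in it are constructed for illustration.

```python
import json

# Constructed sample response. Its shape follows the Check Task on Incident
# output schema in this document; the values are made up for the example.
SAMPLE_CHECK_TASK_RESPONSE = {
    "result": [
        {
            "status": "OK",
            "actionName": "Close Incident",
            "actionDetails": [
                {
                    "title": "Close Incident",
                    "sections": {
                        "sectionName": "Comments",
                        "attributes": [
                            {"required": "true", "attribute": "comment",
                             "displayName": "Comment", "attributeType": "textarea"},
                            {"required": "false", "attribute": "reason",
                             "displayName": "Reason", "attributeType": "text"},
                        ],
                    },
                }
            ],
        }
    ],
    "status": "OK",
    "messages": [],
}


def _is_true(value):
    """The schema leaves the type of 'required' open; accept bool or string."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


def required_attributes(check_task_response, action_name):
    """Return the set of attribute names the named action marks as required.

    Raises ValueError when the action is not listed in the response, which is
    the case a playbook should treat as "action not allowed on this incident".
    """
    for entry in check_task_response.get("result", []):
        if entry.get("actionName") != action_name:
            continue
        required = set()
        for detail in entry.get("actionDetails", []):
            sections = detail.get("sections", {})
            # 'sections' is documented as one object; tolerate a list as well.
            if isinstance(sections, dict):
                sections = [sections]
            for section in sections:
                for attr in section.get("attributes", []):
                    if _is_true(attr.get("required")):
                        required.add(attr["attribute"])
        return required
    raise ValueError("action %r is not allowed on this incident" % action_name)


def validate_other_required_fields(check_task_response, action_name, other_fields_json):
    """Validate the Other Required Fields JSON a playbook would pass to
    Task Action on Incident. Returns (ok, missing) with missing sorted."""
    try:
        supplied = json.loads(other_fields_json) if other_fields_json else {}
    except json.JSONDecodeError as exc:
        raise ValueError("Other Required Fields is not valid JSON: %s" % exc)
    if not isinstance(supplied, dict):
        raise ValueError("Other Required Fields must be a JSON object")
    needed = required_attributes(check_task_response, action_name)
    # An attribute that is present but blank is treated as missing.
    missing = sorted(a for a in needed if not str(supplied.get(a, "")).strip())
    return (len(missing) == 0, missing)


if __name__ == "__main__":
    ok, missing = validate_other_required_fields(
        SAMPLE_CHECK_TASK_RESPONSE, "Close Incident", '{"reason": "duplicate"}')
    print("ok=%s missing=%s" % (ok, missing))
```

In a playbook, the Check Task on Incident step output would replace the constructed sample, and a failed validation would branch to a fix-up step instead of calling Task Action on Incident.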

Included playbooks

The Sample - Securonix SNYPR - 2.2.0 playbook collection comes bundled with the Securonix SNYPR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Securonix SNYPR connector.

  • Add Comment
  • Check Task on Incident
  • Create Incident
  • Custom Query
  • Get Available Threat Action
  • Get Incident Details
  • Get Incident Status
  • Get Incident Workflow
  • Get Possible Actions for Incident
  • Get Risk History
  • Get Risk Score
  • Get Top Threats
  • Get Top Violations
  • Get Top Violators
  • Get Workflow Default Assignee
  • Get Workflows
  • List All Peer Groups
  • List All Policies
  • List All Resource Groups
  • List Incidents
  • List Users
  • Query Third Party Intelligence
  • Query Users
  • Query Violations
  • Query Watchlist
  • Take Action on Incident

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Securonix SNYPR. Currently, incidents ingested from Securonix SNYPR are mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Securonix SNYPR incidents to FortiSOAR™'s Alerts.

The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Securonix SNYPR into FortiSOAR™. It also lets you pull some sample data from Securonix SNYPR using which you can define the mapping of data between Securonix SNYPR and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Securonix SNYPR incidents.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Securonix SNYPR connector's Configurations page.

    Click Let's Start by fetching some data, to open the Fetch Data screen.

    Sample data is required to create a field mapping between Securonix SNYPR data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch incidents from Securonix SNYPR.

    From the Fetch Incidents Since drop-down list, select the date and time from which you want to retrieve incidents from Securonix SNYPR. Additionally, you can specify a number in the Limit field to limit the number of incident records pulled from Securonix SNYPR.

    The fetched data is used to create a mapping between the incidents from Securonix SNYPR and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of the incidents ingested from Securonix SNYPR to the fields of Alerts present in FortiSOAR™.

    To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the name parameter of an ingested incident from Securonix SNYPR to the Alert Name parameter of a FortiSOAR™ alert, click the Alert Name field and then click the name field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency for Securonix SNYPR, so that content is pulled from the Securonix SNYPR integration into FortiSOAR™.

    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.

    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from Securonix SNYPR every day at 5 AM, click Daily, and in the minute, hour, and day of month boxes enter 0, 5, and * respectively. This means that the incidents will be pulled from Securonix SNYPR daily at 5:00 AM:

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
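The wizard steps above fetch incidents since a chosen date with a record limit and then map incident keys to alert fields with Jinja expressions. The following Python is an added illustration of that pipeline, not code from the Fortinet documentation or from the connector itself: it filters a constructed list of incidents shaped like the incidentItems entries of the List Incidents output (incidentId, incidentStatus, riskscore, reason, url, lastUpdateDate), applies a limit, and renders a small Jinja-style mapping into alert records. The alert field names, the `incident.` prefix, the filter names, the risk-score-to-severity thresholds and the assumption that lastUpdateDate is epoch milliseconds are all this example's own; the real wizard evaluates full Jinja inside FortiSOAR, which the tiny resolver here only approximates.

```python
import re
from datetime import datetime, timezone

# Constructed sample incidents (not real Securonix data), shaped like the
# incidentItems entries of the List Incidents output schema on this page.
# lastUpdateDate as epoch milliseconds is an assumption about the field's format.
SAMPLE_INCIDENTS = [
    {"incidentId": "100099", "incidentStatus": "Closed", "riskscore": 95,
     "priority": "Critical", "violatorText": "mallory",
     "reason": ["Policy: Privileged Account Misuse"],
     "url": "https://snypr.example.invalid/incident/100099",  # constructed placeholder host
     "lastUpdateDate": 1699913600000},                        # 2023-11-13T22:13:20Z
    {"incidentId": "100101", "incidentStatus": "Open", "riskscore": 87.5,
     "priority": "High", "violatorText": "jdoe",
     "reason": ["Policy: Abnormal Data Egress", "Threat: Data Exfiltration"],
     "url": "https://snypr.example.invalid/incident/100101",
     "lastUpdateDate": 1700000000000},                        # 2023-11-14T22:13:20Z
    {"incidentId": "100102", "incidentStatus": "In Progress", "riskscore": 42,
     "priority": "Medium", "violatorText": "svc_backup", "reason": [],
     # no "url" key: shows how a missing field is handled
     "lastUpdateDate": 1700086400000},                        # 2023-11-15T22:13:20Z
]

# Assumed alert field names and Jinja-style templates. The "incident." prefix is this
# example's convention, not necessarily the variable name the wizard exposes.
ALERT_FIELD_MAPPING = {
    "name": "Securonix incident {{ incident.incidentId }}: {{ incident.violatorText }}",
    "sourceId": "{{ incident.incidentId }}",
    "status": "{{ incident.incidentStatus }}",
    "severity": "{{ incident.riskscore | risk_to_severity }}",
    "riskScore": "{{ incident.riskscore }}",
    "description": "{{ incident.reason | join_semicolon }}",
    "sourceUrl": "{{ incident.url }}",
    "lastUpdated": "{{ incident.lastUpdateDate | epoch_ms_to_iso }}",
}


def risk_to_severity(score):
    """Bucket a risk score into a severity label (thresholds are assumed, not Securonix's)."""
    if score is None:
        return None
    if score >= 90:
        return "Critical"
    if score >= 70:
        return "High"
    return "Medium" if score >= 40 else "Low"


def epoch_ms_to_iso(ms):
    """Render epoch milliseconds as an ISO 8601 UTC timestamp; None passes through."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def join_semicolon(items):
    return None if items is None else "; ".join(str(i) for i in items)


FILTERS = {"risk_to_severity": risk_to_severity,
           "epoch_ms_to_iso": epoch_ms_to_iso,
           "join_semicolon": join_semicolon}

# {{ dotted.path | filter | filter }} -- a deliberately small subset of Jinja syntax.
EXPR = re.compile(r"\{\{\s*([\w.]+)\s*((?:\|\s*\w+\s*)*)\}\}")


def resolve(path, context):
    """Walk a dotted path through nested dicts; a missing key yields None, not an error."""
    value = context
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def evaluate(match, context):
    value = resolve(match.group(1), context)
    for name in re.findall(r"\w+", match.group(2)):
        value = FILTERS[name](value)
    return value


def render(template, context):
    """A template that is exactly one expression keeps the value's native type
    (number, list, None); mixed text is rendered as a string."""
    whole = EXPR.fullmatch(template.strip())
    if whole:
        return evaluate(whole, context)

    def substitute(m):
        value = evaluate(m, context)
        return "" if value is None else str(value)
    return EXPR.sub(substitute, template)


def select_incidents(incidents, since_ms, limit):
    """Mimic 'Fetch Incidents Since' and 'Limit': keep incidents updated at or after
    since_ms, oldest first, and return at most `limit` of them (0 means no limit)."""
    chosen = [i for i in incidents if (i.get("lastUpdateDate") or 0) >= since_ms]
    chosen.sort(key=lambda i: i["lastUpdateDate"])
    return chosen[:limit] if limit else chosen


def incidents_to_alerts(incidents, since_ms, limit, mapping=ALERT_FIELD_MAPPING):
    """Apply the field mapping to every selected incident and return alert records."""
    return [{field: render(tpl, {"incident": inc}) for field, tpl in mapping.items()}
            for inc in select_incidents(incidents, since_ms, limit)]


if __name__ == "__main__":
    for alert in incidents_to_alerts(SAMPLE_INCIDENTS, 1700000000000, 5):
        print(alert)
```

Two design points carry over to real mappings: a template that is a single expression keeps the source value's type, so riskscore arrives in the alert as a number rather than the string "87.5", and a key missing from one incident (here the url of incident 100102) resolves to an empty value instead of aborting the whole ingestion run.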

Previous
Next

Securonix SNYPR v2.2.0

About the connector

Securonix SNYPR is an open and modular next-generation security intelligence platform that combines log management, security information and event management, user and entity behavior analytics and fraud detection, serving as a foundation for a broad portfolio of specialized security analytics solutions.

This document provides information about the Securonix SNYPR connector, which facilitates automated interactions, with a Securonix SNYPR server using FortiSOAR™ playbooks. Add the Securonix SNYPR connector as a step in FortiSOAR™ playbooks and perform automated operations with Securonix SNYPR.

Version information

Connector Version: 2.2.0

Authored By: Fortinet

Certified: No

Release Notes for version 2.2.0

Following enhancements have been made to the Securonix SNYPR connector in version 2.2.0:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-securonix-snypr

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Securonix SNYPR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL URL of the Securonix SNYPR server to which you will connect and perform the automated operations.
Username Username to access the Securonix SNYPR server to which you will connect and perform the automated operations.
Password password to access the Securonix SNYPR server to which you will connect and perform the automated operations.
Tenant Tenant ID that has been configured for your account to access the Securonix SNYPR server.
Verify SSL Specifies whether the SSL certificate for the server is to be verified.
By default, this option is selected, i.e., set to true.

Actions supported by the connector

You can use the following automated operations in playbooks and also use the annotations to access operations:

Function Description Annotation and Category
Add Comment Adds a comment on a Securonix SNYPR incident based on the incident ID you have specified. add_comment
Investigation
Create Incident Creates a new incident in the Securonix SNYPR platform based on the policy name, entity type, and other input parameters you have specified. Note: If the case is already created and is present in the Securonix SNYPR platform, then return the details of the existing incident. create_incident
Investigation
Check Task on Incident Checks if the action that you have specified is allowed on the specified Securonix SNYPR incident based on the incident ID and action name you have specified. check_task_on_incident
Investigation
Get Available Threat Action Retrieves a list of all available threat actions from Securonix SNYPR. get_available_threat_action
Investigation
Get Incident Details Retrieves details of a specific incident from Securonix SNYPR based on the incident ID you have specified. get_incident_details
Investigation
Get Incident Status Retrieves the status of a specific incident from Securonix SNYPR based on the incident ID you have specified. get_incident_status
Investigation
Get Incident Workflow Retrieves the workflow of a specific incident from Securonix SNYPR based on the incident ID you have specified. get_incident_workflow
Investigation
Get Possible Actions for Incident Retrieves a list of all possible actions associated with a specific incident from Securonix SNYPR based on the incident ID you have specified. get_possible_action_for_incident
Investigation
Get Risk Score Retrieves risk scores for all users or risk scores from Securonix SNYPRbased on the query attributes and other input parameters that you have specified. get_risk_score
Investigation
Get Risk History Retrieves risk history for all users or risk history from Securonix SNYPR based on the query attributes and other input parameters that you have specified. get_risk_history
Investigation
Get Top Threats Retrieves the top threats from Securonix SNYPR based on when the threat was last seen and other input parameters that you have specified. get_top_threats
Investigation
Get Top Violations Retrieves the top violations from Securonix SNYPR based on when the violation was last seen and other input parameters that you have specified. get_top_violations
Investigation
Get Top Violators Retrieves the top violators from Securonix SNYPR based on when the violator was last seen and other input parameters that you have specified. get_top_violators
Investigation
Get Workflows Retrieves a list of all existing workflows from Securonix SNYPR. get_workflows
Investigation
Get Workflow Default Assignee Retrieves the default assignee details for a specified workflow from Securonix SNYPR based on the workflow name you have specified. get_workflow_default_assignee
Investigation
List Incidents Retrieves a list of incidents from the Securonix SNYPR platform based on the range type, date range, and other filter parameters that you have specified. get_incident_details
Investigation
List All Peer Groups Retrieves a list of all peer groups from Securonix SNYPR. list_peer_groups
Investigation
List All Policies Retrieves a list of all policies from Securonix SNYPR. list_policies
Investigation
List All Resource Groups Retrieves a list of all resource groups from Securonix SNYPR. list_resource_groups
Investigation
List All Users Retrieves a list of all users from Securonix SNYPR. list_users
Investigation
Custom Query Runs a search on Securonix SNYPR and retrieves details based on the query attributes and other input parameters that you have specified. custom_query
Investigation
Query Third Party Intelligence Retrieves details of all TPIs or specific TPIs from Securonix SNYPR based on the query attributes that you have specified. query_third_party_intelligence
Investigation
Query Violations Retrieves details of all violations or specific violations from Securonix SNYPR based on the query attributes and other input parameters that you have specified. query_violations
Investigation
Query Users Retrieves details of all users or specific users from Securonix SNYPR based on the query attributes that you have specified. query_users
Investigation
Query Watchlist Retrieves details of all watchlists or specific watchlists from Securonix SNYPR based on the query attributes that you have specified. query_watchlist
Investigation
Task Action on Incident Takes a specified action on a Securonix SNYPR incident based on the incident ID, action, and other input parameters you have specified. take_action_on_incident
Investigation

operation: Add Comment

Input parameters

Parameter Description
Incident ID ID of the incident in Securonix SNYPR to which you want to add comment.
Comment Comment that you want to add to the specified incident.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": ""
}

operation: Create Incident

Input parameters

Parameter Description
Policy Name Name of the policy that you want to associate with the new incident that you want to create in Securonix SNYPR.
Data Source Name Name of the data source that you want to associate with the new incident that you want to create in Securonix SNYPR.
Account Name Name of the account that you want to associate with the new incident that you want to create in Securonix SNYPR.
Entity Type Type of entity that you want to associate with the new incident that you want to create in Securonix SNYPR.
Action Name Name of the action available in threat management that you want to associate with the new incident that you want to create in Securonix SNYPR. You can choose from the following options: Mark as Concern and create incident, Non-Concern, or Mark in progress (still investigating).
Resource Name (Optional) Name of the resource that you want to associate with the new incident that you want to create in Securonix SNYPR. Note: This parameter required for Activity account.
Employee ID (Optional) ID of the employee that you want to associate with the new incident that you want to create in Securonix SNYPR.
Workflow Name (Optional) Name of the workflow that you want to associate with the new incident that you want to create in Securonix SNYPR. Note: This field required when you specify the action name as Mark as concern and create incident.
Comment (Optional) Comment that you want to associate with the new incident that you want to create in Securonix SNYPR.
Criticality (Optional) Criticality that you want to associate with the new incident that you want to create in Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "totalIncidents": "",
    "incidentItems": [
        {
            "violatorText": "",
            "lastUpdateDate": "",
            "violatorId": "",
            "incidentType": "",
            "incidentId": "",
            "incidentStatus": "",
            "riskscore": "",
            "assignedUser": "",
            "priority": "",
            "reason": [],
            "violatorSubText": "",
            "entity": "",
            "workflowName": "",
            "url": "",
            "isWhitelisted": "",
            "watchlisted": "",
            "statusCompleted": ""
        }
    ]
}

operation: Check Task on Incident

Input parameters

Parameter Description
Incident ID ID of the incident whose associated tasks and actions you want to retrieve from Securonix SNYPR.
Action Name Name of the action that you want to execute on the specific Securonix SNYPR incident.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "status": "",
            "actionName": "",
            "actionDetails": [
                {
                    "title": "",
                    "sections": {
                        "attributes": [
                            {
                                "required": "",
                                "attribute": "",
                                "displayName": "",
                                "attributeType": ""
                            }
                        ],
                        "sectionName": ""
                    }
                }
            ]
        }
    ],
    "status": "",
    "messages": []
}

operation: Get Available Threat Action

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": []
}

operation: Get Incident Details

Input parameters

Parameter Description
Incident ID ID of the incident whose details you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": {
        "data": {
            "totalIncidents": "",
            "incidentItems": [
                {
                    "violatorText": "",
                    "lastUpdateDate": "",
                    "violatorId": "",
                    "incidentType": "",
                    "incidentId": "",
                    "incidentStatus": "",
                    "riskscore": "",
                    "assignedUser": "",
                    "assignedGroup": "",
                    "priority": "",
                    "reason": [],
                    "violatorSubText": "",
                    "entity": "",
                    "workflowName": "",
                    "url": "",
                    "isWhitelisted": "",
                    "watchlisted": "",
                    "statusCompleted": ""
                }
            ]
        }
    }
}

operation: Get Incident Status

Input parameters

Parameter Description
Incident ID ID of the incident whose status you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": {
        "status": ""
    }
}

operation: Get Incident Workflow

Input parameters

Parameter Description
Incident ID ID of the incident whose workflow you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": {
        "workflow": ""
    }
}

operation: Get Possible Actions for Incident

Input parameters

Parameter Description
Incident ID ID of the incident whose related actions you want to retrieve from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "status": "",
            "actionName": "",
            "actionDetails": [
                {
                    "title": "",
                    "sections": {
                        "attributes": [
                            {
                                "required": "",
                                "attribute": "",
                                "displayName": "",
                                "attributeType": ""
                            }
                        ],
                        "sectionName": ""
                    }
                }
            ]
        }
    ],
    "status": "",
    "messages": []
}

operation: Get Risk Score

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve the risk score from Securonix SNYPR. Note: If you do not specify any query attribute, then the risk scores of all users is retrieved from Securonix SNYPR.
Start Time (Optional) Start date and time from when you want to retrieve the risk score from Securonix SNYPR.If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve the risk score from Securonix SNYPR.
End Time (Optional) End date and time till when you want to retrieve the risk score from Securonix SNYPR. If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve the risk score from Securonix SNYPR.

Output

The output contains a non-dictionary value.

operation: Get Risk History

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve the risk history from Securonix SNYPR. Note: If you do not specify any query attribute, then the risk history of all users is retrieved from Securonix SNYPR.
Start Time (Optional) Start date and time from when you want to retrieve details of violations from Securonix SNYPR. If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve the risk history from Securonix SNYPR.
End Time (Optional) End date and time till when you want to retrieve details of violations from Securonix SNYPR. If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve the risk history from Securonix SNYPR.

Output

The output contains a non-dictionary value.

operation: Get Top Threats

Input parameters

Parameter Description
Last Seen Time period for which you want to retrieve the top threats from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years.Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour etc.
If you choose 'Hours'
  • Last Hours:
If you choose 'Days'
  • Last Days:
If you choose 'Years'
  • Last Years:

Output

The output contains the following populated JSON schema:

{
    "Response": {
        "Date range": [],
        "Docs": [
            {
                "Threat model id": "",
                "Threat nodel name": "",
                "Criticality": "",
                "No of violator": "",
                "Description": "",
                "Generation time": ""
            }
        ],
        "Total records": ""
    }
}

operation: Get Top Violations

Input parameters

Parameter Description
Last Seen Time period for which you want to retrieve the top violations from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years. Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour, etc.
If you choose 'Hours'
  • Last Hours:
If you choose 'Days'
  • Last Days:
If you choose 'Years'
  • Last Years:

Output

The output contains the following populated JSON schema:

{
    "Response": {
        "Date range": [],
        "Docs": [
            {
                "Criticality": "",
                "No of violator": "",
                "Description": "",
                "Generation time": "",
                "Policy id": "",
                "Policy name": "",
                "Violation entity": "",
                "Policy category": "",
                "Threat indicator": ""
            }
        ],
        "Total records": ""
    }
}

operation: Get Top Violators

Input parameters

Parameter Description
Last Seen Time period for which you want to retrieve the top violators from Securonix SNYPR. You can choose one of the following: Hours, Days, or Years. Based on the option that you select in the Last Seen drop-down list, you must specify the value for the Hours, Days, or Years. For example, if you select Hours from the Last Seen drop-down list, then you must choose the value of the hours from the Last Hours drop-down list, for example, Last 24 hours, Last 1 hour, etc.
If you choose 'Hours'
  • Last Hours:
If you choose 'Days'
  • Last Days:
If you choose 'Years'
  • Last Years:
Offset 0 based index of the page that this operation should return.
Limit Maximum number of results per page, that this operation should return.

Output

The output contains the following populated JSON schema:

{
    "Response": {
        "Date range": [],
        "Docs": [
            {
                "Violator entity": "",
                "Department": "",
                "Name": "",
                "Risk score": "",
                "Generation time": ""
            }
        ],
        "Total records": ""
    }
}

operation: Get Workflows

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "result": {
        "workflows": [
            {
                "type": "",
                "value": "",
                "workflow": ""
            }
        ]
    },
    "status": "",
    "messages": []
}

operation: Get Workflow Default Assignee

Input parameters

Parameter Description
Workflow Name Provide name of the workflow you want to retrieve default assignee from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "messages": [],
    "result": {
        "type": "",
        "value": ""
    }
}

operation: List Incidents

Input parameters

Parameter Description
Range Type Type of filter based on which you want to retrieve the list of incidents from Securonix SNYPR. You can choose from the following options: Opened, Updated, or Closed.
Start Time DateTime from when you want to retrieve the list of incidents from Securonix SNYPR.
End Time DateTime till when you want to retrieve the list of incidents from Securonix SNYPR.
Status (Optional) CSV list of status values based on which you want to filter the list of incidents retrieved from Securonix SNYPR.
Offset (Optional) 0-based index of the page that this operation should return.
Max Limit (Optional) Specify the maximum number of results or records to include in the action response

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "result": {
        "data": {
            "totalIncidents": "",
            "incidentItems": [
                {
                    "violatorText": "",
                    "lastUpdateDate": "",
                    "violatorId": "",
                    "incidentType": "",
                    "incidentId": "",
                    "incidentStatus": "",
                    "riskscore": "",
                    "assignedUser": "",
                    "priority": "",
                    "reason": [],
                    "violatorSubText": "",
                    "entity": "",
                    "workflowName": "",
                    "url": "",
                    "isWhitelisted": "",
                    "watchlisted": ""
                }
            ]
        }
    }
}

operation: List All Peer Groups

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "peerGroups": {
        "peerGroup": [
            {
                "criticality": "",
                "name": ""
            }
        ]
    }
}

operation: List All Policies

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "policies": {
        "policy": [
            {
                "createdBy": "",
                "description": "",
                "criticality": "",
                "id": "",
                "createdOn": "",
                "name": "",
                "hql": ""
            }
        ]
    }
}

operation: List All Resource Groups

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "resourceGroups": {
        "resourceGroup": [
            {
                "name": "",
                "type": ""
            }
        ]
    }
}

operation: List All Users

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "users": {
        "user": [
            {
                "approverEmployeeId": "",
                "costCenterCode": "",
                "criticality": "",
                "department": "",
                "disableDate": "",
                "division": "",
                "email": "",
                "employeeId": "",
                "employeeType": "",
                "enableDate": "",
                "firstName": "",
                "hireDate": "",
                "jobCode": "",
                "lastName": "",
                "location": "",
                "managerEmployeeId": "",
                "managerFirstname": "",
                "managerLastname": "",
                "masked": "",
                "riskscore": "",
                "skipEncryption": "",
                "status": "",
                "title": ""
            }
        ]
    }
}

operation: Custom Query

Input parameters

Parameter Description
Query Query attributes based on which you want to run the search on Securonix SNYPR.
Event Start Time (Optional) Start date and time from when you want to run the search on Securonix SNYPR. If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve the risk score from Securonix SNYPR.
Event End Time (Optional) End date and time till when you want to run the search on Securonix SNYPR. If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve the risk score from Securonix SNYPR.
Generation Start Time (Optional) Start date and time from when you want to run the search on Securonix SNYPR. If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve the risk score from Securonix SNYPR.
Generation End Time (Optional) End date and time till when you want to run the search on Securonix SNYPR.If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve the risk score from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "available": "",
    "error": "",
    "events": [],
    "from": "",
    "offset": "",
    "query": "",
    "searchViolations": "",
    "to": "",
    "totalDocuments": ""
}

operation: Query Third Party Intelligence

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve details of TPIs from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all TPIs are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "available": "",
    "error": "",
    "events": [
        {
            "directImport": " ",
            "hour": "",
            "ignored": "",
            "invalid": "",
            "invalidEventAction": "",
            "tenantid": "",
            "tenantname": "",
            "u_id": "",
            "u_userid": "",
            "result": {
                "entry": [
                    {
                        "key": "",
                        "value": ""
                    }
                ]
            }
        }
    ],
    "from": "",
    "offset": "",
    "query": "",
    "searchViolations": "",
    "to": "",
    "totalDocuments": ""
}

operation: Query Violations

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve details of violations from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all violations are retrieved from Securonix SNYPR.
Generation Start Time Start date and time from when you want to retrieve details of violations from Securonix SNYPR. If you click custom expression ({}), then you must add a custom jinja expressions for the start date and time from when you want to retrieve details of violations from Securonix SNYPR.
Generation End Time (Optional) End date and time till when you want to retrieve details of violations from Securonix SNYPR. If you click custom expression ({}), then you must add a custom jinja expressions for the end date and time till when you want to retrieve details of violations from Securonix SNYPR.

Output

The output contains a non-dictionary value.

operation: Query Users

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve details of users from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all users are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "available": "",
    "error": "",
    "events": [
        {
            "directImport": "",
            "hour": "",
            "ignored": "",
            "invalid": "",
            "invalidEventAction": "",
            "tenantid": "",
            "tenantname": "",
            "u_id": "",
            "u_userid": "",
            "result": {
                "entry": [
                    {
                        "key": "",
                        "value": ""
                    }
                ]
            }
        }
    ],
    "from": "",
    "offset": "",
    "query": "",
    "searchViolations": "",
    "to": "",
    "totalDocuments": ""
}

operation: Query Watchlist

Input parameters

Parameter Description
Query (Optional) Query attributes based on which you want to retrieve details of watchlists from Securonix SNYPR. Note: If you do not specify any query attribute, then the details of all watchlists are retrieved from Securonix SNYPR.

Output

The output contains the following populated JSON schema:

{
    "available": "",
    "error": "",
    "events": [
        {
            "directImport": "",
            "hour": "",
            "ignored": "",
            "invalid": "",
            "invalidEventAction": "",
            "tenantid": "",
            "tenantname": "",
            "u_id": "",
            "u_userid": "",
            "result": {
                "entry": [
                    {
                        "key": "",
                        "value": ""
                    }
                ]
            }
        }
    ],
    "from": "",
    "offset": "",
    "query": "",
    "searchViolations": "",
    "to": "",
    "totalDocuments": ""
}

operation: Task Action on Incident

Input parameters

Parameter Description
Incident ID ID of the incident in Securonix SNYPR on which you want to take the specified action.
Action Name Name of the action that you want to take on the specified Securonix SNYPR incident.
Other Required Fields (Optional) Additional required fields, in the JSON format, which you want to add to your request.

Output

The output contains the following populated JSON schema:

{
    "status": "",
    "result": ""
}

Included playbooks

The Sample - Securonix SNYPR - 2.2.0 playbook collection comes bundled with the Securonix SNYPR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Securonix SNYPR connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Securonix SNYPR. Currently, incidents ingested from Securonix SNYPR is mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Securonix SNYPR incidents to FortiSOAR™'s Alerts.

The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Securonix SNYPR into FortiSOAR™. It also lets you pull some sample data from Securonix SNYPR, using which you can define the mapping of data between Securonix SNYPR and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly need to map only the custom fields that have been added to the Securonix SNYPR incidents.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Securonix SNYPR connector's Configurations page.

    Click Let's Start by fetching some data to open the Fetch Data screen.

    Sample data is required to create a field mapping between Securonix SNYPR data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch incidents from Securonix SNYPR.

    Select the date and time from the Fetch Incidents Since drop-down list to pull the incidents created in Securonix SNYPR since that point. Additionally, you can specify a number in the Limit field to cap the number of incident records pulled from Securonix SNYPR.

    The fetched data is used to create a mapping between the incidents from Securonix SNYPR and FortiSOAR™ Alerts. Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of the incidents ingested from Securonix SNYPR to the fields of Alerts in FortiSOAR™.

    To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the name parameter of an ingested incident from Securonix SNYPR to the Alert Name parameter of a FortiSOAR™ alert, click the Alert Name field and then click the name field to populate its keys.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Securonix SNYPR, so that the content gets pulled from the Securonix SNYPR integration into FortiSOAR™.

    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.

    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from Securonix SNYPR every day at 5 AM, click Daily, and in the minute, hour, and day of month boxes enter 0, 5, and * respectively. This means that the incidents will be pulled from Securonix SNYPR daily at 5:00 AM.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
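
To make the Fetch Data and Field Mapping steps concrete, here is an added Python example that is not part of the connector or the wizard. It emulates step 2 (Fetch Incidents Since plus Limit) over a handful of constructed incident records, then applies a mapping of the kind the Field Mapping screen records, using Jinja-style {{ key }} placeholders resolved by a small stand-in function so it runs offline without Jinja. The incident field names, the alert field names and the mapping itself are assumptions for illustration, not Securonix's or FortiSOAR™'s schema; the third record deliberately omits the nested violator block to show what a mapping produces when the source field is missing.

```python
import re
from datetime import datetime
from typing import Any, Dict, List, Optional

# Constructed sample incidents standing in for the data returned by the
# Fetch Data step; the field names are illustrative, not Securonix's schema.
SAMPLE_INCIDENTS: List[Dict[str, Any]] = [
    {"incidentId": "101", "name": "Suspicious login burst", "priority": "High",
     "created": "2024-05-01T04:10:00Z", "violator": {"employeeId": "E1001"}},
    {"incidentId": "102", "name": "Data exfil via USB", "priority": "Medium",
     "created": "2024-05-01T06:45:00Z", "violator": {"employeeId": "E1002"}},
    {"incidentId": "103", "name": "Service account anomaly", "priority": "Low",
     "created": "2024-05-02T09:00:00Z"},  # no violator block: missing-field case
]

# Assumed mapping of alert fields to Jinja-style expressions over an incident,
# as the Field Mapping screen would record it.
ALERT_MAPPING: Dict[str, str] = {
    "name": "{{ name }}",
    "severity": "{{ priority }}",
    "sourceId": "{{ incidentId }}",
    "description": "Violator {{ violator.employeeId }}",
}

_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def _parse_ts(value: str) -> datetime:
    # Accept the trailing Z on all Python 3 versions that have fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _lookup(record: Dict[str, Any], dotted: str) -> str:
    """Resolve a dotted key such as violator.employeeId; missing -> ''."""
    cur: Any = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return "" if cur is None else str(cur)


def render(template: str, record: Dict[str, Any]) -> str:
    """Substitute {{ a.b }} placeholders. This stand-in renders a missing key
    as an empty string; the wizard's own Jinja evaluation may differ."""
    return _PLACEHOLDER.sub(lambda m: _lookup(record, m.group(1)), template)


def fetch_incidents(incidents: List[Dict[str, Any]], since_iso: str,
                    limit: Optional[int] = None) -> List[Dict[str, Any]]:
    """Emulate Fetch Incidents Since + Limit: incidents created at or after
    `since_iso`, oldest first, capped at `limit` records when given."""
    since = _parse_ts(since_iso)
    picked = [inc for inc in incidents if _parse_ts(inc["created"]) >= since]
    picked.sort(key=lambda inc: _parse_ts(inc["created"]))
    return picked[:limit] if limit is not None else picked


def map_to_alerts(incidents: List[Dict[str, Any]],
                  mapping: Dict[str, str] = ALERT_MAPPING) -> List[Dict[str, str]]:
    """Apply the field mapping to each incident, producing alert records."""
    return [{field: render(expr, inc) for field, expr in mapping.items()}
            for inc in incidents]


if __name__ == "__main__":
    for alert in map_to_alerts(fetch_incidents(SAMPLE_INCIDENTS, "2024-05-01T05:00:00Z", limit=5)):
        print(alert)
```

Running this with the constructed data returns two alerts, and the second one has a description of just "Violator " because its incident lacks the nested field. That is the case worth checking when you finish the Field Mapping screen: a custom field that is present in the sample incident but absent from some real ones will be empty, not an error, so any playbook logic that branches on it needs a default.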
