
Securonix SNYPR


SNYPR is a security analytics platform that transforms Big Data into actionable security intelligence. It delivers the proven power of Securonix analytics with the speed, scale, and affordable long-term storage of Hadoop in a single, out-of-the-box solution.

Connect Securonix SNYPR with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Securonix SNYPR.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. URL: URL to your SNYPR instance. Example: 'https://www.example.com/Snypr'.

  9. Tenant (Optional): SNYPR Tenant. Default "Securonix".

  10. Username: Username for the SNYPR account.

  11. Password: Password for the SNYPR account.

  12. After you've entered all the details, click Connect.

Actions for Securonix SNYPR

Get Activity Data

Get Activity Data (also known as "event data") for a specific Datasource by running a Spotter query on Activity selection. For activity data, querying is allowed only for a 24-hour time range window. You can add additional conditions to the query for custom results.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Additional Query conditions (Optional): Jinja-templated text containing additional query conditions.

Event Time Start Range (Optional): Start of the event-time range. The column value should be in the format 'MM/dd/yyyy HH:mm:ss' in the application timezone. (Default is flow-start-time.)

Event Time End Range (Optional): End of the event-time range. The column value should be in the format 'MM/dd/yyyy HH:mm:ss' in the application timezone. (Default is flow-end-time.)

Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes'.)
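Because Get Activity Data only accepts a 24-hour window, a playbook that needs a longer range has to issue several calls. The following helper, added here as an example and not part of the Devo SOAR integration itself, parses the 'MM/dd/yyyy HH:mm:ss' format the action expects, reports why a window would be rejected, and splits an arbitrary range into consecutive windows of at most 24 hours. The function names are assumptions for illustration; the page does not say whether SNYPR treats the range boundaries as inclusive, so de-duplicate events that fall exactly on a boundary downstream.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Time format used by the Get Activity Data start/end inputs (from the page).
SNYPR_TIME_FMT = "%m/%d/%Y %H:%M:%S"
# Maximum range Get Activity Data accepts per query (from the page).
MAX_ACTIVITY_WINDOW = timedelta(hours=24)


def parse_snypr_time(value: str) -> datetime:
    """Parse 'MM/dd/yyyy HH:mm:ss'. The result is naive: the page states the
    value is interpreted in the SNYPR application timezone."""
    return datetime.strptime(value, SNYPR_TIME_FMT)


def format_snypr_time(value: datetime) -> str:
    """Inverse of parse_snypr_time, for building action inputs."""
    return value.strftime(SNYPR_TIME_FMT)


def activity_window_error(start: str, end: str) -> Optional[str]:
    """Return None if (start, end) is a valid Get Activity Data window,
    otherwise a message explaining why the action would reject it."""
    s, e = parse_snypr_time(start), parse_snypr_time(end)
    if e < s:
        return "end of range is before its start"
    if e - s > MAX_ACTIVITY_WINDOW:
        return "range exceeds the 24-hour limit for activity data"
    return None


def split_into_activity_windows(start: str, end: str) -> List[Tuple[str, str]]:
    """Split [start, end] into consecutive windows of at most 24 hours so each
    one can be passed to a separate Get Activity Data call (hypothetical
    helper; the windows share boundary instants, so de-duplicate downstream)."""
    s, e = parse_snypr_time(start), parse_snypr_time(end)
    if e < s:
        raise ValueError("end of range is before its start")
    windows: List[Tuple[str, str]] = []
    cur = s
    while cur < e:
        nxt = min(cur + MAX_ACTIVITY_WINDOW, e)
        windows.append((format_snypr_time(cur), format_snypr_time(nxt)))
        cur = nxt
    if not windows:  # zero-length range: still a valid single window
        windows.append((format_snypr_time(s), format_snypr_time(e)))
    return windows


if __name__ == "__main__":
    # Constructed sample range spanning two and a half days.
    for win_start, win_end in split_into_activity_windows(
        "01/01/2024 00:00:00", "01/03/2024 12:00:00"
    ):
        print(win_start, "->", win_end, activity_window_error(win_start, win_end))
```

Each tuple the splitter returns can be fed straight into Event Time Start Range and Event Time End Range for one Get Activity Data invocation.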

Output

If split rows are selected, events in separate rows are displayed in json format:

  • has_error: True/False

  • error: message/null

  • other fields of an Event data

else a single row containing an array of events is displayed:

  • has_error: True/False

  • error: message/null

  • events: array of Activity Events json data

List Resources

Displays a list of all users, peer groups, resource groups, or policies.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

List Type (Required): Select the type of list to retrieve: Policies, Resource Groups, Users, or Peer Groups.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • resource JSON for the selected type (Policies, Resource Groups, Users, or Peer Groups)

Search Users

Search users in your organization.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

User Attribute Filter (Optional): Enter Jinja-templatized text to filter users by attribute(s). Sample attributes: companycode, costcentername, country, department, employeeid, employeetype, employeetypedescription, firstname, lastname, hiredate, jobcode, lanid, location, manageremployeeid, status, statusdescription, title, workemail, networkid, approveremployeeid, mobile, usercriticality, managerfirstname, managerlastname, companynumber, orgunitnumber, regtempin, hierarchy, fulltimeparttimein, userriskscore, costcentercode, usertimezoneoffset. Example: location="{{location_column}}" AND lastname="{{lastname_column}}".

Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes'.)

Output

If split rows are selected, users in separate rows are displayed in json format:

  • has_error: True/False

  • error: message/null

  • other fields of User data

else a single row containing an array of users is displayed:

  • has_error: True/False

  • error: message/null

  • events: array of User json data

Search Watchlist

Search watchlists in your organization.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

User Attribute Filter (Optional): Enter Jinja-templatized text to filter watchlists by attribute(s). Sample attributes: companycode, costcentername, country, department, employeeid, employeetype, employeetypedescription, firstname, lastname, hiredate, jobcode, lanid, location, manageremployeeid, status, statusdescription, title, workemail, confidencefactor, decayflag, entityname, expired, expirydate, reason, type, watchlistname, watchlistuniquekey. Example: location="{{location_column}}" AND lastname="{{lastname_column}}".

Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes'.)

Output

If split rows are selected, watchlists in separate rows are displayed in json format:

  • has_error: True/False

  • error: message/null

  • other fields of Watchlist data

else a single row containing an array of watchlists is displayed:

  • has_error: True/False

  • error: message/null

  • events: array of Watchlist json data

Get Violations

Get violations in violation collection.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

User Attribute Filter (Optional): Jinja-templated text containing additional query conditions.

From (Optional): Generation-time From. The column value should be in the format 'MM/dd/yyyy HH:mm:ss' in the application timezone. (Default is flow-start-time.)

To (Optional): Generation-time To. The column value should be in the format 'MM/dd/yyyy HH:mm:ss' in the application timezone. (Default is flow-end-time.)

Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes'.)

Output

If split rows are selected, violation data in separate rows is displayed in json format:

  • has_error: True/False

  • error: message/null

  • other fields of a Violation data

else a single row containing an array of violations is displayed:

  • has_error: True/False

  • error: message/null

  • events: array of Violation json data

Risk Scorecard/History

List the user's risk scorecard or history data.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Risk Data (Required): Select the required Risk Data: Risk Score or Risk History.

User Attribute Filter (Optional): Enter Jinja-templatized text to filter risks by attribute(s). Sample attributes: violator, companycode, costcentername, country, department, division, employeeid, employeetype, employeetypedescription, firstname, lastname, hiredate, jobcode, lanid, location, manageremployeeid, status, statusdescription, title, userid, workemail, workphone. Example: location="{{location_column}}" AND lastname="{{lastname_column}}".

Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes'.)
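The User Attribute Filter of Search Users, Search Watchlist and Risk Scorecard/History is Jinja text rendered from row columns, so a column value containing a double quote would change the meaning of the rendered condition. The following example, added here and not part of the Devo SOAR integration, shows a defensive way to build such filters in a playbook step: attribute names are checked against an allowlist drawn from the attributes the page lists, and values that could break out of the quotes are rejected rather than escaped, because the page does not document Spotter's quoting rules. The function names, the `render_filter_template` stand-in for the platform's Jinja rendering, and the trimmed allowlist are assumptions for illustration.

```python
import re
from typing import Dict

# Allowlist constructed from the sample attributes the page lists for Search
# Users, Search Watchlist and Risk Scorecard/History (trimmed for brevity;
# extend it with the attributes your playbooks actually filter on).
KNOWN_ATTRIBUTES = frozenset({
    "companycode", "costcentername", "country", "department", "employeeid",
    "employeetype", "firstname", "lastname", "hiredate", "jobcode", "lanid",
    "location", "manageremployeeid", "status", "title", "workemail",
    "watchlistname", "entityname", "violator", "userid",
})

# Characters refused inside a value. Spotter's escape syntax is not documented
# on the page, so a value that needs escaping is rejected instead of guessed at.
FORBIDDEN_VALUE_CHARS = re.compile(r'["\r\n]')

# Placeholder syntax of the Jinja-templatized filter text: {{ column_name }}.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def is_known_attribute(name: str) -> bool:
    """True if the attribute name appears in the allowlist (case-insensitive)."""
    return name.lower() in KNOWN_ATTRIBUTES


def is_safe_filter_value(value: str) -> bool:
    """True if the value can sit inside double quotes without altering the
    condition's structure."""
    return FORBIDDEN_VALUE_CHARS.search(value) is None


def build_attribute_filter(conditions: Dict[str, str]) -> str:
    """Render conditions as attr="value" AND attr="value", the form shown on
    the page, after validating every attribute name and value."""
    if not conditions:
        raise ValueError("at least one condition is required")
    parts = []
    for attr, value in conditions.items():
        if not is_known_attribute(attr):
            raise ValueError(f"unknown SNYPR attribute: {attr!r}")
        if not is_safe_filter_value(value):
            raise ValueError(f"unsafe characters in value for {attr!r}")
        parts.append(f'{attr}="{value}"')
    return " AND ".join(parts)


def render_filter_template(template: str, columns: Dict[str, str]) -> str:
    """Hypothetical stand-in for the Jinja rendering Devo SOAR applies to the
    filter text: substitute {{ column }} placeholders from the current row,
    refusing values that would break out of the quotes. Not the platform's
    own renderer; it only models the substitution step."""
    def substitute(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key not in columns:
            raise KeyError(f"row has no column {key!r}")
        value = str(columns[key])
        if not is_safe_filter_value(value):
            raise ValueError(f"unsafe characters in column {key!r}")
        return value
    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample row and the template from the page.
    row = {"location_column": "Dallas", "lastname_column": "OGWA"}
    template = 'location="{{location_column}}" AND lastname="{{lastname_column}}"'
    print(render_filter_template(template, row))
    print(build_attribute_filter({"location": "Dallas", "lastname": "OGWA"}))
```

Rejecting instead of escaping means a row with an unexpected value fails the playbook step loudly, which is preferable to silently running a differently shaped query against the SNYPR tenant.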

Output

If split rows are selected, risk data in separate rows are displayed in json format:

  • has_error: True/False

  • error: message/null

  • other fields of Risk data

else a single row containing an array of risk data is displayed:

  • has_error: True/False

  • error: message/null

  • events: array of Risk json data

Run Spotter Query

Run generic Spotter Query on your SNYPR Instance.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Query String (Required): Enter Jinja-templatized query string. Example: 'index=users AND location="Dallas" AND lastname="OGWA"'.

Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes'.)

Output

If Split Rows is selected, results in separate rows are displayed in json format:

  • has_error: True/False

  • error: message/null

  • other fields of result data

else a single row containing an array of results is displayed:

  • has_error: True/False

  • error: message/null

  • events: array of json results
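Every query action on this page (Get Activity Data, Search Users, Search Watchlist, Get Violations, Risk Scorecard/History and Run Spotter Query) returns the same two shapes depending on Split Rows: one row per entity carrying has_error and error alongside the entity fields, or a single row whose events array holds all entities. The following example, added here and not part of the Devo SOAR integration, normalises both shapes into a flat list of records and surfaces error rows instead of letting them pass as data. The sample rows are constructed, and the field names inside them (accountname, eventtime) are placeholders rather than documented SNYPR fields.

```python
from typing import Any, Dict, Iterable, List, Tuple

# Envelope fields present on every row regardless of the Split Rows setting.
ENVELOPE_FIELDS = ("has_error", "error")


def _records_from_row(row: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the entity records carried by one output row.
    Split Rows = No: the row holds them in the 'events' array.
    Split Rows = Yes: the row itself is one record plus the envelope."""
    if isinstance(row.get("events"), list):
        return list(row["events"])
    return [{k: v for k, v in row.items() if k not in ENVELOPE_FIELDS}]


def records_from_output(rows: Iterable[Dict[str, Any]],
                        strict: bool = True) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Flatten action output into (records, errors).
    With strict=True an error row raises so the playbook branch stops;
    with strict=False its message is collected and processing continues."""
    records: List[Dict[str, Any]] = []
    errors: List[str] = []
    for row in rows:
        if row.get("has_error"):
            message = str(row.get("error"))
            if strict:
                raise RuntimeError(f"SNYPR action reported an error: {message}")
            errors.append(message)
            continue
        records.extend(_records_from_row(row))
    return records, errors


# Constructed sample outputs (field names are placeholders, not SNYPR schema).
SPLIT_ROWS_SAMPLE = [
    {"has_error": False, "error": None,
     "accountname": "jdoe", "eventtime": "01/01/2024 10:00:00"},
    {"has_error": False, "error": None,
     "accountname": "asmith", "eventtime": "01/01/2024 10:05:00"},
]
RAW_SAMPLE = [
    {"has_error": False, "error": None, "events": [
        {"accountname": "jdoe", "eventtime": "01/01/2024 10:00:00"},
        {"accountname": "asmith", "eventtime": "01/01/2024 10:05:00"},
    ]},
]
ERROR_SAMPLE = [
    {"has_error": True, "error": "Spotter query timed out", "events": []},
]


if __name__ == "__main__":
    print(records_from_output(SPLIT_ROWS_SAMPLE))
    print(records_from_output(RAW_SAMPLE))
    print(records_from_output(ERROR_SAMPLE, strict=False))
```

Treating has_error as a hard stop by default matters for the actions whose results drive later decisions (for instance a violation list that feeds Add Comment to Violation): an error row that is silently passed along would otherwise look like an empty result set.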

Add Comment to Violation

Adds a comment to a SNYPR Violation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Violation Name: Enter Jinja-templatized violation policy name.

Datasource Name: Enter Jinja-templatized resource group name.

Entity Type: Select the column containing the value for entity type. Valid values are "Users", "Activityaccount", "RGActivityaccount", "Resources", "Activityip".

Entity Name: Enter Jinja-templatized account name associated with the violation.

Comment: Enter the Jinja-templatized comment that you want to add.

Status Action: Select the column containing the value for the action to perform. Example: "Non-Concern".

Resource Name (Optional): Enter Jinja-templatized resource name. A resource name is mandatory if the entity type is Activityaccount.

Employee Id (Optional): Enter Jinja-templatized employee id.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other fields of result data

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem