Securonix.CLI.IncidentManagement
Add a comment to an incident.
Add-SecuronixComment
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
[-Comment] <string>
[-Username <string>]
[-Firstname <string>]
[-Lastname <string>]
Add-SecuronixComment makes an API call to the Incident/Actions endpoint and adds a comment.
Request
Add-SecuronixComment -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-IncidentId '10029' -Comment 'This is a test'
Response
{
"status": "OK",
"messages": [
"Add comment to incident id - [100289]"
],
"result": true
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter. Enter the incident id of the incident to update.
A required parameter. Enter a message to add to an incident.
An optional parameter. Enter the username of the user adding the comment.
An optional parameter. Enter the first name of the user adding the comment.
An optional parameter. Enter the last name of the user adding the comment.
Securonix 6.4 REST API Categories - Incident Management
Add to the Violation Score.
Add-SecuronixViolationScore
[-Url] <string>
[-Token] <string>
[-ScoreIncrement] <int>
[-TenantName] <string>
[-ViolationName] <string>
[-PolicyCategory] <string>
[-EntityType] <string>
[-EntityName] <string>
[-ResourceGroupName] <string>
[-ResourceName] <string>
Add-SecuronixViolationScore makes an API call to the incident/updateViolationScore endpoint and adds ScoreIncrement to the Violation Score.
Request
Add-SecuronixViolationScore -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-ScoreIncrement 1 -TenantName 'Automationtenant' `
-ViolationName 'policy' -PolicyCategory 'category' `
-EntityType 'Users' -EntityName 'xyz' `
-ResourceGroupName 'rgGroup' -ResourceName 'resource'
Response
{
"status": "OK",
"messages": [
"Violation score updated for AA01MAC, Policyname:All Resources - AD04Dataset - 09 Nov 2020 by 5.0 from SOAR API'"
],
"result": []
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API parameter. Only accepts positive integers; enter the value to increase the violation score by.
A required API parameter. The name of the tenant the entity belongs to.
A required API parameter. Name of the violation/policy to increase the violation score.
A required API parameter. Policy category name of the policy being acted on.
A required API parameter. Type of entity, enter any of: Users, Activityaccount, Resources, IpAddress.
A required API parameter. Entity id/name of the entity being added: accountname for Activityaccount, userid for Users, ipaddress for ActivityIp, resourceName for Resources.
Required if EntityType is not Users. Enter the name of the resource group the entity belongs to.
Required if EntityType is not Users. Enter the name of the resource the entity belongs to.
Securonix 6.4 REST API Categories - Incident Management
Get available incident actions.
Confirm-SecuronixIncidentAction
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
[-ActionName] <string>
Confirm-SecuronixIncidentAction makes an API call to the Incident/Get endpoint, checks whether an action is possible for the incident, and returns the list of parameters the action takes.
Request
Confirm-SecuronixIncidentAction -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' -IncidentId '100107' -ActionName 'Claim'
Response
{
"status": "OK",
"messages": [
"Check if action is possible and get list of parameters - Incident Id - [100289], action Name - [CLAIM], - status - [Open]"
],
"result": [{
"actionDetails": [{
"title": "Screen1",
"sections": {
"sectionName": "Comments",
"attributes": [{
"displayName": "Comments",
"attributeType": "textarea",
"attribute": "15_Comments",
"required": false
}]
}
}],
"actionName": "CLAIM",
"status": "CLAIMED"
}]
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter the target incident id.
A required API Parameter, enter the name of the action to check for availability on the incident.
Securonix 6.4 REST API Categories - Incident Management
Get a list of children incidents.
Get-SecuronixChildIncidents
[-Url] <string>
[-Token] <string>
[-ParentId] <string>
Get-SecuronixChildIncidents makes an API call to the Incident/Get endpoint and retrieves all child incident ids of an incident.
Request
Get-SecuronixChildIncidents -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-ParentId '20019'
Response
{
"status": "OK",
"messages": [
"Get child case details for incident ID [20019]"
],
"result": [
"20046",
"20073",
"20100",
"20127",
"20154",
"20181",
"20208",
"20235"
]
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter the incident id to view the details.
Securonix 6.4 REST API Categories - Incident Management
Get incident details.
Get-SecuronixIncident
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
Get-SecuronixIncident makes an API call to the Incident/Get endpoint and retrieves all details of an incident.
Request
Get-SecuronixIncident -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-IncidentId '100107'
Response
{
"status": "OK",
"messages": [
"Get incident details for incident ID [100107]"
],
"result": {
"data": {
"totalIncidents": 1.0,
"incidentItems": [{
"violatorText": "Cyndi Converse",
"lastUpdateDate": 1566232568502,
"violatorId": "96",
"incidentType": "Policy",
"incidentId": "100107",
"incidentStatus": "COMPLETED",
"riskscore": 0.0,
"assignedUser": "Admin Admin",
"priority": "low",
"reason": [
"Resource: Symantec Email DLP",
"Policy: Emails with large File attachments",
"Threat: Data egress attempts"
],
"violatorSubText": "1096",
"entity": "Users",
"workflowName": "SOCTeamReview",
"url": "DunderMifflin.securonix.com/Snypr/configurableDashboards/view?&type=incident&id=100107",
"isWhitelisted": false,
"watchlisted": false
}]
}
}
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
Valid authentication token.
A required API Parameter, enter the incident id to view the details.
Securonix 6.4 REST API Categories - Incident Management
Get available incident actions.
Get-SecuronixIncidentActionList
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
Get-SecuronixIncidentActionList makes an API call to the incident/Get endpoint and retrieves the actions available for an incident.
Request
Get-SecuronixIncidentActionList -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' -IncidentId '100107'
Response
{
"status": "OK",
"messages": [
"Get possible actions for incident ID [100289], incident status [Open]"
],
"result": [
{
"actionDetails": [{
"title": "Screen1",
"sections": {
"sectionName": "Comments",
"attributes": [{
"displayName": "Comments",
"attributeType": "textarea",
"attribute": "15_Comments",
"required": false
}]
}
}],
"actionName": "CLAIM",
"status": "CLAIMED"
},{
"actionDetails": [{
"title": "Screen1",
"sections": {
"sectionName": "Comments",
"attributes": [
{
"displayName": "Business Response",
"attributeType": "dropdown",
"values": [
"Inaccurate alert-User not a HPA",
"Inaccurate alert-inaccurate log data",
"Inaccurate alert-host does not belong to our business",
"Need more information",
"Duplicate alert"
],
"attribute": "10_Business-Response",
"required": false
},{
"displayName": "Business Justification",
"attributeType": "text",
"attribute": "11_Business-Justification",
"required": false
},{
"displayName": "Remediation Performed",
"attributeType": "text",
"attribute": "12_Remediation-Performed",
"required": false
},{
"displayName": "Business Internal Use",
"attributeType": "text",
"attribute": "13_Business-Internal-Use",
"required": false
},{
"displayName": "Assign To Analyst",
"attributeType": "assignto",
"values": [
{
"key": "GROUP",
"value": "Administrators"
},{
"key": "GROUP",
"value": "SECURITYOPERATIONS"
},{
"key": "USER",
"value": "admin"
},{
"key": "USER",
"value": "auditor"
},{
"key": "USER",
"value": "useradmin"
},{
"key": "USER",
"value": "accessscanner"
},{
"key": "USER",
"value": "account08"
},{
"key": "USER",
"value": "account10"
},{
"key": "USER",
"value": "account06"
},{
"key": "USER",
"value": "account07"
},{
"key": "USER",
"value": "account02"
},{
"key": "USER",
"value": "account09"
},{
"key": "USER",
"value": "account01"
},{
"key": "USER",
"value": "account05"
},{
"key": "USER",
"value": "account03"
},{
"key": "USER",
"value": "account04"
}
],
"attribute": "assigntouserid",
"required": true
}
]
}
}],
"actionName": "ASSIGN TO ANALYST",
"status": "OPEN"
},{
"actionDetails": [{
"title": "Screen1",
"sections": {
"sectionName": "Comments",
"attributes": [{
"displayName": "Comments",
"attributeType": "textarea",
"attribute": "15_Comments",
"required": false
}]
}
}],
"actionName": "ASSIGN TO SECOPS",
"status": "OPEN"
}
]
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter the incident id to view available actions.
Securonix 6.4 REST API Categories - Incident Management
Get a list of incident activity.
Get-SecuronixIncidentActivityHistory
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
Get-SecuronixIncidentActivityHistory makes an API call to the incident/Get endpoint and retrieves a list of activity and actions taken on an incident.
Request
Get-SecuronixIncidentActivityHistory -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-IncidentId '20019'
Response
{
"status": "OK",
"messages": [
"Get activity stream details for incident ID [20019]"
],
"result": {
"activityStreamData": [{
"caseid": "20019",
"actiontaken": "CREATED",
"status": "Open",
"comment": [],
"eventTime": "Jan 21, 2020 2:33:37 AM",
"username": "Admin Admin",
"currentassignee": "admin",
"commentType": [],
"currWorkflow": "SOCTeamReview"
}]
}
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter the incident id to view the details.
Securonix 6.4 REST API Categories - Incident Management
Make a request to the Securonix API.
Get-SecuronixWorkflowsList
Get-SecuronixIncidentAPIResponse
[-Url] <string>
[-Token] <string>
[-type] <string>
Get-SecuronixIncident, Get-SecuronixIncidentStatus, Get-SecuronixIncidentWorkflowName, Get-SecuronixIncidentActionList, Get-SecuronixChildIncidents, Get-SecuronixIncidentActivityHistory
Get-SecuronixIncidentAPIResponse
[-Url] <string>
[-Token] <string>
[-type] <string>
[-incidentId] <string>
Confirm-SecuronixIncidentAction
Get-SecuronixIncidentAPIResponse
[-Url] <string>
[-Token] <string>
[-type] <string>
[-incidentId] <string>
[-actionName] <string>
Get-SecuronixIncidentsList, Get-SecuronixIncidentAttachments
Get-SecuronixIncidentAPIResponse
[-Url] <string>
[-Token] <string>
[-type] <string>
[-from] <string>
[-to] <string>
[-rangeType] <string>
[-status <string>]
[-allowChildCases]
[-max <int>]
[-offset <int>]
Get-SecuronixWorkflowDefinition, Get-SecuronixWorkflowDefaultAssignee
Get-SecuronixIncidentAPIResponse
[-Url] <string>
[-Token] <string>
[-type] <string>
[-workflowname] <string>
Get-SecuronixIncidentAPIResponse makes an API call to the incident/Get endpoint with the supplied request type. Parameters vary based on the type of request you are making. It is recommended to use the alternative wrappers in this module.
Request
Get-SecuronixIncidentAPIResponse -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-Type 'metaInfo' -IncidentId '100107'
Response
{
"status": "OK",
"messages": [
"Get incident details for incident ID [100107]"
],
"result": {
"data": {
"totalIncidents": 1.0,
"incidentItems": [{
"violatorText": "Cyndi Converse",
"lastUpdateDate": 1566232568502,
"violatorId": "96",
"incidentType": "Policy",
"incidentId": "100107",
"incidentStatus": "COMPLETED",
"riskscore": 0.0,
"assignedUser": "Admin Admin",
"priority": "low",
"reason": [
"Resource: Symantec Email DLP",
"Policy: Emails with large File attachments",
"Threat: Data egress attempts"
],
"violatorSubText": "1096",
"entity": "Users",
"workflowName": "SOCTeamReview",
"url": "DunderMifflin.securonix.com/Snypr/configurableDashboards/view?&type=incident&id=100107",
"isWhitelisted": false,
"watchlisted": false
}]
}
}
}
Request
Get-SecuronixIncidentAPIResponse -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-type 'list' `
-from '1566249473000' -to '1566335873000' -rangeType 'updated'
Response
{
"status": "OK",
"result": {
"data": {
"totalIncidents": 1.0,
"incidentItems": [{
"violatorText": "Cyndi Converse",
"lastUpdateDate": 1566293234026,
"violatorId": "96",
"incidentType": "RISK MODEL",
"incidentId": "100181",
"incidentStatus": "COMPLETED",
"riskscore": 0.0,
"assignedUser": "Account Access 02",
"assignedGroup": "Administrators",
"priority": "None",
"reason": [
"Resource: Symantec Email DLP"
],
"violatorSubText": "1096",
"entity": "Users",
"workflowName": "SOCTeamReview",
"url": "DunderMifflin.securonix.com/Snypr/configurableDashboards/view?&type=incident&id=100181",
"isWhitelisted": false,
"watchlisted": false
}]
}
}
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter the API type to view the details.
A required API Parameter, enter the unique incident id number.
A required API Parameter, enter time starting point. Time (epoch) in ms.
A required API Parameter, enter time ending point. Time (epoch) in ms.
A required API Parameter, enter the incident action status. Select any of: updated, opened, closed.
An optional API Parameter, filter results by status.
An optional API Parameter, used to receive the list of child cases associated with a parent case in the response.
An optional API Parameter, enter maximum number of records the API will display.
An optional API Parameter, used for pagination of the request.
A required API Parameter, enter the name of a Securonix workflow.
Securonix 6.4 REST API Categories - Incident Management
Get a list of files attached to incidents.
Get-SecuronixIncidentAttachments
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
[[-AttachmentType] <string>]
Get-SecuronixIncidentAttachments
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
[-TimeStart] <string>
[-TimeEnd] <string>
[[-AttachmentType] <string>]
Get-SecuronixIncidentAttachments makes an API call to the Incident/attachments endpoint and retrieves attachments from an incident.
Request
Get-SecuronixIncidentAttachments -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-IncidentId '100107'
Response
{
"error": "[User] do not have access to incident tenant",
"type": "Bad Request",
"code": "400"
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter starting point for the search. Time (epoch) in ms or Date Time in 'mm/dd/YYYY HH:MM:SS-00'.
A required API Parameter, enter ending point for the search. Time (epoch) in ms or Date Time in 'mm/dd/YYYY HH:MM:SS-00'.
A required API Parameter, select any of: csv, pdf, txt.
Securonix 6.4 REST API Categories - Incident Management
Get a list of Securonix incidents.
Get-SecuronixIncidentsList
[-Url] <string>
[-Token] <string>
[-TimeStart] <string>
[-TimeEnd] <string>
[-RangeType] <string>
[-Status <string>]
[-AllowChildCases]
[-Max <int>]
[-Offset <int>]
Get-SecuronixIncidentsList makes an API call to the Incident/Get endpoint and retrieves a list of incidents opened within the supplied time range and any additional filters provided.
Request
Get-SecuronixIncidentsList -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-TimeStart '1566249473000' -TimeEnd '1566335873000' -RangeType 'updated'
Response
{
"status": "OK",
"result": {
"data": {
"totalIncidents": 1.0,
"incidentItems": [{
"violatorText": "Cyndi Converse",
"lastUpdateDate": 1566293234026,
"violatorId": "96",
"incidentType": "RISK MODEL",
"incidentId": "100181",
"incidentStatus": "COMPLETED",
"riskscore": 0.0,
"assignedUser": "Account Access 02",
"assignedGroup": "Administrators",
"priority": "None",
"reason": [
"Resource: Symantec Email DLP"
],
"violatorSubText": "1096",
"entity": "Users",
"workflowName": "SOCTeamReview",
"url": "DunderMifflin.securonix.com/Snypr/configurableDashboards/view?&type=incident&id=100181",
"isWhitelisted": false,
"watchlisted": false
}]
}
}
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter starting point for the search. Time (epoch) in ms or Date Time in 'mm/dd/YYYY HH:MM:SS-00'.
A required API Parameter, enter ending point for the search. Time (epoch) in ms or Date Time in 'mm/dd/YYYY HH:MM:SS-00'.
A required API Parameter, select any of updated|opened|closed.
An optional API Parameter, filter results by status.
An optional API Parameter. Include this switch to receive the list of child cases associated with a parent case in the response.
An optional API Parameter, enter maximum number of records the API will display.
An optional API Parameter, used for pagination of the request.
Securonix 6.4 REST API Categories - Incident Management
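Added example (not part of the module's documentation): page through every incident in a time window with the -Max/-Offset pagination described above, converting .NET dates to the epoch milliseconds the API expects. It assumes Get-SecuronixIncidentsList returns the JSON shown above as a PowerShell object (status, result.data.totalIncidents, result.data.incidentItems); $token is a placeholder for a token from New-SecuronixApiToken.

```powershell
# Added example, not the module's own code. Assumes Get-SecuronixIncidentsList
# returns the documented JSON response as a PowerShell object.
function Get-SecuronixIncidentsInWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [ValidateSet('updated', 'opened', 'closed')][string]$RangeType = 'updated',
        [string]$Status,
        [ValidateRange(1, 1000)][int]$PageSize = 100
    )

    if ($End -le $Start) { throw "End ($End) must be later than Start ($Start)." }

    # TimeStart/TimeEnd are epoch time in milliseconds; normalise to UTC first so a
    # local-time Get-Date does not shift the window by the machine's offset.
    $toEpochMs = {
        param([datetime]$t)
        ([DateTimeOffset]$t.ToUniversalTime()).ToUnixTimeMilliseconds().ToString()
    }
    $timeStart = & $toEpochMs $Start
    $timeEnd   = & $toEpochMs $End

    # An incident's lastUpdateDate can change while we are paging, which moves it
    # between pages; remember emitted ids so a caller never sees one twice.
    $seen   = [System.Collections.Generic.HashSet[string]]::new()
    $offset = 0
    do {
        $request = @{
            Url = $Url; Token = $Token
            TimeStart = $timeStart; TimeEnd = $timeEnd; RangeType = $RangeType
            Max = $PageSize; Offset = $offset
        }
        if ($Status) { $request.Status = $Status }

        $page = Get-SecuronixIncidentsList @request
        # Error responses carry "error"/"code" instead of "status": "OK" (see the
        # attachments example above), so anything but OK stops the loop.
        if ($page.status -ne 'OK') {
            throw "Incident list request failed at offset ${offset}: $($page | ConvertTo-Json -Compress)"
        }

        $items = @($page.result.data.incidentItems)
        foreach ($item in $items) {
            if ($seen.Add([string]$item.incidentId)) { $item }
        }

        $offset += $items.Count
        $total   = [int]$page.result.data.totalIncidents   # reported as a float, e.g. 1.0
    } while ($items.Count -gt 0 -and $offset -lt $total)
}

# Usage: everything updated in the last 24 hours, reduced to the triage columns.
# Get-SecuronixIncidentsInWindow -Url 'https://DunderMifflin.securonix.com/Snypr' -Token $token `
#     -Start (Get-Date).AddHours(-24) -End (Get-Date) |
#     Select-Object incidentId, incidentStatus, priority, violatorText, workflowName
```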
Get incident status.
Get-SecuronixIncidentStatus
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
Get-SecuronixIncidentStatus makes an API call to the Incident/Get endpoint and retrieves the status of an incident.
Request
Get-SecuronixIncidentStatus -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' -IncidentId '100107'
Response
{
"status": "OK",
"messages": [
"Get incident status for incident ID [100107] - [COMPLETED]"
],
"result": {
"status": "COMPLETED"
}
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter the incident id to view the status.
Securonix 6.4 REST API Categories - Incident Management
Get incident workflow.
Get-SecuronixIncidentWorkflowName
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
Get-SecuronixIncidentWorkflowName makes an API call to the Incident/Get endpoint and retrieves the workflow name of an incident.
Request
Get-SecuronixIncidentWorkflowName -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' -IncidentId '100107'
Response
{
"status": "OK",
"messages": [
"Get incident workflow for incident ID [100107] - [SOCTeamReview]"
],
"result": {
"workflow": "SOCTeamReview"
}
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter the incident id to view the workflow name.
Securonix 6.4 REST API Categories - Incident Management
Get a list of available actions.
Get-SecuronixThreatActionList
[-Url] <string>
[-Token] <string>
Get-SecuronixThreatActionList makes an API call to the Incident/Get endpoint and retrieves all threat management actions available for an incident.
Request
Get-SecuronixThreatActionList -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF'
Response
{
"status": "OK",
"messages": [
"test Message 04"
],
"result": [
"Mark as concern and create incident",
"Non-Concern",
"Mark in progress (still investigating)"
]
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
Securonix 6.4 REST API Categories - Incident Management
Get default resource assigned to a workflow.
Get-SecuronixWorkflowDefaultAssignee
[-Url] <string>
[-Token] <string>
[-WorkflowName] <string>
Get-SecuronixWorkflowDefaultAssignee makes an API call to the Incident/Get endpoint and retrieves the resource an incident will be assigned for the selected workflow.
Request
Get-SecuronixWorkflowDefaultAssignee -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-WorkflowName 'SOCTeamReview'
Response
{
"status": "OK",
"messages": [
"Default assignee for workflow [SOCTeamReview] - [admin]"
],
"result": {
"type": "USER",
"value": "admin"
}
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter the name of a Securonix workflow.
Securonix 6.4 REST API Categories - Incident Management
Get details of a workflow.
Get-SecuronixWorkflowDefinition
[-Url] <string>
[-Token] <string>
[-WorkflowName] <string>
Get-SecuronixWorkflowDefinition makes an API call to the Incident/Get endpoint and returns with the details for the specified workflow.
Request
Get-SecuronixWorkflowDefinition -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-WorkflowName 'SOCTeamReview'
Response
{
"status": "OK",
"messages": [
"Workflow Details"
],
"result": {
"SOCTeamReview": {
"CLAIMED": [
{
"Status": "OPEN",
"Action": "ASSIGN TO ANALYST"
},{
"Status": "COMPLETED",
"Action": "ACCEPT RISK"
},{
"Status": "OPEN",
"Action": "RELEASE"
},{
"Status": "CLOSED",
"Action": "VIOLATION"
},{
"Status": "OPEN",
"Action": "ASSIGN TO SECOPS"
}
],
"CLOSED": [
{
"Status": "PENDING VERIFICATION",
"Action": "CLAIM"
},{
"Status": "OPEN",
"Action": "ASSIGN TO ANALYST"
},{
"Status": "OPEN",
"Action": "RELEASE"
}
],
"PENDING VERIFICATION": [{
"Status": "COMPLETED",
"Action": "VERIFY"
}],
"OPEN": [
{
"Status": "OPEN",
"Action": "ASSIGN TO ANALYST"
},{
"Status": "CLAIMED",
"Action": "CLAIM"
},{
"Status": "OPEN",
"Action": "ASSIGN TO SECOPS"
},{
"Status": "Do Not Change",
"Action": "WhiteList_Action"
}
]
}
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter, enter the name of a Securonix workflow.
Securonix 6.4 REST API Categories - Incident Management
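Added example (not part of the module's documentation): the definition returned above is a state machine keyed by current status, each entry naming an Action and the Status it leads to, so a breadth-first search gives the shortest action sequence from an incident's current status to a target one (for the SOCTeamReview definition shown, OPEN reaches COMPLETED via CLAIM and then ACCEPT RISK). It assumes Get-SecuronixWorkflowDefinition returns that JSON as a PowerShell object; $token is a placeholder.

```powershell
# Added example, not the module's own code. Assumes Get-SecuronixWorkflowDefinition
# returns the documented JSON (result.<WorkflowName>.<STATUS> = [{Status, Action}, ...]).
function Find-SecuronixWorkflowPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$WorkflowName,
        [Parameter(Mandatory)][string]$FromStatus,
        [string]$ToStatus = 'COMPLETED'
    )

    $response = Get-SecuronixWorkflowDefinition -Url $Url -Token $Token -WorkflowName $WorkflowName
    if ($response.status -ne 'OK') {
        throw "Workflow lookup failed: $($response | ConvertTo-Json -Compress)"
    }
    $definition = $response.result.$WorkflowName
    if (-not $definition) { throw "Workflow '$WorkflowName' not present in the response." }

    # Transition table: current status -> list of (Action, Next). Statuses are
    # compared upper-cased because the API mixes "Open" and "OPEN".
    $transitions = @{}
    foreach ($prop in $definition.PSObject.Properties) {
        $transitions[$prop.Name.ToUpperInvariant()] = @($prop.Value | ForEach-Object {
            [pscustomobject]@{ Action = $_.Action; Next = ([string]$_.Status).ToUpperInvariant() }
        })
    }

    # Breadth-first search; the first time we dequeue the goal, the path is shortest.
    # Statuses with no outgoing entries (COMPLETED, or the "Do Not Change" pseudo-status
    # of WhiteList_Action) simply expand to nothing.
    $start = $FromStatus.ToUpperInvariant()
    $goal  = $ToStatus.ToUpperInvariant()
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Status = $start; Path = @() })
    $visited = [System.Collections.Generic.HashSet[string]]::new()
    [void]$visited.Add($start)

    while ($queue.Count -gt 0) {
        $node = $queue.Dequeue()
        if ($node.Status -eq $goal) { return ,$node.Path }
        foreach ($t in $transitions[$node.Status]) {
            if ($visited.Add($t.Next)) {
                $queue.Enqueue(@{ Status = $t.Next; Path = $node.Path + "$($t.Action) -> $($t.Next)" })
            }
        }
    }
    Write-Warning "No sequence of actions leads from '$start' to '$goal' in workflow '$WorkflowName'."
    return $null
}

# Usage: list the actions an analyst must take to close out an OPEN incident.
# Find-SecuronixWorkflowPath -Url 'https://DunderMifflin.securonix.com/Snypr' -Token $token `
#     -WorkflowName 'SOCTeamReview' -FromStatus 'OPEN' -ToStatus 'COMPLETED'
```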
Get list of workflows.
Get-SecuronixWorkflowsList
[-Url] <string>
[-Token] <string>
Get-SecuronixWorkflowsList makes an API call to the Incident/Get endpoint and returns with a list of workflows.
Request
Get-SecuronixWorkflowsList -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF'
Response
{
"status": "OK",
"messages": [
"Get all possible workflows"
],
"result": {
"workflows": [
{
"workflow": "SOCTeamReview",
"type": "USER",
"value": "admin"
},{
"workflow": "ActivityOutlierWorkflow",
"type": "USER",
"value": "admin"
},{
"workflow": "AccessCertificationWorkflow",
"type": "USER",
"value": "admin"
}
]
}
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
Securonix 6.4 REST API Categories - Incident Management
Create a Securonix incident.
New-SecuronixIncident
[-Url] <string>
[-Token] <string>
[-ViolationName] <string>
[-DatasourceName] <string>
[-EntityType] <string>
[-EntityName] <string>
[-Workflow] <string>
[-Comment <string>]
[-EmployeeId <string>]
[-Criticality <string>]
New-SecuronixIncident makes an API call to the Incident/Actions endpoint and creates a new incident.
Request
New-SecuronixIncident -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-ViolationName 'Repeated Visits to Potentially Malicious address' -DatasourceName 'Websense Proxy' `
-EntityType 'Activityip' -EntityName '134.119.189.29' -Workflow 'SOCTeamReview'
Response
{
"status": "OK",
"messages":[
"Get incident details for incident ID [100317]"
],
"result": {
"data": {
"totalIncidents": 1.0,
"incidentItems": [{
"violatorText": "134.119.189.29",
"lastUpdateDate": 1566337840264,
"violatorId": "134.119.189.29",
"incidentType": "Policy",
"incidentId": "100317",
"incidentStatus": "Open",
"riskscore": 3.0,
"assignedUser": "Admin Admin",
"priority": "low",
"reason": [
"Policy: Repeated Visits to Potentially Malicious address",
"Threat: Possible C2 Communication"
],
"entity": "Activityip",
"workflowName": "SOCTeamReview",
"url": "https://saaspocapp2t14wptp.securonix.net/Snypr/configurableDashboards/view?&type=incident&id=100317",
"isWhitelisted": false,
"watchlisted": false
}]
}
}
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter. Enter the violation policy name.
A required API Parameter. Enter the resource group name.
A required API Parameter. Enter any of the following types: Users, Activityaccount, RGActivityaccount, Resources, Activityip.
A required API Parameter. Enter the accountname associated with the violation.
A required API Parameter. Enter the workflow name.
An optional API Parameter. Enter an additional comment.
An optional API Parameter. Enter the employee id.
An optional API Parameter. Enter the criticality. Possible values: 'none','low','medium','high','custom'.
Securonix 6.4 REST API Categories - Incident Management
Update an incident's criticality.
Update-SecuronixCriticality
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
[-Criticality] <string>
Update-SecuronixCriticality makes an API call to the Incident/Actions endpoint and updates the incident's criticality.
Request
Update-SecuronixCriticality -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-IncidentId '10029' -Criticality 'low'
Response
{
"status": "OK",
"messages": [
"Criticality updated for incidents : [1727657,172992]"
]
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter. Enter the incident id of the incident to update.
A required parameter. Enter the new criticality. Possible values: 'none','low','medium','high','custom'.
Securonix 6.4 REST API Categories - Incident Management
Update a Securonix incident.
Update-SecuronixIncident
[-Url] <string>
[-Token] <string>
[-IncidentId] <string>
[-ActionName] <string>
[-Attributes <hashtable>]
Update-SecuronixIncident makes an API call to the Incident/Actions endpoint and updates an incident with the supplied action.
Request
Update-SecuronixIncident -Url 'DunderMifflin.securonix.com/Snypr' -Token '12345678-90AB-CDEF-1234-567890ABCDEF' `
-IncidentId '10029' -ActionName 'comment' `
-Attributes @{'comment'='comment message';'username'='jhalpert';'firstname'='Jim';'lastname'='Halpert'}
Response
{
"status": "OK",
"result": "submitted"
}
Url endpoint for your Securonix instance. It must be in the following format:
https://<hostname or IPaddress>/Snypr
An API token to validate access. Use New-SecuronixApiToken to generate a new token.
A required API Parameter. Enter the incident id of the incident to update.
A required API Parameter. Enter the action you want to perform on the incident. You can run the Available Threat Actions on an Incident API to view the available actions.
Depending on the workflow configured in your organization, add the required attributes. Run Confirm-SecuronixIncidentAction or Get-SecuronixIncidentActionList to view all the attributes (required or not).
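Added example (not part of the module's documentation): before calling Update-SecuronixIncident, confirm with Confirm-SecuronixIncidentAction that the action is currently possible and that every attribute the workflow marks "required": true is present in the hashtable, matching keys against the attribute field of the returned definition (result[].actionDetails[].sections.attributes[] as shown above). It assumes both cmdlets return the documented JSON as PowerShell objects; $token is a placeholder.

```powershell
# Added example, not the module's own code. Assumes Confirm-SecuronixIncidentAction
# and Update-SecuronixIncident return the documented JSON as PowerShell objects.
function Invoke-SecuronixCheckedAction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$IncidentId,
        [Parameter(Mandatory)][string]$ActionName,
        [hashtable]$Attributes = @{}
    )

    # 1. Is the action possible for this incident in its current workflow status?
    $check = Confirm-SecuronixIncidentAction -Url $Url -Token $Token `
        -IncidentId $IncidentId -ActionName $ActionName
    if ($check.status -ne 'OK' -or -not $check.result) {
        throw "Action '$ActionName' is not available for incident ${IncidentId}: $($check.messages -join '; ')"
    }

    # 2. Flatten result[].actionDetails[].sections.attributes[] into one list of
    #    attribute definitions (sections may be a single object or an array).
    $attributeDefs = @(
        foreach ($action in $check.result) {
            foreach ($screen in $action.actionDetails) {
                foreach ($section in @($screen.sections)) {
                    $section.attributes
                }
            }
        }
    )

    # 3. Every definition flagged required must have a matching key in -Attributes.
    $missing = @($attributeDefs |
        Where-Object { $_.required -and -not $Attributes.ContainsKey($_.attribute) } |
        Select-Object -ExpandProperty attribute)
    if ($missing.Count -gt 0) {
        throw "Action '$ActionName' requires attributes that were not supplied: $($missing -join ', ')"
    }

    # Keys the workflow does not define are still sent, but flagged so a typo such
    # as 'assigntouser' instead of 'assigntouserid' does not pass silently.
    $unknown = @($Attributes.Keys | Where-Object { $_ -notin $attributeDefs.attribute })
    if ($unknown.Count -gt 0) {
        Write-Warning "Attributes not defined for action '$ActionName': $($unknown -join ', ')"
    }

    # 4. Apply the action; -WhatIf lets an operator see the call without making it.
    if ($PSCmdlet.ShouldProcess("incident $IncidentId", "action '$ActionName'")) {
        Update-SecuronixIncident -Url $Url -Token $Token -IncidentId $IncidentId `
            -ActionName $ActionName -Attributes $Attributes
    }
}

# Usage: CLAIM only has an optional Comments attribute in the workflow shown above,
# so it passes the required-attribute check with a comment alone.
# Invoke-SecuronixCheckedAction -Url 'https://DunderMifflin.securonix.com/Snypr' -Token $token `
#     -IncidentId '100107' -ActionName 'CLAIM' -Attributes @{ '15_Comments' = 'Claimed for review' } -WhatIf
```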