Securonix
LAST UPDATED: SEPTEMBER 10, 2025
Overview
Securonix Next-Generation SIEM combines log management, UEBA and security incident response into a complete, end-to-end security operations platform.
Securonix is available for use in:
Known Limitations
The following are the known limitations of the commands in this integration:
Only available for version 6.2 CU4 SP4 and above.
Fetch Event parameters: Number of Event(s) Fetched and Query ID
Fetch Incident
Only available for version 6.2 CU4 SP5 and above:
Add Comment to Incidents
Create Watchlist
Get Incident Available Actions
List All Entities Present in an Existing Watchlist
List Watchlists
Take Incident Action
Connection
Gather the following information to connect D3 SOAR to Securonix.
Parameter | Description | Example |
Server URL | The server URL of the Securonix instance. | https://<Replace_Me> |
Username | The username used to access Securonix. | access21 |
Password | The password used to access Securonix. | ***** |
Is Multi-Tenancy | The option to indicate that the Securonix instance is multi-tenant when set to Yes. | No |
Tenant Name | The tenant name associated with the account for accessing Securonix. Tenant Name can be obtained using the List All Tenants command. If the tenant name is unknown, this parameter can be left empty temporarily. | Test_watchlist |
Configuring D3 SOAR to Work with Securonix
Log in to D3 SOAR.
Find the Securonix integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Securonix in the search box to find the integration, then click it to select it.
Click on the + Connection button on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Securonix.
Connection Name: The desired name for the connection.
Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): The description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
Active: The checkbox that enables the connection to be used when selected.
Configure User Permissions: Defines which users have access to the connection.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the Server URL.
2. Input the Username.
3. Input the Password.
4. Select Yes if the instance is multi-tenant.
5. Input the Tenant Name.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Securonix includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command function, users can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Securonix API, refer to the Securonix API reference.
Note for Time-related parameters
The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:
Navigate to Configuration Application Settings. Select Date/Time Format.
Choose the desired date and time format, then click on the Save button.
The selected time format will now be visible when configuring Date/Time command input parameters.
Add Comment to Incidents
Adds a comment to the specified incidents.
READER NOTE
Incident IDs is a required parameter to run this command.
Run the Fetch Incident command to obtain the Incident IDs. Incident IDs can be found in the raw data at $.result.data.incidentItems[*].incidentId.
Input
Input Parameter | Required/Optional | Description | Example |
Incident IDs | Required | The IDs of the incidents to which a comment is added. Incident IDs can be obtained using the Fetch Incident command. |
JSON
|
Comment | Required | The comment to add to the incidents. | New Comment |
User Name | Optional | The name of the user adding the comment. If the third-party username exists in Unified Defense SIEM, the application adds the comment using that username. | user@example.com |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Comment to Incidents failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data | Add Comment to Incidents failed. Status Code: 400. Message: Server URL is not valid in format. |
Create Incident
Creates an incident in Securonix.
READER NOTE
Violation Name, Datasource Name, and Entity Name are required parameters to run this command.
Run the List Violation Data command to obtain them.
Violation Names can be found in the raw data at $.events[*].policyname.
Datasource Names can be found in the raw data at $.events[*].resourcegroupname.
Entity Names can be found in the raw data at $.events[*].accountname.
Resource Name and Employee ID are optional parameters for this command.
Run the List Users command to obtain the Employee ID. Employee IDs can be found in the raw data at $.user[*].employeeId.
Run the List Violation Data command to obtain the Resource Name. Resource Names can be found in the raw data at $.events[*].resourcename.
Input
Input Parameter | Required/Optional | Description | Example |
Workflow | Required | The workflow to assign to the incident. | SOCTeamReview |
Violation Name | Required | The name of the policy violation to associate with the incident. Violation Name can be obtained using the List Violation Data command. | POSSIBLE PRIVILEGE ENUMERATION |
Datasource Name | Required | The resource group name. Datasource Name can be obtained using the List Violation Data command. | A-IQ-Windows |
Entity Type | Required | The entity type of the incident. Valid values are:
By default, the value is Activityaccount. | Activityaccount |
Entity Name | Required | The account name linked to the violation associated with the incident. Entity Name can be obtained using the List Violation Data command. | ADMIN |
Resource Name | Optional | The resource name. This value is required when the Entity Type is Activityaccount. Resource Name can be obtained using the List Violation Data command. | COMPUTERNAME |
Comment | Optional | Adds a comment to the incident. | Incident created |
Employee ID | Optional | The employee ID of the creator. Employee ID can be obtained using the List Users command. | 1078 |
Criticality | Optional | The criticality of the incident. Valid values are:
| MEDIUM |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Incident failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data | Create Incident failed. Status Code: 400. Message: Server URL is not valid in format. |
Create Watchlist
Creates a new watchlist in Securonix.
Input
Input Parameter | Required/Optional | Description | Example |
Watchlist Name | Required | The name of the new watchlist. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Watchlist failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data | Create Watchlist failed. Status Code: 400. Message: Server URL is not valid in format. |
Execute Solr Query
Retrieves events with details based on the provided Solr query string.
READER NOTE
Solr Query of Violation is a required parameter to run this command.
Run the Fetch Incident command to obtain the Solr Query of Violation. Solr Queries of Violation can be found in the raw data at $.result.data.incidentItems[*].solrquery.
Input
Input Parameter | Required/Optional | Description | Example |
Solr Query of Violation | Required | The Solr query of the violation from the incident to retrieve incident-related events. Solr Query of Violation can be obtained using the Fetch Incident command. | index = violation and @policyName = "Security Alert SSO" and @resourcename = "2E22*****2234" and @resourcegroupname = "*****" and @tenantname = "*****" and generationtime between "05/15/2024 04:36:07" "05/15/2024 04:40:45" |
Event Query Maximum Days Allowed | Optional | The maximum number of days allowed by Securonix for event data to be queried in a single Solr query. When the specified Solr query contains a time range larger than the allowed limit, the command breaks it into multiple continuous time ranges within the limit to retrieve all event data. This parameter is required only when the Securonix tenant has a time range limitation for event data queries. | 7 |
Event Query Interval (Seconds) | Optional | The time delay for each time-range events query. A tuned value reduces the chance of API rate limit failures, especially when the Solr query contains a time range greater than 7 days. By default, the value is 1 second. The maximum allowed value is 60. A higher value may significantly increase the command run time. | 2 |
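The time-range splitting described by the Event Query Maximum Days Allowed and Event Query Interval parameters, as an added Python illustration that is not D3 SOAR's or Securonix's own code: it rewrites the generationtime clause of a query in the shape of the page's example into contiguous windows no longer than the day limit, then runs them with a pause between calls and deduplicates on eventid. The regular expression, the sample query values and fake_fetch are constructed assumptions.

```python
import re
import time
from datetime import datetime, timedelta

# Timestamp format used inside the generationtime clause of the Solr query
# shown on this page, e.g. "05/15/2024 04:36:07".
TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Matches: generationtime between "<start>" "<end>"  (assumed clause layout)
BETWEEN_RE = re.compile(
    r'generationtime\s+between\s+"([^"]+)"\s+"([^"]+)"', re.IGNORECASE
)


def split_solr_query(query: str, max_days: int) -> list:
    """Split a violation Solr query whose generationtime range is longer than
    max_days into several queries, each covering at most max_days.

    Adjacent windows share their boundary timestamp so no event is lost; an
    event sitting exactly on a boundary may be returned twice and is removed
    by run_windows(). A query without a generationtime clause, or one already
    within the limit, comes back unchanged as a one-element list.
    """
    m = BETWEEN_RE.search(query)
    if m is None or max_days <= 0:
        return [query]
    start = datetime.strptime(m.group(1), TIME_FMT)
    end = datetime.strptime(m.group(2), TIME_FMT)
    if end <= start:
        raise ValueError("generationtime range must end after it starts")
    limit = timedelta(days=max_days)
    if end - start <= limit:
        return [query]
    windows = []
    cur = start
    while cur < end:
        nxt = min(cur + limit, end)
        clause = 'generationtime between "%s" "%s"' % (
            cur.strftime(TIME_FMT), nxt.strftime(TIME_FMT))
        # Everything outside the clause is kept verbatim; only the range changes.
        windows.append(query[:m.start()] + clause + query[m.end():])
        cur = nxt
    return windows


def run_windows(queries, fetch, interval_seconds=1):
    """Run each window query through fetch(query) -> list of event dicts,
    pausing interval_seconds between calls (clamped to 0..60, the range this
    page gives for Event Query Interval) to stay under the API rate limit.
    Events are deduplicated on eventid because adjacent windows overlap at
    their shared boundary timestamp.
    """
    interval = max(0, min(int(interval_seconds), 60))
    seen = set()
    events = []
    for i, q in enumerate(queries):
        if i and interval:
            time.sleep(interval)
        for ev in fetch(q):
            key = ev.get("eventid")
            if key is not None:
                if key in seen:
                    continue
                seen.add(key)
            events.append(ev)
    return events


# Constructed sample: same shape as the page's example query, with a 19.5-day
# range that exceeds a 7-day tenant limit (resource/tenant values are placeholders).
SAMPLE_QUERY = (
    'index = violation and @policyName = "Security Alert SSO" '
    'and @resourcename = "RES-PLACEHOLDER" and @tenantname = "TENANT-PLACEHOLDER" '
    'and generationtime between "05/01/2024 00:00:00" "05/20/2024 12:00:00"'
)


def fake_fetch(query):
    """Stand-in for the Securonix call: returns two constructed events per window."""
    return [{"eventid": "E-1", "query": query}, {"eventid": "E-2", "query": query}]


if __name__ == "__main__":
    windows = split_solr_query(SAMPLE_QUERY, max_days=7)
    for q in windows:
        print(q)
    print(len(run_windows(windows, fake_fetch, 0)), "unique events")
```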
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Execute Solr Query failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data | Execute Solr Query failed. Status Code: 400. Message: Server URL is not valid in format. |
Fetch Event
Returns events based on the specified query.
READER NOTE
Tenant Name is an optional parameter to run this command.
Run the List All Tenants command to obtain the Tenant Name. Tenant Names can be found in the raw data at $.result*.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Required | The start of the event retrieval range (in UTC) in the MM-dd-yyyy HH:mm AM|PM format. The range between Start Time and End Time cannot exceed 24 hours when Index is set to Activity. | 11/01/2022 12:00 AM |
End Time | Required | The end of the event retrieval range (in UTC) in the MM-dd-yyyy HH:mm AM|PM format. The range between Start Time and End Time cannot exceed 24 hours when Index is set to Activity. | 11/24/2022 12:00 AM |
Index | Optional | The index from which to return events. Valid values are:
By default, the value is set to Activity. | Activity |
Open Query | Optional | The query string used to fetch events in the <FieldName> = <FieldValue> AND <FieldName> = <FieldValue> syntax. For details on Spotter query structure, see Getting Started with Spotter Queries. Supported field names include (non-exhaustive):
If the input contains only text without operators, the command queries by keyword. For more information about keyword queries, see Keyword searches. | resourcegroupname=vcenter AND categoryseverity=0 |
Tenant Name | Optional | The name of the tenant from which to retrieve events when using an MSSP account. This parameter is not applicable for tenant user accounts, where the tenant name is applied automatically. Tenant Name can be obtained using the List All Tenants command. | Partners001 |
Number of Event(s) Fetched | Optional | The maximum number of events to return. A value of 0 or a negative number returns all events within the given time range. By default, all events within the given time range are returned. | 2 |
Query ID | Optional | The ID used to paginate results within the specified duration. When Query ID is specified, all other parameters are ignored. The first query response includes a queryId, which can be used to retrieve records from a specific page. | Spotterwebservice5059*****f78e |
Tolerance Scope (Minutes) | Optional | Sets the tolerance scope for fetching events between the specified start and end times. This prevents event loss or fetch failures caused by system time differences between D3 and Securonix. Events are fetched between {Start Time − Tolerance Scope, End Time}. | 1 |
Custom Index | Optional | The name of the custom index from which to return events. Use this parameter if the required index is not available in the Index parameter list. When specified, this parameter overrides the Index parameter. | snowflake |
Output
To view the sample output data for all commands, refer to this article.
Fetch Event Field Mapping
See Field Mappings.
The Securonix system integration includes pre-configured field mappings for the default event source.
The Default Event Source is the default system-provided set of field mappings applied when the fetch event command is executed. It includes a Main Event JSON Path, which is the JSONPath expression that points to the base array of event objects. The source field path continues from this array to locate the required data.
The Main Event JSON Path can be viewed by clicking on the Edit Event Source button.

Main Event JSON Path: $.events
The events array contains the event objects. Within each object, the key eventid denotes the Unique Event Key field. As such, the full JSONPath expression to extract the Unique Event Key is $.events.eventid.
The pre-configured field mappings are detailed below:
Field Name | Source Field |
Default | |
Unique Event Key | .eventid |
Event Type | .riskthreatname |
Start Time | .datetime |
Severity | .categoryseverity |
Description | .category |
Username | .fullname |
Employee ID | .employeeid |
Tenant Name | .tenantname |
Event Source for Violations (Search String: {$.eventType}=violation) | |
Unique Event Key | .eventid |
Event Type | .riskthreatname |
Start Time | .eventtime |
Description | .category |
Alert Raw Log | .rawevent |
Hostname | .devicehostname |
Destination NT domain | .destinationntdomain |
Process file path | .filepath |
Source IP address | .sourceaddress |
Account Name | .accountname |
Policy Name | .policyname |
Employee ID | .employeeid |
Tenant Name | .tenantname |
Username | .fullname |
Department | .department |
Status | .status |
Work Email | .workemail |
Event City | .eventcity |
Manager Employee ID | .manageremployeeid |
Resource Type | .resourcetype |
User Criticality | .usercriticality |
Message | .message |
Entity Type | .violator |
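How the pre-configured field mappings above apply to a raw payload, as an added Python example rather than D3 SOAR's own mapping engine: it follows the Main Event JSON Path to the events array, selects the violation event source when the eventType search string matches, resolves each relative source field, and reports events that lack a Unique Event Key. The sample payload is constructed, and the location of eventType on each event object is an assumption.

```python
import json

# Main Event JSON Path from the mapping above: the array of event objects.
MAIN_EVENT_JSON_PATH = "$.events"

# Source fields are relative to each object in that array (from the tables above).
DEFAULT_MAPPING = {
    "Unique Event Key": ".eventid",
    "Event Type": ".riskthreatname",
    "Start Time": ".datetime",
    "Severity": ".categoryseverity",
    "Description": ".category",
    "Username": ".fullname",
    "Employee ID": ".employeeid",
    "Tenant Name": ".tenantname",
}
VIOLATION_MAPPING = {
    "Unique Event Key": ".eventid",
    "Event Type": ".riskthreatname",
    "Start Time": ".eventtime",
    "Description": ".category",
    "Alert Raw Log": ".rawevent",
    "Hostname": ".devicehostname",
    "Source IP address": ".sourceaddress",
    "Account Name": ".accountname",
    "Policy Name": ".policyname",
    "Employee ID": ".employeeid",
    "Tenant Name": ".tenantname",
    "Entity Type": ".violator",
}

# Search String {$.eventType}=violation. Assumption: eventType is a key on each
# event object; the page does not show where it sits in the raw payload.
VIOLATION_SEARCH = ("eventType", "violation")


def resolve_path(obj, path):
    """Resolve a simple dotted path such as '$.events' or '.devicehostname'.
    Returns None when any segment is missing, so a mapped field is never
    silently filled with a value from the wrong place."""
    cur = obj
    for part in path.lstrip("$").split("."):
        if not part:
            continue
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def select_event_source(event):
    """Use the violation mapping when the search string matches, else the default."""
    key, wanted = VIOLATION_SEARCH
    if event.get(key) == wanted:
        return "violation", VIOLATION_MAPPING
    return "default", DEFAULT_MAPPING


def map_events(payload):
    """Apply the field mappings to a raw Fetch Event payload.
    Returns (rows, missing_key): one dict per event keyed by D3 field name, and
    the raw events without a Unique Event Key, which cannot be deduplicated."""
    events = resolve_path(payload, MAIN_EVENT_JSON_PATH) or []
    rows, missing_key = [], []
    for ev in events:
        source, mapping = select_event_source(ev)
        row = {"event_source": source}
        for field, src in mapping.items():
            row[field] = resolve_path(ev, src)
        if row["Unique Event Key"] is None:
            missing_key.append(ev)
        rows.append(row)
    return rows, missing_key


# Constructed sample payload (not real Securonix output): one activity event,
# one violation event, and one malformed event without an eventid.
SAMPLE_PAYLOAD = json.loads("""{
  "events": [
    {"eventid": "E-1", "eventType": "activity", "riskthreatname": "Account Misuse",
     "datetime": "11/01/2022 12:00 AM", "categoryseverity": "0", "category": "Logon",
     "fullname": "Jane Doe", "employeeid": "1078", "tenantname": "Partners001"},
    {"eventid": "E-2", "eventType": "violation", "riskthreatname": "Privilege Escalation",
     "eventtime": "05/15/2024 04:36:07", "category": "Privilege", "rawevent": "<raw log>",
     "devicehostname": "COMPUTERNAME", "sourceaddress": "10.0.0.5", "accountname": "ADMIN",
     "policyname": "POSSIBLE PRIVILEGE ENUMERATION", "employeeid": "1078",
     "tenantname": "Partners001", "violator": "Activityaccount"},
    {"eventType": "violation", "riskthreatname": "No key"}
  ]
}""")


if __name__ == "__main__":
    rows, no_key = map_events(SAMPLE_PAYLOAD)
    for r in rows:
        print(r["event_source"], r["Unique Event Key"], r["Event Type"], r["Start Time"])
    print(len(no_key), "event(s) without a Unique Event Key")
```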
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Event failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data | Fetch Event failed. Status Code: 400. Message: Server URL is not valid in format. |
Fetch Incident
Returns incidents based on the specified criteria.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Required | The start of the incident retrieval range (in UTC) in the MM-dd-yyyy HH:mm AM|PM format. | 11/10/2021 12:00 AM |
End Time | Required | The end of the incident retrieval range (in UTC) in the MM-dd-yyyy HH:mm AM|PM format. | 12/10/2021 12:00 AM |
Time Range Type | Required | Indicates how the Start Time and End Time are applied. Valid options are:
For example, if Closed is selected, the query returns incidents closed within the specified time range. | Updated |
Offset | Optional | The start position for querying incident records. By default, the value is the beginning of the record set. | 50 |
Number of Incident(s) Fetched | Optional | The maximum number of incidents to return. Valid input values are integers between 0 and 100 inclusive. By default, the value is 100. | 2 |
Include Events | Optional | Whether to include related events for each incident. When "True," the returned incidents will include their related events. When "False," only incidents will be returned. By default, the value is True. | False |
Output
To view the sample output data for all commands, refer to this article.
Incident Field Mapping
For this integration, the default incident fields in D3 SOAR contain built-in source fields.
Event and Incident Intake Field Mapping
See Field Mappings.
Incident field mapping is required.
Incident Main JSON Path: $.result.data.incidentItems
Field Name | Source Field |
Title | .violatorText |
Description | .reason |
Severity | <user-selected> |
Incident Type * | <user-selected> |
Incident Creator | <user-defined> |
Incident Owner | <user-defined> |
Investigation Playbook | <user-defined> |
Due In Date | <user-defined> |
Unique Key | .properties.incidentNumber |
Tactics | .properties.additionalData.tactics |
Techniques | <user-defined> |
Event Field Mapping
Main Event JSON Path: $.events (Search String: {$.eventType}=violation)
The event field mappings here are the same as those of Fetch Event.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Incident failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data | Fetch Incident failed. Status Code: 400. Message: Server URL is not valid in format. |
Get Default Workflow Assignee
Returns the default assignee of the specified workflow.
READER NOTE
Workflow Name is a required parameter to run this command.
Run the List Workflows command to obtain the Workflow Name. Workflow Names can be found in the raw data at $.result.workflows[*].workflow.
Input
Input Parameter | Required/Optional | Description | Example |
Workflow Name | Required | The name of the workflow. Workflow Name can be obtained using the List Workflows command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Default Workflow Assignee failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data | Get Default Workflow Assignee failed. Status Code: 400. Message: Server URL is not valid in format. |
Get Incident Available Actions
Retrieves possible actions available for the specified incident.
READER NOTE
Incident ID is a required parameter to run this command.
Run the Fetch Incident command to obtain the Incident ID. Incident IDs can be found in the raw data at $.result.data.incidentItems[*].incidentId.
Input
Input Parameter | Required/Optional | Description | Example |
Incident ID | Required | The ID of the incident for which to retrieve available actions. Incident ID can be obtained using the Fetch Incident command. | ***** |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Incident Available Actions failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data | Get Incident Available Actions failed. Status Code: 400. Message: Server URL is not valid in format. |
List Activity Data
Retrieves activity (also known as event data) based on the specified query.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Required | The start of the data retrieval range (in UTC) in the MM-dd-yyyy HH:mm AM|PM format. The range between Start Time and End Time cannot exceed 24 hours. | 11/01/2022 12:00 AM |
End Time | Required | The end of the data retrieval range (in UTC) in the MM-dd-yyyy HH:mm AM|PM format. The range between Start Time and End Time cannot exceed 24 hours. | 11/24/2022 12:00 AM |
Open Query | Optional | The query string to return data in the <FieldName> = <FieldValue> AND <FieldName> = <FieldValue> syntax. Supported field names include (non-exhaustive):
In multitenant environments, this command returns all tenants accessible to the authenticated user if no tenant name is specified. For details about the query, see Getting Started with Spotter Queries. | tenantname=partners001 AND resourcegroupname=vcenter |
Limit | Optional | The maximum number of results to return. Valid values are integers from 0 to 1,000. By default, the value is 100. | 2 |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Activity Data failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data | List Activity Data failed. Status Code: 400. Message: Server URL is not valid in format. |
List All Entities Present in an Existing Watchlist
Checks whether specified entities are present in a watchlist.
Input
Input Parameter | Required/Optional | Description | Example |
Entity ID | Required | The ID of the entity to check against the watchlist. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List All Entities Present in an Existing Watchlist failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data | List All Entities Present in an Existing Watchlist failed. Status Code: 400. Message: Server URL is not valid in format. |
List All Tenants
Returns the list of tenants configured in the SNYPR multi-tenant environment that are accessible to the authenticated account.
Input
N/A
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List All Tenants failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data List All Tenants failed. Status Code: 400. Message: Server URL is not valid in format. |
List Policies
Retrieves the list of policies (rules) configured in Unified Defense SIEM for detecting violators, violations, and threats. The response returns all policies available in the system.
Input
N/A
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Policies failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data List Policies failed. Status Code: 400. Message: Server URL is not valid in format. |
List Possible Threat Actions
Retrieves all possible threat actions.
Input
N/A
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Possible Threat Actions failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data List Possible Threat Actions failed. Status Code: 400. Message: Server URL is not valid in format. |
List Resource Groups
Retrieves grouping of similar data sources (i.e. devices, applications, servers, databases, etc.) configured in Unified Defense SIEM for monitoring. The response returns all resource groups available in the system.
Input
N/A
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Resource Groups failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data List Resource Groups failed. Status Code: 400. Message: Server URL is not valid in format. |
List Users
Retrieves all users available in the system.
Input
N/A
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Users failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data List Users failed. Status Code: 400. Message: Server URL is not valid in format. |
List Violation Data
Runs a Spotter query to list all violations in the violation collection. This command supports simple searches on the activity collection from the Unified Defense SIEM interface. Operator-based searches, including the pipe (|) operator, are not supported.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Required | The start of the violation data retrieval range (in UTC) in the MM-dd-yyyy HH:mm AM|PM format. | 11/01/2022 12:00 AM |
End Time | Required | The end of the violation data retrieval range (in UTC) in the MM-dd-yyyy HH:mm AM|PM format. | 11/24/2022 12:00 AM |
Open Query | Optional | The query string to return events in the <FieldName> = <FieldValue> AND <FieldName> = <FieldValue> syntax. Supported field names include (non-exhaustive): For details about the query, see Getting Started with Spotter Queries. | baseeventid=***** AND tenantname=partners001 |
Limit | Optional | The maximum number of violation data results to return. Valid values are integers from 0 to 1,000. By default, the value is 100. | 2 |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Violation Data failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data List Violation Data failed. Status Code: 400. Message: Server URL is not valid in format. |
List Watchlists
Retrieves all watchlists.
Input
N/A
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Watchlists failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data List Watchlists failed. Status Code: 400. Message: Server URL is not valid in format. |
List Workflows
Retrieves all available incident workflows.
Input
N/A
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Workflows failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data List Workflows failed. Status Code: 400. Message: Server URL is not valid in format. |
Search by Index
Retrieves search results from an index using Spotter query syntax. When executed, the system returns up to 1,000 event records for hot data and up to 300 event records for archived data.
Input
Input Parameter | Required/Optional | Description | Example |
Index | Optional | The index in which to search. Valid values are: By default, the value is set to Activity. | Threat Intelligence |
Query Statement | Optional | The query statement using Spotter query syntax. See Getting Started with Spotter Queries. | tpi_src=syslog |
Start Time | Optional | The start time (in UTC) of the search range for the Activity, Violation, or Archive index. The range between Start Time and End Time cannot exceed 24 hours. | 11/01/2022 12:00 AM |
End Time | Optional | The end time (in UTC) of the search range for the Activity, Violation, or Archive index. The range between Start Time and End Time cannot exceed 24 hours. | 11/02/2022 12:00 AM |
Custom Index | Optional | The name of the custom index in which to search. Use this parameter if the required index is not available in the Index parameter list. When specified, this parameter overrides the Index parameter. | snowflake |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search by Index failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data Search by Index failed. Status Code: 400. Message: Server URL is not valid in format. |
Search Events
Retrieves a list of events with details based on the specified query.
READER NOTE
Tenant Name is an optional parameter to run this command.
Run the List All Tenants command to obtain the Tenant Name. Tenant Names can be found in the raw data at $.result.*.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Required | The start of the event retrieval range (in UTC) in the MM-dd-yyyy HH:mm AM|PM format. The range between Start Time and End Time cannot exceed 24 hours. | 11/01/2022 12:00 AM |
End Time | Required | The end of the event retrieval range (in UTC) in the MM-dd-yyyy HH:mm AM|PM format. The range between Start Time and End Time cannot exceed 24 hours. | 1/24/2022 12:00 AM |
Open Query | Optional | The query string to return targeted events based on specific keywords and syntax. Supported field names include (non-exhaustive): For details about the query, see Spotter Query Structure. | resourcegroupname=vcenter AND categoryseverity=0 |
Tenant Name | Optional | The name of the tenant from which to retrieve events when using an MSSP account. This parameter is not applicable for tenant user accounts, where the tenant name is applied automatically. Tenant Name can be obtained using the List All Tenants command. | Partners001 |
Limit | Optional | The maximum number of events to return. Valid values are integers from 0 to 1,000. By default, the value is 100. | 2 |
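The Start Time, End Time, Open Query and Limit inputs above, and the same inputs in the List Violation Data table, carry constraints worth checking before a playbook submits them: the 24-hour window stated for Search Events, the 0 to 1,000 Limit range, and the page's note that operator-based searches (including the pipe) are not supported. The following is an added example, not D3 SOAR's or Securonix's own code, that validates those inputs and builds the `<FieldName> = <FieldValue> AND ...` query string. Assumptions: timestamps are parsed in the slash form of the page's examples (`11/01/2022 12:00 AM`, UTC), and `enforce_window` is a switch of this example for reusing the same check with List Violation Data, whose table states no window cap.

```python
"""Added example (not D3 SOAR's or Securonix's own code): validate the
Start Time / End Time / Limit / Open Query inputs documented for the
Search Events and List Violation Data commands.

Assumptions, also stated in the lead-in: timestamps use the slash form of
the page's examples ("11/01/2022 12:00 AM", UTC); the 24-hour window rule
is the one stated for Search Events; the query is joined with " AND "
following the page's "<FieldName> = <FieldValue> AND ..." syntax.
"""
from datetime import datetime, timedelta

TIME_FORMAT = "%m/%d/%Y %I:%M %p"  # parses and prints "11/01/2022 12:00 AM"
MAX_WINDOW = timedelta(hours=24)   # Search Events: range cannot exceed 24 hours
MAX_LIMIT = 1000                   # Limit: integers from 0 to 1,000
DEFAULT_LIMIT = 100                # page default when Limit is omitted


def parse_time(value):
    """Parse a UTC timestamp in the page's example form (ValueError otherwise)."""
    return datetime.strptime(value.strip(), TIME_FORMAT)


def window_hours(start, end):
    """Hours between two timestamps; used to report how far a range overshoots."""
    return (parse_time(end) - parse_time(start)).total_seconds() / 3600


def build_query(fields):
    """Join {field: value} pairs as '<FieldName> = <FieldValue> AND ...'.

    The page states that operator-based searches, including the pipe (|)
    operator, are not supported, so a '|' in a name or value is rejected
    rather than passed through to the API.
    """
    parts = []
    for name, value in fields.items():
        if "|" in name or "|" in str(value):
            raise ValueError(f"pipe operator is not supported (field {name!r})")
        parts.append(f"{name} = {value}")
    return " AND ".join(parts)


def build_search_params(start, end, limit=None, fields=None, enforce_window=True):
    """Return the validated input dict for the command, or raise ValueError.

    enforce_window=True applies the 24-hour cap documented for Search Events;
    pass False for List Violation Data, whose table states no such cap.
    """
    start_dt, end_dt = parse_time(start), parse_time(end)
    if end_dt <= start_dt:
        raise ValueError("End Time must be later than Start Time")
    if enforce_window and end_dt - start_dt > MAX_WINDOW:
        raise ValueError(
            f"range is {window_hours(start, end):.1f} h; it cannot exceed 24 hours")
    if limit is None:
        limit = DEFAULT_LIMIT
    if isinstance(limit, bool) or not isinstance(limit, int) or not 0 <= limit <= MAX_LIMIT:
        raise ValueError("Limit must be an integer from 0 to 1000")
    params = {
        "Start Time": start_dt.strftime(TIME_FORMAT),
        "End Time": end_dt.strftime(TIME_FORMAT),
        "Limit": limit,
    }
    if fields:
        params["Open Query"] = build_query(fields)
    return params


if __name__ == "__main__":
    # Input values taken from the page's Search Events example rows.
    print(build_search_params("11/01/2022 12:00 AM", "11/02/2022 12:00 AM", 2,
                              {"resourcegroupname": "vcenter",
                               "categoryseverity": "0"}))
```

Rejecting the pipe locally gives a clear playbook error instead of an opaque API failure, and the window check catches the common mistake of copying a multi-day range from a List Violation Data step into Search Events.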
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search Events failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data Search Events failed. Status Code: 400. Message: Server URL is not valid in format. |
Search Threats
Retrieves a list of threats with corresponding details based on the specified query.
READER NOTE
Tenant Name is an optional parameter to run this command.
Run the List All Tenants command to obtain the Tenant Name. Tenant Names can be found in the raw data at $.result.*.
Input
Input Parameter | Required/Optional | Description | Example |
Tenant Name | Optional | The name of the tenant from which to retrieve threats when using an MSSP account. This parameter is not applicable for tenant user accounts, where the tenant name is applied automatically. Tenant Name can be obtained using the List All Tenants command. | Securonix |
Domain | Optional | Filters threats by domain. | paiapark.com |
IP Address | Optional | Filters threats by IP address. | ***.***.***.*** |
Category | Optional | Filters threats by category. | phishing |
Severity | Optional | Filters threats by severity. | high |
Type | Optional | Filters threats by type. | Malicious Domain |
Source | Optional | Filters threats by source. | MalwareDomains |
Optional Conditions | Optional | Filters threats using additional fields in the Field1=Value1 AND Field2=Value2 format. See Attributes by Field Group. | tpi_src=syslog AND tpi_filename=fiel1.zip |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search Threats failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data Search Threats failed. Status Code: 400. Message: Server URL is not valid in format. |
Take Incident Action
Executes a specified action on one or more incidents.
READER NOTE
Incident IDs and Action Name are required parameters to run this command.
Run the Fetch Incident command to obtain the Incident IDs. Incident IDs can be found in the raw data at $.result.data.incidentItems[*].incidentId.
Run the Get Incident Available Actions command to obtain the Action Name. Action Names can be found in the raw data at $.result[*].actionName.
Required Attributes is an optional parameter to run this command.
Run the Get Incident Available Actions command to obtain the Required Attributes. Required Attributes can be found in the raw data at $.result[*].actionDetails[*].sections.attributes[*].attribute.
Recommended approach for using this command:
Run the Fetch Incident command to retrieve the desired incident IDs at $.result.data.incidentItems[*].incidentId.
Use the retrieved incident IDs with the Get Incident Available Actions command to obtain the action name at $.result[*].actionName and any required attributes at $.result[*].actionDetails[*].sections.attributes[*].attribute.
Required attributes are identified by "required": true in the same object within the attributes array.
Provide those values when running this command.
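The recommended approach above chains three commands through the raw-data paths the reader note gives. The following added example (not D3 SOAR's or Securonix's own code) walks those paths in Python: it pulls incident IDs from a Fetch Incident response, collects each action name with the attributes flagged `"required": true` from a Get Incident Available Actions response, and assembles the Take Incident Action inputs, refusing an action the incidents do not offer or an attribute set that misses a required attribute. Both response payloads are constructed samples shaped after the page's JSONPaths; the incident IDs, the attribute names and the `Start Investigation` action are invented for illustration (`Close` is the page's own example).

```python
"""Added example (not D3 SOAR's or Securonix's own code): follow the raw-data
paths from the reader note for the Take Incident Action workflow.

The two payloads are constructed samples shaped after the page's JSONPaths
($.result.data.incidentItems[*].incidentId, $.result[*].actionName,
$.result[*].actionDetails[*].sections.attributes[*]); IDs, attribute names
and the "Start Investigation" action are invented for illustration.
"""

# Constructed Fetch Incident raw data (shape from the page, values invented).
FETCH_INCIDENT_RESPONSE = {
    "result": {"data": {"incidentItems": [
        {"incidentId": "100107", "status": "Open"},
        {"incidentId": "100108", "status": "Open"},
    ]}}
}

# Constructed Get Incident Available Actions raw data (shape from the page).
AVAILABLE_ACTIONS_RESPONSE = {
    "result": [
        {"actionName": "Close",
         "actionDetails": [{"sections": {"attributes": [
             {"attribute": "comment", "required": True},
             {"attribute": "reason", "required": False},
         ]}}]},
        {"actionName": "Start Investigation", "actionDetails": []},
    ]
}


def incident_ids(fetch_response):
    """$.result.data.incidentItems[*].incidentId from a Fetch Incident response."""
    items = fetch_response.get("result", {}).get("data", {}).get("incidentItems", [])
    return [item["incidentId"] for item in items if "incidentId" in item]


def available_actions(actions_response):
    """Map each $.result[*].actionName to the attribute names with "required": true.

    Attributes sit at $.result[*].actionDetails[*].sections.attributes[*];
    the "required" flag is in the same object as "attribute", as the page notes.
    """
    actions = {}
    for action in actions_response.get("result", []):
        required = []
        for detail in action.get("actionDetails", []):
            for attr in detail.get("sections", {}).get("attributes", []):
                if attr.get("required") is True:
                    required.append(attr["attribute"])
        actions[action["actionName"]] = required
    return actions


def build_take_action_input(ids, action_name, actions, attributes=None):
    """Assemble the command inputs keyed by the page's parameter names.

    Raises ValueError when no incident IDs are given, when the action is not
    among those returned for the incidents, or when a required attribute is
    missing from `attributes`.
    """
    if not ids:
        raise ValueError("Incident IDs is required")
    if action_name not in actions:
        raise ValueError(f"action {action_name!r} is not available; "
                         f"choose one of {sorted(actions)}")
    attributes = dict(attributes or {})
    missing = [a for a in actions[action_name] if a not in attributes]
    if missing:
        raise ValueError(f"missing required attributes for {action_name!r}: {missing}")
    payload = {"Incident IDs": list(ids), "Action Name": action_name}
    if attributes:
        payload["Required Attributes"] = attributes
    return payload


if __name__ == "__main__":
    ids = incident_ids(FETCH_INCIDENT_RESPONSE)
    actions = available_actions(AVAILABLE_ACTIONS_RESPONSE)
    print(build_take_action_input(ids, "Close", actions,
                                  {"comment": "Closed by playbook"}))
```

Checking the action name against the Get Incident Available Actions result before calling Take Incident Action matters because, as the table below states, not every action is available for every incident; failing early keeps the playbook from half-applying an action across a batch of incident IDs.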
Input
Input Parameter | Required/Optional | Description | Example |
Incident IDs | Required | The IDs of the incidents on which to take action. Incident IDs can be obtained using the Fetch Incident command. | JSON |
Action Name | Required | The action to perform for the incident. Not all actions are available for every incident. Valid values are: Available action names for the specified incidents can be obtained using the Get Incident Available Actions command. | Close |
Required Attributes | Optional | The attributes required by the configured workflow in the organization. All available attributes for an incident are returned in the attributes array from the Get Incident Available Actions command, where "required": true indicates a required attribute. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Take Incident Action failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data Take Incident Action failed. Status Code: 400. Message: Server URL is not valid in format. |
Test Connection
Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Output Type | Description | Return Data Type |
Return Data | Indicates one of the possible command execution states: Successful or Failed. The Failed state can be triggered by any of the following errors: More details about an error can be viewed in the Error tab. | String |
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Securonix portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server URL is not valid in format. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 400. Message: Server URL is not valid in format. |