SonicWall

Overview

The SonicWall Network Security virtual (NSv) firewall series offers Next-Generation Firewall (NGFW) capabilities that enable security teams to mitigate security risks and vulnerabilities posed by threats. Through this integration, security teams can perform management actions, including getting syslogs, adding and removing IP addresses from groups and adding URLs to URI lists/groups.

SonicWall is available for use in:

D3 SOAR	V15.3.40.0+
Category	Network Security
Deployment Options	Option I, Option III

Connection

To connect to SonicWall from D3 SOAR, please follow this part to collect the required information below:

Parameter	Description	Example
Server URL	The server URL of the SonicWall instance.	https://1.1.1.1.123
User Name	The admin username to authenticate the connection.	admin
Password	The password to authenticate the connection	password

Permission Requirements

All commands in this integration require administrator permissions.

Configuring SonicWall to Work with D3 SOAR

Log in to your SonicWall instance with your account credentials.
Select DEVICE from the top navigation bar. From the left sidebar, select Administration, then click on the Audit/SonicOS API tab. Ensure both SonicOS API and RFC-7616 HTTP Digest Access authentication are enabled.

Configuring D3 SOAR to Work with SonicWall

Log in to D3 SOAR.
Find the SonicWall integration.
1. Navigate to Configuration on the top header menu.
2. Click on the Integration icon on the left sidebar.
3. Type SonicWall in the search box to find the integration, then click it to select it.
4. Click + New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to SonicWall.
1. Connection Name: The desired name for the connection.
2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
5. Description (Optional): Add your desired description for the connection.
6. Configure User Permissions: Defines which users have access to the connection.
7. Active: Check the tick box to ensure the connection is available for use.
8. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
  1. Input the domain-level Server URL.
  2. Input the User Name (admin account).
  3. Input the Password.
9. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
10. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
  To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
2. Click OK to close the alert window.
3. Click + Add to create and add the configured connection.

Commands

SonicWall includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the SonicWall API, please refer to the SonicWall API reference.

Reader Note

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring SonicWall to Work with D3 SOAR for details.

Add Domains To URI List

Adds a list of domains to the specified domain-typed URI list. The configuration change is committed when the command runs successfully.

Reader Note

URI List Name is a required parameter to run this command.

Run the List URI Objects command to obtain URI List Names. URI List Names can be obtained from the returned raw data at the path $.content_filter.uri_list_object[*].name.

Alert

Attempting to add a domain that is already included on the specified URI list will result in an error.

Input

Input Parameter	Required/Optional	Description	Example
URI List Name	Required	The name of the URI list to add domains. URI List Name can be obtained using the List URI Objects command.	Domain URI
Domain Names	Required	The domains to add to the specified URI list.	["example.test", "store.test" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "content_filter": {
        "uri_list_object": [
            {
                "name": "Domain URI",
                "uuid": "00000000-0000-0000-0f00-0000000f00ab",
                "type": "domain",
                "domain": [
                    {
                        "domain": "test.com"
                    },
                    {
                        "domain": "example.test"
                    },
                    {
                        "domain": "store.test"
                    }
                ]
            }
        ]
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "URIListName": "\"Domain URI\"",
    "URIListUUID": "\"00000000-0000-0000-0f00-0000000f00ab\"",
    "Domains": "\"[ \\\"example.test\\\",    \\\"store.test\\\"]\""
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

NAME	UUID	TYPE	DOMAIN
Domain URI	00000000-0000-0000-0f00-0000000f00ab	domain	[{'domain': 'test.com'}, {'domain': 'example.test'}, {'domain': 'store.test'}]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Add Domains To URI List failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Command 'show content-filter uri-list-object name \"****\"' does not match.

Error Sample Data

Add Domains To URI List failed.

Status Code: 400.

Message: Command 'show content-filter uri-list-object name \"****\"' does not match

Add IPs To Address Group

Adds IP addresses to the specified address group. Note: IPv4 and IPv6 addresses cannot be added to the same address group, as each group can only contain one type of IP address. The configuration change is committed when the command runs successfully.

Reader Note

Address Group Name is a required parameter to run this command.

Run the List Address Groups command to obtain Address Group Names. Address Group Names can be obtained from the returned raw data at the path $.address_groups[*].name.

Zone is an optional parameter to run this command.

Run the List Zone command to obtain Zones. Zones can be obtained from the returned raw data at the path $.zones[*].name.

Alert

Attempting to add an IP address that is already included in the specified address group will result in an error.

Input

Input Parameter	Required/Optional	Description	Example
Address Group Name	Required	The name of the address group name to add IP addresses. Address group names can be obtained using the List Address Groups command.	ipBlackList1101
Zone	Optional	The IP zone associated with the address group. IP zones can be obtained using the List Zones command. To learn more about zones in Sonicwall, see How do zones work in SonicOS? \| SonicWall.	WAN
IP Type	Required	The IP address type (i.e., IPv4 or IPv6) of the input IP addresses.	IPv4
IP Addresses	Required	The IP addresses to add to the specified address group.	[ "1.1.1.3" , "1.1.1.4" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "address_groups": [
        {
            "ipv4": {
                "name": "ipBlackList1101",
                "uuid": "00000000-0000-0000-0000-0000000f00ab",
                "address_object": {
                    "ipv4": [
                        {
                            "name": "ipBlackList1101-AO-1.1.1.4"
                        },
                        {
                            "name": "ipBlackList1101-AO-1.1.1.3"
                        },
                        {
                            "name": "test"
                        }
                    ]
                }
            }
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "IPAddresses": "\"[ \\\"1.1.1.3\\\", \\\"1.1.1.4\\\" ]\"",
    "AddressGroupName": "\"ipBlackList1101\"",
    "AddressGroupUUID": "\"00000000-0000-0000-0000-0000000f00ab\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name	ipBlackList1101
uuid	00000000-0000-0000-0000-0000000f00ab
address_object	{'ipv4': [{'name': 'ipBlackList1101-AO-1.1.1.4'}, {'name': 'ipBlackList1101-AO-1.1.1.3'}, {'name': 'test'}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Add IPs To Address Group failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: IP Address already exists.

Error Sample Data

Add IPs To Address Group failed.

Status Code: 400.

Message: IP Address already exists.

Add Keywords To URI List

Adds a list of keywords to the specified keyword-typed URI list. The configuration change is committed when the command runs successfully.

Reader Note

URI List Name is a required parameter to run this command.

Run the List URI Objects command to obtain URI List Names. URI List Names can be obtained from the returned raw data at the path $.content_filter.uri_list_object[*].name.

Alert

Attempting to add keyword names that are already keywords in the specified address group will result in an error.

Input

Input Parameter	Required/Optional	Description	Example
URI List Name	Required	The name of the URI list to add keywords. URI List Name can be obtained using the List URI Objects command.	Keyword URI
Keyword Names	Required	The list of keywords to add to the specified URI list.	[ "example", "test" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "content_filter": {
        "uri_list_object": [
            {
                "name": "Keyword URI",
                "uuid": "00000000-0000-0000-0f00-0000000f00ab",
                "type": "keyword",
                "keyword": [
                    {
                        "keyword": "spam"
                    },
                    {
                        "keyword": "example"
                    },
                    {
                        "keyword": "test"
                    }
                ]
            }
        ]
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "URIListName": "\"Keyword URI\"",
    "URIListUUID": "\"00000000-0000-0000-0f00-0000000f00ab\"",
    "Keywords": "\"[ \\\"example\\\", \\\"test\\\" ]\""
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

NAME	UUID	TYPE	KEYWORD
Keyword URI	00000000-0000-0000-0f00-0000000f00ab	keyword	[{'keyword': 'spam'}, {'keyword': 'example'}, {'keyword': 'test'}]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Add Keywords To URI List failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Keyword already exists.

Error Sample Data

Add Keywords To URI List failed.

Status Code: 400.

Message: Keyword already exists.

Add URI List To URI Group

Adds a URI list to the specified URI list group. The configuration change is committed when the command runs successfully.

Reader Note

URI List Group Name and URI List Name are required parameters to run this command.

Run the List URI Objects command to obtain URI List Names. URI List Names can be obtained from the returned raw data at the path $.content_filter.uri_list_object[*].name.
Run the List URI Groups command to obtain URI List Group Names. URI List Group Names can be obtained from the returned raw data at the path $.content_filter.uri_list_group[*].name.

Input

Input Parameter	Required/Optional	Description	Example
URI List Group Name	Required	The name of the URI group to add the URI list. URI List Group Name can be obtained using the List URI Objects command.	Blocked Group
URI List Name	Required	The name of the URI list to add to the specified URI group. URI List Name can be obtained using the List URI Objects command.	["Keyword URI"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "content_filter": {
        "uri_list_group": [
            {
                "name": "Blocked Group",
                "uuid": "00000000-0000-0000-0000-0000000f00ab",
                "uri_list_object": [
                    {
                        "name": "Keyword URI"
                    },
                    {
                        "name": "Domain URI"
                    }
                ]
            }
        ]
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "URIListGroupName": "\"Blocked Group\"",
    "URIListGroupUUID": "\"00000000-0000-0000-0000-0000000f00ab\"",
    "URI Lists": "\"[ { \\\"name\\\": \\\"Keyword URI\\\" },   { \\\"name\\\": \\\"Domain URI\\\" } ]\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

NAME	UUID	URI_LIST_OBJECT
Blocked Group	00000000-0000-0000-0000-0000000f00ab	[{'name': 'Keyword URI'}, {'name': 'Domain URI'}]

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Add URI List To URI Group failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: URL List does not match.

Error Sample Data

Add URI List To URI Group failed.

Status Code: 400.

Message: URL List does not match.

Add URLs To URI List

Adds a list of URLs to the specified URI-typed URI list. The configuration change is committed when the command runs successfully.

Reader Note

URI List Name is a required parameter to run this command.

Run the List URI Objects command to obtain URI List Names. URI List Names can be obtained from the returned raw data at the path $.content_filter.uri_list_object[*].name.

Alert

Attempting to add URLs that are already on the specified URI list will result in an error. Additionally, the URI list type must be "URI" for the operation to succeed; otherwise, an error will occur.

Input

Input Parameter	Required/Optional	Description	Example
URI List Name	Required	The name of the URI list to add URLs. Note: The URI list type must be "URI". URI List Name can be obtained using the List URI Objects command.	Path URI
URL Names	Required	The list of URLs to add to the URI list.	[ "example.com/test", "store.club/test" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "content_filter": {
        "uri_list_object": [
            {
                "name": "Path URI",
                "uuid": "00000000-0000-0000-0f00-0000000f00ab",
                "type": "uri",
                "uri": [
                    {
                        "uri": "test.com"
                    },
                    {
                        "uri": "example.com/test"
                    },
                    {
                        "uri": "store.club/test"
                    }
                ]
            }
        ]
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "URIListName": "\"Path URI\"",
    "URIListUUID": "\"00000000-0000-0000-0f00-0000000f00ab\"",
    "URLs": "\"[ \\\"example.com/test\\\",    \\\"store.club/test\\\"]\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

NAME	UUID	TYPE	URI
Path URI	00000000-0000-0000-0f00-0000000f00ab	uri	[{'uri': 'test.com'}, {'uri': 'example.com/test'}, {'uri': 'store.club/test'}]

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Add URLs To URI List failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The URl already exists.

Error Sample Data

Add URLs To URI List failed.

Status Code: 400.

Message: You must have a valid Support account to call this API.

Create Address Group

Creates a new IP address group. The configuration change is committed when the command runs successfully.

Reader Note

Address Object Names is a required parameter to run this command.

Run the List Address Objects command to obtain URI List Names. URI List Names can be obtained from the returned raw data at the path $.address_objects[*].name.

Alert

To avoid errors, ensure that you do not enter the same values as an existing address group.
When adding Address Object Names to the new group, verify that the IP Type is correct to avoid an error message indicating a mismatch between the Address Object and its type.

Input

Input Parameter	Required/Optional	Description	Example
IP Type	Required	The IP address type (i.e., IPv4 or IPv6) of the input IP addresses.	IPv4
Address Group Name	Required	The name of the address group.	ipBlackList1101
Address Object Names	Required	The names of the address objects to add to the address group. Address object names can be obtained using the List Address Object command.	[ "X1 IP", "X0 IP" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "address_groups": [
        {
            "ipv4": {
                "name": "ipBlackList1121V4",
                "uuid": "00000000-0000-0000-0000-0000000f00ab",
                "address_object": {
                    "ipv4": [
                        {
                            "name": "X1 IP"
                        },
                        {
                            "name": "X0 IP"
                        }
                    ]
                }
            }
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "AddressGroupName": "\"[ \\\"ipBlackList1121V4\\\" ]\"",
    "AddressGroupUUID": "\"[ \\\"00000000-0000-0000-00000-0000000f00ab\\\" ]\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name	ipBlackList1121V4
uuid	00000000-0000-0000-0000-0000000f00ab
address_object	{'ipv4': [{'name': 'X1 IP'}, {'name': 'X0 IP'}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create Address Group failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The Address Group already exists.

Error Sample Data

Create Address Group failed.

Status Code: 400.

Message: The Address Group already exists.

Delete Config Pending

Deletes all pending (unsaved) configurations.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "status": {
        "success": true,
        "cli": {
            "mode": "config_mode",
            "depth": 1,
            "configuring": true,
            "pending_config": false,
            "restart_required": "FALSE"
        },
        "info": [
            {
                "level": "info",
                "code": "E_OK",
                "message": "Success."
            }
        ]
    }
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

LEVEL	CODE	MESSAGE
info	E_OK	Success.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Config Pending failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized. Incorrect name/password

Error Sample Data

Delete Config Pending failed.

Status Code: 401.

Message: Unauthorized. Incorrect name/password

Get Address Groups By Names

Retrieves IP address group configurations.

Reader Note

Address Group Name is a required parameter to run this command.

Run the List Address Groups command to obtain Address Group Names. Address Group Names can be obtained from the returned raw data at the path $.address_groups[*].name

Alert

Ensure that the correct IP type is selected for the corresponding address groups. Otherwise, an error message indicating mismatched address groups will be returned.

Input

Input Parameter	Required/Optional	Description	Example
IP Type	Required	The IP address type (i.e., IPv4 or IPv6) of the input address groups.	IPv4
Address Group Names	Required	The names of the address groups to retrieve. Address group names can be obtained using the List Address Groups command.	[ "LAN Subnets" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "address_groups": [
        {
            "ipv4": {
                "name": "LAN Subnets",
                "uuid": "***-***-***-***-***",
                "address_object": {
                    "ipv4": [
                        {
                            "name": "X0 Subnet"
                        }
                    ]
                }
            }
        }
    ],
    "errors": [
        {
            "addressGroupName": "LAN Subnets%",
            "failedAction": "Get address group detail failed.",
            "statusCode": 404,
            "reason": "notfound",
            "message": {
                "status": {
                    "success": false,
                    "cli": {
                        "depth": 1,
                        "mode": "{string}",
                        "command": "{string}",
                        "configuring": false,
                        "pending_config": true,
                        "restart_required": "{string}"
                    },
                    "info": [
                        {
                            "level": "info",
                            "code": "E_OK",
                            "message": "Changes made."
                        }
                    ]
                }
            }
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "AddressGroupNames": "\"[ \\\"LAN Subnets\\\" ]\"",
    "AddressGroupUUIDs": "\"[ \\\"***-***-***-***-***\\\" ]\""
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name	LAN Subnets
uuid	*----*
address_object	{'ipv4': [{'name': 'X0 Subnet'}]}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Address Groups By Names failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Show address-group ipv4 type \"*****\" does not match.

Error Sample Data

Get Address Groups By Names failed.

Status Code: 400.

Message: Show address-group ipv4 type \"*****\" does not match.

Get Config Pending

Retrieves a list of all pending (unsaved) configurations.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "address_objects": [
        {
            "pending": "ADD",
            "ipv4": {
                "name": "ipBlackList1101-AO-1.1.1.6",
                "uuid": "",
                "zone": "WAN",
                "host": {
                    "ip": "1.1.1.6"
                }
            }
        }
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

address_objects

{'pending': 'ADD', 'ipv4': {'name': 'ipBlackList1101-AO-1.1.1.6', 'uuid': '', 'zone': 'WAN', 'host': {'ip': '1.1.1.6'}}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Config Pending failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized. Incorrect name/password.

Error Sample Data

Delete Config Pending failed.

Status Code: 401.

Message: Unauthorized. Incorrect name/password.

Get Syslog

Retrieves SonicWall syslog messages.

Reader Note

Start Time and End Time are optional parameters to run this command.

For Start Time, please use local time if your syslog setting also uses local time; otherwise, use UTC time. If you do not specify a start time, all syslog events up to the specified end time will be returned.
For End time, please use local time if your syslog setting also uses local time; otherwise, use UTC time. If you do not specify an end time, all syslog events from the specified start time up to the current time will be returned.

Input

Input Parameter	Required/Optional	Description	Example
Start Time	Optional	The start time of the time range to retrieve syslogs, by event creation time. If your syslog setting uses local time, use local time. Otherwise, use UTC time. If no start time is specified, all events in the syslog until the specified end time will be retrieved.	2023-04-01 00:00
End Time	Optional	The end time of the time range to retrieve syslogs, by event creation time. If your syslog setting uses local time, use local time. Otherwise, use UTC time. If no end time is specified, all events in the syslog up to the current time will be retrieved.	2023-04-02 00:00
Category	Optional	The category of syslogs to retrieve. If this parameter is not defined, syslogs of any category will be returned.	Security Services
Priority	Optional	The priority level of syslogs to retrieve. If this parameter is not defined, syslogs of any priority level will be returned.	Alert
Source IPs	Optional	The source IP addresses filter the returned syslogs.	[ "10.0.1.1" ]
Destination IPs	Optional	The destination IP addresses to filter the returned syslogs.	[ "10.0.1.16" ]
MessageText	Optional	The full or partial event message to filter the returned syslogs.	IP spoof

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

[
  {
      "Time": "11/01/2022 15:39:38",
      "ID": 23,
      "Category": "Security Services",
      "Group": "Attacks",
      "Event": "IP Spoof Detected",
      "Msg. Type": "Standard Note Ethernet Network",
      "Priority": "Alert",
      "Ether Type": 2048,
      "Src. MAC": "****:****:****:***::****",
      "Src. Vendor": "VMWARE",
      "Src. Int.": "X0",
      "Src. Zone": "LAN",
      "Dst. MAC": "****:****:****:***::****",
      "Dst. Vendor": "VMWARE",
      "Dst. Int.": "X1",
      "Dst. Zone": "WAN",
      "Src. IP": "***.***.***.***",
      "Src. Port": 67,
      "Src. Name": "",
      "Src.NAT IP": "",
      "Src.NAT Port": "",
      "In SPI": "",
      "Dst. IP": "***.***.***.***",
      "Dst. Port": 68,
      "Dst. Name": "",
      "Dst.NAT IP": "",
      "Dst.NAT Port": "",
      "Out SPI": "",
      "IP Protocol": "udp",
      "ICMP Type": null,
      "ICMP Code": null,
      "RX Bytes": 328,
      "TX Bytes": "",
      "Access Rule": "",
      "NAT Policy": 1,
      "User Name": "",
      "Session Time": "",
      "Session Type": "",
      "IDP Rule": "",
      "IDP Priority": "",
      "HTTP OP": "",
      "URL": "",
      "VPN Policy": "",
      "HTTP Result": "",
      "Block Cat": "",
      "Application": "",
      "FW Action": "drop",
      "DPI": "",
      "Notes": "",
      "Message": "IP spoof dropped",
      "HTTP Referer": ""
  }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "Time": "\"[ \\\"11/01/2022 15:39:38\\\", \\\"13/01/2022 15:39:38\\\" ]\"",
    "EventIDs": "\"[ ***, ***]\"",
    "Categories": "\"[ \\\"Security Services\\\", \\\"Security Services\\\" ]\"",
    "Priorities": "\"[ \\\"Alert\\\", \\\"Alert\\\" ]\"",
    "Messages": "\"[ \\\"IP spoof dropped\\\", \\\"URL spoof dropped\\\" ]\"",
    "SourceIPs": "\"[ \\\"10.0.1.1\\\", \\\"10.0.1.13\\\" ]\"",
    "DestinationIPs": "\"[ \\\"10.0.1.16\\\", \\\"10.0.1.19\\\" ]\"",
    "SourceZones": "\"[ \\\"LAN\\\", \\\"LAN\\\" ]\"",
    "DestinationZones": "\"[ \\\"WAN\\\", \\\"WAN\\\" ]\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

FilteredCount	5
TotalLogCount	10

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Config Pending failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized. Incorrect name/password.

Error Sample Data

Delete Config Pending failed.

Status Code: 401.

Message: Unauthorized. Incorrect name/password.

List Address Groups

Retrieves the configurations of IPv4 or IPv6 address groups.

Input

Input Parameter	Required/Optional	Description	Example
IP Type	Required	The IP address type (i.e., IPv4 or IPv6) of the address groups to retrieve.	IPv4

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "address_groups": [
        {
            "ipv4": {
                "name": "LAN Subnets",
                "uuid": "***-***-***-***-***",
                "address_object": {
                    "ipv4": [
                        {
                            "name": "X0 Subnet"
                        }
                    ]
                }
            }
        },
        {
            "ipv4": {
                "name": "Firewalled Subnets",
                "uuid": "***-***-***-***-***",
                "address_group": {
                    "ipv4": [
                        {
                            "name": "DMZ Subnets"
                        },
                        {
                            "name": "LAN Subnets"
                        }
                    ]
                }
            }
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "AddressGroupNames": "\"[ \\\"LAN Subnets\\\", \\\"Firewalled Subnets\\\" ]\"",
    "AddressGroupUUIDs": "\"[ \\\"***-***-***-***-***\\\",\\\"***-***-***-***-***\\\" ]\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

NAME	UUID	ADDRESS_OBJECT	ADDRESS_GROUP
LAN Subnets	*----**	{'ipv4': [{'name': 'X0 Subnet'}]}
Firewalled Subnets	*----**		{'ipv4': [{'name': 'DMZ Subnets'}, {'name': 'LAN Subnets'}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Config Pending failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized. Incorrect name/password.

Error Sample Data

Delete Config Pending failed.

Status Code: 401.

Message: Unauthorized. Incorrect name/password.

List Address Objects

Retrieves address objects.

Input Parameter	Required/Optional	Description	Example
IP Type	Required	The IP address type (i.e., IPv4 or IPv6) of the address objects to retrieve.	IPv4

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
  "address_objects": [
      {
          "ipv6": {
              "name": "X0 IPv6 Link-Local Address",
              "uuid": "***-***-***-***-***",
              "zone": "LAN",
              "host": {
                  "ip": "****:****:****:***::****"
              }
          }
      },
      {
          "ipv6": {
              "name": "X0 IPv6 Primary Static Address",
              "uuid": "***-***-***-***-***",
              "zone": "LAN",
              "host": {}
          }
      }
  ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "AddressObjectNames": "\"[ \\\"X0 IPv6 Link-Local Address\\\", \\\"X0 IPv6 Primary Static Address\\\" ]\"",
    "AddressGroupUUIDs": "\"[ \\\"***-***-***-***-***\\\", \\\"***-***-***-***-***\\\" ]\"",
    "Zones": "\"[ \\\"LAN\\\", \\\"LAN\\\" ]\"",
    "AddressObjectHostIPs": "\"[ \\\"***::***:***:***:***\\\" ]\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

address_objects

{'ipv6': {'name': 'X0 IPv6 Link-Local Address', 'uuid': '***-***-***-***-***', 'zone': 'LAN', 'host': {'ip': '***::2***:***:***'}}}
{'ipv6': {'name': 'X0 IPv6 Primary Static Address', 'uuid': '***-***-***-***-***', 'zone': 'LAN', 'host': {}}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Config Pending failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized. Incorrect name/password.

Error Sample Data

Delete Config Pending failed.

Status Code: 401.

Message: Unauthorized. Incorrect name/password.

List URI Groups

Retrieves the configurations of URI list groups. URI lists are used for content filtering.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "content_filter": {
        "uri_list_group": [
            {
                "name": "Blocked Group",
                "uuid": "00000000-0000-0000-0000-0000000f00ab",
                "uri_list_object": [
                    {
                        "name": "Domain URI"
                    }
                ]
            },
            {
                "name": "Whitelist",
                "uuid": "00000000-0000-0000-0000-0000000f00ab",
                "uri_list_object": [
                    {
                        "name": "Keyword URI"
                    }
                ]
            }
        ]
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "URIGroupNames": "\"[ \\\"Blocked Group\\\", \\\"Whitelist\\\" ]\"",
    "URIGroupUUIDs": "\"[ \\\"00000000-0000-0000-0000-0000000f00ab\\\",\\\"00000000-0000-0000-0000-0000000f00ab\\\" ]\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

NAME	UUID	URI_LIST_OBJECT
Blocked Group	00000000-0000-0000-0000-0000000f00ab	[{'name': 'Domain URI'}]
Whitelist	00000000-0000-0000-0000-0000000f00ab	[{'name': 'Keyword URI'}]

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Config Pending failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized. Incorrect name/password.

Error Sample Data

Delete Config Pending failed.

Status Code: 401.

Message: Unauthorized. Incorrect name/password.

List URI Objects

Retrieves the configurations of URI list objects. URI lists are used for content filtering.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "content_filter": {
        "uri_list_object": [
            {
                "name": "Domain URI",
                "uuid": "00000000-0000-0000-0f00-0000000f00ab",
                "type": "domain",
                "domain": [
                    {
                        "domain": "tenonet.com"
                    },
                    {
                        "domain": "test.xyz"
                    },
                    {
                        "domain": "qqexample.store"
                    }
                ]
            },
            {
                "name": "Keyword URI",
                "uuid": "00000000-0000-0000-0f00-0000000f00ab",
                "type": "keyword",
                "keyword": [
                    {
                        "keyword": "test"
                    },
                    {
                        "keyword": "example"
                    }
                ]
            }
        ]
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "content_filter": {
        "uri_list_object": [
            {
                "name": "Domain URI",
                "uuid": "00000000-0000-0000-0f00-0000000f00ab",
                "type": "domain",
                "domain": [
                    {
                        "domain": "tenonet.com"
                    },
                    {
                        "domain": "test.xyz"
                    },
                    {
                        "domain": "qqexample.store"
                    }
                ]
            },
            {
                "name": "Keyword URI",
                "uuid": "00000000-0000-0000-0f00-0000000f00ab",
                "type": "keyword",
                "keyword": [
                    {
                        "keyword": "test"
                    },
                    {
                        "keyword": "example"
                    }
                ]
            }
        ]
    }
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

NAME	UUID	TYPE	DOMAIN	KEYWORD
Domain URI	00000000-0000-0000-0f00-0000000f00ab	domain	[{'domain': 'tenonet.com'}, {'domain': 'test.xyz'}, {'domain': 'qqexample.store'}]
Keyword URI	00000000-0000-0000-0f00-0000000f00ab	keyword		[{'keyword': 'test'}, {'keyword': 'example'}]

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Config Pending failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized. Incorrect name/password.

Error Sample Data

Delete Config Pending failed.

Status Code: 401.

Message: Unauthorized. Incorrect name/password.

List Zones

Retrieves a list of all zones configured in SonicWall.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
  "zones": [
      {
          "name": "LAN",
          "uuid": "***-***-***-***-***",
          "security_type": "trusted",
          "interface_trust": true,
          "auto_generate_access_rules": {
              "allow_from_to_equal": true,
              "allow_from_higher": true,
              "allow_to_lower": true,
              "deny_from_lower": true
          },
          "client": {
              "anti_virus": false,
              "content_filtering": false
          },
          "gateway_anti_virus": true,
          "intrusion_prevention": true,
          "anti_spyware": true,
          "app_control": true,
          "dpi_ssl_client": true,
          "dpi_ssl_server": false,
          "create_group_vpn": false,
          "ssl_control": false,
          "sslvpn_access": false,
          "guest_services": {}
      },
      {
          "name": "WAN",
          "uuid": "***-***-***-***-***",
          "security_type": "untrusted",
          "interface_trust": false,
          "auto_generate_access_rules": {
              "allow_from_to_equal": true,
              "allow_from_higher": true,
              "allow_to_lower": true,
              "deny_from_lower": true
          },
          "gateway_anti_virus": true,
          "intrusion_prevention": true,
          "anti_spyware": true,
          "app_control": true,
          "dpi_ssl_client": false,
          "dpi_ssl_server": true,
          "create_group_vpn": true,
          "ssl_control": false,
          "sslvpn_access": false
      }
  ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "ZoneNames": "\"[ \\\"LAN\\\" ,  \\\"WAN\\\" ]\"",
    "ZoneUUID": "\"[ \\\"***-***-***-***-***\\\", \\\"***-***-***-***-***\\\"]\"",
    "SecurityType": "\"[ \\\"trusted\\\",  \\\"untrusted\\\" ]\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

NAME	UUID	SECURITY_TYPE	INTERFACE_TRUST	AUTO_GENERATE_ACCESS_RULES	CLIENT	GATEWAY_ANTI_VIRUS	INTRUSION_PREVENTION	ANTI_SPYWARE	APP_CONTROL	DPI_SSL_CLIENT	DPI_SSL_SERVER	CREATE_GROUP_VPN	SSL_CONTROL	SSLVPN_ACCESS	GUEST_SERVICES
LAN	*----**	trusted	True	{'allow_from_to_equal': True, 'allow_from_higher': True, 'allow_to_lower': True, 'deny_from_lower': True}	{'anti_virus': False, 'content_filtering': False}	True	True	True	True	True	False	False	False	False	{}
WAN	*----**	untrusted	False	{'allow_from_to_equal': True, 'allow_from_higher': True, 'allow_to_lower': True, 'deny_from_lower': True}		True	True	True	True	False	True	True	False	False

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Config Pending failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized. Incorrect name/password.

Error Sample Data

Delete Config Pending failed.

Status Code: 401.

Message: Unauthorized. Incorrect name/password.

Remove Domains

Removes domains from the specified URI list. The configuration change is committed when the command runs successfully.

Reader Note

URI List Name and Domains are required parameters to run this command.

Run the List URI Objects command to obtain URI List Names. URI List Names can be obtained from the returned raw data at the path $.content_filter.uri_list_object[*].name.
Run the List URI Objects command to obtain Domains. Domains can be obtained from the returned raw data at the path $.content_filter.uri_list_object.domain[*].domain.

Alert

Attempting to remove a domain that is not on the specified URI list will result in an error.

Input

Input Parameter	Required/Optional	Description	Example
URI List Name	Required	The name of the URI list to remove domains. URI List Name can be obtained using the List URI Objects command.	Path URI
Domains	Required	The domains to remove from the specified URI list. Domians can be obtained using the List URI Objects command.	[ "example.test", "store.test" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "domains": {
        "uriListName": "Path URI",
        "domains": [
            "example.com"
        ],
        "message": "Domains have been removed successfully."
    },
    "errors": [
        {
            "uriListName": "Path URI",
            "domain": "store.test",
            "failedAction": "Remove domain from URI list failed.",
            "statusCode": 404,
            "reason": "notfound",
            "message": {
                "status": {
                    "success": false,
                    "cli": {
                        "depth": 1,
                        "mode": "config_mode",
                        "configuring": false,
                        "pending_config": true,
                        "restart_required": "FALSE"
                    },
                    "info": [
                        {
                            "level": "info",
                            "code": "E_OK",
                            "message": "Changes made."
                        }
                    ]
                }
            }
        }
    ]
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

RemoveSuccessfulCount	1
RemoveFailedCount	1

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Remove Domains failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 404.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Domains do not exist in the URI list.

Error Sample Data

Remove Domains failed.

Status Code: 404.

Message: Domains do not exist in the URI list.

Remove IPs From Address Group

Removes IP addresses from the specified address group. The configuration change is committed when the command runs successfully.

Reader Note

Address Group Name is a required parameter to run this command.

Run the List Address Groups command to obtain Address Group Names. Address Group Names can be obtained from the returned raw data at the path $.address_groups[*].name

Alert

When removing an IP Address, ensure that it belongs to the specified address group. Otherwise, an error message indicating that the IP address cannot be found in the address group will be returned.
When removing an IP Address, ensure that the selected IP type matches the IP address being removed. Otherwise, an error message indicating that the IP address cannot be found in the address group will be returned.

Input

Input Parameter	Required/Optional	Description	Example
Address Group Name	Required	The name of the address group to remove IP addresses. Address group names can be obtained using the List Address Groups command.	ipBlackList1101
IP Type	Required	The IP address type (i.e., IPv4 or IPv6) of the input IP addresses.	IPv4
IP Addresses	Required	The IP addresses to remove from the specified address group.	[ "1.1.1.2", "1.1.1.4" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "ipAddresses": {
        "addressGroupName": "ipBlackList1101",
        "ipType": "ipv4",
        "ipAddresses": [
            "1.1.1.2"
        ],
        "message": "IP addresses have been removed successfully."
    },
    "errors": [
        {
            "addressGroupName": "ipBlackList1101",
            "ipType": "ipv4",
            "ipAddresse": "1.1.1.4",
            "failedAction": "Remove IP Address from address group failed.",
            "statusCode": 404,
            "reason": "notfound",
            "message": {
                "status": {
                    "success": false,
                    "cli": {
                        "depth": 1,
                        "mode": "config_mode",
                        "configuring": false,
                        "pending_config": true,
                        "restart_required": "FALSE"
                    },
                    "info": [
                        {
                            "level": "info",
                            "code": "E_OK",
                            "message": "Changes made."
                        }
                    ]
                }
            }
        }
    ]
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

RemoveSuccessfulCount	1
RemoveFailedCount	1

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Remove IPs From Address Group failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 404.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: IPs do not exist in the URI list.

Error Sample Data

Remove IPs From Address Group failed.

Status Code: 404.

Message: IPs do not exist in the URI list.

Remove Keywords

Removes keywords from the specified URI list. The configuration change is committed when the command runs successfully.

Reader Note

URI List Name is a required parameter to run this command.

Run the List URI Objects command to obtain URI List Names. URI List Names can be obtained from the returned raw data at the path $.content_filter.uri_list_object[*].name.

Alert

Attempting to remove keywords that do not exist on the specified URI list will result in an error.

Input

Input Parameter	Required/Optional	Description	Example
URI List Name	Required	The name of the URI list to remove keywords. URI List Name can be obtained using the List URI Objects command.	Path URI
Keywords	Required	The keywords to remove from the specified URI list.	[ "example", "test" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "keywords": {
        "uriListName": "Path URI",
        "keywords": [
            "example"
        ],
        "message": "Keywords have been removed successfully."
    },
    "errors": [
        {
            "uriListName": "Path URI",
            "keyword": "test",
            "failedAction": "Remove keyword from URI list failed.",
            "statusCode": 404,
            "reason": "notfound",
            "message": {
                "status": {
                    "success": false,
                    "cli": {
                        "depth": 1,
                        "mode": "config_mode",
                        "configuring": false,
                        "pending_config": true,
                        "restart_required": "FALSE"
                    },
                    "info": [
                        {
                            "level": "info",
                            "code": "E_OK",
                            "message": "Changes made."
                        }
                    ]
                }
            }
        }
    ]
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

RemoveSuccessfulCount	1
RemoveFailedCount	1

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Remove Keywords failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 404.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Keywords do not exist in the URI list.

Error Sample Data

Remove Keywords failed.

Status Code: 404.

Message: Keywords do not exist in the URI list.

Remove URLs

Removes URLs from the specified URI list. The configuration change is committed when the command runs successfully.

Reader Note

URI List Name is a required parameter to run this command.

Run the List URI Objects command to obtain URI List Names. URI List Names can be obtained from the returned raw data at the path $.content_filter.uri_list_object[*].name.

Alert

Attempting to remove URLs that are not on the specified URI list will result in an error. Additionally, the URI list type must be "URI" for the operation to succeed; otherwise, an error will occur.

Input

Input Parameter	Required/Optional	Description	Example
URI List Name	Required	The name of the URI list to remove URLs. URI List Name can be obtained using the List URI Objects command.	Path URI
URLs	Required	The URLs to remove from the specified URI list.	[ "example.com/test", "store.club/test" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "urls": {
        "uriListName": "Path URI",
        "urls": [
            "example.com/test"
        ],
        "message": "URLs have been removed successfully."
    },
    "errors": [
        {
            "uriListName": "Path URI",
            "url": "store.club/test",
            "failedAction": "Remove URL from URI list failed.",
            "statusCode": 404,
            "reason": "notfound",
            "message": {
                "status": {
                    "success": false,
                    "cli": {
                        "depth": 1,
                        "mode": "config_mode",
                        "configuring": false,
                        "pending_config": true,
                        "restart_required": "FALSE"
                    },
                    "info": [
                        {
                            "level": "info",
                            "code": "E_OK",
                            "message": "Changes made."
                        }
                    ]
                }
            }
        }
    ]
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

RemoveSuccessfulCount	1
RemoveFailedCount	1

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Remove URLs failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 404.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: URL does not exist in the URI list.

Error Sample Data

Remove URLs failed.

Status Code: 404.

Message: URL does not exist in the URI list.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE

Successful

Error Handling

If the Return Data is failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Test Connection failed. Failed to check the connector.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SonicWall portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message:Unauthorized, incorrect name/password.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 401.

Message: Unauthorized, incorrect name/password.