WatchGuard Aether ESM
LAST UPDATED: 05/30/2024
Overview
WatchGuard Panda Aether endpoint security products protect your devices from security threats. Use the Aether Endpoint Security Management integration to monitor and manage devices that run these Panda Aether platform endpoint security products: Adaptive Defense and Adaptive Defense 360 Endpoint Protection and Endpoint Protection Plus.
WatchGuard Aether ESM is available for use in:
Connection
To connect to WatchGuard Aether ESM from D3 SOAR, please follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The server URL of the WatchGuard API. | https://api.*******************.com |
Access ID (Read-Write) | The read-write access ID to authenticate the API connection. | ********************** |
Password | The password to authenticate the API connection. | m13***************************Setf |
API Key | The API key to authenticate the connection. | Kc4***************************dQ1 |
Account ID | The account ID to authenticate the API connection. | acb***************************6a9 |
Managed Account | The managed account to submit API requests for. The is an optional parameter for users who are service providers. | wGi-*****************************6 |
API Version | The version of the API to use for the connection. | v1 |
Configuring WatchGuard Aether ESM to Work with D3 SOAR
To obtain your API key, log in to WatchGuard and navigate to Administration > Account > Managed Access. For more information, see WatchGuard Aether API Authorization.
Configuring D3 SOAR to Work with WatchGuard Aether ESM
Log in to D3 SOAR.
Find the WatchGuard Aether ESM integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type WatchGuard Aether ESM in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to WatchGuard Aether ESM.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the checkbox to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input your domain level Server URL. The default value is https://api.usa.cloud.watchguard.com.
2. Input the Access ID (Read-Write). This value can be obtained from the WatchGuard platform. It is recommended to use read-write access ID, as it allows you to run all commands.
3. Input your account Password.
4. Input your API Key.
5. Input your Account ID. This parameter is not mandatory to establish a connection, but it must be defined to execute commands.
6. (Optional) Input your Managed Account.
7. Input the API Version. The default value is v1. Currently, D3 SOAR supports v1 of WatchGuards API, which allows you to run all commands.Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click Add to create and add the configured connection.
Commands
WatchGuard Aether ESM includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the WatchGuard Aether ESM API, please refer to the WatchGuard Aether ESM API reference.
Get Device Protection Status
Retrieves a list of devices with their protection status and other device information.
Input
Input Parameter | Required/Optional | Description | Example |
Search | Optional | The full or partial text string defining the objects to include in the response data. For example, using "name" would return objects containing "hostname". The only supported search field is hostname. If this field is not specified, the protection status of all devices will be returned. | name |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Device Protection Status failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the WatchGuard Aether ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Search String. |
Error Sample Data Get Device Protection Status failed. Status Code: 400. Message: Invalid Search String. |
Isolate Devices
Isolates the specified devices. When you isolate a device, communication to and from the device is denied.
Reader Note
The parameter Device IDs is required to run this command.
Run the List Devices command to obtain Device IDs. The Device IDs can be found in the raw data at the path $.data[*].device_id.
Input
Input Parameter | Required/Optional | Description | Example |
Device IDs | Required | The IDs of the device(s) to isolate. Device IDs can be obtained using the List Devices command. | ["**********************"] |
Exclusion Programs | Optional | The programs to exclude from the isolation action. These programs are allowed to be able to communicate as usual. | [ "*****************.exe" ] |
Customized Message | Optional | The customized alert message to show on the isolated devices. | This computer has been isolated by an administrator. |
Hide Customized Alert | Optional | The option to hide customized alert messages on the isolated devices, when set to True. If this parameter is not defined, the default value is False. | True |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Isolate Devices failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the WatchGuard Aether ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Device ID not found. |
Error Sample Data Isolate Devices failed. Status Code: 404. Message: Device ID not found. |
List Devices
Retrieves a list of devices, and additional information, such as the device IP address and operating system.
Input
Input Parameter | Required/Optional | Description | Example |
Search | Optional | The full or partial text string defining the devices to include in the response data. For example, using "name" would return objects containing "hostname". The supported search field includes host name, description, IP address, and logged on user. If this field is not specified, all devices will be returned. | name |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Devices failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the WatchGuard Aether ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Search String. |
Error Sample Data List Devices failed. Status Code: 400. Message: Invalid Search String. |
List Unmanaged Devices
Retrieves a list of unmanaged devices discovered on the network.
Input
Input Parameter | Required/Optional | Description | Example |
Search | Optional | The full or partial text string defining the unmanaged devices to include in the response data. For example, using "name" would return objects containing "hostname". The supported search field includes host name, description, IP address, and logged on user. If this field is not specified, all discovered unmanaged devices will be returned. | name |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Unmanaged Devices failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the WatchGuard Aether ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Search String. |
Error Sample Data List Unmanaged Devices failed. Status Code: 400. Message: Invalid Search String. |
Reboot Devices
Initiates reboot action on the specified devices.
Reader Note
The parameter Device IDs is required to run this command.
Run the List Devices command to obtain Device IDs. The Device IDs can be found in the raw data at the path $.data[*].device_id.
Input
Input Parameter | Required/Optional | Description | Example |
Device IDs | Required | The IDs of the devices to reboot. Device IDs can be obtained using the List Devices command. | [ "******************" ] |
Count Down Time | Required | Select the amount of time to count down to reboot devices. The duration of the countdown before rebooting devices. | Two hours |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Reboot Devices failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the WatchGuard Aether ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Device IDs submitted. |
Error Sample Data Reboot Devices failed. Status Code: 400. Message: Invalid Device IDs submitted. |
Retrieve Security Events
Retrieves a list of security events filtered by event type, time period and host names.
Reader Note
The parameter Host Names is optional to run this command.
Run the List Devices command to obtain Host Names. The Host Names can be found in the raw data at the path $.data[*].host_name.
Input
Input Parameter | Required/Optional | Description | Example |
Event Type | Required | The type of security events to retrieve. | Malware URLs |
Period | Required | The timeframe to retrieve security events. The available options are Previous 24 hours and Previous 7 days. | Previous 7 days |
Host Names | Optional | The names of the hosts to retrieve associated security events. If this parameter is not specified, security events associated with all hosts will be returned. The Host Names can be obtained from the List Devices command. | ["**********************"] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Retrieve Security Events failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the WatchGuard Aether ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Event Type. |
Error Sample Data Retrieve Security Events failed. Status Code: 400. Message: Invalid Event Type. |
Scan Devices
Starts a task to scan the specified devices immediately.
Reader Note
The parameter Device IDs is required to run this command.
Run the List Devices command to obtain Device IDs. The Device IDs can be found in the raw data at the path $.data[*].device_id.
Input
Input Parameter | Required/Optional | Description | Example |
Device IDs | Required | The IDs of the devices to scan. Device IDs can be obtained using the List Devices command. | [ "*********************" ] |
Task Name | Required | The name of the scan task. | Routine scan |
Task Description | Optional | The description for the scan task. | Windows 8 machines only. |
Scan Scope | Optional | The scope of the scan task. If this parameter is not defined, the default scope is Whole Computer. | Whole Computer |
Specified Items To Scan | Optional | The locations or items to scan. All specified locations and/or items will be scanned. Note: This parameter is only valid when the Scan Scope parameter is set to Specified Items. | ["C:\Downloads", "C:\Documents"] |
Detect Hacking Tools | Optional | The option to enable hacking tool detection for the scan. This detects potentially unwanted programs, as well as programs used by adversaries. If this parameter is not defined, the default value is False. | False |
Detect Suspicious Files | Optional | The option to enable suspicious file detection for the scan. During scheduled scans, the tool will scan the computer's software without executing it. Some threats may have a lower chance of detection. Setting this parameter to True will enable the scan to use heuristic algorithms to improve detection rates. If this parameter is not defined, the default value is False. | True |
Scan Compressed Files | Optional | The option to scan compressed files. When enabled, compressed files will be decompressed and their contents will be scanned. If this parameter is not defined, the default value is False. | True |
Apply Exclusions On Scan | Optional | The option to enable certain items, including specific files, file extensions, or directory to be excluded from the scan. If this parameter is not defined, the default value is True. | True |
Extensions To Exclude | Optional | The list of file extensions to exclude from the scan. This parameter is only valid when the Apply Exclusions On Scan parameter is set to True. | ["exe", "pdf"] |
Files To Exclude | Optional | The list of file names (with their extensions) to exclude from the scan. This parameter is only valid when the Apply Exclusions On Scan parameter is set to True. | ["**************.exe", "**************.exe" ] |
Folders To Exclude | Optional | The list of full folder paths to exclude from the scan. This parameter is only valid when the Apply Exclusions On Scan parameter is set to True. | ["D:/***/***"] |
Execution Window Expiration | Optional | The duration for the scan to complete before it times out. This value is defined in the format of [Days].[Hours]:[Minutes]:[Seconds]. The default value is 7 days. For example, 8.07:06:05 denotes a duration of 8 days, 7 hours, 6 minutes, and 5 seconds. | ***.***:***:*** |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Scan Devices failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the WatchGuard Aether ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Device ID not found |
Error Sample Data Scan Devices failed. Status Code: 404. Message: Device ID not found |
Unisolate Devices
Stops isolating the specified devices.
Reader Note
The parameter Device IDs is required to run this command.
Run the List Devices command to obtain Device IDs. The Device IDs can be found in the raw data at the path $.data[*].device_id.
Input
Input Parameter | Required/Optional | Description | Example |
Device IDs | Required | The IDs of the devices to stop isolating. Device IDs can be obtained using the List Devices command. | ["**********************"] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Unisolate Devices failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the WatchGuard Aether ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Device ID not found. |
Error Sample Data Unisolate Devices failed. Status Code: 404. Message: Device ID not found. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the WatchGuard Aether ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: access denied, authorization failed. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 403. Message: access denied, authorization failed. |