Securonix

Details
Content
Dependencies
Version History

Use the Securonix integration to manage incidents, threats, lookup tables, whitelists and watchlists.

The Securonix platform collects massive volumes of data in real-time, detects advanced threats using innovative machine learning algorithms, enables you to quickly investigate the alerts that matter the most, and provides actionable security intelligence for an automated response.

Pack use-cases:

Ingest newly created incidents from Securonix.
Ingest newly created threats from Securonix.
Get, update and create Securonix incidents, add comments and perform actions on the Securonix incidents.
Get, update, create and delete records from the whitelist.
Get, update, create and delete records from the lookup table.
Get, update, and create records from the watchlist.

Note: Support for this pack was moved to Securonix as of 05/25/2022

Pack use-cases:

Ingest newly created incidents from Securonix.
Ingest newly created threats from Securonix.
Get, update and create Securonix incidents, add comments and perform actions on the Securonix incidents.
Get, update, create and delete records from the whitelist.
Get, update, create and delete records from the lookup table.
Get, update, and create records from the watchlist.

Note: Support for this pack was moved to Securonix as of 05/25/2022

Automations

Name	Description
UpdateSecuronixIncidentStatus	Update the status of the Securonix incident using the configuration provided in integration configuration.
SecuronixCloseHistoricalXSOARIncidents	Close historical XSOAR incidents that are already closed on Securonix. NOTE: This script will close all the XSOAR incidents which are created from Securonix integration and does not have incident type as "Securonix Incident" in the provided time frame.
SecuronixGetViolations	Gets a list of violations related to a specific threat from the context data and displays it in the layout.

Classifiers

Name	Description
Securonix Threat - Incoming Mapper	Securonix Threat Incoming Mapper
Securonix Incident - Incoming Mapper	Securonix incident incoming mapper.

Incident Fields

Name	Description
Securonix Entity ID	The entity ID.
Securonix Parent Case ID	Parent case ID of the incident.
Securonix ResourceGroup Name	Resource group name.
Securonix Case Event End Time	Case event end time.
Securonix Violation Count	Total number of Violations related to specific threat.
Securonix Status Completed
Securonix Risk Score	The incident risk score.
Securonix Violator Sub Text	Incident violator sub text.
Securonix Bulk Action Allowed	Whether bulk action is allowed or not.
Securonix Incident Type	Incident type.
Securonix Close Incident	Whether to close incident on Securonix after fetching it in XSOAR or not.
Securonix Category	Threat category.
Securonix Policies	List of policies violated.
Securonix Entity	The incident entity.
Securonix Resource Type	Resource type.
Securonix Watchlisted	Whether the incident is on a watchlist.
Securonix Is Whitelisted	Whether the incident is added to the allow list.
Securonix Policy Type	The incident policy type.
Securonix Case Create Time	Case event start time.
Securonix Tenant Color	Tenant color.
Securonix Workflow Name	The incident workflow name.
Securonix Incident Status	Incident status.
Securonix Tenant ID	Tenant ID.
Securonix Violator ID	Incident violator ID.
Securonix Sandbox Policy
Securonix Last Update Date	Last update date of the incident in Epoch time.
Securonix Incident ID	Incident ID.
Securonix Violator	Violator.
Securonix Tenant Short Code	Short code of the tenant.
Securonix Reason	The reason that the incident was created. Usually includes the policy name and/or possible threat name.
Securonix Violation Spotter Query	Spotter query to fetch the related violations.
Securonix Resource Name	Resource name.
Securonix Threat Generation Time	Time that the threat was generated in Securonix.
Securonix Violator Text	Incident violator text.

Incident Types

Name	Description
Securonix Incident
Securonix Threat

Integrations

Name	Description
Securonix (Partner Contribution)	Use the Securonix integration to manage incidents, threats, lookup tables, whitelists and watchlists.

Layouts

Name	Description
Securonix Incident Information	Securonix Incident Information
Securonix Threat	Layout for Securonix Threat Information.

Playbooks

Name	Description
Update Incident Status And Fetch Attachments - Securonix	This playbook fetches the attachments for the incident. Also, it updates the state of the Securonix incident based on the configuration provided in integration configuration.
Fetch All Violations - Securonix	Gets a list of violations with pagination using queryId parameter.
Fetch Violations - Securonix	Gets a list of violation data.

Automations

Name	Description
UpdateSecuronixIncidentStatus	Update the status of the Securonix incident using the configuration provided in integration configuration.
SecuronixCloseHistoricalXSOARIncidents	Close historical XSOAR incidents that are already closed on Securonix. NOTE: This script will close all the XSOAR incidents which are created from Securonix integration and does not have incident type as "Securonix Incident" in the provided time frame.
SecuronixCloseHistoricalXSOARAlerts	Close historical XSOAR alerts that are already closed on Securonix. NOTE: This script will close all the XSOAR alerts which are created from Securonix integration and does not have alert type as "Securonix Alert" in the provided time frame.
SecuronixGetViolations	Gets a list of violations related to a specific threat from the context data and displays it in the layout.

Classifiers

Name	Description
Securonix Incident - Incoming Mapper	Securonix incident incoming mapper.
Securonix Threat - Incoming Mapper	Securonix Threat Incoming Mapper

Incident Fields

Name	Description
Securonix Threat Generation Time	Time that the threat was generated in Securonix.
Securonix Incident ID	Incident ID.
Securonix Workflow Name	The incident workflow name.
Securonix Policy Type	The incident policy type.
Securonix Policies	List of policies violated.
Securonix Violator Text	Incident violator text.
Securonix Is Whitelisted	Whether the incident is added to the allow list.
Securonix Incident Status	Incident status.
Securonix Violator ID	Incident violator ID.
Securonix Risk Score	The incident risk score.
Securonix Resource Name	Resource name.
Securonix Status Completed
Securonix Bulk Action Allowed	Whether bulk action is allowed or not.
Securonix Category	Threat category.
Securonix Last Update Date	Last update date of the incident in Epoch time.
Securonix Tenant ID	Tenant ID.
Securonix Tenant Color	Tenant color.
Securonix Close Incident	Whether to close incident on Securonix after fetching it in XSOAR or not.
Securonix Sandbox Policy
Securonix Reason	The reason that the incident was created. Usually includes the policy name and/or possible threat name.
Securonix Violator	Violator.
Securonix Violation Count	Total number of Violations related to specific threat.
Securonix ResourceGroup Name	Resource group name.
Securonix Case Event End Time	Case event end time.
Securonix Entity	The incident entity.
Securonix Watchlisted	Whether the incident is on a watchlist.
Securonix Violation Spotter Query	Spotter query to fetch the related violations.
Securonix Entity ID	The entity ID.
Securonix Tenant Short Code	Short code of the tenant.
Securonix Parent Case ID	Parent case ID of the incident.
Securonix Case Create Time	Case event start time.
Securonix Incident Type	Incident type.
Securonix Resource Type	Resource type.
Securonix Violator Sub Text	Incident violator sub text.

Incident Types

Name	Description
Securonix Threat
Securonix Incident

Integrations

Name	Description
Securonix (Partner Contribution)	Use the Securonix integration to manage incidents, threats, lookup tables, whitelists and watchlists.

Playbooks

Name	Description
Fetch All Violations - Securonix	Gets a list of violations with pagination using queryId parameter.
Update Alert Status And Fetch Attachments - Securonix	This playbook fetches the attachments for the alert. Also, it updates the state of the Securonix alert based on the configuration provided in integration configuration.
Fetch Violations - Securonix	Gets a list of violation data.

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (4)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Base	By: Cortex XSOAR

2.0.21 - 1358619 (September 8, 2024)

Integrations

Updated the securonix-list-activity-data command to populate all the context fields coming from the API response.
Updated the Docker image to: demisto/python3:3.11.9.109226.

Related pull requests:
- 36165
- 36173

Download

2.0.20 - 998827 (May 6, 2024)

Incident Fields

New: Securonix Policy Type

Integrations

Securonix

Improved implementation logic for the query argument for the securonix-list-activity-data and securonix-list-violation-data commands by adding the support for the escape characters "\", "*", and "?" when passing them to the API. No action required by the customer.
Added a new argument "policy_type" to the securonix-list-violation-data command.
Updated the retry mechanism for the securonix-list-violation-data command to dynamically set the "to" argument to the current time based on the specified policy types: Land Speed, DIRECTIVE, BEACONING, TIER2.
Updated the securonix-list-activity-data command to support the optional index key in the query argument. If the index is not specified in the query, it will append and search in the activity index on the Spotter API by default.
Fixed an issue with the handling of special characters in the HR (Human Readable) for the following commands:
- securonix-list-incident
- securonix-get-incident
- securonix-list-violation-data
- securonix-list-activity-data
Updated the compatibility. Securonix XSOAR integration version 2.0.20 is compatible with 6.4_Apr2024_R1 onwards.
Updated the Docker image to: demisto/python3:3.10.14.92207.

Layouts

Securonix Incident Information
Added the Securonix Policy Type incident field in the layout.

Mappers

Securonix Incident - Incoming Mapper

Updated the mapper for the addition of Securonix Policy Type Incident Field.
Updated the mapper for the Securonix Violation Spotter Query Incident Field to preserve the "@" symbol in the field value.

Related pull requests:
- 33833
- 34199

Download

2.0.19 - 839519 (February 20, 2024)

Integrations

Securonix

Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 33007

Download

2.0.18 - 798475 (February 1, 2024)

Integrations

Securonix

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32533

Download

2.0.17 - 767481 (January 17, 2024)

Integrations

Securonix

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32259

Download

2.0.16 - 752611 (January 9, 2024)

Scripts

UpdateSecuronixIncidentStatus

Updated the Docker image to: demisto/python3:3.10.13.83255.

SecuronixCloseHistoricalXSOARIncidents

Updated the Docker image to: demisto/python3:3.10.13.83255.

SecuronixGetViolations

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 32030

Download

2.0.15 - 722180 (December 28, 2023)

Integrations

Securonix

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31828

Download

2.0.14 - R6950398 (November 21, 2023)

Integrations

Securonix

Updated the Docker image to: demisto/python3:3.10.13.80014.

Related pull requests:
- 30914

Download

2.0.13 - 6693172 (October 24, 2023)

Integrations

Securonix

Updated the securonix-get-incident and securonix-list-incidents commands to include the Spotter query in the human readable output and context by upgrading to the latest version of the API.
Updated the securonix-list-incidents command to include the Incident ID field in the human readable output column.
Updated the securonix-list-violation-data command, where the query argument now supports the auto inclusion of the "index" with a default value of "violation" if not provided.
Updated the Docker image to: demisto/python3:3.10.13.78960.

Mappers

Securonix Incident - Incoming Mapper

Updated the mapper for the Securonix Violation Spotter Query incident field.

UpdateSecuronixIncidentStatus

Updated the Docker image to: demisto/python3:3.10.12.63474.

SecuronixCloseHistoricalXSOARIncidents

Updated the Docker image to: demisto/python3:3.10.12.63474.

SecuronixGetViolations

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28017

Download

2.0.7 - R5692327 (July 5, 2023)

Integrations

Securonix

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27682

Download

2.0.6 - R5450895 (June 5, 2023)

Integrations

Securonix

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27215

Download

2.0.5 - 5318720 (May 21, 2023)

Scripts

SecuronixCloseHistoricalXSOARIncidents

Transform automation names from "incident" to "alert" in XSIAM.
Updated the Docker image to: demisto/python3:3.10.11.58677.

UpdateSecuronixIncidentStatus

Added the skipprepare attribute to prevent scripts and tasks containing the word incident from being replaced with the word alert.
Updated the Docker image to: demisto/python3:3.10.11.58677.

Related pull requests:
- 26365

Download

2.0.4 - 5304600 (May 19, 2023)

Integrations

Securonix

Upgraded the Docker image to: demisto/python3:3.10.11.59070.

Related pull requests:
- 26640

Download

2.0.3 - 5189071 (May 4, 2023)

Integrations

Securonix

Added support for handling invalid token error. If an invalid token error occurs, this will reset the integration cache and regenerate the new token on the subsequent execution.
Updated the Docker image to: demisto/python3:3.10.11.56857.

Scripts

SecuronixGetViolations

Updated the Docker image to: demisto/python3:3.10.11.56857.

SecuronixCloseHistoricalXSOARIncidents

Updated the Docker image to: demisto/python3:3.10.11.56857.

UpdateSecuronixIncidentStatus

Updated the Docker image to: demisto/python3:3.10.11.56857.

Related pull requests:
- 26276
- 26309

Download

2.0.2 - R5170573 (May 2, 2023)

Integrations

Securonix

Updated the Docker image to: demisto/python3:3.10.10.52956.

Related pull requests:
- 25745

Download

2.0.1 - R4954430 (April 2, 2023)

Incident Types

Securonix Threat
Updated the default violation playbook.

Integrations

Securonix

Added a new command securonix-lookup-table-entries-delete to delete specific entries from the lookup table.
Added support for specifying expiration time for a lookup table entry in the securonix-lookup-table-entry-add command.
Added support for 2 new parameters ‘sort’ and ‘order’ to sort the lookup table entries in the securonix-lookup-table-entries-list command.
Added support for pagination in fetching violations in the playbook.
Updated the Docker image to: demisto/python3:3.10.10.49934.

Playbooks

New: Fetch Violations - Securonix

Added a playbook to get a list of violation data. (Available from Cortex XSOAR 6.5.0).

New: Fetch All Violations - Securonix

Added a playbook to get a list of violations with pagination using queryId parameter. (Available from Cortex XSOAR 6.5.0).

Scripts

SecuronixGetViolations

Updated the script to show the latest 200 violation events in the "Violation Events" panel of the "Securonix Threat" incident type's layout.
Updated the Docker image to: demisto/python3:3.10.10.49934.

SecuronixCloseHistoricalXSOARIncidents

Updated the description of the script.
Updated the Docker image to: demisto/python3:3.10.10.49934.

Related pull requests:
- 25374
- 25263

Download

2.0.0 - 4746941 (March 5, 2023)

Incident Fields

Securonix Risk Score
Securonix Category
Securonix Case Create Time
Securonix Tenant Color
Securonix Resource Name
Securonix Violation Count
Securonix Incident ID
Securonix Bulk Action Allowed
Securonix Parent Case ID
Securonix Entity ID
Securonix Policies
Securonix Sandbox Policy
Securonix Watchlisted
Securonix Incident Type
Securonix ResourceGroup Name
Securonix Status Completed
Securonix Case Event End Time
Securonix Reason
Securonix Last Update Date
Securonix Close Incident
Securonix Violator
Securonix Violation Spotter Query
Securonix Is Whitelisted
Securonix Tenant ID
Securonix Tenant Short Code
Securonix Entity
Securonix Workflow Name
Securonix Violator Text
Securonix Threat Generation Time
Securonix Violator ID
Securonix Violator Sub Text
Securonix Incident Status
Securonix Resource Type

Incident Types

Securonix Incident
Securonix Threat

Integrations

Securonix

Added support for Incident Mirroring. With version, 2.0.0 users can mirror the incidents comments, attachments & states across the platforms(Securonix & XSOAR).
Added support for fetching threats from Securonix which will fetch Securonix Threats (with related violations) as XSOAR Incidents.
Added a configurable retry mechanism for fetching incidents and performing actions using commands.
Improved implementation of the token re-generation logic, now will generate a token every 24 hours instead of generating it for each API call.
Added support for CRUD operation on Securonix Whitelist.
securonix-whitelists-get
securonix-whitelist-entry-list
securonix-whitelist-entry-add
securonix-whitelist-entry-delete
securonix-whitelist-create
Added support for CRUD operation on Securonix Lookup tables.
securonix-lookup-table-config-and-data-delete
securonix-lookup-tables-list
securonix-lookup-table-entry-add
securonix-lookup-table-entries-list
securonix-lookup-table-create
Updated the Docker image to: demisto/python3:3.10.10.48392.

Layouts

New: Securonix Incident Information
Added a layout for Securonix Incident Information. (Available from Cortex XSOAR 6.5.0).
New: Securonix Threat
Added a layout for Securonix Threat Information. (Available from Cortex XSOAR 6.5.0).

Mappers

New: Securonix Threat - Incoming Mapper

Added a mapper to map the Securonix threat fields with custom fields. (Available from Cortex XSOAR 6.5.0).

New: Securonix Incident - Incoming Mapper

Added a mapper to map the Securonix incident fields with custom fields. (Available from Cortex XSOAR 6.5.0).

Playbooks

New: Update Incident Status And Fetch Attachments - Securonix

Added a playbook to fetch the attachments for the incident. Also, it updates the state of the Securonix incident based on the configuration provided in integration configuration. (Available from Cortex XSOAR 6.5.0).

New: Fetch Threat Violations - Securonix

Added a playbook to fetch violations related to threat. (Available from Cortex XSOAR 6.5.0).

Scripts

New: SecuronixCloseHistoricalXSOARIncidents

Added an automation script to close historical XSOAR incidents that are already closed on Securonix. (Available from Cortex XSOAR 6.5.0).

New: SecuronixGetViolations

Added an automation script to get a list of violations related to a specific threat from the context data and displays it in the layout. (Available from Cortex XSOAR 6.5.0).

New: UpdateSecuronixIncidentStatus

Added an automation script to update the status of the Securonix incident using the configuration provided in integration configuration. (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 24771
- 24989

Download

1.2.0 - R4718798 (March 1, 2023)

Integrations

Securonix

Updated the incident name created in the fetch-incidents command.
The incident name will be according to the Threat Model field. If it does not exist, it will be according to the Policy field.
If neither field exists, the incident name will be the incident ID combined with the violator ID.
This update is due to a change in the Securonix API and suggestions from the Securonix support team.
Updated the Docker image to: demisto/python3:3.10.4.30607.

Related pull requests:
- 19697

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	September 9, 2020
Last Release	September 8, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.