Securonix SNYPR

SNYPR is a security analytics platform that transforms Big Data into actionable security intelligence. It delivers the proven power of Securonix analytics with the speed, scale, and affordable, long-term storage of Hadoop in a single, out-of-the-box solution.

Integration with LogicHub

Connecting with Securonix SNYPR

To connect to Securonix SNYPR, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • URL: URL to your SNYPR instance. Example: 'https://www.example.com/Snypr'.
  • Tenant (Optional): SNYPR Tenant. Default "Securonix".
  • Username: Username for the SNYPR account.
  • Password: Password for the SNYPR account.

Actions with Securonix SNYPR

Get Activity Data

Get Activity Data (also known as "event data") for a specific Datasource by running a Spotter query on Activity selection. For activity data, querying is allowed only for a 24-hour time range window. You can add additional conditions to the query for custom results.

Inputs to this Action:

  • Additional Query conditions (Optional): Jinja-templated text containing additional query conditions.
  • Event Time Start Range (Optional): Start Range of event time. The column value should be in the format 'MM/dd/yyyy HH:mm:ss' in the application timezone. (Default is flow-start-time)
  • Event Time End Range (Optional): End Range of event time. The column value should be in the format 'MM/dd/yyyy HH:mm:ss' in the application timezone. (Default is flow-end-time)
  • Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes')

Output of Action:
If Split Rows is 'Yes', each event is displayed as a separate row in json format:

  • has_error: True/False
  • error: message/null
  • other fields of an Event data

Otherwise, a single row containing an array of events is displayed:

  • has_error: True/False
  • error: message/null
  • events: array of Activity Events json data
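The 24-hour limit on activity queries and the two output shapes described above, as an added example in Python (not LogicHub or Securonix code). The `fetch` callback and the Spotter query text are constructed stand-ins for the real client and its query syntax:

```python
"""Added example (not LogicHub or Securonix code): checks the Get Activity Data
time window and shapes results the way the Split Rows option describes."""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

TIME_FMT = "%m/%d/%Y %H:%M:%S"      # the documented 'MM/dd/yyyy HH:mm:ss'
MAX_WINDOW = timedelta(hours=24)    # activity data: 24-hour range only


def validate_window(start: str, end: str) -> Optional[str]:
    """Return an error message, or None when the range is acceptable."""
    try:
        t0 = datetime.strptime(start, TIME_FMT)
        t1 = datetime.strptime(end, TIME_FMT)
    except ValueError:
        return "timestamps must use MM/dd/yyyy HH:mm:ss"
    if t1 <= t0:
        return "end of range must be after its start"
    if t1 - t0 > MAX_WINDOW:
        return "activity data can only be queried for a 24-hour window"
    return None


def shape_output(events: List[Dict], split_rows: bool = True,
                 error: Optional[str] = None) -> List[Dict]:
    """Rows as documented: has_error/error plus event fields, or one events array."""
    if error is not None:
        return [{"has_error": True, "error": error}]
    if split_rows:
        return [{"has_error": False, "error": None, **ev} for ev in events]
    return [{"has_error": False, "error": None, "events": events}]


def get_activity_data(fetch: Callable[[str, str, str], List[Dict]],
                      datasource: str, start: str, end: str,
                      extra: str = "", split_rows: bool = True) -> List[Dict]:
    """Validate the window first; only then hand the query to fetch()."""
    err = validate_window(start, end)
    if err:
        return shape_output([], split_rows, err)   # nothing is sent to SNYPR
    # Query text is an assumption of this example, not documented on this page.
    query = f'index=activity AND resourcegroupname="{datasource}"'
    if extra:
        query += f" AND {extra}"
    return shape_output(fetch(query, start, end), split_rows)
```

A range of exactly 24 hours is accepted; anything longer, reversed, or mis-formatted becomes an error row without a request being made.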

List Resources

Displays a list of all users, peer groups, resource groups, or policies.

Inputs to this Action:

  • List Type: Select the type of list to display: Policies/Resource Groups/Users/Peer Groups.

Output of Action:
json rows containing the following items:

  • has_error: True/False
  • error: message/null
  • resource json for the selected list type (Policies/Resource Groups/Users/Peer Groups)

Search Users

Search users in your organization.

Inputs to this Action:

  • User Attribute Filter (Optional): Enter Jinja-templatized text to filter users by attribute(s). Sample attributes: companycode, costcentername, country, department, employeeid, employeetype, employeetypedescription, firstname, lastname, hiredate, jobcode, lanid, location, manageremployeeid, status, statusdescription, title, workemail, networkid, approveremployeeid, mobile, usercriticality, managerfirstname, managerlastname, companynumber, orgunitnumber, regtempin, hierarchy, fulltimeparttimein, userriskscore, costcentercode, usertimezoneoffset. Example: location="{{location_column}}" AND lastname="{{lastname_column}}".
  • Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes')

Output of Action:
If Split Rows is 'Yes', each user is displayed as a separate row in json format:

  • has_error: True/False
  • error: message/null
  • other fields of User data

Otherwise, a single row containing an array of users is displayed:

  • has_error: True/False
  • error: message/null
  • events: array of User json data

Search Watchlist

Search watchlists in your organization.

Inputs to this Action:

  • User Attribute Filter (Optional): Enter Jinja-templatized text to filter watchlists by attribute(s). Sample attributes: companycode, costcentername, country, department, employeeid, employeetype, employeetypedescription, firstname, lastname, hiredate, jobcode, lanid, location, manageremployeeid, status, statusdescription, title, workemail, confidencefactor, decayflag, entityname, expired, expirydate, reason, type, watchlistname, watchlistuniquekey. Example: location="{{location_column}}" AND lastname="{{lastname_column}}".
  • Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes')

Output of Action:
If Split Rows is 'Yes', each watchlist is displayed as a separate row in json format:

  • has_error: True/False
  • error: message/null
  • other fields of Watchlist data

Otherwise, a single row containing an array of watchlists is displayed:

  • has_error: True/False
  • error: message/null
  • events: array of Watchlist json data

Get Violations

Get violations from the violation collection.

Inputs to this Action:

  • User Attribute Filter (Optional): Jinja-templated text containing additional query conditions.
  • From (Optional): Generation-time From. The column value should be in the format 'MM/dd/yyyy HH:mm:ss' in the application timezone. (Default is flow-start-time)
  • To (Optional): Generation-time To. The column value should be in the format 'MM/dd/yyyy HH:mm:ss' in the application timezone. (Default is flow-end-time)
  • Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes')

Output of Action:
If Split Rows is 'Yes', each violation is displayed as a separate row in json format:

  • has_error: True/False
  • error: message/null
  • other fields of Violation data

Otherwise, a single row containing an array of violations is displayed:

  • has_error: True/False
  • error: message/null
  • events: array of Violation json data

Risk Scorecard/History

List the user's risk scorecard or history data.

Inputs to this Action:

  • Risk Data: Select the required Risk Data: Risk Score/Risk History.
  • User Attribute Filter (Optional): Enter Jinja-templatized text to filter risks by attribute(s). Sample attributes: violator, companycode, costcentername, country, department, division, employeeid, employeetype, employeetypedescription, firstname, lastname, hiredate, jobcode, lanid, location, manageremployeeid, status, statusdescription, title, userid, workemail, workphone. Example: location="{{location_column}}" AND lastname="{{lastname_column}}".
  • Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes')

Output of Action:
If Split Rows is 'Yes', each risk record is displayed as a separate row in json format:

  • has_error: True/False
  • error: message/null
  • other fields of Risk data

Otherwise, a single row containing an array of risk records is displayed:

  • has_error: True/False
  • error: message/null
  • events: array of Risk json data

Run Spotter Query

Run a generic Spotter Query on your SNYPR instance.

Inputs to this Action:

  • Query String: Enter Jinja-templatized query string. Example: 'index=users AND location="Dallas" AND lastname="OGWA"'.
  • Split Rows (Optional): Split events into separate rows. Select 'Yes' to split or 'No' to get raw results. (Default 'Yes')

Output of Action:
If Split Rows is 'Yes', each result is displayed as a separate row in json format:

  • has_error: True/False
  • error: message/null
  • other fields of result data

Otherwise, a single row containing an array of results is displayed:

  • has_error: True/False
  • error: message/null
  • events: array of json results
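Filling the {{column}} placeholders of a Spotter query string from row data, as an added example in Python (not LogicHub or Securonix code). Because this page does not document Spotter's escaping rules, the example rejects column values that could break out of a quoted literal instead of escaping them; that choice, and the placeholder syntax it recognizes, are assumptions of the example:

```python
"""Added example (not LogicHub or Securonix code): renders {{column}}
placeholders in a Spotter query template from one row of flow data, refusing
values that could escape the surrounding quoted literal."""
import re
from typing import Dict, Tuple

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")   # {{ column_name }}
UNSAFE = re.compile(r'["\\\r\n]')                   # quote, backslash, newline


def render_query(template: str, row: Dict[str, object]) -> Tuple[str, str]:
    """Return (query, error). On error the query is empty and must not be run."""
    def substitute(match) -> str:
        name = match.group(1)
        if name not in row:
            raise KeyError(f"column {name!r} is missing from the row")
        value = str(row[name])
        if UNSAFE.search(value):
            # Assumed policy: reject rather than guess Spotter's escaping rules.
            raise ValueError(
                f"column {name!r} contains characters not allowed in a quoted "
                "Spotter literal")
        return value

    try:
        return PLACEHOLDER.sub(substitute, template), ""
    except (KeyError, ValueError) as exc:
        return "", str(exc)
```

Rows whose values fail the check produce an error instead of a query, so the has_error/error output can be populated without a request reaching SNYPR.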

Add Comment to Violation

Adds a comment to a SNYPR Violation.

Inputs to this Action:

  • Violation Name: Enter Jinja-templatized violation policy name.
  • Datasource Name: Enter Jinja-templatized resource group name.
  • Entity Type: Select the column containing the value for entity type. Valid values are "Users", "Activityaccount", "RGActivityaccount", "Resources", "Activityip".
  • Entity Name: Enter Jinja-templatized account name associated with the violation.
  • Comment: Enter Jinja-templatized comment that you want to add.
  • Status Action: Select the column containing the value of the action to perform. Example: "Non-Concern".
  • Resource Name (Optional): Enter Jinja-templatized resource name. It is mandatory to provide a resource name if the entity type is Activityaccount.
  • Employee Id (Optional): Enter Jinja-templatized employee id.

Output of Action:
json rows containing the following items:

  • has_error: True/False
  • error: message/null
  • other fields of result data