Securonix SNYPR

Update Securonix SNYPR

Identify or create credentials to access Securonix with read access, at minimum.

API Calls

The following API calls are used by the Validation Platform.

Update the Security Validation Platform

Prerequisites

Information to gather before you start:

• Identify the hostname used to access Securonix SNYPR

• Identify the port used for Securonix communication

• Identify the username and password for your Securonix account

Configuration

To add the Securonix SNYPR integration

1. Go to Settings > Integrations.

2. Click Add Integration > Securonix SNYPR.

3. Enter information for the Host, Port, Protocol, Username and Password or API Token.

4. Review and update the Query as needed.
   The %ACTOR_IPS% variable can be used in all queries. This improves event matching.
   

   Securonix SNYPER Integration

5. Expand Advanced options.

6. (Optional) Update Query time, if necessary.

7. (Optional) Update the Page size, if necesary.

8. (Optional) Enable Verify SSL, if necessary.

9. (Optional) Select Enable query for Malicious DNS Actions and configure the Query. This query will only be used when you run Malicious DNS Actions or Captive DNS Actions.

10. (Optional) Select Enable query for Email Actions and configure the Query. This query will only be used when you run Email Actions.

11. (Optional) Select Enable query for Host CLI Actions and configure the Query. This query will only be used when you run Host CLI Actions.

    If you enable the Host CLI Actions query and use the %HOST_CLI_ACTOR_HOSTNAMES% variable, the platform will substitute the plain hostname and the information from the Alternate Hostname field on the Actor configuration page.

12. Identify the field name mappings for the following (there could be multiple of each, depending on log sources and configuration):

    • Source IP
    • Destination IP
    • Source Port
    • Destination
    • Port
    • Event Source Host
    • Host
    • Event Start Time (timestamp)
    • Event Unique ID
    • Event Signature ID
    • Event Description
    • Email Sender
    • Email Recipient
    • Email Subject
    • URL
    • Username

13. Modify the Query Interval and Event Time Adjustment, if necessary.

14. (Optional) Update Query time and Delay time.

    The Query time is the amount of time (minutes) before and after the query runs that the platform looks for events, while the Delay time is the amount of time (minutes) that the platform waits to run the first query after a Job Action starts. For example, you configure your integration with the following values: Query time = 5, Query interval = 30 seconds, and Delay time = 0. When a Job Actions starts at 12:00:00, the first time the query runs, the platform looks for events from 11:55:00 to 12:00:00. Then 30 seconds later, it looks for events from 11:55:30 to 12:00:30. This interval continues, with the last query looking from 12:00:00 to 12:05:00. If you instead configured the Delay time to equal 10, it would run the same query, but it wouldn't start that query until 12:10:00.
    If your monitors are set to run more frequently than the query time, this configuration impacts the pass/fail results for AEDA monitors.

15. (Optional) Assign a Name.

16. (Optional) Choose Yes to save suspicious events.

17. Click Submit.

Securonix SNYPER Integration - advanced options

Set up Proxy Assignment

If all outbound connections go through a proxy, you may want to set up a proxy definition and assignment for your integration. For information on setting up your proxy rules, see Proxy Rules.

Verify connectivity

To verify connectivity to Securonix SNYPR

Click Test to verify that:

• The Director can communicate with the integration host on the port and protocol specified.
• The integration credentials are valid and working.