Axonius
Integration version: 1.0
Use Cases
Perform enrichment actions.
Configure Axonius integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://{root} | Yes | Axonius API root |
| API Key | String | N/A | Yes | Axonius API Key |
| API Secret | Password | N/A | Yes | Axonius API Secret |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Axonius server is valid. |
Actions
Ping
Description
Test connectivity to Axonius with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Run On
The action doesn't run on entities, nor has mandatory input parameters.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Axonius server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Axonius server! Error is {0}".format(exception.stacktrace) |
General |
Enrich Entities
Description
Enrich entities using information from Axonius. Supported entities: Hostname, IP, Mac Address, User, Email Addresses (User entities that match email regex).
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Create Endpoint Insight | Checkbox | True | No | If enabled, action will create an insight containing information about the endpoints. |
| Create User Insight | Checkbox | True | No | If enabled, action will create an insight containing information about the user. |
| Max Notes To Return | Integer | 50 | No | Specify how many notes to show in the case wall table. |
Run On
This action runs on the following entities:
- Hostname
- IP Address
- Mac Address
- User
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result - for Endpoint:
{
"adapters": [
{
"accurate_for_datetime": "Sun, 21 Mar 2021 03:44:19 GMT",
"client_used": "xxxxxxxxx_xxxx\\axoniusSvc",
"raw": {
"ad_distinguished_name": "CN=DESKTOP-xxxxxxx,OU=Computers,DC=demo,DC=local",
"ad_object_class": [
"top",
"person",
"organizationalperson",
"user",
"computer"
],
"ad_sAMAccountName": "",
"ad_site_location": "Richmond",
"ad_site_name": "",
"device_disabled": false,
"device_managed_by": "William Saari",
"domain": "xxxx.xxxxx",
"hostname": "xxxxx-xxxxxx-xxxxx-xxx",
"id": "CN=xxxxxx-xxxxxxx,OU=Computers,DC=demo,DC=local",
"last_seen": "Tue, 16 Mar 2021 19:44:05 GMT",
"name": "xxxxxxx-xxxxxxxx",
"network_interfaces": [
{
"ips": [
"xx.xxx.xxx.xx"
],
"ips_raw": [
xxxxxxxx
],
"ips_v4": [
"xx.x.x.xx"
],
"ips_v4_raw": [
xxxxxxxx
]
}
],
"os": {
"bitness": 64,
"distribution": "10",
"is_windows_server": false,
"os_str": "windows 10 pro 64-bit",
"type": "Windows",
"type_distribution": "Windows 10"
},
"part_of_domain": true
},
"plugin_name": "",
"plugin_type": "Adapter",
"plugin_unique_name": "",
"quick_id": "active_directory_adapter_0!CN=xxxxxx-xxxxxxx,OU=xxxxxx,DC=xxxxx,DC=xxxxx",
"type": "entitydata"
},
{
"accurate_for_datetime": "Sun, 21 Mar 2021 03:43:52 GMT",
"client_used": "https://xxxxx.xxxx.xxxx",
"raw": {
"hostname": "xxxxxx-xxxxxx",
"id": "xxxxx-xx.x.x.xx",
"last_seen": "Sun, 21 Mar 2021 01:50:28 GMT",
"name": "xxxxxxxx-xxxxxxxx",
"network_id": "xxxxx.xxxx",
"network_interfaces": [
{
"ips": [
"xx.x.xxx.xx"
],
"ips_raw": [
xxxxxxxx
],
"ips_v4": [
"xx.x.xxx.xx"
],
"ips_v4_raw": [
xxxxxxxx
],
"mac": "xx:xx:xx:xx",
"manufacturer": "(Intel Corporate)"
}
]
},
"plugin_name": "xxxxxx_xxxxxx_xxxxxx",
"plugin_type": "Adapter",
"plugin_unique_name": "xxxx_xxxxx_xxxxx_xxx",
"quick_id": "xxxxx_xxxxx_xxxxx_x!xxxxxx-xx.x.xxx.xx",
"type": "entitydata"
}
],
"Notes": [],
"internal_axon_id": "",
"labels": []
}
JSON Result - for Users:
{
"adapters": [
{
"accurate_for_datetime": "Sun, 21 Mar 2021 03:45:01 GMT",
"client_used": "demo.local_DEMO\\axoniusSvc",
"raw": {
"account_disabled": false,
"ad_display_name": "",
"ad_distinguished_name": "CN=xxxxx.xxxxx,CN=xxxxx,DC=xxxx,DC=xxxxx",
"ad_sid": "S-1-5-21-70119-3234025",
"ad_uac_dont_expire_password": false,
"ad_uac_password_not_required": false,
"display_name": "",
"domain": "xxxx.xxxxx",
"employee_id": "xxxxxx",
"first_name": "xxxxx",
"id": "CN=xxxx.xxxxx,CN=xxxxxx,DC=xxxxx,DC=xxxxx",
"is_admin": false,
"is_local": false,
"is_locked": false,
"last_name": "xxxxxx",
"last_password_change": "Wed, 17 Mar 2021 09:12:11 GMT",
"last_seen": "Thu, 18 Mar 2021 09:25:08 GMT",
"mail": "xxxxx.xxxxxx@xxxxx.xxxxx",
"password_never_expires": false,
"password_not_required": false,
"user_city": "Boston",
"user_telephone_number": "+x-xxx-xxxx-xxxx",
"username": "xxxx.xxxxx@xxxxx.xxxxx"
},
"user_city": "Boston",
"user_telephone_number": "+x-xxx-xxxx-xxx",
"username": "xxxx.xxxxx@xxxx.xxxx",
"plugin_name": "active_directory_adapter",
"plugin_type": "Adapter",
"plugin_unique_name": "active_directory_adapter_0",
"quick_id": "active_directory_adapter_0!CN=xxxxx.xxxxx,CN=xxxxx,DC=xxxx,DC=xxxxx",
"type": "entitydata"
}
],
"Notes": [],
"internal_axon_id": "",
"labels": []
}
Entity Enrichment - for Endpoints:
| Enrichment Field Name | Logic - When to apply |
|---|---|
| object_classes | When available in JSON |
| site_name | When available in JSON |
| device_disabled | When available in JSON |
| device_managed_by | When available in JSON |
| hostname | When available in JSON |
| ad_distinguished_name | When available in JSON |
| asset_name | When available in JSON |
| ips | When available in JSON |
| os | When available in JSON |
| id | When available in JSON |
| link | When available in JSON |
Entity Enrichment - for Users:
| Enrichment Field Name | Logic - When to apply |
|---|---|
| account_disabled | When available in JSON |
| ad_display_name | When available in JSON |
| ad_distinguished_name | When available in JSON |
| ad_sid | When available in JSON |
| employee_id | When available in JSON |
| is_admin | When available in JSON |
| is_local | When available in JSON |
| is_locked | When available in JSON |
| When available in JSON | |
| user_telephone_number | When available in JSON |
| id | When available in JSON |
| link | When available in JSON |
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If enriched some(is_success = true): "Successfully enriched the following entities using Axonius:\n".format(entity.identifier) If didn't enrich some (is_success = true): "Action wasn't able to enriche the following entities using Axonius:\n".format(entity.identifier)< If didn't enrich all (is_success = false): "No entities were enriched". The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace) |
General |
| Entity Table | Entity | |
Case Wall Table (if attributes/data/data list has values) |
Name: {entity.identifier}: Notes Column:
|
General |
Add Note
Description
Add a note to entities in Axonius. Supported entities: Hostname, IP, Mac Address, User, Email Addresses (User entities that match email regex).
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Note | String | N/A | Yes | Specify what note needs to be added. |
Run On
This action runs on the following entities:
- Hostname
- IP Address
- Mac Address
- User
- Email Address
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
{
"data": {
"attributes": {
"accurate_for_datetime": "2021-03-21T15:55:10.876568+00:00",
"note": "qqweqwen",
"user_id": "",
"user_name": "internal/apixxxxx",
"uuid": ""
},
"type": "notes_details_schema"
}
}
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If at least success for one(is_success = true): "Successfully added note to the following entities in Axonius: {0}".format(entities) If at least fail for one(is_success = true): "Action wasn't able to add a note to the following entities in Axonius: {0}".format(entities) If fail for all (is_success = false): "Note wasn't added to the provided entities.". The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other: "Error executing action "Add Note". Reason: {0}''.format(error.Stacktrace) |
General |
Add Tags
Description
Add tags to entities in Axonius. Supported entities: Hostname, IP, Mac Address, User, Email Addresses (User entities that match email regex).
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Tags | CSV | Yes | Specify a comma-separated list of tags that need to be added to the entities. |
Run On
This action runs on the following entities:
- Hostname
- IP Address
- Mac Address
- User
- Email Address
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If at least success for one(is_success = true): "Successfully added tags to the following entities in Axonius: {0}".format(entities) If at least fail for one(is_success = true): "Action wasn't able to add tags to the following entities in Axonius: {0}".format(entities) If fail for all (is_success = false): "Tags weren't added to the provided entities.". The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Add Tags". Reason: {0}''.format(error.Stacktrace) |
General |
Remove Tags
Description
Remove tags from entities in Axonius. Supported entities: Hostname, IP, Mac Address, User, Email Addresses (User entities that match email regex).
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Tags | CSV | Yes | Specify a comma-separated list of tags that need to be removed from the entities. |
Run On
This action runs on the following entities:
- Hostname
- IP Address
- Mac Address
- User
- Email Address
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If at least success for one(is_success = true): "Successfully removed tags from the following entities in Axonius: {0}".format(entities) if at least fail for one(is_success = true): "Action wasn't able to remove tags from the following entities in Axonius: {0}".format(entities) If fail for all (is_success = false): "Tags weren't removed from the provided entities.". The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Remove Tags". Reason: {0}''.format(error.Stacktrace) |
General |