SolarWinds Orion

Integration version: 3.0

Use Cases

Perform active actions: execute SWQL (SolarWinds Query Language, a SQL-like, read-only query language) queries against Orion to get more information about an endpoint.

Configure SolarWinds Orion integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name | Type     | Default Value | Is Mandatory | Description
Instance Name          | String   | N/A           | No           | Name of the instance you intend to configure the integration for.
Description            | String   | N/A           | No           | Description of the instance.
IP Address             | String   | x.x.x.x:17778 | Yes          | IP address and port of the SolarWinds Orion instance. 17778 is the default port of the SolarWinds Information Service (SWIS) REST API that the actions query.
Username               | String   | N/A           | Yes          | Username of the SolarWinds Orion account. Use a dedicated account with only the Orion rights the queries need; the actions only read data, so a read-only Orion account is sufficient.
Password               | Password | N/A           | Yes          | Password of the SolarWinds Orion account.
Verify SSL             | Checkbox | Unchecked     | No           | If enabled, verify that the SSL certificate for the connection to the SolarWinds Orion server is valid. Orion installs with a self-signed certificate, which is why this is unchecked by default; since the account credentials are sent on every request, replace the certificate with one issued by a CA the SOAR trusts and enable this option rather than leaving verification off.
Run Remotely           | Checkbox | Unchecked     | No           | Check this field to run the configured integration remotely. Once checked, an option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to SolarWinds Orion with the parameters provided on the integration configuration page in the Google Security Operations Marketplace tab.

Run On

This action doesn't run on entities and has no mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful:

Print "Successfully connected to the SolarWinds Orion server with the provided connection parameters!"

The action should fail and stop a playbook execution:
If not successful:

Print "Failed to connect to the SolarWinds Orion server! Error is {0}".format(exception.stacktrace)

General

Execute Query

Description

Execute a SWQL query in SolarWinds Orion. SWQL is read-only, so the action cannot modify Orion data; what the query can read is bounded by the permissions of the configured Orion account.

Parameters

Parameter Display Name | Type    | Default Value | Is Mandatory | Description
Query                  | String  | N/A           | Yes          | Specify the query to execute. Note: SolarWinds (SWQL) queries don't support "SELECT *"; list the columns explicitly.
Max Results To Return  | Integer | 100           | No           | Specify how many results should be returned.

Run On

This action doesn't run on entities; its only mandatory input parameter is Query.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "results": [
        {
            "DisplayName": "orion"
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the response status code is not 400 (is_success = true):

Print "Successfully executed query and retrieved results from SolarWinds Orion".

If the response status code is 400 (is_success = false):

Print "Action wasn't able to successfully execute query and retrieve results from SolarWinds Orion. Reason: {0}".format(message)

The action should fail and stop a playbook execution:
If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action \"Execute Query\". Reason: {0}".format(error.Stacktrace)

General
Case Wall Table

Table Name: "Results"

All of the columns from the response will be used as table columns.

General

Execute Entity Query

Description

Execute a SWQL query in SolarWinds Orion whose WHERE clause is built from the IP Address and Host entities in scope.

How to work with action parameters

This action makes it easy to retrieve information about endpoints based on the IP and Hostname entities in the case.

Imagine you want to retrieve the uptime of two endpoints. The first endpoint has IP '172.30.203.130' and the second has hostname 'DC001'. In this case the query would need to look like this:

SELECT IpAddress, DisplayName, SystemUpTime FROM Orion.Nodes WHERE IpAddress='172.30.203.130' OR DisplayName='DC001'

To build the same query with the "Execute Entity Query" action, fill out the action parameters as follows:

Query               | SELECT IpAddress, DisplayName, SystemUpTime FROM Orion.Nodes
IP Entity Key       | IpAddress
Hostname Entity Key | DisplayName

The WHERE clause is generated automatically: each IP Address entity in scope becomes an "<IP Entity Key>='<identifier>'" condition, each Host entity a "<Hostname Entity Key>='<identifier>'" condition, and the conditions are joined with OR. Note that the entity identifiers come from case data (for example a hostname field in an alert), so they are untrusted input to the query.
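The following is an added example, not code from the integration or from Google or SolarWinds, of how the query-building rules described above (no SELECT *, no WHERE in the base query, Max Results To Return, one condition per entity joined with OR) can be implemented so that the entity identifiers are bound as SWIS query parameters instead of being pasted into the SWQL text; it covers both the Execute Query and the Execute Entity Query actions. The SWIS REST path /SolarWinds/InformationService/v3/Json/Query, its JSON body with @name parameters, HTTP Basic authentication and SWQL's SELECT TOP n are real OrionSDK behaviour; the function names, the account name orion_ro, the address 10.0.0.5:17778, the file orion-ca.pem and SAMPLE_REPLY are constructed for the example. Whether the shipped integration parameterizes entity values is not stated on this page.

```python
"""Added example: build a parameterized SWQL request for the SWIS REST API.

Real: the SWIS path, {"query","parameters"} body with @name placeholders,
HTTP Basic auth, SELECT TOP n. Constructed: all names and sample data below.
"""
import base64
import json
import re
import ssl
import urllib.request
from typing import Dict, Iterable, List

SWIS_QUERY_PATH = "/SolarWinds/InformationService/v3/Json/Query"

# "IP Entity Key" / "Hostname Entity Key" are column names from configuration;
# restrict them to identifier characters so a key cannot carry operators or
# extra clauses into the generated WHERE.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


def validate_base_query(query: str) -> List[str]:
    """Return the reasons a base query cannot be extended (empty list = OK)."""
    problems = []
    if not re.match(r"\s*SELECT\s+", query, re.IGNORECASE):
        problems.append("base query must start with SELECT")
    if re.match(r"\s*SELECT\s+TOP\b", query, re.IGNORECASE):
        problems.append("base query must not use TOP; Max Results To Return adds it")
    if re.search(r"\bWHERE\b", query, re.IGNORECASE):
        problems.append("base query must not contain a WHERE clause")
    if re.search(r"SELECT\s+\*", query, re.IGNORECASE):
        problems.append("SWQL does not support SELECT *; list the columns")
    if ";" in query:
        problems.append("only a single statement is allowed")
    return problems


def build_entity_query(base_query: str, ips: Iterable[str], hosts: Iterable[str],
                       ip_key: str = "IpAddress", host_key: str = "Hostname",
                       max_results: int = 100) -> Dict[str, object]:
    """Return the SWIS JSON body {"query": ..., "parameters": {...}}.

    Entity identifiers are bound to @ipN / @hostN parameters rather than
    spliced into the SWQL text, so a hostname like  DC001' OR 1=1  stays data.
    """
    problems = validate_base_query(base_query)
    if problems:
        raise ValueError("; ".join(problems))
    for key in (ip_key, host_key):
        if not _IDENT_RE.match(key):
            raise ValueError(f"invalid column name: {key!r}")
    ips, hosts = list(ips), list(hosts)
    if not ips and not hosts:
        # Same outcome as the action's "No entities were found in the scope."
        raise ValueError("No entities were found in the scope.")

    params: Dict[str, str] = {}
    conditions = []
    for i, ip in enumerate(ips):
        params[f"ip{i}"] = ip
        conditions.append(f"{ip_key}=@ip{i}")
    for i, host in enumerate(hosts):
        params[f"host{i}"] = host
        conditions.append(f"{host_key}=@host{i}")

    # SWQL caps result sets with TOP n directly after SELECT (there is no LIMIT).
    select_len = re.match(r"\s*SELECT\s+", base_query, re.IGNORECASE).end()
    query = f"SELECT TOP {int(max_results)} {base_query[select_len:].strip()}"
    query += " WHERE " + " OR ".join(conditions)
    return {"query": query, "parameters": params}


def swis_request(address: str, username: str, password: str,
                 body: Dict[str, object]) -> urllib.request.Request:
    """Build (but do not send) the authenticated HTTPS POST to SWIS.
    `address` is the integration's "IP Address" value, e.g. "10.0.0.5:17778"."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        url=f"https://{address}{SWIS_QUERY_PATH}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )


def swis_tls_context(cafile: str) -> ssl.SSLContext:
    """What "Verify SSL" should mean in practice: Orion ships a self-signed
    certificate, so trust the exported server/CA certificate instead of
    disabling verification (the Basic credentials travel in every request)."""
    return ssl.create_default_context(cafile=cafile)


def parse_results(raw: bytes) -> List[dict]:
    """Extract the rows from a SWIS reply, which has the shape {"results": [...]}."""
    payload = json.loads(raw)
    if not isinstance(payload.get("results"), list):
        raise ValueError("unexpected SWIS response: no 'results' list")
    return payload["results"]


# Constructed sample reply in the same shape as the page's JSON Result.
SAMPLE_REPLY = (b'{"results": [{"IpAddress": "172.30.203.130", '
                b'"DisplayName": "DC001", "SystemUpTime": 76135.1171875}]}')

if __name__ == "__main__":
    body = build_entity_query("SELECT IpAddress, DisplayName, SystemUpTime FROM Orion.Nodes",
                              ips=["172.30.203.130"], hosts=["DC001' OR 1=1"],
                              host_key="DisplayName")
    print(json.dumps(body, indent=2))
    req = swis_request("10.0.0.5:17778", "orion_ro", "secret", body)
    print(req.get_method(), req.full_url)
    # Live call: urllib.request.urlopen(req, context=swis_tls_context("orion-ca.pem"))
    print(parse_results(SAMPLE_REPLY))
```

Run as-is, the script works offline: it prints the generated body (the injected hostname appears only inside "parameters", never in "query"), the request that would be sent, and the rows parsed from the constructed reply. Replace the commented urlopen line with a real call, pointing the TLS context at the exported Orion certificate, to query a live server.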

Table Schema Documentation

http://solarwinds.github.io/OrionSDK/2020.2/schema/Orion.Nodes.html

Parameters

Parameter Display Name | Type    | Default Value | Is Mandatory | Description
Query                  | String  | N/A           | Yes          | Specify the query to execute. Note: SolarWinds (SWQL) queries don't support "SELECT *", and the query must not contain a WHERE clause, because the action adds one. See "How to work with action parameters" above for details.
IP Entity Key          | String  | IpAddress     | No           | Specify which column IP entities are compared against in the WHERE clause of the query (default: IpAddress). See "How to work with action parameters" above for details.
Hostname Entity Key    | String  | Hostname      | No           | Specify which column Hostname entities are compared against in the WHERE clause of the query (default: Hostname). See "How to work with action parameters" above for details.
Max Results To Return  | Integer | 100           | No           | Specify how many results should be returned.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "results": [
        {
            "DisplayName": "orion"
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the response status code is not 400 (is_success = true):

Print "Successfully executed query and retrieved results from SolarWinds Orion".

If the response status code is 400 (is_success = false):

Print "Action wasn't able to successfully execute query and retrieve results from SolarWinds Orion. Reason: {0}".format(message)

If there are no entities in the scope (is_success = false):

Print "No entities were found in the scope."

The action should fail and stop a playbook execution:
If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action \"Execute Entity Query\". Reason: {0}".format(error.Stacktrace)

General
Case Wall Table

Table Name: "Results"

All of the columns from the response will be used as table columns.

General

Enrich Endpoint

Description

Fetch an endpoint's system information from Orion.Nodes by its hostname or IP address.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Entity Enrichment

For entity enrichment, every field from the response is used, with the prefix SLRW_ORION_.

For example, SLRW_ORION_CPULoad is mapped from CPULoad.

JSON Result
{
    "results": [
        {
            "IpAddress": "172.30.203.130",
            "DisplayName": "orion",
            "NodeDescription": "Hardware: Intel64 Family 6 Model 63 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 10.0 (Build 17763 Multiprocessor Free)",
            "ObjectSubType": "Agent",
            "Description": "Windows 2019 Server",
            "SysName": "ORION",
            "Caption": "orion",
            "DNS": "orion",
            "Contact": "",
            "Status": 1,
            "StatusDescription": "Node status is Up.",
            "IOSImage": "",
            "IOSVersion": "10.0 (Build 17763 Multiprocessor Free)",
            "GroupStatus": "Up.gif                                  ",
            "LastBoot": "2020-10-26T11:06:00.0000000",
            "SystemUpTime": 76135.1171875,
            "AvgResponseTime": 4,
            "CPULoad": 0,
            "PercentMemoryUsed": 76,
            "MemoryAvailable": 3.08503347E+09,
            "Severity": 0,
            "Category": 2,
            "EntityType": "Orion.Nodes",
            "IsServer": true,
            "IsOrionServer": false
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities was enriched (is_success = true):

Print "Successfully enriched the following endpoints from SolarWinds Orion: \n {0}".format(entity.identifier list)

If specific entities could not be enriched (is_success = true):

Print "Action was not able to enrich the following endpoints from SolarWinds Orion: \n {0}".format([entity.identifier])

If enrichment fails for all entities (is_success = false):

Print "No entities were enriched."

The action should fail and stop a playbook execution:
If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action \"Enrich Endpoint\". Reason: {0}".format(error.Stacktrace)

General