SolarWinds Orion

Integration version: 4.0

Use Cases

Perform active actions - execute SQL queries to get more information about the endpoint.

Configure SolarWinds Orion integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
IP Address String x.x.x.x:17778 Yes IP address of the SolarWinds Orion instance.
Username String N/A Yes Username of the SolarWinds Orion account.
Password Password N/A Yes Password of the SolarWinds Orion account.
Verify SSL Checkbox Unchecked No If enabled, verify the SSL certificate for the connection to the SolarWinds Orion server is valid.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

‌Test connectivity to the SolarWinds Orion with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run On

This action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_succeed:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful:

Print "Successfully connected to the SolarWinds Orion server with the provided connection parameters!"

The action should fail and stop a playbook execution:
If not successful:

Print "Failed to connect to the SolarWinds Orion server! Error is {0}".format(exception.stacktrace)

General

Execute Query

Description‌

Execute query in SolarWinds Orion.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Query String N/A Yes Specify the query that needs to be executed. Note: SolarWind queries don't support "*" notation.
Max Results To Return Integer 100 No Specify how many results should be returned.

Run On

This action doesn't run on entities, nor has mandatory input parameters.

‌Action Results

Script Result
Script Result Name Value Options Example
is_succeed True/False is_succeed:False
JSON Result
{
    "results": [
        {
            "DisplayName": "orion"
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If not status code 400 (is_success = true):

Print "Successfully executed query and retrieved results from SolarWinds Orion".

If status code 400 (is_success = false):

Print "Action wasn't able to successfully execute query and retrieve results from SolarWinds Orion. Reason: {0}".format(message)

The action should fail and stop a playbook execution:
If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Execute Query". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Name: "Results"

All of the columns from the response will be used as table columns.

General

Execute Entity Query

Description

Execute query in SolarWinds Orion based on the IP and Hostname entities.

How to work with action parameters

This action gives an ability to easily retrieve information about the endpoints based on the IP and Hostname entities.

Imagine a situation where you want to retrieve the uptime of the endpoints. First endpoint has IP '172.30.230.130' and the second endpoint has hostname 'DC001'. In this case our query would need to look like this:

SELECT IpAddress, DisplayName, SystemUpTime FROM Orion.Nodes WHERE IpAddress='172.30.203.130' OR DisplayName='DC001'

In order to create the same query using "Execute Entity Query" action, you need to fill out the action parameters in the following way:

Query SELECT IpAddress, DisplayName, SystemUpTime FROM Orion.Nodes
IP Entity Key IpAddress
Hostname Entity Key DisplayName

WHERE clause will be prepared automatically.

Table Schema Documentation

http://solarwinds.github.io/OrionSDK/2020.2/schema/Orion.Nodes.html

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Query String N/A Yes Specify the query that needs to be executed. Note: SolarWind queries don't support "*" notation and you shouldn't have a WHERE clause in the query, because it is added by the action. Please refer to the action documentation for details.
IP Entity Key String IpAddress No

Specify what key should be used with IP entities in the WHERE clause of the query. Please refer to the action documentation for details. Default:

IpAddress

Hostname Entity Key String Hostname No

Specify what key should be used with Hostname entities in the WHERE clause of the query. Please refer to the action documentation for details. Default:

Hostname

Max Results To Return Integer 100 No Specify how many results should be returned.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "results": [
        {
            "DisplayName": "orion"
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If not status code 400 (is_success = true):

Print "Successfully executed query and retrieved results from SolarWinds Orion".

If status code 400 (is_success = false):

Print "Action wasn't able to successfully execute query and retrieve results from SolarWinds Orion. Reason: {0}".format(message)

If no entities in the scope (is_success = false)

Print "No entities were found in the scope."

The action should fail and stop a playbook execution:
If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Execute Entity Query". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Name: "Results"

All of the columns from the response will be used as table columns.

General

Enrich Endpoint

Description

Fetch endpoint's system information by its hostname or IP address.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Entity Enrichment

For entity enrichment, every field from the response will be used. The prefix will be SLRWORION

For example, SLRW_ORION_CPULoad is mapped from CPULoad

JSON Result
{
    "results": [
        {
            "IpAddress": "172.30.203.130",
            "DisplayName": "orion",
            "NodeDescription": "Hardware: Intel64 Family 6 Model 63 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 10.0 (Build 17763 Multiprocessor Free)",
            "ObjectSubType": "Agent",
            "Description": "Windows 2019 Server",
            "SysName": "ORION",
            "Caption": "orion",
            "DNS": "orion",
            "Contact": "",
            "Status": 1,
            "StatusDescription": "Node status is Up.",
            "IOSImage": "",
            "IOSVersion": "10.0 (Build 17763 Multiprocessor Free)",
            "GroupStatus": "Up.gif                                  ",
            "LastBoot": "2020-10-26T11:06:00.0000000",
            "SystemUpTime": 76135.1171875,
            "AvgResponseTime": 4,
            "CPULoad": 0,
            "PercentMemoryUsed": 76,
            "MemoryAvailable": 3.08503347E+09,
            "Severity": 0,
            "Category": 2,
            "EntityType": "Orion.Nodes",
            "IsServer": true,
            "IsOrionServer": false
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities were enriched (is_success = true):

Print "Successfully enriched the following endpoints from SolarWinds Orion: \n {0}".format(entity.identifier list)

If fail to enrich specific entities(is_success = true):

Print "Action was not able to enrich the following endpoints from SolarWinds Orion \n: {0}".format([entity.identifier])

If fail to enrich for all entities (is_success = false):

Print "No entities were enriched."

The action should fail and stop a playbook execution:
If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Enrich Endpoint". Reason: {0}''.format(error.Stacktrace)

General