Symantec Blue Coat ProxySG

Integration version: 3.0

Configure Symantec Blue Coat ProxySG integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
SSH Root	String	{ip address}:22	Yes	SSH root of the Blue Coat ProxySG instance.
Username	String	N/A	Yes	Username of the Blue Coat ProxySG SSH account.
Password	Password	N/A	Yes	Base64 encoded CA certificate file.

Use Cases

Enrich entities.
Block entities.

Actions

Ping

Description

Test connectivity to Broadcom Symantec ProxySG with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

N/A

Entity Enrichment

N/A

Insights

N/A

Case Wall

Result type	Value/Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Broadcom Symantec ProxySG server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Broadcom Symantec ProxySG server! Error is {0}".format(exception.stacktrace)"	General

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Broadcom Symantec ProxySG server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the Broadcom Symantec ProxySG server! Error is {0}".format(exception.stacktrace)"

General

Enrich Entities

Description

Enrich entities using information from Broadcom Symantec ProxySG. Supported entities: Hostname, IP Address, and URL.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Create Insight	Checkbox	Checked	No	If enabled, the action creates an insight containing all of the retrieved information about the entity.

Run On

This action runs on the following entities:

Hostname
IP Address
URL

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

{
    "raw_output": "{raw output from the console}",

    "categories": {
        "Policy": "none",
        "Blue Coat": "none",
        "IWF": "none",
        "Local": "unavailable",
        "Proventia": "unavailable"
    },
    "category_group": {
        "Blue_Coat": "none"
    },
    "risk level": 1,
    "Country": "Unavailable",
    "Official Host Name": "twitter.com",
    "Resolved Addresses": [
        "104.244.42.1",
        "104.244.42.65"
    ],
    "Cache TTL": "1231, cache HIT",
    "DNS Resolver Response": "Success"
}

Entity Enrichment

Enrichment Table for URL - Prefix BCProxySG_

Enrichment Field Name	Source (JSON Key)	Logic - When to apply
risk_level	{risk_level}	When available in JSON
category_{categories.keys}	{categories/values} one key Note: One value as entry.	When available in JSON
category_group_{category_group.keys}	{category_group/values}	When available in JSON

Enrichment Field Name

Source (JSON Key)

Logic - When to apply

risk_level

{risk_level}

When available in JSON

category_{categories.keys}

{categories/values} one key

Note: One value as entry.

When available in JSON

category_group_{category_group.keys}

{category_group/values}

When available in JSON

Enrichment Table for IP Address - Prefix BCProxySG_

Enrichment Field Name Source (JSON Key) Logic - When to apply

country {country} When available in JSON

Enrichment Field Name	Source (JSON Key)	Logic - When to apply
country	{country}	When available in JSON

Enrichment Table for Hostname - Prefix BCProxySG_

Enrichment Field Name	Source (JSON Key)	Logic - When to apply
official_hostname	{Official Host Name}	When available in JSON
resolved_addresses	CSV of "Resolved Addresses"	When available in JSON
cache_ttl	Cache TTL	When available in JSON

Insights

N/A

Case Wall

Result type	Value/Description	Type
Output message*	The action should not fail nor stop a playbook execution: If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Blue Coat ProxySG: {entity.identifier}." If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Blue Coat ProxySG: {entity.identifier}" If data is not available for all entities (is_success=false): "None of the provided entities were enriched." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)	General
Case Wall Table	Table Title: {entity.identifier} Table Columns: Key Value	Entity

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Blue Coat ProxySG: {entity.identifier}."

If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Blue Coat ProxySG: {entity.identifier}"

If data is not available for all entities (is_success=false): "None of the provided entities were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General

Case Wall Table

Table Title: {entity.identifier}

Table Columns:

Key
Value

Entity

Block Entities

Description

Block entities using Broadcom Symantec ProxySG. Supported entities: IP Address.

Parameters

N/A

Run On

The action runs on the IP Address entity.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

{
    "raw_output": "raw"
        "status": {success/failure}
}

Entity Enrichment

N/A

Insights

N/A

Case Wall

Result type	Value/Description	Type
Output message*	The action should not fail nor stop a playbook execution: If data is available for one entity (is_success=true): "Successfully blocked the following entities in Broadcom Symantec ProxySG: {entity.identifier}." If data is not available for one entity (is_success=true): "Action wasn't able to block the following entities in Blue Coat ProxySG: {entity.identifier}." If data is not available for all entities (is_success=false): "None of the provided entities were blocked." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)	General

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success=true): "Successfully blocked the following entities in Broadcom Symantec ProxySG: {entity.identifier}."

If data is not available for one entity (is_success=true): "Action wasn't able to block the following entities in Blue Coat ProxySG: {entity.identifier}."

If data is not available for all entities (is_success=false): "None of the provided entities were blocked."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General