Automox

Integration version: 3.0

Configure Automox integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String https://#123;#123;api_root#125;#125; Yes API root of the Automox instance.
API Key Password N/A No API key of the Automox instance.
Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Automox is valid.

How to generate API key

For more information on how to generate an API key, see the Find your API key in the console step available within the Newbie's Guide to Getting Started with Automox API document.

Actions

Enrich Entities

Description

Enrich entities using information from Automox.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Return Patches Checkbox Checked No

If enabled, the action returns a list of patches that need to be updated on the machine.

Note: The action doesn't return patches that were installed or the ones that are currently ignored.

Max Patches To Return Integer 50 No Specify the number of patches to return. If nothing is provided, the action returns 50 patches.

Run on

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script result name Value options Example
is_success True/False is_success=False
JSON Result
{
    "id": 2263017,
    "agent_version": "1.41.125",
    "commands": [],
    "compatibility_checks": {
        "missing_wmi_integrity_check": false,
        "missing_powershell": false,
        "low_diskspace": false
    },
    "compliant": true,
    "connected": false,
    "create_time": "2022-10-24T09:14:12+0000",
    "custom_name": "",
    "deleted": false,
    "detail": {
        "IPS": [
            "172.30.201.176",
            "fe80::c1a:ab8:f8c2:f83f"
        ],
        "UPDATE_SOURCE_CHECK": {
            "CONNECTED": "True",
            "ERROR": "Succeeded"
        },
        "MDM_SERVER": null,
        "FQDNS": [
            "DESKTOP-65M05SE.WORKGROUP"
        ],
        "RAM": "8589934592",
        "SECURE_TOKEN_ACCOUNT": null,
        "LAST_USER_LOGON": {
            "SRC": "DESKTOP-65M05SE",
            "USER": "DESKTOP-65M05SE\\Admin",
            "TIME": "10/24/2022 2:59:45 AM"
        },
        "VOLUME": [
            {
                "IS_SYSTEM_DISK": "True",
                "VOLUME": "C:",
                "FSTYPE": "NTFS",
                "LABEL": "Local Disk",
                "AVAIL": "63766056960",
                "FREE": "39201988608"
            }
        ],
        "DISTINGUISHED_NAME": "",
        "MODEL": "VMware7,1",
        "CPU": "Intel(R) Xeon(R) CPU E5-2698 v3 @ 2.30GHz",
        "MDM_PROFILE_INSTALLED": null,
        "VENDOR": "VMware, Inc.",
        "AUTO_UPDATE_OPTIONS": {
            "OPTIONS": "off",
            "ENABLED": "1"
        },
        "SERVICETAG": "No Asset Tag",
        "PS_VERSION": "5.1.19041.1682",
        "WSUS_CONFIG": {
            "WSUS_REACHABLE": "1",
            "WSUS_MANAGED": "0",
            "WSUS_SERVER": ""
        },
        "SERIAL": "VMware-42 22 84 8f 4f 90 1c 8a-4e e5 ac 32 6d 53 71 1b",
        "NICS": [
            {
                "VENDOR": "Intel(R) 82574L Gigabit Network Connection",
                "DEVICE": "Ethernet0",
                "TYPE": "enet",
                "MAC": "00:50:56:A2:09:02",
                "IPS": [
                    "172.30.201.176",
                    "fe80::c1a:ab8:f8c2:f83f"
                ],
                "CONNECTED": true
            },
            {
                "IPS": [],
                "CONNECTED": false,
                "VENDOR": "WAN Miniport (IP)",
                "DEVICE": "",
                "TYPE": "enet",
                "MAC": "F2:A3:20:52:41:53"
            },
            {
                "VENDOR": "WAN Miniport (IPv6)",
                "DEVICE": "",
                "TYPE": "enet",
                "MAC": "F6:28:20:52:41:53",
                "IPS": [],
                "CONNECTED": false
            },
            {
                "CONNECTED": false,
                "VENDOR": "WAN Miniport (Network Monitor)",
                "DEVICE": "",
                "TYPE": "enet",
                "MAC": "F8:D2:20:52:41:53",
                "IPS": []
            }
        ],
        "WMI_INTEGRITY_CHECK": "True",
        "VERSION": "440BX Desktop Reference Platform",
        "DISKS": [
            {
                "TYPE": "VMware Virtual disk SCSI Disk Device",
                "SIZE": "64420392960"
            }
        ]
    },
    "display_name": "DESKTOP-65M05SE",
    "exception": false,
    "instance_id": "",
    "ip_addrs": [
        "185.180.102.139"
    ],
    "ip_addrs_private": [
        "172.30.201.176",
        "fe80::c1a:ab8:f8c2:f83f"
    ],
    "is_compatible": true,
    "is_delayed_by_notification": false,
    "is_delayed_by_user": false,
    "last_disconnect_time": "2022-10-25T09:19:29+0000",
    "last_logged_in_user": "DESKTOP-65M05SE\\Admin",
    "last_process_time": "2022-10-25T08:19:24+0000",
    "last_refresh_time": "2022-10-25T08:23:48+0000",
    "last_scan_failed": false,
    "last_update_time": "2022-10-25T08:22:14+0000",
    "mdm": null,
    "name": "DESKTOP-65M05SE",
    "needs_attention": false,
    "needs_reboot": false,
    "next_patch_time": null,
    "notification_count": 0,
    "organization_id": 104513,
    "organizational_unit": "",
    "os_family": "Windows",
    "os_name": "10 Enterprise Evaluation",
    "os_version": "10.0.19043",
    "os_version_id": 4876,
    "patch_deferral_count": 0,
    "patches": 1,
    "pending": false,
    "pending_patches": 0,
    "policy_status": [
        {
            "id": 316123693,
            "organization_id": 104513,
            "policy_id": 245687,
            "server_id": 2263017,
            "policy_name": "Apply All Patches",
            "policy_type_name": "patch",
            "status": 1,
            "result": "{}",
            "create_time": "2022-10-25T08:23:48+0000",
            "will_reboot": false,
            "pending_count": 0,
            "next_remediation": null
        }
    ],
    "reboot_deferral_count": 0,
    "reboot_is_delayed_by_notification": false,
    "reboot_is_delayed_by_user": false,
    "reboot_notification_count": 0,
    "refresh_interval": 1440,
    "serial_number": "VMware-42 22 84 8f 4f 90 1c 8a-4e e5 ac 32 6d 53 71 1b",
    "server_group_id": 145150,
    "server_policies": [],
    "status": {
        "device_status": "not-ready",
        "agent_status": "disconnected",
        "policy_status": "compliant",
        "policy_statuses": [
            {
                "id": 245687,
                "compliant": true
            },
            {
                "id": 245688,
                "compliant": true
            }
        ]
    },
    "tags": [
        "Recently Added"
    ],
    "timezone": "UTC-0700",
    "total_count": 1,
    "uptime": "1872",
    "uuid": "822028da-7b53-4a1c-81e5-ea33b930932e",
    "list_of_patches": [
        {
            "id": 2077952013,
            "server_id": 2263017,
            "package_id": 227229243,
            "software_id": 167943,
            "installed": true,
            "ignored": false,
            "group_ignored": false,
            "deferred_until": null,
            "group_deferred_until": null,
            "name": "07609d43-d518-4e77-856e-d1b316d1b8a8",
            "display_name": "MSXML 6.0 RTM Security Update  (925673)",
            "version": "103",
            "repo": "WindowsUpdate",
            "cves": [],
            "cve_score": "9.0",
            "agent_severity": "9.0",
            "severity": "critical",
            "package_version_id": 233355423,
            "os_name": "10 Enterprise Evaluation",
            "os_version": "10.0.19043",
            "os_version_id": 4876,
            "create_time": "2021-06-28T15:45:57+0000",
            "requires_reboot": true,
            "patch_classification_category_id": 8,
            "patch_scope": "important",
            "is_uninstallable": false,
            "secondary_id": null,
            "is_managed": true,
            "impact": 0,
            "organization_id": 104513
        }
    ]

}
Entity Enrichment
Enrichment Field Name Logic - When to apply
id When available in JSON
agent_version When available in JSON
compliant When available in JSON
connected When available in JSON
create_time When available in JSON
custom_name When available in JSON
ip_addrs_private When available in JSON
last_disconnect_time When available in JSON
last_logged_in_user When available in JSON
last_update_time When available in JSON
os When available in JSON
pending_patches When available in JSON
tags When available in JSON
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Automox: {entity.identifier}".

If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Automox: {entity.identifier}"

If data is not available for all entities (is_success=false): "None of the provided entities were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Title: {entity.identifier}

Columns:

  • Key
  • Value
Entity

Execute Device Command

Description

Execute a command on the endpoint in Automox.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Command DDL

Scan Device

Possible Values:

  • Scan Device
  • Install Specific Patches
  • Install All Available Patches
  • Restart Device
No

Specify a command that needs to be executed on the device.

Note: If "Install Specific Patches" is selected, the "Patch Names" parameter is mandatory.

Patch Names CSV N/A No Specify a comma-separated list of patches that need to be installed.

Run on

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script result name Value options Example
is_success True/False is_success=False
JSON Result
{
    "id": 8527028217,
    "server_id": 2263017,
    "command_id": 164850699,
    "organization_id": 104513,
    "args": "ASD",
    "reboot": 0,
    "exec_time": "2022-10-25T08:02:43+0000",
    "response": [
        "0",
        "Installing MS updates: ASD\\r\\nCouldn't find update for ASD, skipping.\\r\\nNothing left to do",
        null
    ],
    "response_time": "2022-10-25T08:22:14+0000",
    "policy_id": null,
    "agent_command_type": 0,
    "command_type_name": "InstallUpdate"
}
{
    "reason": "Device is offline. Please check the connectivity."
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the device is found and it's connected (is_success=true): "Successfully executed command "{Command}" on the following entities in Automox: {entity.identifier}. Please check the JSON result to be sure that the command executed correctly."

If the device is not found or it's connected for one entity (is_success=true): "Action wasn't able to execute command "{Command}" on the following entities in Automox: {entity.identifier}. Please check the spelling and connectivity."

If the device is not found or it's connected for all entities (is_success=false): "No commands were executed on the provided entities. Please check the spelling and connectivity."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Execute Device Command". Reason: {0}''.format(error.Stacktrace)

General

Execute Policy

Description

Execute a policy in Automox.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Remediation Scope DDL

All Devices

Possible values:

  • Only Entities
  • All Devices
No

Specify the remediation scope for the action.

If "Only Entities" is selected, the action executes policies only on the valid entities in the scope.

If "All Devices" is selected, the action executes the policy on all devices in the organization.

Policy Name String N/A No Specify the name of the policy that needs to be executed.

Run on

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script result name Value options Example
is_success True/False is_success=False
JSON Result
{
"status": "done/failure if entity not found"
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If remediated the server and successful for one entity (is_success=true): "Successfully executed policy {Policy} on the following entities in Automox: {entity.identifier}."

If remediated the server and one server is not found (is_success=true): "Action wasn't able to execute policy {Policy} on the following entities in Automox: {entity.identifier}."

If remediated the server and all servers are not found (is_success=false): "No entities were found. Policy {Policy} wasn't executed."

If remediate all servers (is_success=true): "Successfully executed policy {Policy} in Automox."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Execute Policy". Reason: {0}''.format(error.Stacktrace)

If the policy is not found: "Error executing action "Execute Policy". Reason: policy "{policy name}" wasn't found in Automox. Please check the spelling.''

General

List Policies

Description

List available policies in Automox.

Parameters

Parameter Name Type Default Value Is Mandatory Description
Filter Key DDL

Select One

Possible values:

  • Name
  • ID
  • Policy Type Name
  • Status
No Specify the key that needs to be used to filter policy.
Filter Logic DDL

Not Specified

Possible values:

  • Not Specified
  • Equal
  • Contains
No

Specify the filter logic that should be applied.

Filtering logic works based on the value provided in the "Filter Key" parameter.

Filter Value String N/A No

Specify the value that should be used in the filter.

If "Equal" is selected, the action tries to find the exact match among results and if "Contains" is selected, the action tries to find results that contain that substring.

If nothing is provided in this parameter, the filter is not applied.

Filtering logic works based on the value provided in the "Filter Key" parameter.

Max Records To Return Integer 50 No Specify the number of records to return. If nothing is provided, the action returns 50 records.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script result name Value options Example
is_success True/False is_success=False
JSON Result
[
    {
        "id": 245687,
        "name": "Apply All Patches",
        "policy_type_name": "patch",
        "organization_id": 104513,
        "configuration": {
            "auto_patch": false,
            "patch_rule": "all",
            "auto_reboot": false,
            "notify_user": false,
            "include_optional": true,
            "notify_reboot_user": true,
            "missed_patch_window": true,
            "custom_notification_max_delays": 3,
            "custom_notification_deferment_periods": [
                1,
                2,
                4
            ]
        },
        "schedule_days": 254,
        "schedule_weeks_of_month": 62,
        "schedule_months": 8190,
        "schedule_time": "17:00",
        "notes": "",
        "create_time": "2022-10-24T08:44:37+0000",
        "server_groups": [
            145150
        ],
        "server_count": 1,
        "status": "inactive"
    }
]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully found policies for the provided criteria in Automox".

If data is not available (is_success=false): "No policies were found for the provided criteria in Automox."

If the "Filter Value" parameter is empty (is_success=true): "The filter was not applied, because parameter "Filter Value" has an empty value."

If the "Filter Logic" parameter is set to "Not Specified" (is_success=true): "The filter was not applied, because parameter "Filter Logic" is not specified."

The action should fail and stop a playbook execution:

If the "Filter Key" parameter is set "Select One" and the "Filter Logic" is set to "Equal" or "Contains": "Error executing action "{action name}". Reason: you need to select a field from the "Filter Key" parameter."

If an invalid value is provided for the "Max Records to Return" parameter: "Error executing action "{action name}". Reason: "Invalid value was provided for "Max Records to Return": . Positive number should be provided"."

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "List Policies". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table name: Available Policies

Table columns:

  • Name - name
  • Type - policy_type_name
  • ID - id
  • Status - status
  • Notes - notes
General

Ping

Description

Test connectivity to Automox with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

The action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script result name Value options Example
is_success True/False is_success=False
JSON Result
N/A
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Automox server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the Automox server! Error is {0}".format(exception.stacktrace)

General