Axonius

Integration version: 4.0

Use Cases

Perform enrichment actions.

Configure Axonius integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String https://{root} Yes Axonius API root
API Key String N/A Yes Axonius API Key
API Secret Password N/A Yes Axonius API Secret
Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Axonius server is valid.

Actions

Ping

Description

Test connectivity to Axonius with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run On

The action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Axonius server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the Axonius server! Error is {0}".format(exception.stacktrace)

General

Enrich Entities

Description

Enrich entities using information from Axonius. Supported entities: Hostname, IP, Mac Address, User, Email Addresses (User entities that match email regex).

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Create Endpoint Insight Checkbox True No If enabled, action will create an insight containing information about the endpoints.
Create User Insight Checkbox True No If enabled, action will create an insight containing information about the user.
Max Notes To Return Integer 50 No Specify how many notes to show in the case wall table.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • Mac Address
  • User
  • Email

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True

JSON Result - for Endpoint:

{
    "adapters": [
        {
            "accurate_for_datetime": "Sun, 21 Mar 2021 03:44:19 GMT",
            "client_used": "xxxxxxxxx_xxxx\\axoniusSvc",
            "raw": {
                "ad_distinguished_name": "CN=DESKTOP-xxxxxxx,OU=Computers,DC=demo,DC=local",
                "ad_object_class": [
                    "top",
                    "person",
                    "organizationalperson",
                    "user",
                    "computer"
                ],
                "ad_sAMAccountName": "",
                "ad_site_location": "Richmond",
                "ad_site_name": "",
                "device_disabled": false,
                "device_managed_by": "William Saari",
                "domain": "xxxx.xxxxx",
                "hostname": "xxxxx-xxxxxx-xxxxx-xxx",
                "id": "CN=xxxxxx-xxxxxxx,OU=Computers,DC=demo,DC=local",
                "last_seen": "Tue, 16 Mar 2021 19:44:05 GMT",
                "name": "xxxxxxx-xxxxxxxx",
                "network_interfaces": [
                    {
                        "ips": [
                            "xx.xxx.xxx.xx"
                        ],
                        "ips_raw": [
                            xxxxxxxx
                        ],
                        "ips_v4": [
                            "xx.x.x.xx"
                        ],
                        "ips_v4_raw": [
                            xxxxxxxx
                        ]
                    }
                ],
                "os": {
                    "bitness": 64,
                    "distribution": "10",
                    "is_windows_server": false,
                    "os_str": "windows 10 pro 64-bit",
                    "type": "Windows",
                    "type_distribution": "Windows 10"
                },
                "part_of_domain": true
            },
            "plugin_name": "",
            "plugin_type": "Adapter",
            "plugin_unique_name": "",
            "quick_id": "active_directory_adapter_0!CN=xxxxxx-xxxxxxx,OU=xxxxxx,DC=xxxxx,DC=xxxxx",
            "type": "entitydata"
        },
        {
            "accurate_for_datetime": "Sun, 21 Mar 2021 03:43:52 GMT",
            "client_used": "https://xxxxx.xxxx.xxxx",
            "raw": {
                "hostname": "xxxxxx-xxxxxx",
                "id": "xxxxx-xx.x.x.xx",
                "last_seen": "Sun, 21 Mar 2021 01:50:28 GMT",
                "name": "xxxxxxxx-xxxxxxxx",
                "network_id": "xxxxx.xxxx",
                "network_interfaces": [
                    {
                        "ips": [
                            "xx.x.xxx.xx"
                        ],
                        "ips_raw": [
                            xxxxxxxx
                        ],
                        "ips_v4": [
                            "xx.x.xxx.xx"
                        ],
                        "ips_v4_raw": [
                            xxxxxxxx
                        ],
                        "mac": "xx:xx:xx:xx",
                        "manufacturer": "(Intel Corporate)"
                    }
                ]
            },
            "plugin_name": "xxxxxx_xxxxxx_xxxxxx",
            "plugin_type": "Adapter",
            "plugin_unique_name": "xxxx_xxxxx_xxxxx_xxx",
            "quick_id": "xxxxx_xxxxx_xxxxx_x!xxxxxx-xx.x.xxx.xx",
            "type": "entitydata"
        }
    ],
"Notes": [],
    "internal_axon_id": "",
    "labels": []
}

JSON Result - for Users:

{
    "adapters": [
        {
            "accurate_for_datetime": "Sun, 21 Mar 2021 03:45:01 GMT",
            "client_used": "demo.local_DEMO\\axoniusSvc",
            "raw": {
                "account_disabled": false,
                "ad_display_name": "",
                "ad_distinguished_name": "CN=xxxxx.xxxxx,CN=xxxxx,DC=xxxx,DC=xxxxx",
                "ad_sid": "S-1-5-21-70119-3234025",
                "ad_uac_dont_expire_password": false,
                "ad_uac_password_not_required": false,
                "display_name": "",
                "domain": "xxxx.xxxxx",
                "employee_id": "xxxxxx",
                "first_name": "xxxxx",
                "id": "CN=xxxx.xxxxx,CN=xxxxxx,DC=xxxxx,DC=xxxxx",
                "is_admin": false,
                "is_local": false,
                "is_locked": false,
                "last_name": "xxxxxx",
                "last_password_change": "Wed, 17 Mar 2021 09:12:11 GMT",
                "last_seen": "Thu, 18 Mar 2021 09:25:08 GMT",
                "mail": "xxxxx.xxxxxx@xxxxx.xxxxx",
                "password_never_expires": false,
                "password_not_required": false,
                "user_city": "Boston",
                "user_telephone_number": "+x-xxx-xxxx-xxxx",
                "username": "xxxx.xxxxx@xxxxx.xxxxx"
            },
            "user_city": "Boston",
            "user_telephone_number": "+x-xxx-xxxx-xxx",
            "username": "xxxx.xxxxx@xxxx.xxxx",
            "plugin_name": "active_directory_adapter",
            "plugin_type": "Adapter",
            "plugin_unique_name": "active_directory_adapter_0",
            "quick_id": "active_directory_adapter_0!CN=xxxxx.xxxxx,CN=xxxxx,DC=xxxx,DC=xxxxx",
            "type": "entitydata"
        }
    ],
"Notes": [],
    "internal_axon_id": "",
    "labels": []
}

Entity Enrichment - for Endpoints:

Enrichment Field Name Logic - When to apply
object_classes When available in JSON
site_name When available in JSON
device_disabled When available in JSON
device_managed_by When available in JSON
hostname When available in JSON
ad_distinguished_name When available in JSON
asset_name When available in JSON
ips When available in JSON
os When available in JSON
id When available in JSON
link When available in JSON

Entity Enrichment - for Users:

Enrichment Field Name Logic - When to apply
account_disabled When available in JSON
ad_display_name When available in JSON
ad_distinguished_name When available in JSON
ad_sid When available in JSON
employee_id When available in JSON
is_admin When available in JSON
is_local When available in JSON
is_locked When available in JSON
mail When available in JSON
user_telephone_number When available in JSON
id When available in JSON
link When available in JSON
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If enriched some(is_success = true): "Successfully enriched the following entities using Axonius:\n".format(entity.identifier)

If didn't enrich some (is_success = true): "Action wasn't able to enriche the following entities using Axonius:\n".format(entity.identifier)<

If didn't enrich all (is_success = false): "No entities were enriched".

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General
Entity Table Entity

Case Wall Table

(if attributes/data/data list has values)

Name: {entity.identifier}: Notes

Column:

  • Username
  • Note
  • Time
General

Add Note

Description

Add a note to entities in Axonius. Supported entities: Hostname, IP, Mac Address, User, Email Addresses (User entities that match email regex).

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Note String N/A Yes Specify what note needs to be added.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • Mac Address
  • User
  • Email Address

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True

JSON Result

{
    "data": {
        "attributes": {
            "accurate_for_datetime": "2021-03-21T15:55:10.876568+00:00",
            "note": "qqweqwen",
            "user_id": "",
            "user_name": "internal/apixxxxx",
            "uuid": ""
        },
        "type": "notes_details_schema"
    }
}
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If at least success for one(is_success = true): "Successfully added note to the following entities in Axonius: {0}".format(entities)

If at least fail for one(is_success = true): "Action wasn't able to add a note to the following entities in Axonius: {0}".format(entities)

If fail for all (is_success = false): "Note wasn't added to the provided entities.".

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other: "Error executing action "Add Note". Reason: {0}''.format(error.Stacktrace)

General

Add Tags

Description

Add tags to entities in Axonius. Supported entities: Hostname, IP, Mac Address, User, Email Addresses (User entities that match email regex).

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Tags CSV Yes Specify a comma-separated list of tags that need to be added to the entities.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • Mac Address
  • User
  • Email Address

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If at least success for one(is_success = true): "Successfully added tags to the following entities in Axonius: {0}".format(entities)

If at least fail for one(is_success = true): "Action wasn't able to add tags to the following entities in Axonius: {0}".format(entities)

If fail for all (is_success = false): "Tags weren't added to the provided entities.".

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Add Tags". Reason: {0}''.format(error.Stacktrace)

General

Remove Tags

Description

Remove tags from entities in Axonius. Supported entities: Hostname, IP, Mac Address, User, Email Addresses (User entities that match email regex).

Parameters
Parameter Display Name Type Default Value Is Mandatory Description
Tags CSV Yes Specify a comma-separated list of tags that need to be removed from the entities.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • Mac Address
  • User
  • Email Address

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If at least success for one(is_success = true): "Successfully removed tags from the following entities in Axonius: {0}".format(entities)

if at least fail for one(is_success = true): "Action wasn't able to remove tags from the following entities in Axonius: {0}".format(entities)

If fail for all (is_success = false): "Tags weren't removed from the provided entities.".

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Remove Tags". Reason: {0}''.format(error.Stacktrace)

General