Symantec Blue Coat ProxySG

Integration version: 4.0

Configure Symantec Blue Coat ProxySG integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
SSH Root String {ip address}:22 Yes SSH root of the Blue Coat ProxySG instance.
Username String N/A Yes Username of the Blue Coat ProxySG SSH account.
Password Password N/A Yes Base64 encoded CA certificate file.

Use Cases

  1. Enrich entities.
  2. Block entities.

Actions

Ping

Description

Test connectivity to Broadcom Symantec ProxySG with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Broadcom Symantec ProxySG server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the Broadcom Symantec ProxySG server! Error is {0}".format(exception.stacktrace)"

General

Enrich Entities

Description

Enrich entities using information from Broadcom Symantec ProxySG. Supported entities: Hostname, IP Address, and URL.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Create Insight Checkbox Checked No If enabled, the action creates an insight containing all of the retrieved information about the entity.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • URL

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
    "raw_output": "{raw output from the console}",

    "categories": {
        "Policy": "none",
        "Blue Coat": "none",
        "IWF": "none",
        "Local": "unavailable",
        "Proventia": "unavailable"
    },
    "category_group": {
        "Blue_Coat": "none"
    },
    "risk level": 1,
    "Country": "Unavailable",
    "Official Host Name": "twitter.com",
    "Resolved Addresses": [
        "104.244.42.1",
        "104.244.42.65"
    ],
    "Cache TTL": "1231, cache HIT",
    "DNS Resolver Response": "Success"
}
Entity Enrichment
  • Enrichment Table for URL - Prefix BCProxySG_

    Enrichment Field Name Source (JSON Key) Logic - When to apply
    risk_level {risk_level} When available in JSON
    category_{categories.keys}

    {categories/values} one key

    Note: One value as entry.

    When available in JSON
    category_group_{category_group.keys} {category_group/values} When available in JSON
  • Enrichment Table for IP Address - Prefix BCProxySG_

    Enrichment Field Name Source (JSON Key) Logic - When to apply
    country {country} When available in JSON
  • Enrichment Table for Hostname - Prefix BCProxySG_

    Enrichment Field Name Source (JSON Key) Logic - When to apply
    official_hostname {Official Host Name} When available in JSON
    resolved_addresses CSV of "Resolved Addresses" When available in JSON
    cache_ttl Cache TTL When available in JSON
Insights

N/A

Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Blue Coat ProxySG: {entity.identifier}."

If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Blue Coat ProxySG: {entity.identifier}"

If data is not available for all entities (is_success=false): "None of the provided entities were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Title: {entity.identifier}

Table Columns:

  • Key
  • Value
Entity

Block Entities

Description

Block entities using Broadcom Symantec ProxySG. Supported entities: IP Address.

Parameters

N/A

Run On

The action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
    "raw_output": "raw"
        "status": {success/failure}
}
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success=true): "Successfully blocked the following entities in Broadcom Symantec ProxySG: {entity.identifier}."

If data is not available for one entity (is_success=true): "Action wasn't able to block the following entities in Blue Coat ProxySG: {entity.identifier}."

If data is not available for all entities (is_success=false): "None of the provided entities were blocked."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General