REST APIs for third-party integration with Security Operations
The Security Operations base system includes a series of scripted REST APIs that allow customers and partners to easily integrate with an existing Security Operations deployment. The APIs allow you to gather data from outside of your system (for example, a Python script is used to receive data from VirusTotal) and send it back to your instance.
Scripts written in almost any language (Python, for example) can be used with the APIs to
perform customer-specific processes. The scripts must be written in a language able to make an
outside-facing HTTP Post call. For example, if you have a Java application, you must use a
library, such as the java.net.HttpUrlConnection package, to construct an HTTP
call and pass in a JSON string as Body for the message.
The API is solely used to add data that was gathered outside of our system. For example, if you entered VT python script and received data from VT, you could send that data back to the SN instance.
Authentication
All operations within the API definitions use platform authentication provided by the Scripted REST APIs operation feature. To access, navigate to and locate the SecOps Integration Capabilities API.
The user and the user’s domain are readily available within the context of the API. Records can be tied to a user, an audit path to be established, and domain separation accomplished. Also, since you are authenticated as a specific user, you can use Using GlideRecordSecure to prevent any unauthorized access to data.
Authorization
To protect the record creation process from users outside of the Security Operations application, you must have the sn_sec_cmn.api_write role. Only users with this role can access the APIs.
Configuration request parameters
| Name | Default | Description |
|---|---|---|
| ignore_mandatory_fields | false | If set to true, the record persists even if mandatory fields are not filled in. |
| include_wrap | false | If set to true, the response includes the instance-provided standard wrapper for Scripted REST APIs. |
| simple_response | false | If set to true, the response includes only whether the operation was successful. |
Error responses
| Error message | When does it occur? | Solution |
|---|---|---|
| Insufficient access | User does not have the sn_sec_cmn.api_write role. | Add the role to the user. |
| Invalid post body | Request body is empty or an empty object. | Conform to the API definition. |
| No fields supplied | Data fields provided to persist are empty. | Conform to the API definition. |
| Mandatory fields missing: x,y,z | Mandatory fields are missing. | Conform to the table definition of the target table or set ignore_mandatory_fields to true. |
| Unable to persist record | Unable to persist parsed record. | GlideRecord insert() failed, further analysis is required. |
| Unknown error | Occurs if no known error path has been followed. | Further analysis is required. |
CI enrichment use case
Using your third-party scripts, you can write to the Configuration Item Enrichment [sn_sec_cmn_ci_enrichment_result] table for CI enrichment. The enrichment records are based on existing capabilities that provide detailed information about a record from a third-party source.
Sample request and responses for the CI enrichment use case are shown here.
Observable enrichment use case
Using your third-party scripts, you can write to the Observable Enrichment Result
[sn_ti_observable_enrichment_result] table for observable enrichment. The
enrichment records are based on existing capabilities that provide detailed information
about a record from a third-party source.
Sample request and responses for the observable enrichment use case are shown here.
Threat lookup use case
Using your third-party scripts, you can write to the Threat Lookup Result [sn_ti_lookup_result] table for threat lookup results. The lookup records are based on existing capabilities that provide detailed information about a record from a third-party source.
Sample request and responses for the threat lookup use case are shown here.