Skip to content

Panda Security

Panda Security

PandaSecurity, a WatchGuard company, is a cybsersecurity vendor, delivering products designed to protect endpoints against outside threats.

This module provides actions and triggers to interact with the Watchguard Panda Aether platform to act on AD360 and EPP devices

Configuration

Name Type Description
base_url string WatchGuard Cloud base URL (ex. https://api.usa.cloud.watchguard.com)
account_id string Your WatchGuard Cloud account ID
api_key string The API key associated to your Watchguard Cloud account
access_id string The identifier of the access credential used to authorize the requests
access_secret string The secret of the access credential used to authorize the requests
audience string The identifier of the managed account for service provider

Triggers

Fetch Security Events

Fetch the last security events

Arguments

Name Type Description
frequency integer Batch frequency in seconds (default 12h)

Outputs

Name Type Description
events array A list of security events

Actions

Get Security Events

Retrieves a list of security events of the specified type for the specified device for a specific time period.

Arguments

Name Type Description
type integer Type of security event. Specify one of these values:
- 1 — Malware
- 2 — PUPs (Potentially Unwanted Programs)
- 3 — Blocked Programs
- 4 — Exploits
- 5 — Blocked by Advanced Security
- 6 — Virus
- 7 — Spyware
- 8 — Hacking Tools and PUPs detected by Antivirus
- 9 — Phishing
- 10 — Suspicious
- 11 — Dangerous Actions
- 12 — Tracking Cookies
- 13 — Malware URLs
- 14 — Other security event by Antivirus
- 15 — Intrusion Attempts
- 16 — Blocked Connections
- 17 — Blocked Devices
- 18 — Indicators of Attack
Example: 13
period integer Period of time to retrieve security events for. Specify one of these values:
- 1 - Previous 24 hours
- 7 - Previous 7 days
hostname string Host name (base-64 encoded) of the device you want to retrieve security events for.

Outputs

Name Type Description
accessed_data boolean Indicates if data has been accessed.
action integer Indicates the action performed. For Indicators Of Attack:
- 0: Undefined
- 1: Informed
- 2: Attack Blocked.
For other detections:
- 0: Allowed
- 1: Moved Quarantine
- 2: Blocked
- 3: Killed
- 4: Ignored
- 5: Cleaned
- 6: Deleted
- 7: Restored
- 8: Allowed By Whitelist
- 9: Write Blocked
- 10: User Pending
- 11: Uninstalled
- 13: After Process Blocked
- 14: Immediately Blocked
- 15: Allowed By User
- 16: Detected Restart Pending
- 17: Allowed By Administrator
- 18: AllowedSonGwInstaller
- 21: Suspend Process
- 1009: Informed
- 1010: Unquarantine
- 1011: Rename
- 1012: Block URL
alias string Alias name for device control detections.
count integer Number of occurrences in indicators of attack detections.
custom_group_folder_id string Identifier of the custom group folder assigned.
custom_group_folder_info string Hierarchical structure for the assigned group and its subgroups, in JSON format.
date string Date and time of detection.
description string Name of device description in antivirus detections.
detected_by `` Protection or technology in antivirus detections.
- 1: On Demand Scan
- 2: File Resident
- 3: Mail Resident
- 4: Firewall
- 5: Device Control
- 6: Exchange Mailbox
- 7: Exchange Transport
- 8: Exchange Antispam
- 9: Web Protection
- 10: Exchange Content
- 11: Minerva
- 12: Web Access Control
- 13: Anti-theft
- 14: Anti-tampering
- 15: Personal Information Tracking
- 16: Isolation
- 17: Data Search Control
- 18: Patch Management
- 19: Personal Information Inventory
- 20: Application Control
- 21: Encryption USB
- 22: Authorized Software
detection_technology string Name of detection technology in exploit detections.
device_id string Identifier of the device.
device_type `` Device type in antivirus and firewall detections.
- 0: Undefined
- 1: Workstation
- 2: Laptop
- 3: Server
- 4: Mobile
direction `` Direction of firewall blocked connections.
- 1: Incoming
- 2: Outgoing
- 3: Incoming and Outgoing
- 4: Internal
discard_motive `` Reason for discarding the knowledge sample.
- 0: Unknown
- 1: Other Reason
- 2: File Max Size
domain string Domain of device in antivirus detections.
dwell_time integer Dwell time in seconds.
endpoint_event_date string Endpoint event date in indicators of attack detections.
event_id integer Identifier of the event.
event_type `` Indicates the event type.
- 0: Malware
- 1: Exploit
- 2: Pups
- 3: Blocked item
- 6: Lock Plus Advanced Security
- 7: Lock Plus Application Control
- 8: Application Control
excluded boolean Indicates if the element has been excluded in antivirus detection.
exploit_technique string Exploit technique.
file_info_discard string Hash to identify the file in antivirus detections.
filed_date string Filed date in indicators of attack detections.
hash string Hash of element.
host_name string Name of the host.
id string Identifier in antivirus detections.
instance_id string Identifier of instance for device control detections.
ip_address string IP address of the device in antivirus and firewall detections.
is_excluded boolean Indicates if data has been excluded.
item_name string Name of threat.
like_lihood_of_being_malicious `` Indicates the likelihood of being malicious.
- 0: Low
- 1: Medium
- 2: High
- 3: Very High
local_endpoint `` Firewall blocked connections for a local endpoint, in JSON format: Mac Address, IP Address, Port, and IP Type.
- 0: Unknown
- 1: IpV4
- 2: IpV6
lock_plus_rule_id `` LockPlus Rule ID.
- 1: Obfuscated Params Powershell
- 2: User Executed Powershell
- 4: Unknown Scripts
- 5: Locally Built Programs
- 6: Documents With Macros
- 7: Windows Boot Registry
- 101: Forbidden Md5
- 102: Forbidden Program Name
made_external_connections boolean Indicates if malware made external connections.
malware_category `` Malware category in antivirus detections.
- 1: Virus
- 2: Spyware
- 3: HackingPpnd
- 4: Phishing
- 5: Suspicious
- 6: Blocked Operations
- 7: Tracking Cookies
- 8: Malware URL
- 9: Others
malware_name string Malware name in antivirus detections.
malware_type `` Malware type in antivirus detections.
- 21: Nereus Heuritic
- 22: Beta trace Heuritic
- 23: Smart Clean Heuritic
- 24: Cloud Heuritic
- 25: 1N
- 26: Behavioral
- 31: Confirmed Goodware
- 32: Not Confirmed Goodware
- 33: Unwanted Goodware
- 34: Ranked
- 35: Digital Signature
- 101: Virus
- 102: Worm
- 103: Trojan
- 104: TrojanPwdeal
- 105: Dialer
- 106: Joke
- 107: Security Risk
- 108: Spyware
- 109: Adware
- 110: WormFakefrom
- 111: Tracking Cookie
- 112: Pup
- 113: Hacking Tool
- 114: Vulnerability
- 115: Max Size
- 116: ZipOfDeath
- 117: PackerOfDeath
- 118: Hoax
- 119: Phis Fraud
- 120: Rootkit
- 121: Backdoor
- 122: Virus Constructor
- 123: Malicious URL
- 201: Advertising
- 202: Toolbar
- 203: NetTool
- 204: Advert Popup
- 219: Illegal
- 223: Internet Tools
- 227: Offensive
- 236: Society Education
- 241: Content Filter
network_activity_type `` Network activity type in firewall detections.
- 1: IcmpAttack
- 2: UdpPortScan
- 3: HeaderLengths
- 4: UdpFlood
- 5: TcpFlagsCheck
- 6: SmartWins
- 7: IpExplicitPath
- 8: LandAttack
- 9: SmartDns
- 10: IcmpFilterEchoRequest
- 11: OsDetection
- 12: SmartDhcp
- 13: SynFlood
- 14: SmartArp
- 15: TcpPortScan
number_of_occurrences integer Number of occurrences in antivirus detections.
path string Name of threat path.
platform_id `` Platform of affected device.
- 0: Undefined
- 1: Windows
- 2: Linux
- 3: Mac
- 4: Android
- 5: IOS
protection_mode `` Indicates the protection mode.
- 0: Undefined
- 1: Audit
- 2: Hardening
- 3: Lock
protocol `` Protocol of firewall blocked connections.
- 1: Tcp
- 2: Udp
- 3: TcpUdp
- 4: Icmp
- 5: IP
- 6: All
reclassified_to_type `` Indicates the type to which it has been reclassified.
- 0: Blocked
- 1: Malware
- 3: Pup
- 6: Goodware
- 11: Removed From List
remote_endpoint `` Firewall blocked connections for a remote endpoint, in JSON format: Mac Address, IP Address, Port, and IP Type.
- 0: Unknown
- 1: IpV4
- 2: IpV6
risk boolean Indicates if it is a risk exploit.
rule_configuration_id string Identifier of rule configuration in firewall blocked connections.
rule_id string Identifier of rule in firewall blocked connections and in indicators of attack detections.
rule_mitre string Array with JSON pairs of the attack tactic and technique in indicators of attack detections.
rule_name string Rule name for firewall blocked connections and for indicators of attack detections.
rule_obsolete boolean Indicates if rule is obsolete in firewall blocked connections.
rule_risk `` Indicates the rule risk for indicators of attack detections.
- 0: Undefined
- 1: Critical
- 2: High
- 3: Medium
- 4: Low
- 1000: Unknown
security_event_date string Security event date and time for antivirus, firewall, and device control detections.
since_until_filed string Time since the filed date in indicators of attack detections.
site_id string Identifier of the site.
site_name string Site name in antivirus and firewall detections.
source_ip string Name of source IP.
source_machine_name string Name of source device name.
source_user string Source username.
status `` Indicates the status in indicators of attack detections.
- 0: Undefined
- 1: Pending
- 2: Filed
type `` Type of device for device control detections.
- 0: Undefined
- 1: Removable Storage
- 2: Image Capture
- 3: Optical Storage
- 4: Bluetooth
- 5: Modem
- 6: Mobile
user_name string Username.
was_run boolean Indicates if the item has been executed.

Isolate Devices

Isolates the specified devices. When you isolate a device, communication to and from the device is denied.

Arguments

Name Type Description
device_ids array List of IDs of devices to isolate.
Example: "cb509c17-7b88-461a-ba3b-3d43e29e6cd4","2c13685e-7d1f-4726-9ad3-5c8fa7718bab"
exclusion_programs array List of programs to exclude from isolation and allow to communicate normally.
customized_message string Text to show in an alert message on the isolated devices
hide_customized_alert boolean Indicates whether to hide the customized alert message on isolated devices.

Outputs

Name Type Description
processed_device_ids array List of IDs of the isolated devices

Links devices to a specified configuration.

Arguments

Name Type Description
config_id string Identifier of the managed configuration to associate with the devices.
Example: 2836d89d-1e98-4377-92b7-0a76ac2a7699
type integer Type of configuration. Currently, only option 2 is supported.
- 2 — Workstations and servers.
Example: 2
device_ids array List of IDs of devices to link to the specified managed configuration..
Example: cb509c17-7b88-461a-ba3b-3d43e29e6cd4,2c13685e-7d1f-4726-9ad3-5c8fa7718bab

Retrieve Devices

Retrieves a list of devices, and additional information, such as the device IP address and operating system.

Arguments

Name Type Description
$top integer Specifies the number of objects to retrieve.
Example: 5
$skip integer Bypasses the specified number of objects in the results returned.
For example, if you specify 10, the results start at object 11.
Example: 5
$search string Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username".
The supported search fields depend on the endpoint:
- Devices: Host name, description, IP address, logged on user
- DeviceProtectionStatus: Host name
- ManagedConfigurations: Name, description
Example: name
$count boolean Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.
Example: true
$orderby string Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.
Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).
For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.
Example: hostname+desc
$config boolean Indicates whether the security configuration name and ID are returned. The default value is true.
Example: true

Outputs

Name Type Description
total_items integer Total number of devices.
If the count request parameter is true, total_items displays the total number of devices. If count is false, then total_items displays null.
Example: 42
data array Array of device data

Retrieve Managed Configurations

Retrieves a list of the specified type of managed configurations associated with your WatchGuard Cloud account.

Arguments

Name Type Description
type integer Type of configuration to return. Specify one of these values:
- 1 — Deployment settings
- 2 — Workstations and servers
- 3 — Android
Example: 2
$top integer Specifies the number of objects to retrieve.
Example: 5
$skip integer Bypasses the specified number of objects in the results returned.
For example, if you specify 10, the results start at object 11.
Example: 5
$search string Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username".
The supported search fields depend on the endpoint:
- Devices: Host name, description, IP address, logged on user
- DeviceProtectionStatus: Host name
- ManagedConfigurations: Name, description
Example: name
$count boolean Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.
Example: true
$orderby string Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.
Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).
For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.
Example: hostname+desc

Outputs

Name Type Description
total_items integer Total number of devices.
If the count request parameter is true, total_items displays the total number of devices. If count is false, then total_items displays null.
Example: 42
data array List of managed configurations.

Retrieve unmanaged devices

Retrieves a list of unmanaged devices discovered on the network.

Arguments

Name Type Description
$top integer Specifies the number of objects to retrieve.
Example: 5
$skip integer Bypasses the specified number of objects in the results returned.
For example, if you specify 10, the results start at object 11.
Example: 5
$search string Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username".
The supported search fields depend on the endpoint:
- Devices: Host name, description, IP address, logged on user
- DeviceProtectionStatus: Host name
- ManagedConfigurations: Name, description
Example: name
$count boolean Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.
Example: true
$orderby string Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.
Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).
For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.
Example: hostname+desc

Outputs

Name Type Description
total_items integer Total number of devices.
If the count request parameter is true, total_items displays the total number of devices. If count is false, then total_items displays null.
Example: 42
data array Array of device data

Count Security Events

Retrieves counts of detected security events for the specified types.

Arguments

Name Type Description
type integer Types of security event counters to retrieve. This parameter is a mask. Add the values of the security event counter types you want to retrieve.
For example, if you want to retrieve only programs blocked, specify 8. If you want to retrieve both PUPs and programs blocked, specify 10 because 8 (programs blocked) + 2 (PUPs) = 10.
- 1 - Malware
- 2 PUPs (Potentially Unwanted Programs)
- 4 - Exploits
- 8 - Programs Blocked
- 16 - Threats detected by AV
- 255 - All counters
Example: 10
filter string Filters the security event counters by date
Specify the type of security event:
- 33001 — Antivirus
- 32001 — Other types
Specify the length of the time period in the format [x, y] where x is the number of units and y is the unit of time:
- 1 — Years
- 2 - Months
- 3 - Days
- 4 - Hours
For example, this retrieves threats detected by AV for the last 7 days: filter=33001%20AmongTheLast%20[7,3].
This retrieves security event counters for the other types for the last 3 months: filter=32001%20AmongTheLast%20[3,2].
If you do not specify a filter, the API returns all of the security events for the last 30 days.
Example: 33001%20AmongTheLast%20[7,3]

Outputs

Name Type Description
exploit_counters object
malware_counters object
program_blocked_counters object
pups_counters object
threats_by_av_counters object

Retrieve Device Protection Status

Retrieves a list of devices with their protection status and other device information.

Arguments

Name Type Description
$top integer Specifies the number of objects to retrieve.
Example: 5
$skip integer Bypasses the specified number of objects in the results returned.
For example, if you specify 10, the results start at object 11.
Example: 5
$search string Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username".
The supported search fields depend on the endpoint:
- Devices: Host name, description, IP address, logged on user
- DeviceProtectionStatus: Host name
- ManagedConfigurations: Name, description
Example: name
$count boolean Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.
Example: true
$orderby string Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.
Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).
For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.
Example: hostname+desc

Outputs

Name Type Description
total_items integer Total number of devices.
If the count request parameter is true, total_items displays the total number of devices. If count is false, then total_items displays null.
Example: 42
data array Array of device data

Retrieve Full Encryption Module Status

Retrieves Full Encryption statistics.

Outputs

Name Type Description
total_supported_devices integer Total number of devices that support Full Encryption.
with_decrypting_drives integer Number of devices with at least one disk currently in the decryption process.
with_encrypted_by_user_drives integer Number of devices where a user encrypted some or all of the disks.
with_encrypted_drives integer Number of devices with Full Encryption on all disks.
with_encrypted_partially_by_user_drives integer Number of devices where a user encrypted some or all of the disks. Full Encryption encrypts or decrypts the remainder.
with_encrypted_partially_drives integer Number of devices with at least one disk with Full Encryption complete.
with_encrypting_drives integer Number of devices with at least one disk currently in the encryption process.
with_non_encrypted_drives integer Number of devices with no disks encrypted by the user or Full Encryption.
with_unknown_encryption_status integer Number of devices with disks encrypted with an authentication method that Full Encryption does not support.

Retrieve Patch Management Module Status

Retrieves Patch Management statistics.

Outputs

Name Type Description
non_security_other_patches integer Number of other currently available patches that are not related to security.
security_critical integer Number of currently available critical security patches.
security_important integer Number of currently available security patches classified as important.
security_low integer Number of currently available security patches classified as low importance.
security_moderate integer Number of currently available security patches classified as moderate importance.
security_not_classified integer Number of security patches that do not have a severity classification.
service_pack integer Number of currently available service packs.
total_supported_devices integer Total number of devices that support Patch Management.

Retrieve Security overview

Retrieves counters for security overview.

Arguments

Name Type Description
period integer Period of time to retrieve security event counters for. Specify one of these values:
- 1 - Previous 24 hours
- 7 - Previous 7 days
- 30 - Previous 30 days
Example: 7

Outputs

Name Type Description
exploits ``
indicators_of_attack_counters ``
malware ``
programs_blocked ``
pups ``
threats_by_av_counters ``
total_devices integer Total number of devices.
total_unmanaged_devices integer Total number of unmanaged devices.

Scan devices

Starts a task to scan the specified devices immediately.

Arguments

Name Type Description
device_ids array List of IDs of devices to scan.
Example: "cb509c17-7b88-461a-ba3b-3d43e29e6cd4","2c13685e-7d1f-4726-9ad3-5c8fa7718bab"
task_name string Name of the scan task.
Example: Routine scan
task_description string Description of the scan task.
Example: Windows 8 machines only
scan_scope integer Scope of the scan task. Specify one of these values:
- 0 - Whole computer
- 1 - Critical areas
- 2 - Specified items
Example: 0
specified_items_to_scan string List of specific locations or items to scan. All folders and files in the specified locations are scanned.
Works only when scan_scope is 2.
Example: "C:\Downloads", "C:\Documents"
detect_hacking_tools boolean Indicates whether to detect hacking tools. This detects potentially unwanted programs, as well as programs used by hackers.
Example: false
detect_suspicious_files boolean Indicates whether to detect suspicious files. In scheduled scans, the tool scans computer software but does not run it. Some types of threats have a lower chance of detection. Set this option to true to scan with heuristic algorithms and improve detection rates.
Example: true
scan_compressed_files boolean Indicates whether to scan compressed files. This decompresses compressed files and scans their contents.
Example: true
apply_exclusions_on_scan boolean Indicates whether to exclude items from the scan, such as specific files, files with a specific extension, or a specific directory.
Example: false
extensions_to_exclude string List of file extensions to exclude from the scan.
Works only when apply_exclusions_on_scan is true.
Example: "exe","pdf"
files_to_exclude string List of file names (with their extensions) to exclude from the scan.
Works only when apply_exclusions_on_scan is true.
Example: "Chrome.exe", "Explorer.exe"
folders_to_exclude string List of folders to exclude from the scan. You must include the full path.
Works only when apply_exclusions_on_scan is true.
Example: "D:/shared_drive/documents"
execution_window_expiration string Time period in which the scan must run before it times out. The default is 7 days.
Example: 8.07:06:05 specifies 8 days, 7 hours, 6 minutes, and 5 seconds

Outputs

Name Type Description
no_executed_by_not_found_device_ids array
task_id string ID of the completed scan task.

Send action

Initiates an action on the specified devices. For example, send an action to reboot a device.

Arguments

Name Type Description
device_ids array List of IDs of devices to reboot.
Example: "cb509c17-7b88-461a-ba3b-3d43e29e6cd4","2c13685e-7d1f-4726-9ad3-5c8fa7718bab"
action_type integer Type of action to initiate on the device. Specify one of these values:
- 1 - Reboot
count_down_type integer Amount of time to count down to the action. Specify one of these values:
- 1 - Immediate
- 2 - Fifteen minutes
- 3 - Thirty minutes
- 4 - One hour
- 5 - Two hours
- 6 - Four hours
- 7 - Eight hours

Outputs

Name Type Description
processed_device_ids array List of IDs of the rebooted devices

Stop devices isolation

Stops isolation on the specified devices.

Arguments

Name Type Description
device_ids array List of IDs of devices to remove from isolation.
Example: "cb509c17-7b88-461a-ba3b-3d43e29e6cd4","2c13685e-7d1f-4726-9ad3-5c8fa7718bab"

Outputs

Name Type Description
processed_device_ids array List of IDs of the devices removed from isolation

Uninstall protection from devices

Uninstalls protection from the specified devices.

Arguments

Name Type Description
device_ids array List of IDs of devices to remove the protection.
Example: "cb509c17-7b88-461a-ba3b-3d43e29e6cd4","2c13685e-7d1f-4726-9ad3-5c8fa7718bab"

Extra

Module Panda Security v1.23.1