Symantec Advanced Threat Protection (ATP) performs the critical security tasks that detect, protect, and respond to threats to your network.
This document provides information about the Symantec ATP connector, which facilitates automated interactions, with a Symantec ATP server using FortiSOAR™ playbooks. Add the Symantec ATP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving events, incidents, and files from the Symantec ATP server and isolating or rejoining an endpoint.
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-symantec-atp
For the detailed procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Symantec ATP connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL of the Symantec ATP server to which you will connect and perform the automated operations. |
Port | Port of the Symantec ATP server. |
Username | Username of the Symantec ATP server to which you will connect and perform the automated operations. |
Password | Password of the Symantec ATP server to which you will connect and perform the automated operations. |
Client ID | Client ID that is used to access the Symantec ATP endpoint. You can retrieve the client_id and client_secret pair from the ATP Manager after you have created an OAuth2 client. |
Client Secret | Client Secret that is used to access the Symantec ATP endpoint. You can retrieve the client_id and client_secret pair from the ATP Manager after you have created an OAuth2 client. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. Disabling verification exposes the username, password and OAuth2 client secret sent to the server to interception, so leave it enabled wherever the server presents a trusted certificate. |
The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Get Appliance Information | Retrieves information about all appliances from the Symantec ATP server. | get_information Investigation |
Get Events | Retrieves information about all events, or events based on the input parameters that you have specified, from the Symantec ATP server. | get_events Investigation |
Get Incidents | Retrieves information about all incidents, or incidents based on the input parameters that you have specified, from the Symantec ATP server. | get_incidents Investigation |
Get Incident Related Events | Retrieves information about incidents related to a particular event that you have specified, from the Symantec ATP server. | get_incidentevents Investigation |
Get File Details | Retrieves information about a file based on the file hash that you have specified, from the Symantec ATP server. | get_details Investigation |
Get Command State | Retrieves state of the command based on the command ID that you have specified, from the Symantec ATP server. | get_state Investigation |
Isolate Endpoint | Isolates endpoints by cutting the connections that the endpoint(s) have to internal and external networks, based on the endpoint IDs (in list or CSV format) that you have specified. Isolating an endpoint keeps that computer from infecting any other computers. ATP supports isolating endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later. | isolate_endpoint Investigation |
Rejoin Endpoint | Rejoins endpoints by re-establishing the connections that the endpoint(s) have to internal and external networks, based on the endpoint IDs (in list or CSV format) that you have specified. You can rejoin only those endpoints that have been isolated. ATP supports rejoining endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later. | rejoin_endpoint Investigation |
Delete Endpoint File | Deletes a file, i.e. deletes all instances of the file, based on the file hash that you have specified, from the endpoint that you have specified using the Device UID. ATP supports deleting files on Symantec Endpoint Protection 12.1 RU6 MP3 and later. | delete_file Investigation |
Get Blacklist | Retrieves information about all blacklisted elements from the Symantec ATP server. | get_blacklist Investigation |
Get Whitelist | Retrieves information about all whitelisted elements from the Symantec ATP server. | get_whitelist Investigation |
Add To Blacklist | Adds an element to an existing blacklist on the Symantec ATP server. | add_in_blacklist Investigation |
Add To Whitelist | Adds an element to an existing whitelist on the Symantec ATP server. | add_in_whitelist Investigation |
Remove From Blacklist | Deletes an element from an existing blacklist on the Symantec ATP server. | delete_from_blacklist Investigation |
Remove From Whitelist | Deletes an element from an existing whitelist on the Symantec ATP server. | delete_from_whitelist Investigation |
Operation: Get Appliance Information
Input parameters: None.
The JSON output contains information about all appliances retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Get Events
Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criteria are applied and an unfiltered list is returned.
Parameter | Description |
---|---|
Start Time | DateTime from when you want to retrieve information about events from the Symantec ATP server. |
End Time | DateTime till when you want to retrieve information about events from the Symantec ATP server. |
Open Query | Query based on which you want to retrieve information about events from the Symantec ATP server. For example: "Log_time >= '2016-06-06T15:39:55.616Z' and log_time < '2016--Z' and ( type_id=4096 or type_id=4098 or type_id=4123)" |
Number of Events Limit | Maximum number of events you want this operation to return. |
Next | Link value of the next page. |
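The Open Query, Number of Events Limit and Next parameters above describe a filter-and-page loop that a playbook has to drive itself. The following Python is an added example, not code from the connector or from Fortinet: it composes the `log_time`/`type_id` filter in the form the Open Query description shows and follows the "next" link value until the server stops returning one, stopping early at the requested limit. `make_fake_server` is a constructed in-memory stand-in for the ATP server, and the `cursor=N` link format it hands back is invented for the demo; the real link value is opaque and should be passed back untouched.

```python
"""Building the Open Query filter and paging Get Events / Get Incidents
results with the "Next" link value and the "Number of Events Limit".
Added example, not part of the connector; make_fake_server is a constructed
stand-in for the ATP server and its cursor format is invented for the demo."""
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Iterable, List, Optional

Page = Dict[str, Any]  # {"result": [records...], "next": link value or None}


def _iso_millis(ts: datetime) -> str:
    """Format as 2016-06-06T15:39:55.616Z (UTC, millisecond precision)."""
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def build_open_query(start: datetime, end: datetime, type_ids: Iterable[int] = ()) -> str:
    """Compose a log_time window plus an optional type_id clause in the form
    shown in the Open Query parameter description. Naive datetimes are refused
    so that a local time is never silently sent as UTC."""
    for ts in (start, end):
        if ts.tzinfo is None:
            raise ValueError("Start Time and End Time must be timezone-aware")
    if end <= start:
        raise ValueError("End Time must be later than Start Time")
    query = f"log_time >= '{_iso_millis(start)}' and log_time < '{_iso_millis(end)}'"
    ids = sorted({int(t) for t in type_ids})
    if ids:
        query += " and (" + " or ".join(f"type_id={t}" for t in ids) + ")"
    return query


def fetch_all(fetch_page: Callable[[Optional[str]], Page], limit: Optional[int] = None) -> List[dict]:
    """Follow the 'next' link until the server stops returning one, collecting
    at most `limit` records. A link value that repeats means the server is not
    advancing, so the loop stops rather than spinning forever."""
    collected: List[dict] = []
    seen_links = set()
    next_link: Optional[str] = None
    while True:
        page = fetch_page(next_link)
        for record in page.get("result", []):
            if limit is not None and len(collected) >= limit:
                return collected
            collected.append(record)
        next_link = page.get("next")
        if not next_link or next_link in seen_links:
            return collected
        seen_links.add(next_link)


def make_fake_server(records: List[dict], page_size: int) -> Callable[[Optional[str]], Page]:
    """Constructed stand-in for the server: serves `records` page by page and
    returns an opaque 'next' cursor (demo format, not the real link value)."""
    def fetch(cursor: Optional[str]) -> Page:
        offset = int(cursor.split("=", 1)[1]) if cursor else 0
        end = offset + page_size
        return {"result": records[offset:end], "next": f"cursor={end}" if end < len(records) else None}
    return fetch


if __name__ == "__main__":
    # Constructed sample: seven event records served three per page.
    sample = [{"uuid": f"evt-{i}", "type_id": 4096 + (i % 3)} for i in range(7)]
    server = make_fake_server(sample, page_size=3)
    start = datetime(2016, 6, 6, 15, 39, 55, 616000, tzinfo=timezone.utc)
    print(build_open_query(start, datetime(2016, 6, 7, tzinfo=timezone.utc), [4123, 4096, 4098]))
    print(len(fetch_all(server)), "records without a limit")
    print(len(fetch_all(server, limit=5)), "records with Number of Events Limit = 5")
```

The repeated-link guard in `fetch_all` matters in a playbook: a loop that trusts the server to eventually omit "next" can run until the step times out if a misconfigured or faulty server keeps handing back the same page.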
The JSON output contains information about all events, or events based on the input parameters that you have specified, retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Get Incidents
Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criteria are applied and an unfiltered list is returned.
Parameter | Description |
---|---|
Start Time | DateTime from when you want to retrieve information about incidents from the Symantec ATP server. |
End Time | DateTime till when you want to retrieve information about incidents from the Symantec ATP server. |
Open Query | Query based on which you want to retrieve information about incidents from the Symantec ATP server. For example: "Log_time >= '2016-06-06T15:39:55.616Z' and log_time < '2016--Z' and ( type_id=4096 or type_id=4098 or type_id=4123)" |
Number of Events Limit | Maximum number of incidents you want this operation to return. |
Next | Link value of the next page. |
The JSON output contains information about all incidents, or incidents based on the input parameters that you have specified, retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Get Incident Related Events
Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criteria are applied and an unfiltered list is returned.
Parameter | Description |
---|---|
Start Time | DateTime from when you want to retrieve information about incidents related to a particular event from the Symantec ATP server. |
End Time | DateTime till when you want to retrieve information about incidents related to a particular event type from the Symantec ATP server. |
Open Query | Query based on which you want to retrieve information about incidents related to a particular event from the Symantec ATP server. For example: "log_time >= '2016-06-06T15:39:55.616Z' and log_time < '2016--Z' and ( type_id=4096 or type_id=4098 or type_id=4123)" |
Number of Events Limit | Maximum number of events you want this operation to return. |
Next | Link value of the next page. |
The JSON output contains information about incidents related to the particular event ID types that you have specified, retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Get File Details
Parameter | Description |
---|---|
Hash Value | MD5 or SHA-256 value of the file whose details you want to retrieve from the Symantec ATP server. |
Is MD5? | Select this check box if you are specifying an MD5 value of the file. If you do not select this check box, you must specify the SHA-256 value of the file. |
The JSON output contains the details of the file associated with the hash value that you have specified, retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Get Command State
Parameter | Description |
---|---|
Command ID | ID of the command whose state you want to retrieve from the Symantec ATP server. |
The JSON output contains information about the state of the command based on the command ID that you have specified, retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Isolate Endpoint
Parameter | Description |
---|---|
Endpoint ID (In CSV or List Format) | ID(s) of the endpoint(s) that you want to isolate from the network. You can specify multiple endpoint IDs using the list or CSV format, or a single endpoint ID, in this field. For example, ["cb46d251-151d-4583-a8fb-ebff7c42cfd8", "cb46d251-151d-4583-a8fb-ebff7c42cfd8"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8". |
The JSON output contains the Status message of the isolate endpoint operation retrieved from the Symantec ATP server. The JSON output also contains the ID of the command used to isolate the endpoint(s).
The following image displays a sample output:
Operation: Rejoin Endpoint
Parameter | Description |
---|---|
Endpoint ID (In CSV or List Format) | ID(s) of the endpoint(s) that you want to rejoin to the network. You can specify multiple endpoint IDs using the list or CSV format, or a single endpoint ID, in this field. For example, ["cb46d251-151d-4583-a8fb-ebff7c42cfd8", "cb46d251-151d-4583-a8fb-ebff7c42cfd8"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8". |
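Isolate Endpoint and Rejoin Endpoint accept their endpoint IDs in either list or CSV form, and Get File Details relies on the Is MD5? check box agreeing with the hash that was typed in. Both are places where a playbook variable of the wrong shape is easy to pass along unnoticed, so the Python below, an added example that is not connector code, normalises those inputs before they reach the server: it turns a list, a JSON list string (including the backslash-escaped form in the table above), a CSV string or a single value into de-duplicated UUIDs, and checks that the hash length matches the algorithm the check box claims. The request to the server itself is out of scope; the sample values are the ones from the parameter tables plus the well-known MD5 and SHA-256 digests of the empty input.

```python
"""Normalising the free-form inputs of the endpoint and file operations:
the "Endpoint ID (In CSV or List Format)" field of Isolate / Rejoin Endpoint
and the Hash Value / Is MD5? pair of Get File Details.
Added example, not connector code; sending the request is out of scope."""
import json
import re
import uuid
from typing import List, Optional, Union

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_endpoint_ids(raw: Union[str, List[str]]) -> List[str]:
    """Accept a Python list, a JSON list string (also the backslash-escaped
    form shown in the parameter table), a CSV string or a single ID. Returns
    de-duplicated lower-case UUID strings; anything that is not a UUID is
    rejected so a malformed value never reaches the isolate/rejoin command."""
    if isinstance(raw, str):
        text = raw.strip().replace('\\"', '"')
        items = json.loads(text) if text.startswith("[") else text.split(",")
    else:
        items = list(raw)
    ids: List[str] = []
    for item in items:
        if not isinstance(item, str):
            raise ValueError(f"endpoint ID must be a string, got {type(item).__name__}")
        candidate = item.strip().strip('"')
        if not candidate:
            continue  # tolerate a trailing comma or an empty CSV cell
        try:
            normalised = str(uuid.UUID(candidate))
        except ValueError:
            raise ValueError(f"not a valid endpoint UUID: {candidate!r}") from None
        if normalised not in ids:
            ids.append(normalised)
    if not ids:
        raise ValueError("no endpoint IDs supplied")
    return ids


def detect_hash_kind(value: str) -> Optional[str]:
    """Return 'md5', 'sha256' or None based on the hex length of the value."""
    v = value.strip().lower()
    if _MD5_RE.match(v):
        return "md5"
    if _SHA256_RE.match(v):
        return "sha256"
    return None


def check_file_hash(hash_value: str, is_md5: bool) -> str:
    """Return the lower-cased hash after verifying that its algorithm matches
    the Is MD5? check box. A SHA-256 submitted with Is MD5? ticked (or the
    reverse) would make the server look up the wrong object, so it is refused."""
    kind = detect_hash_kind(hash_value)
    expected = "md5" if is_md5 else "sha256"
    if kind != expected:
        raise ValueError(f"Is MD5? is {is_md5} but the value looks like {kind or 'neither MD5 nor SHA-256'}")
    return hash_value.strip().lower()


if __name__ == "__main__":
    # Constructed inputs mirroring the examples in the parameter tables.
    print(parse_endpoint_ids('[\\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\\", \\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\\"]'))
    print(parse_endpoint_ids("cb46d251-151d-4583-a8fb-ebff7c42cfd8"))
    print(check_file_hash("D41D8CD98F00B204E9800998ECF8427E", is_md5=True))
```

De-duplicating the IDs is deliberate: the table's own example repeats the same UUID twice, and issuing one isolate command per duplicate only produces extra command IDs to poll with Get Command State.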
The JSON output contains the Status message of the rejoin endpoint operation retrieved from the Symantec ATP server. The JSON output also contains the ID of the command used to rejoin the endpoint(s).
The following image displays a sample output:
Operation: Delete Endpoint File
Parameter | Description |
---|---|
File Hash | SHA-256 value of the file that you want to delete from the specified device. |
Device UID | UID of the device from which you want to delete the specified file. |
The JSON output contains the Status message of the delete endpoint file operation retrieved from the Symantec ATP server. The JSON output also contains the ID of the command used to delete the endpoint file.
The following image displays a sample output:
Operation: Get Blacklist
Parameter | Description |
---|---|
Page Index | Index number from which you want to retrieve data on that page. |
Page Size | Page Size for retrieving data. |
Select Type | (Optional) Type of the blacklist whose information you want to retrieve from the Symantec ATP server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
Value | (Optional) Value of the type based on which you want to retrieve the blacklist information from the Symantec ATP server. For example, if you have selected MD5, then you must enter an MD5 value in this field. |
The JSON output contains information about all blacklisted elements retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Get Whitelist
Parameter | Description |
---|---|
Page Index | Index number from which you want to retrieve data on that page. |
Page Size | Page Size for retrieving data. |
Select Type | (Optional) Type of the whitelist whose information you want to retrieve from the Symantec ATP server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
Value | (Optional) Value of the whitelist whose information you want to retrieve from the Symantec ATP server. For example, if you have selected MD5, then you must enter an MD5 value in this field. |
The JSON output contains information about all whitelisted elements retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Add To Blacklist
Parameter | Description |
---|---|
Select Type | Type of the blacklist element that you want to add to an existing blacklist on the Symantec ATP server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
Value | Value of the blacklist element that you want to add to an existing blacklist, based on the type you have selected. For example, if you have selected MD5, then you must add the value of the blacklist element in the MD5 format. |
Comment | Comment about the blacklist element that you want to add. |
The JSON output contains the Status message of the Add To Blacklist operation retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Add To Whitelist
Parameter | Description |
---|---|
Select Type | Type of the whitelist element that you want to add to an existing whitelist on the Symantec ATP server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
Value | Value of the whitelist element that you want to add to an existing whitelist, based on the type you have selected. For example, if you have selected MD5, then you must add the value of the whitelist element in the MD5 format. |
Comment | Comment about the whitelist element that you want to add. |
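Add To Blacklist and Add To Whitelist both take a Select Type of IP, Domain, URL, SHA256 or MD5 together with a Value that must be in that type's format. The Python below is an added example, not connector code: it checks that the value has the shape the selected type requires and normalises it (lower-case hashes and hostnames, canonical IP text) before it is submitted, and `guess_type` suggests which type a value actually fits so a playbook can flag a Select Type that disagrees with the value. The domain rules follow the usual DNS label limits (1 to 63 characters per label, 253 overall, no leading or trailing hyphen); the sample values are constructed.

```python
"""Checking the Select Type / Value pair of Add To Blacklist and Add To
Whitelist (types IP, Domain, URL, SHA256, MD5) before the element is
submitted, so a value of the wrong shape is caught in the playbook rather
than added to the wrong list. Added example, not connector code."""
import ipaddress
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

LIST_TYPES = ("IP", "Domain", "URL", "SHA256", "MD5")
_HEX_LEN = {"MD5": 32, "SHA256": 64}
# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_list_entry(select_type: str, value: str) -> Dict[str, str]:
    """Return {"type": ..., "value": normalised} or raise ValueError when the
    value does not have the shape the selected type requires."""
    kind = select_type.strip()
    if kind not in LIST_TYPES:
        raise ValueError(f"unknown type {select_type!r}; expected one of {LIST_TYPES}")
    v = value.strip()
    if kind in _HEX_LEN:
        v = v.lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % _HEX_LEN[kind], v):
            raise ValueError(f"{kind} value must be exactly {_HEX_LEN[kind]} hex digits")
    elif kind == "IP":
        # ip_address raises ValueError for anything that is not an IPv4/IPv6 address
        v = str(ipaddress.ip_address(v))
    elif kind == "Domain":
        host = v.rstrip(".").lower()
        labels = host.split(".")
        if len(host) > 253 or len(labels) < 2 or not all(_LABEL_RE.match(l) for l in labels):
            raise ValueError(f"not a valid domain name: {value!r}")
        v = host
    else:  # URL
        parts = urlsplit(v)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"URL must use http(s) and include a host: {value!r}")
    return {"type": kind, "value": v}


def guess_type(value: str) -> Optional[str]:
    """Suggest which list type a value fits, most specific first, or None.
    IP is tried before Domain because a dotted-quad also passes the label test."""
    for kind in ("MD5", "SHA256", "IP", "URL", "Domain"):
        try:
            validate_list_entry(kind, value)
            return kind
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed sample entries, one per type, plus a mismatched pair.
    for kind, value in [("IP", "192.0.2.10"), ("Domain", "Example.COM."),
                        ("URL", "https://example.com/path"),
                        ("MD5", "D41D8CD98F00B204E9800998ECF8427E")]:
        print(validate_list_entry(kind, value))
    try:
        validate_list_entry("MD5", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    except ValueError as exc:
        print("rejected:", exc, "-> looks like", guess_type(
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
```

Normalising before submission also keeps Get Blacklist and Get Whitelist lookups by Value consistent: an upper-case hash or a trailing-dot domain added once and searched for later in a different spelling is the usual reason an entry "is not there".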
The JSON output contains the Status message of the Add To Whitelist operation retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Remove From Blacklist
Parameter | Description |
---|---|
ID | ID of the blacklisted element that you want to delete from the Symantec ATP server. |
The JSON output contains the Status message of the Remove From Blacklist operation retrieved from the Symantec ATP server.
The following image displays a sample output:
Operation: Remove From Whitelist
Parameter | Description |
---|---|
ID | ID of the whitelisted element that you want to delete from the Symantec ATP server. |
The JSON output contains the Status message of the Remove From Whitelist operation retrieved from the Symantec ATP server.
The following image displays a sample output:
The Sample - Symantec ATP - 1.0.0 playbook collection comes bundled with the Symantec ATP connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec ATP connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.