About the connector
Symantec Advanced Threat Protection (ATP) performs the critical security tasks that detect, protect, and respond to threats to your network.
This document provides information about the Symantec ATP connector, which facilitates automated interactions, with a Symantec ATP server using FortiSOAR™ playbooks. Add the Symantec ATP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving events, incidents, and files from the Symantec ATP server and isolating or rejoining an endpoint.
Version information
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-symantec-atp
For the detailed procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of the Symantec ATP server to which you will connect and perform the automated operations.
- You must have the Client ID and the Client Secret pair that is used to access the Symantec ATP endpoint.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the Symantec ATP connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Server URL |
URL of the Symantec ATP server to which you will connect and perform the automated operations. |
| Port |
Port of the Symantec ATP server. |
| Username |
Username of the Symantec ATP server to which you will connect and perform the automated operations. |
| Password |
Password of the Symantec ATP server to which you will connect and perform the automated operations. |
| Client ID |
Client ID that is used to access the Symantec ATP endpoint.
You can retrieve the client_id and client_secret pair from the ATP Manager after you have created an OAuth2 client. |
| Client Secret |
Client Secret that is used to access the Symantec ATP endpoint.
You can retrieve the client_id and client_secret pair from the ATP Manager after you have created an OAuth2 client. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get Appliance Information |
Retrieves information about all appliances from the Symantec ATP server. |
get_information
Investigation |
| Get Events |
Retrieves information about all events, or events based on the input parameters that you have specified, from the Symantec ATP server. |
get_events
Investigation |
| Get Incidents |
Retrieves information about all incidents, or incidents based on the input parameters that you have specified, from the Symantec ATP server. |
get_incidents
Investigation |
| Get Incident Related Events |
Retrieves information about incidents related to particular event that you have specified from the Symantec ATP server. |
get_incidentevents
Investigation |
| Get File Details |
Retrieves information about a file based on the file hash that you have specified, from the Symantec ATP server. |
get_details
Investigation |
| Get Command State |
Retrieves state of the command based on the command ID that you have specified, from the Symantec ATP server. |
get_state
Investigation |
| Isolate Endpoint |
Isolates endpoints by cutting connections that the endpoint(s) has to internal networks and external networks, based on the endpoint IDs (in list or csv format) that you have specified.
Isolating an endpoint keeps that computer(s) from infecting any other computers. ATP supports isolating endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later. |
isolate_endpoint
Investigation |
| Rejoin Endpoint |
Rejoins endpoints by re-establishing connections that the endpoint(s) has to internal networks and external networks, based on the endpoint IDs (in list or csv format) that you have specified.
You can rejoin only those endpoints that have been isolated. ATP supports rejoining endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later. |
rejoin_endpoint
Investigation |
| Delete Endpoint Point |
Deletes a file, i.e. deletes all instances of the file, based on the file hash that you have specified from the endpoint that you have specified using the Device UID.
ATP supports deleting files on Symantec Endpoint Protection 12.1 RU6 MP3 and later. |
delete_file
Investigation |
| Get Blacklist |
Retrieves information about all blacklisted elements from the Symantec ATP server. |
get_blacklist
Investigation |
| Get Whitelist |
Retrieves information about all whitelisted elements from the Symantec ATP server. |
get_whitelist
Investigation |
| Add To Blacklist |
Adds an element to an existing blacklist on the Symantec ATP server. |
add_in_blacklist
Investigation |
| Add To Whitelist |
Adds an element to an existing whitelist on the Symantec ATP server. |
add_in_whitelist
Investigation |
| Remove From Blacklist |
Deletes an element from an existing blacklist on the Symantec ATP server. |
delete_from_blacklist
Investigation |
| Remove From Whitelist |
Deletes an element from an existing whitelist on the Symantec ATP server. |
delete_from_whitelist
Investigation |
operation: Get Appliance Information
Input parameters
None.
Output
The JSON output contains information about all appliances retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Get Events
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.
| Parameter |
Description |
| Start Time |
DateTime from when you want to retrieve information about events from the Symantec ATP server. |
| End Time |
DateTime till when you want to retrieve information about events from the Symantec ATP server. |
| Open Query |
Query based on which you want to retrieve information about events from the Symantec ATP server.
"Log_time >= '2016-06-06T15:39:55.616Z' and log_time < '2016--Z' and ( type_id=4096 or type_id=4098 or type_id=4123)" |
| Number of Events Limit |
Maximum number of events you want this operation to return. |
| Next |
Link value of the next page. |
Output
The JSON output contains information about all events, or events based on the input parameters that you have specified, retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Get Incidents
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.
| Parameter |
Description |
| Start Time |
DateTime from when you want to retrieve information about incidents from the Symantec ATP server. |
| End Time |
DateTime till when you want to retrieve information about incidents from the Symantec ATP server. |
| Open Query |
Query based on which you want to retrieve information about incidents from the Symantec ATP server.
"Log_time >= '2016-06-06T15:39:55.616Z' and log_time < '2016--Z' and ( type_id=4096 or type_id=4098 or type_id=4123)" |
| Number of Events Limit |
Maximum number of incidents you want this operation to return. |
| Next |
Link value of the next page. |
Output
The JSON output contains information about all incidents, or incidents based on the input parameters that you have specified, retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Get Incident Related Events
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.
| Parameter |
Description |
| Start Time |
DateTime from when you want to retrieve information about incidents related to a particular event from the Symantec ATP server. |
| End Time |
DateTime till when you want to retrieve information about incidents related to a particular event type from the Symantec ATP server. |
| Open Query |
Query based on which you want to retrieve information about incidents related to a particular event from the Symantec ATP server.
"log_time >= '2016-06-06T15:39:55.616Z' and log_time < '2016--Z' and ( type_id=4096 or type_id=4098 or type_id=4123)" |
| Number of Events Limit |
Maximum number of events you want this operation to return. |
| Next |
Link value of the next page. |
Output
The JSON output contains information about incidents related to particular event ID types that you have specified retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Get File Details
Input parameters
| Parameter |
Description |
| Hash Value |
MD5 or SHA-256 value of the file whose details you want to retrieve from the Symantec ATP server. |
| Is MD5? |
Select this check box if you are specifying a MD5 value of the file.
If you do not select this check box then you must specify the SHA-256 value of the file. |
Output
The JSON output contains the details of the file associated with the hash value that you have specified, retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Get Command State
Input parameters
| Parameter |
Description |
| Command ID |
ID of the command whose state you want to retrieve from the Symantec ATP server. |
Output
The JSON output contains information about the state of the command based on the command ID that you have specified retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Isolate Endpoint
Input parameters
| Parameter |
Description |
| Endpoint ID (In CSV or List Format) |
ID(s) of the endpoint(s) that who want to isolate from the network.
You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8". |
Output
The JSON output contains the Status message of the isolated endpoint operation retrieved from the Symantec ATP server. The JSON output also contains the ID of the command used to isolate the endpoint(s).
Following image displays a sample output:
operation: Rejoin Endpoint
Input parameters
| Parameter |
Description |
| Endpoint ID (In CSV or List Format) |
ID(s) of the endpoint(s) that who want to rejoin to the network.
You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8". |
Output
The JSON output contains the Status message of the rejoin endpoint operation retrieved from the Symantec ATP server. The JSON output also contains the ID of the command used to rejoin the endpoint(s).
Following image displays a sample output:
operation: Delete Endpoint File
Input parameters
| Parameter |
Description |
| File Hash |
SHA-256 value of the file that you want to delete from the specified device. |
| Device UID |
UID of the device from which you want to delete the specified file. |
Output
The JSON output contains the Status message of the delete endpoint file operation retrieved from the Symantec ATP server. The JSON output also contains the ID of the command used to delete the endpoint file.
Following image displays a sample output:
operation: Get Blacklist
Input parameters
| Parameter |
Description |
| Page Index |
Index number from which you want to retrieve data on that page. |
| Page Size |
Page Size for retrieving data. |
| Select Type |
(Optional) Type of the blacklist whose information you want to retrieve from the Symantec ATP server.
You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
| Value |
(Optional) Value of the type based on which you want to retrieve the blacklist information from the Symantec ATP server.
For example, if you have selected MD5, then you must enter an MD5 value in this field. |
Output
The JSON output contains information about all blacklisted elements retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Get Whitelist
Input parameters
| Parameter |
Description |
| Page Index |
Index number from which you want to retrieve data on that page. |
| Page Size |
Page Size for retrieving data. |
| Select Type |
(Optional) Type of the whitelist whose information you want to retrieve from the Symantec ATP server.
You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
| Value |
(Optional) Value of the whitelist whose information you want to retrieve from the Symantec ATP server.
For example, if you have selected MD5, then you must enter an MD5 value in this field. |
Output
The JSON output contains information about all whitelisted elements retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Add To Blacklist
Input parameters
| Parameter |
Description |
| Select Type |
Type of the blacklist element that you want to add to an existing blacklist on the Symantec ATP server.
You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
| Value |
Value of the blacklist element that you want to add to an existing blacklist, based on the type you have selected.
For example, if you have selected MD5, then you must add the value of the blacklist element in the MD5 format. |
| Comment |
Comment about the blacklist element that you want to add. |
Output
The JSON output contains the Status message of the Add in Blacklist operation retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Add To Whitelist
Input parameters
| Parameter |
Description |
| Select Type |
Type of the whitelist element that you want to add to an existing whitelist on the Symantec ATP server.
You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
| Value |
Value of the whitelist element that you want to add to an existing whitelist, based on the type you have selected.
For example, if you have selected MD5, then you must add the value of the whitelist element in the MD5 format. |
| Comment |
Comment about the whitelist element that you want to add. |
Output
The JSON output contains the Status message of the add in Whitelist operation retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Remove From Blacklist
Input parameters
| Parameter |
Description |
| ID |
ID of the blacklisted element that you want to delete from the Symantec ATP server. |
Output
The JSON output contains the Status message of the Delete From Blacklist operation retrieved from the Symantec ATP server.
Following image displays a sample output:
operation: Remove From Whitelist
Input parameters
| Parameter |
Description |
| ID |
ID of the whitelisted element that you want to delete from the Symantec ATP server. |
Output
The JSON output contains the Status message of the Delete From Whitelist operation retrieved from the Symantec ATP server.
Following image displays a sample output:
Included playbooks
The Sample - Symantec ATP - 1.0.0 playbook collection comes bundled with the Symantec ATP connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec ATP connector.
- Add To Blacklist
- Add To Whitelist
- Delete Endpoint File
- Get Appliance Information
- Get Blacklist
- Get Command State
- Get Events
- Get File Details
- Get Incident Related Events
- Get Incidents
- Get Whitelist
- Isolate Endpoint
- Rejoin Endpoint
- Remove From Blacklist
- Remove From Whitelist
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
