Fortinet Document Library

Version: 1.0.0

About the connector

Symantec Advanced Threat Protection (ATP) performs the critical security tasks that detect, protect, and respond to threats to your network.

This document provides information about the Symantec ATP connector, which facilitates automated interactions with a Symantec ATP server using FortiSOAR™ playbooks. Add the Symantec ATP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving events, incidents, and files from the Symantec ATP server and isolating or rejoining an endpoint.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-symantec-atp

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of the Symantec ATP server to which you will connect and perform the automated operations.
  • You must have the Client ID and the Client Secret pair that is used to access the Symantec ATP endpoint.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec ATP connector and click Configure to configure the following parameters:

Parameter | Description
Server URL | URL of the Symantec ATP server to which you will connect and perform the automated operations.
Port | Port of the Symantec ATP server.
Username | Username of the Symantec ATP server to which you will connect and perform the automated operations.
Password | Password of the Symantec ATP server to which you will connect and perform the automated operations.
Client ID | Client ID that is used to access the Symantec ATP endpoint. You can retrieve the client_id and client_secret pair from the ATP Manager after you have created an OAuth2 client.
Client Secret | Client Secret that is used to access the Symantec ATP endpoint. You can retrieve the client_id and client_secret pair from the ATP Manager after you have created an OAuth2 client.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards you can also use the annotations to access these operations:

Function | Description | Annotation | Category
Get Appliance Information | Retrieves information about all appliances from the Symantec ATP server. | get_information | Investigation
Get Events | Retrieves information about all events, or events based on the input parameters that you have specified, from the Symantec ATP server. | get_events | Investigation
Get Incidents | Retrieves information about all incidents, or incidents based on the input parameters that you have specified, from the Symantec ATP server. | get_incidents | Investigation
Get Incident Related Events | Retrieves information about incidents related to a particular event that you have specified from the Symantec ATP server. | get_incidentevents | Investigation
Get File Details | Retrieves information about a file based on the file hash that you have specified, from the Symantec ATP server. | get_details | Investigation
Get Command State | Retrieves the state of the command based on the command ID that you have specified, from the Symantec ATP server. | get_state | Investigation
Isolate Endpoint | Isolates endpoints by cutting the connections that the endpoint(s) have to internal and external networks, based on the endpoint IDs (in list or CSV format) that you have specified. Isolating an endpoint keeps that computer from infecting any other computers. ATP supports isolating endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later. | isolate_endpoint | Investigation
Rejoin Endpoint | Rejoins endpoints by re-establishing the connections that the endpoint(s) have to internal and external networks, based on the endpoint IDs (in list or CSV format) that you have specified. You can rejoin only those endpoints that have been isolated. ATP supports rejoining endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later. | rejoin_endpoint | Investigation
Delete Endpoint File | Deletes a file, i.e. all instances of the file, based on the file hash that you have specified, from the endpoint that you have specified using the Device UID. ATP supports deleting files on Symantec Endpoint Protection 12.1 RU6 MP3 and later. | delete_file | Investigation
Get Blacklist | Retrieves information about all blacklisted elements from the Symantec ATP server. | get_blacklist | Investigation
Get Whitelist | Retrieves information about all whitelisted elements from the Symantec ATP server. | get_whitelist | Investigation
Add To Blacklist | Adds an element to an existing blacklist on the Symantec ATP server. | add_in_blacklist | Investigation
Add To Whitelist | Adds an element to an existing whitelist on the Symantec ATP server. | add_in_whitelist | Investigation
Remove From Blacklist | Deletes an element from an existing blacklist on the Symantec ATP server. | delete_from_blacklist | Investigation
Remove From Whitelist | Deletes an element from an existing whitelist on the Symantec ATP server. | delete_from_whitelist | Investigation

operation: Get Appliance Information

Input parameters

None.

Output

The JSON output contains information about all appliances retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Get Appliance Information operation

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied and an unfiltered list is returned.

Parameter | Description
Start Time | DateTime from which you want to retrieve information about events from the Symantec ATP server.
End Time | DateTime until which you want to retrieve information about events from the Symantec ATP server.
Open Query | Query based on which you want to retrieve information about events from the Symantec ATP server. For example: "log_time >= '2016-06-06T15:39:55.616Z' and log_time < '2016--{future}Z' and ( type_id=4096 or type_id=4098 or type_id=4123)"
Number of Events Limit | Maximum number of events you want this operation to return.
Next Link | Value of the next page (for paging through results).

Output

The JSON output contains information about all events, or events based on the input parameters that you have specified, retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Get Events operation

operation: Get Incidents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied and an unfiltered list is returned.

Parameter | Description
Start Time | DateTime from which you want to retrieve information about incidents from the Symantec ATP server.
End Time | DateTime until which you want to retrieve information about incidents from the Symantec ATP server.
Open Query | Query based on which you want to retrieve information about incidents from the Symantec ATP server. For example: "log_time >= '2016-06-06T15:39:55.616Z' and log_time < '2016--{future}Z' and ( type_id=4096 or type_id=4098 or type_id=4123)"
Number of Events Limit | Maximum number of incidents you want this operation to return.
Next Link | Value of the next page (for paging through results).

Output

The JSON output contains information about all incidents, or incidents based on the input parameters that you have specified, retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Get Incidents operation

operation: Get Incident Related Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied and an unfiltered list is returned.

Parameter | Description
Start Time | DateTime from which you want to retrieve information about incidents related to a particular event from the Symantec ATP server.
End Time | DateTime until which you want to retrieve information about incidents related to a particular event type from the Symantec ATP server.
Open Query | Query based on which you want to retrieve information about incidents related to a particular event from the Symantec ATP server. For example: "log_time >= '2016-06-06T15:39:55.616Z' and log_time < '2016--{future}Z' and ( type_id=4096 or type_id=4098 or type_id=4123)"
Number of Events Limit | Maximum number of events you want this operation to return.
Next Link | Value of the next page (for paging through results).

Output

The JSON output contains information about incidents related to the particular event ID types that you have specified, retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Get Incident Related Events operation
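The Open Query examples for Get Events, Get Incidents and Get Incident Related Events share one syntax: log_time bounds joined with "and", plus an OR-ed group of type_id values. The following Python helper is an added example, not part of the connector; it builds that query string from typed inputs so a playbook step does not concatenate it by hand, and it assumes only the syntax shown on this page.

```python
"""
Build the Open Query string used by Get Events, Get Incidents and
Get Incident Related Events from typed inputs.

Added example, not connector code. Only the query syntax shown on this page
(log_time bounds joined with 'and', plus an OR-ed group of type_id values)
is assumed.
"""
from datetime import datetime, timezone
from typing import Iterable, Optional, Union

TimeLike = Union[datetime, str, None]


def _to_datetime(value: TimeLike) -> Optional[datetime]:
    """Accept a datetime or an ISO-8601 string (a trailing 'Z' is allowed);
    naive values are treated as UTC rather than guessing a local zone."""
    if value is None:
        return None
    if isinstance(value, str):
        value = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def _atp_timestamp(ts: datetime) -> str:
    """Render as the millisecond-precision UTC form used on the page,
    e.g. 2016-06-06T15:39:55.616Z."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def build_open_query(start: TimeLike = None,
                     end: TimeLike = None,
                     type_ids: Iterable[int] = ()) -> str:
    """Compose "log_time >= '...' and log_time < '...' and ( type_id=A or type_id=B)".

    Every part is optional. An empty string means no filter, matching the
    page's note that an unfiltered list is returned when nothing is given.
    Raises ValueError on an inverted time window or a bad type_id, so a
    playbook fails before sending a query that can only return nothing.
    """
    start_dt, end_dt = _to_datetime(start), _to_datetime(end)
    if start_dt is not None and end_dt is not None and end_dt <= start_dt:
        raise ValueError("end time must be later than start time")

    ids = sorted({int(t) for t in type_ids})   # de-duplicate, stable order
    if any(t < 0 for t in ids):
        raise ValueError("type_id values must be non-negative integers")

    clauses = []
    if start_dt is not None:
        clauses.append(f"log_time >= '{_atp_timestamp(start_dt)}'")
    if end_dt is not None:
        clauses.append(f"log_time < '{_atp_timestamp(end_dt)}'")
    if ids:
        # Spacing matches the page's sample: "( type_id=4096 or type_id=4098)"
        clauses.append("( " + " or ".join(f"type_id={t}" for t in ids) + ")")
    return " and ".join(clauses)


if __name__ == "__main__":
    # Reproduces the sample query on this page for a one-day window.
    print(build_open_query("2016-06-06T15:39:55.616Z", "2016-06-07T00:00:00Z",
                           [4096, 4098, 4123]))
```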

operation: Get File Details

Input parameters

Parameter | Description
Hash Value | MD5 or SHA-256 value of the file whose details you want to retrieve from the Symantec ATP server.
Is MD5? | Select this check box if you are specifying an MD5 value of the file. If you do not select this check box, then you must specify the SHA-256 value of the file.

Output

The JSON output contains the details of the file associated with the hash value that you have specified, retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Get File Details operation

operation: Get Command State

Input parameters

Parameter | Description
Command ID | ID of the command whose state you want to retrieve from the Symantec ATP server.

Output

The JSON output contains information about the state of the command based on the command ID that you have specified, retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Get Command State operation

operation: Isolate Endpoint

Input parameters

Parameter | Description
Endpoint ID (In CSV or List Format) | ID(s) of the endpoint(s) that you want to isolate from the network. You can specify multiple endpoint IDs using the list or CSV format, or a single endpoint ID, in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8".

Output

The JSON output contains the status message of the isolate endpoint operation retrieved from the Symantec ATP server. The JSON output also contains the ID of the command used to isolate the endpoint(s).

The following image displays a sample output:

Sample output of the Isolate Endpoint operation

operation: Rejoin Endpoint

Input parameters

Parameter | Description
Endpoint ID (In CSV or List Format) | ID(s) of the endpoint(s) that you want to rejoin to the network. You can specify multiple endpoint IDs using the list or CSV format, or a single endpoint ID, in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8".

Output

The JSON output contains the status message of the rejoin endpoint operation retrieved from the Symantec ATP server. The JSON output also contains the ID of the command used to rejoin the endpoint(s).

The following image displays a sample output:

Sample output of the Rejoin Endpoint operation
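Isolate Endpoint and Rejoin Endpoint take the same Endpoint ID input in list, CSV or single-value form. The helper below is an added example, not connector code; it normalises all three forms into one validated, de-duplicated list before the command is sent, and it assumes that endpoint IDs have the UUID shape of the sample value above and that the escaped quotes in that sample are literal text a playbook may pass.

```python
"""
Normalise the 'Endpoint ID (In CSV or List Format)' input that Isolate
Endpoint and Rejoin Endpoint accept.

Added example, not connector code. The UUID shape of an endpoint ID is
inferred from this page's sample value and is an assumption.
"""
import json
import re
from typing import List, Union

# 8-4-4-4-12 hex groups, as in cb46d251-151d-4583-a8fb-ebff7c42cfd8
_ENDPOINT_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)


def normalize_endpoint_ids(raw: Union[str, list, None]) -> List[str]:
    """Return a validated, de-duplicated list of endpoint IDs.

    Accepted input forms:
      * a Python list (e.g. a playbook variable)
      * a JSON list string '["id1", "id2"]', also with the escaped quotes
        shown on this page: '[\\"id1\\", \\"id2\\"]'
      * a CSV string 'id1, id2'
      * a single ID, optionally quoted
    Raises ValueError for an empty result or a malformed ID so the playbook
    fails fast instead of issuing an isolate/rejoin command that cannot apply.
    """
    if raw is None:
        raise ValueError("endpoint ID input is empty")
    if isinstance(raw, list):
        items = [str(x) for x in raw]
    else:
        text = str(raw).strip().replace('\\"', '"')   # undo escaped quotes
        if text.startswith("["):
            try:
                parsed = json.loads(text)
            except json.JSONDecodeError as exc:
                raise ValueError(f"malformed JSON list: {exc}") from exc
            if not isinstance(parsed, list):
                raise ValueError("expected a JSON list of endpoint IDs")
            items = [str(x) for x in parsed]
        else:
            items = text.split(",")

    cleaned: List[str] = []
    seen = set()
    for item in items:
        ident = item.strip().strip('"').strip("'")
        if not ident:
            continue                       # tolerate a trailing comma
        if not _ENDPOINT_ID_RE.match(ident):
            raise ValueError(f"not a valid endpoint ID: {item!r}")
        key = ident.lower()
        if key not in seen:                # the page's sample repeats one ID
            seen.add(key)
            cleaned.append(ident)
    if not cleaned:
        raise ValueError("no endpoint IDs supplied")
    return cleaned
```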

operation: Delete Endpoint File

Input parameters

Parameter | Description
File Hash | SHA-256 value of the file that you want to delete from the specified device.
Device UID | UID of the device from which you want to delete the specified file.

Output

The JSON output contains the status message of the delete endpoint file operation retrieved from the Symantec ATP server. The JSON output also contains the ID of the command used to delete the endpoint file.

The following image displays a sample output:

Sample output of the Delete Endpoint File operation

operation: Get Blacklist

Input parameters

Parameter | Description
Page Index | Index of the page from which you want to retrieve data.
Page Size | Number of entries to retrieve per page.
Select Type (Optional) | Type of the blacklist entries whose information you want to retrieve from the Symantec ATP server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5.
Value (Optional) | Value of the selected type for which you want to retrieve blacklist information from the Symantec ATP server. For example, if you have selected MD5, then you must enter an MD5 value in this field.

Output

The JSON output contains information about all blacklisted elements retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Get Blacklist operation

operation: Get Whitelist

Input parameters

Parameter | Description
Page Index | Index of the page from which you want to retrieve data.
Page Size | Number of entries to retrieve per page.
Select Type (Optional) | Type of the whitelist entries whose information you want to retrieve from the Symantec ATP server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5.
Value (Optional) | Value of the selected type for which you want to retrieve whitelist information from the Symantec ATP server. For example, if you have selected MD5, then you must enter an MD5 value in this field.

Output

The JSON output contains information about all whitelisted elements retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Get Whitelist operation

operation: Add To Blacklist

Input parameters

Parameter | Description
Select Type | Type of the element that you want to add to an existing blacklist on the Symantec ATP server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5.
Value | Value of the element that you want to add to an existing blacklist, based on the type you have selected. For example, if you have selected MD5, then you must enter the value of the element in MD5 format.
Comment | Comment about the blacklist element that you want to add.

Output

The JSON output contains the status message of the Add To Blacklist operation retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Add To Blacklist operation

operation: Add To Whitelist

Input parameters

Parameter | Description
Select Type | Type of the element that you want to add to an existing whitelist on the Symantec ATP server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5.
Value | Value of the element that you want to add to an existing whitelist, based on the type you have selected. For example, if you have selected MD5, then you must enter the value of the element in MD5 format.
Comment | Comment about the whitelist element that you want to add.

Output

The JSON output contains the status message of the Add To Whitelist operation retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Add To Whitelist operation
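Get File Details pairs a Hash Value with an "Is MD5?" flag, and Add To Blacklist / Add To Whitelist pair a Value with a Select Type; in both cases a value of the wrong shape is caught only by the server, if at all. The following Python checks are an added example rather than connector code; they validate the value against its declared type on the FortiSOAR side first. The accepted URL schemes (http and https) and the domain-name rule are assumptions; the type names are those listed on this page.

```python
"""
Validate Get File Details (Hash Value + 'Is MD5?') and Add To Blacklist /
Add To Whitelist (Select Type + Value) inputs before calling the connector.

Added example, not connector code. The type names (IP, Domain, URL, SHA256,
MD5) come from this page; the http/https-only rule for URL and the
domain-name pattern are assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# One or more DNS labels (letters, digits, hyphen; no leading/trailing hyphen)
# followed by a TLD of at least two letters; 253 characters overall.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$")


def validate_hash(value: str, is_md5: bool) -> str:
    """Check a Get File Details hash against the 'Is MD5?' selection.

    Returns the normalised (lower-case) hex digest, or raises ValueError
    when the digest length does not match the selected algorithm.
    """
    value = value.strip()
    pattern, name = (_MD5_RE, "MD5") if is_md5 else (_SHA256_RE, "SHA-256")
    if not pattern.match(value):
        raise ValueError(f"value is not a valid {name} digest: {value!r}")
    return value.lower()


def validate_list_entry(select_type: str, value: str) -> str:
    """Check a blacklist/whitelist Value against its Select Type.

    Returns the value as it should be submitted, or raises ValueError.
    """
    kind = select_type.strip().upper()
    value = value.strip()
    if kind == "MD5":
        return validate_hash(value, is_md5=True)
    if kind == "SHA256":
        return validate_hash(value, is_md5=False)
    if kind == "IP":
        try:
            return str(ipaddress.ip_address(value))   # accepts IPv4 and IPv6
        except ValueError as exc:
            raise ValueError(f"not a valid IP address: {value!r}") from exc
    if kind == "DOMAIN":
        if not _DOMAIN_RE.match(value):
            raise ValueError(f"not a valid domain name: {value!r}")
        return value.lower()
    if kind == "URL":
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an http(s) URL: {value!r}")
        return value
    raise ValueError(f"unknown Select Type {select_type!r}; "
                     "expected IP, Domain, URL, SHA256 or MD5")
```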

operation: Remove From Blacklist

Input parameters

Parameter | Description
ID | ID of the blacklisted element that you want to delete from the Symantec ATP server.

Output

The JSON output contains the status message of the Remove From Blacklist operation retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Remove From Blacklist operation

operation: Remove From Whitelist

Input parameters

Parameter | Description
ID | ID of the whitelisted element that you want to delete from the Symantec ATP server.

Output

The JSON output contains the status message of the Remove From Whitelist operation retrieved from the Symantec ATP server.

The following image displays a sample output:

Sample output of the Remove From Whitelist operation

Included playbooks

The Sample - Symantec ATP - 1.0.0 playbook collection comes bundled with the Symantec ATP connector. This collection contains playbooks with steps for performing all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec ATP connector.

  • Add To Blacklist
  • Add To Whitelist
  • Delete Endpoint File
  • Get Appliance Information
  • Get Blacklist
  • Get Command State
  • Get Events
  • Get File Details
  • Get Incident Related Events
  • Get Incidents
  • Get Whitelist
  • Isolate Endpoint
  • Rejoin Endpoint
  • Remove From Blacklist
  • Remove From Whitelist

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
