Fortinet Document Library


About the connector

Symantec Content and Malware Analysis protects against advanced threats through file reputation, multiple antimalware techniques, and sophisticated sandbox detonation. Content Analysis takes a layered approach to protecting against web and mail threats. It uses both Symantec and other leading security vendors for whitelisting/blacklisting and file reputation services, dual antimalware engines, static code analysis, and deep inspection and detonation through on-box or cloud sandboxing. Together, this fusion of content and malware analysis is intended to protect against targeted malware attacks.

This document provides information about the Symantec CAS (Content Analysis Service) Connector, which facilitates automated interactions with a Symantec Content Analysis Service server using FortiSOAR™ playbooks. Add the Symantec CAS Connector as a step in FortiSOAR™ playbooks and perform automated operations such as creating tasks, retrieving reports and task statistics, detonating files, and submitting sample files or URLs.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

Compatibility with Symantec Content Analysis Service server Version: 2.3.1.2 and later

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Symantec Content Analysis server to which you will connect and perform the automated operations.
  • You must either have the API key that is used to access the Symantec Content Analysis endpoint or the username and password with appropriate permissions to connect to the Symantec Content Analysis server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec CAS connector and click Configure to configure the following parameters:

 

Parameter: Description
Server URL: URL of the Symantec Content Analysis Service server to which you will connect and perform the automated operations.
API Key: Authentication token bearing the required scopes, used to access the Symantec Content Analysis Service server. You must specify either the API key or the Username and Password.
Username: Username used to access the Symantec Content Analysis Service server to which you will connect and perform the automated operations.
Password: Password used to access the Symantec Content Analysis Service server to which you will connect and perform the automated operations.
Verify SSL: Specifies whether the SSL certificate presented by the server is verified. By default, this option is set to True. Leave it enabled: with verification disabled, the API key or the username and password are sent to whatever host answers at the Server URL, so anyone who can intercept the connection can capture them. If the server uses a certificate issued by a private CA, trust that CA on the FortiSOAR™ instance rather than turning verification off.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks, and from FortiSOAR™ release 4.10.0 onwards you can also use the annotations to access the operations:

 

Function: Description (Annotation, Category)
Create Task: Creates a new task, i.e., executes a sample file or URL that you have specified, in the environment you have specified, on the Symantec Content Analysis Service server. (create_task, Investigation)
Submit URL: Submits a URL to the Symantec Content Analysis Service server for analysis. (submit_url, Investigation)
Submit Sample: Submits a file from the FortiSOAR™ Attachments module to the Symantec Content Analysis Service server for analysis. (submit_file, Investigation)
Detonate File: Executes the submitted file in the Symantec CAS environment and fetches the analysis results from the Symantec Content Analysis Service server. (detonate_file, Investigation)
Get Report: Retrieves a report containing the analysis of a completed task (detonation) from the Symantec Content Analysis Service server. (get_report, Investigation)
Get Task Statistics: Retrieves statistics for a completed task (detonation) from the Symantec Content Analysis Service server. (get_stats, Investigation)
Get Samples Task: Retrieves the tasks associated with a sample, based on the Sample ID that you have specified, from the Symantec Content Analysis Service server. (get_task, Investigation)
Get Risk Score: Retrieves the risk score associated with a completed task, based on the Task ID that you have specified, from the Symantec Content Analysis Service server. (get_report, Investigation)

 

operation: Create Task

Input parameters

 

Parameter: Description
Sample ID: ID of the sample file or URL for which you want to create a task.
Environment (Optional): Environment in which you want to create the task. You can choose from IntelliVM, Sandbox, or Mobile IntelliVM. By default, this is set to IntelliVM.
Priority (Optional): Priority of the task that you want to create. You can choose from High, Medium, or Low. By default, this is set to High.
Profile (Optional): ID or short name of the profile in which you want to detonate the file. This parameter is required if Environment is set to IntelliVM; because IntelliVM is the default environment, you must supply a profile unless you change the environment.
Primary Resource (Optional): ID or name of the primary resource, if you want to override the default execution resource.

 

Output

The JSON output contains information of the newly created task such as task state, task id, task execution arguments, task state id, task global risk score, sample id, sample source, and sample description.

Following image displays a sample output:
 

Sample output of the Create Task operation
 

operation: Submit URL

Input parameters

 

Parameter: Description
URL of Sample: URL that you want to submit to the Symantec Content Analysis Service server for analysis.
Owner: Owner of the URL you have submitted. By default, this is set to the username that you have set in the connector configuration.
Source (Optional): Source of the URL you have submitted to the Symantec Content Analysis Service server. By default, this is set to CyberSponse.
Execution Arguments (Optional): Arguments that you want to pass while executing the operation.
Label (Optional): Label to be given to the URL you have submitted to the Symantec Content Analysis Service server.
Description (Optional): Description to be given to the URL you have submitted to the Symantec Content Analysis Service server.

 

Output

The JSON output contains information of the URL submitted to the Symantec Content Analysis Service server, such as sample id, sample source, sample label, sample url, and sample date added.

Following image displays a sample output:
 

Sample output of the Submit URL operation

 

operation: Submit Sample

Input parameters

 

Parameter: Description
File Reference: Type of file reference that you are submitting to the Symantec Content Analysis Service server for analysis. You can choose from Attachment IRI or File IRI.
Reference ID: Reference ID that is used to access the file directly from the FortiSOAR™ Attachments module. This should be the file that you want to submit to the Symantec Content Analysis Service server for analysis. In the playbook, this defaults to {{vars.attachment_id}} if you have selected Attachment IRI as the file reference, or to {{vars.file_iri}} if you have selected File IRI.
Owner: Owner of the file you have submitted. By default, this is set to the username that you have set in the connector configuration.
Source (Optional): Source of the file you have submitted to the Symantec Content Analysis Service server. By default, this is set to CyberSponse.
Label (Optional): Label to be given to the file you have submitted to the Symantec Content Analysis Service server.
Target Name (Optional): Target name of the file, if you want to override the file name.
Description (Optional): Description to be given to the file you have submitted to the Symantec Content Analysis Service server.
Extension (Optional): Extension of the file, if you want to override the default file extension.
Resource ID (Optional): Resource ID used to create the sample from an existing sample resource.
Execution Arguments (Optional): Arguments that you want to pass while executing the operation.

 

Output

The JSON output contains information about the file submitted to the Symantec Content Analysis Service server, such as sample id, sample source, sample label, sample url, and sample date added.

Following image displays a sample output:
 

Sample output of the Submit Sample operation

 

operation: Detonate File

Input parameters

 

Parameter: Description
File Reference: Type of file reference that you want to detonate on the Symantec Content Analysis Service server. You can choose from Attachment IRI or File IRI.
Reference ID: Reference ID that is used to access the file directly from the FortiSOAR™ Attachments module. This should be the file that you want to detonate on the Symantec Content Analysis Service server. In the playbook, this defaults to {{vars.attachment_id}} if you have selected Attachment IRI as the file reference, or to {{vars.file_iri}} if you have selected File IRI.
Owner (Optional): Owner of the file you want to detonate on the Symantec Content Analysis Service server. By default, this is set to the username that you have set in the connector configuration.
Environment: Environment in which you want to detonate the file. You can choose from IntelliVM, Sandbox, or Mobile IntelliVM. By default, this is set to IntelliVM.
Priority: Priority of this operation. You can choose from High, Medium, or Low. By default, this is set to High.
Detonate Timeout: Detonation timeout in minutes. This timeout applies to task execution: the task must complete within it for the operation to return the task execution report from the Symantec Content Analysis Service server. If the task does not complete within the timeout, the operation returns without the report, and you must retrieve the report later using the Get Report action (with the task ID) or from the Symantec Content Analysis Service server itself.
Profile (Optional): ID or short name of the profile in which you want to detonate the file. This parameter is required if Environment is set to IntelliVM.
Source (Optional): Source of the file that you want to detonate on the Symantec Content Analysis Service server. By default, this is set to CyberSponse.
Label (Optional): Label to be given to the file that you want to detonate on the Symantec Content Analysis Service server.
Description (Optional): Description to be given to the file that you want to detonate on the Symantec Content Analysis Service server.

 

Output

The JSON output contains the analysis report of the Detonate File operation retrieved from the Symantec Content Analysis Service server.

Following image displays a sample output:
 

Sample output of the Detonate File operation

 

operation: Get Report

Input parameters

 

Parameter: Description
Task ID: Unique ID of the task whose analysis report you want to retrieve from the Symantec Content Analysis Service server.

 

Output

The JSON output contains the analysis report, based on the task ID that you have specified, retrieved from the Symantec Content Analysis Service server.

Following image displays a sample output:
 

Sample output of the Get Report operation

 

operation: Get Task Statistics

Input parameters

 

Parameter: Description
Task ID: Unique ID of the task whose statistics you want to retrieve from the Symantec Content Analysis Service server.

 

Output

The JSON output contains the statistics information, based on the task ID that you have specified, retrieved from the Symantec Content Analysis Service server.

Following image displays a sample output:
 

Sample output of the Get Task Statistics operation

 

operation: Get Samples Task

Input parameters

 

Parameter: Description
Sample ID: ID of the uploaded sample for which you want to retrieve the associated tasks from the Symantec Content Analysis Service server.

 

Output

The JSON output contains the task information, based on the sample ID that you have specified, retrieved from the Symantec Content Analysis Service server.

Following image displays a sample output:
 

Sample output of the Get Samples Task operation

 

operation: Get Risk Score

Input parameters

 

Parameter: Description
Task ID: Unique ID of the completed task (detonation) whose risk score you want to retrieve from the Symantec Content Analysis Service server.

 

Output

The JSON output contains the risk score information, based on the task ID that you have specified, retrieved from the Symantec Content Analysis Service server.

Following image displays a sample output:
 

Sample output of the Get Risk Score operation
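The Detonate File timeout, Get Report and Get Risk Score steps above describe one loop: submit, create a task, wait for it to finish, then read the risk score, and fall back to fetching the report later if the wait runs out. The following is an added example written for this page; it is not the FortiSOAR™ connector's code and not the Symantec CAS REST API. The client methods (submit_file, create_task, get_task, get_report), the task state names, the 0-10 risk-score scale and the verdict thresholds are all assumptions; FakeCasClient is a constructed in-memory stand-in so the workflow runs offline.

```python
"""Detonate-and-wait workflow modelled on the connector actions described above.

Added example, not the FortiSOAR connector's code and not the Symantec CAS REST
API. Client method names, task state names, the 0-10 risk-score scale and the
verdict thresholds are assumptions; FakeCasClient is a constructed stand-in.
"""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Optional

TERMINAL_STATES = {"completed", "failed"}  # assumed state names
ENVIRONMENTS = {"IntelliVM", "Sandbox", "Mobile IntelliVM"}  # from the page


@dataclass
class Detonation:
    sample_id: str
    task_id: str
    state: str
    report: Optional[dict] = None
    risk_score: Optional[int] = None
    verdict: str = "pending"


class FakeCasClient:
    """Constructed stand-in: a task finishes after `steps_to_finish` polls."""

    def __init__(self, steps_to_finish: int = 3, final_score: int = 8):
        self.steps = steps_to_finish
        self.final_score = final_score
        self.tasks: dict = {}

    def submit_file(self, data: bytes, owner: str, label: str = "") -> dict:
        # Sample ID derived from content, so resubmitting identical bytes dedups
        sample_id = hashlib.sha256(data).hexdigest()[:12]
        return {"sample_id": sample_id, "owner": owner, "label": label}

    def create_task(self, sample_id: str, env: str, profile: str, priority: str) -> dict:
        if env not in ENVIRONMENTS:
            raise ValueError(f"unknown environment {env!r}")
        if env == "IntelliVM" and not profile:
            # The page states that Profile is required when Environment is IntelliVM
            raise ValueError("Profile is required when Environment is IntelliVM")
        task_id = f"task-{len(self.tasks) + 1}"
        self.tasks[task_id] = {"sample_id": sample_id, "polls": 0, "state": "queued"}
        return {"task_id": task_id, "state": "queued"}

    def get_task(self, task_id: str) -> dict:
        t = self.tasks[task_id]
        t["polls"] += 1
        t["state"] = "completed" if t["polls"] >= self.steps else "running"
        return {"task_id": task_id, "state": t["state"]}

    def get_report(self, task_id: str) -> dict:
        if self.tasks[task_id]["state"] != "completed":
            raise RuntimeError("report not ready; retry later with the task_id")
        return {"task_id": task_id, "global_risk_score": self.final_score}


def verdict_from_score(score: int, malicious_at: int = 7, suspicious_at: int = 4) -> str:
    """Map an assumed 0-10 global risk score to a triage verdict (thresholds are policy)."""
    if score >= malicious_at:
        return "malicious"
    if score >= suspicious_at:
        return "suspicious"
    return "clean"


def detonate_file(client, data: bytes, owner: str, *, env: str = "IntelliVM",
                  profile: str = "", priority: str = "High", timeout_min: float = 5,
                  poll_s: float = 0.0, clock: Callable[[], float] = time.monotonic,
                  sleep: Callable[[float], None] = time.sleep) -> Detonation:
    """Submit a file, create a task, and poll until it finishes or the timeout elapses.

    On timeout the task keeps running on the server. The caller still gets the
    task_id back, so a later Get Report step can fetch the result, which is the
    behaviour the Detonate Timeout parameter describes.
    """
    sample_id = client.submit_file(data, owner)["sample_id"]
    task = client.create_task(sample_id, env, profile, priority)
    result = Detonation(sample_id, task["task_id"], task["state"])
    deadline = clock() + timeout_min * 60
    while clock() < deadline:
        result.state = client.get_task(result.task_id)["state"]
        if result.state in TERMINAL_STATES:
            break
        sleep(poll_s)
    if result.state == "completed":
        result.report = client.get_report(result.task_id)
        result.risk_score = result.report["global_risk_score"]
        result.verdict = verdict_from_score(result.risk_score)
    elif result.state == "failed":
        result.verdict = "error"
    else:
        result.verdict = "timeout"  # resolve later: client.get_report(result.task_id)
    return result
```

The timeout branch is the part worth copying into a playbook: it keeps the task ID on the Detonation record instead of discarding it, so a follow-up Get Report step can finish the triage once the sandbox is done, and the verdict is derived from the task's global risk score rather than from whether the call returned in time.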

 

Included playbooks

The Sample - Symantec CAS - 1.0.0 playbook collection comes bundled with the Symantec CAS connector. These playbooks contain steps that perform each of the supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec CAS connector.

  • Create Task
  • Detonate File
  • Get Report
  • Get Risk Score
  • Get Samples Task
  • Get Task Statistics
  • Submit Sample
  • Submit URL

Note: If you are planning to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

 
