Fortinet Document Library


About the connector

Symantec™ Cloud is a hosted service that filters email messages and helps protect organizations from malware (including targeted attacks and phishing), spam, and unwanted bulk email.

This document provides information about the Symantec Cloud connector, which facilitates automated interactions with Symantec Cloud using FortiSOAR™ playbooks. Add the Symantec Cloud connector as a step in FortiSOAR™ playbooks to perform automated operations such as blacklisting or whitelisting email addresses, domains, and IP addresses, and retrieving verdict information for emails from Symantec Cloud.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Symantec Cloud instance on which you will perform the automated operations, and the username and password of the account used to access it.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec Cloud connector and click Configure to configure the following parameters:

  • Server URL: URL of Symantec Cloud to which you will connect and perform automated operations.
  • Username: Username for accessing Symantec Cloud to which you will connect and perform the automated operations.
  • Secret Key: Encrypted password for accessing Symantec Cloud to which you will connect and perform the automated operations.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. Defaults to True.


Actions supported by the connector

The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:

  • Blacklist IP (annotation: block_ip; category: Containment): Blocks all emails that originate from the IP address that you have specified.
  • Whitelist IP (annotation: allow_ip; category: Remediation): Allows all emails that are coming in from the IP address that you have specified.
  • Blacklist Domain (annotation: block_domain; category: Containment): Blocks all emails that originate from the domain name that you have specified.
  • Whitelist Domain (annotation: allow_domain; category: Remediation): Allows all emails that are coming in from the domain name that you have specified.
  • Blacklist Email Address (annotation: block_email; category: Containment): Blocks all emails that originate from the email address that you have specified.
  • Whitelist Email Address (annotation: allow_email; category: Remediation): Allows all emails that are coming in from the email address that you have specified.
  • Get Threat Intelligence Feed (annotation: get_feed; category: Miscellaneous): Retrieves detailed information, including verdict information, for all emails that have been received within an organization, retrieved from Symantec Cloud, based on the type of feed you have specified. Verdict information specifies whether the email is tagged as malware, isolation, or clean. You can fetch verdict information based on the following feeds: All (Malware + Clean), Malware, or Isolation URL.


operation: Blacklist IP

Input parameters

  • IP: IP address based on which you want to block all originating emails.

Output

The JSON output returns a Success message if the IP that you have specified is successfully added to the Blocked list on Symantec Cloud.

The following image displays a sample output:

Sample output of the Blacklist IP operation


operation: Whitelist IP

Input parameters

  • IP: IP address based on which you want to allow all originating emails.

Output

The JSON output returns a Success message if the IP that you have specified is successfully added to the Approved list on Symantec Cloud.

The following image displays a sample output:

Sample output of the Whitelist IP operation


operation: Blacklist Domain

Input parameters

  • Domain: Domain name based on which you want to block all originating emails.

Output

The JSON output returns a Success message if the domain name that you have specified is successfully added to the Blocked list on Symantec Cloud.

The following image displays a sample output:

Sample output of the Blacklist Domain operation


operation: Whitelist Domain

Input parameters

  • Domain: Domain name based on which you want to allow all originating emails.

Output

The JSON output returns a Success message if the domain name that you have specified is successfully added to the Approved list on Symantec Cloud.

The following image displays a sample output:

Sample output of the Whitelist Domain operation


operation: Blacklist Email Address

Input parameters

  • Email: Email address based on which you want to block all originating emails.

Output

The JSON output returns a Success message if the email address that you have specified is successfully added to the Blocked list on Symantec Cloud.

The following image displays a sample output:

Sample output of the Blacklist Email Address operation


operation: Whitelist Email Address

Input parameters

  • Email: Email address based on which you want to allow all originating emails.

Output

The JSON output returns a Success message if the email address that you have specified is successfully added to the Approved list on Symantec Cloud.

The following image displays a sample output:

Sample output of the Whitelist Email Address operation


operation: Get Threat Intelligence Feed

Input parameters

  • Feed Start Date: Datetime from when you want to start retrieving feed (alert) information from Symantec Cloud.
  • Feed: Type of feed based on which you want to retrieve email information (including verdict information) from Symantec Cloud. You can choose from the following options: All (Malware + Clean), Malware, or Isolation URL.

Output

The JSON output contains detailed information, including verdict information, for all emails that have been received within an organization, retrieved from Symantec Cloud. Verdict information specifies whether the email is tagged as malware, isolation, or clean.

The following image displays a sample output:

Sample output of the Get Threat Intelligence Feed operation

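As an added example (not part of the connector or this document), the following Python shows how a playbook step could classify an indicator so it reaches the matching annotation (block_ip, block_domain, block_email, or the allow_* counterparts) and turn malware verdicts from the Get Threat Intelligence Feed output into containment actions. The feed record fields (sender, sender_ip, verdict) and the sample records are constructed assumptions, not the connector's real output schema.

```python
import ipaddress
import re

# Annotations from the connector's action table, keyed by indicator type.
BLOCK_ANNOTATION = {"ip": "block_ip", "domain": "block_domain", "email": "block_email"}
ALLOW_ANNOTATION = {"ip": "allow_ip", "domain": "allow_domain", "email": "allow_email"}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def classify_indicator(value):
    """Return (kind, normalized value) where kind is 'ip', 'domain' or 'email'.

    Raises ValueError for anything else, so a playbook never hands an
    unparseable string to a block_*/allow_* action."""
    v = value.strip().lower()
    try:
        return "ip", str(ipaddress.ip_address(v))  # handles IPv4 and IPv6
    except ValueError:
        pass
    m = _EMAIL_RE.match(v)
    if m and _DOMAIN_RE.match(m.group(1)):
        return "email", v
    if _DOMAIN_RE.match(v):
        return "domain", v
    raise ValueError(f"not an IP, domain or email: {value!r}")


# Constructed sample feed records; the field names are an assumption.
SAMPLE_FEED = [
    {"sender": "alerts@good.example", "sender_ip": "203.0.113.7", "verdict": "clean"},
    {"sender": "payroll@bad.example", "sender_ip": "198.51.100.9", "verdict": "malware"},
    {"sender": "news@iso.example", "sender_ip": "192.0.2.44", "verdict": "isolation"},
]


def plan_containment(records, allowlist=()):
    """Map each 'malware' verdict to (annotation, indicator) block actions.

    Indicators on the caller's allowlist are skipped (so a trusted relay is
    never blocked by automation), and duplicates are emitted only once."""
    protected = {classify_indicator(a)[1] for a in allowlist}
    actions, seen = [], set()
    for rec in records:
        if rec.get("verdict") != "malware":
            continue  # 'clean' and 'isolation' verdicts get no block action here
        for raw in (rec.get("sender"), rec.get("sender_ip")):
            if not raw:
                continue
            kind, val = classify_indicator(raw)
            if val in protected or val in seen:
                continue
            seen.add(val)
            actions.append((BLOCK_ANNOTATION[kind], val))
    return actions
```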

Included playbooks

The Sample - Symantec Cloud - 1.0.0 playbook collection comes bundled with the Symantec Cloud connector. This playbook collection contains steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec Cloud connector.

  • Blacklist Domain
  • Blacklist Email Address
  • Blacklist IP
  • Get Threat Intelligence Feed
  • Whitelist Domain
  • Whitelist Email Address
  • Whitelist IP

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
