Cloud Access Security Brokers (CASBs) serve as a critical control point to ensure the secure and compliant use of cloud apps and services. The Symantec CloudSOC platform enables companies to confidently leverage cloud applications and services while staying safe, secure, and compliant. It provides visibility into shadow IT, governance over data in cloud apps, and protection against threats that are targeting cloud accounts.
This document provides information about the Symantec CloudSOC connector, which facilitates automated interactions with Symantec CloudSOC using FortiSOAR™ playbooks. Add the Symantec CloudSOC connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving incident or event data using either detect or investigate from Symantec CloudSOC and retrieving a list of all data (audit) source objects from Symantec CloudSOC.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.11.0-1161
Authored By: Fortinet
Certified: Yes
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum
command to install connectors:
yum install cyops-connector-symantec-cloudsoc
For the detailed procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Symantec CloudSOC connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
API Server URL | URL of the Symantec CloudSOC server to which you will connect and perform the automated operations. |
Key Identifier | API key that is configured for your account to access the Symantec CloudSOC endpoint. |
Key Secret | API password that is configured for your account to access the Symantec CloudSOC endpoint. |
Tenant Identifier | Tenant identifier that is configured for your account to access the Symantec CloudSOC endpoint. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Event Logs | Retrieves incident or event data using either the detect application or the investigate application from Symantec CloudSOC, based on the input parameters you have specified. | get_log Investigation |
Get Audit Sources | Retrieves a list of all data (audit) source objects from Symantec CloudSOC. | get_audit_data_source Investigation |
Get Audit Services | Retrieves a list of all services from Symantec CloudSOC, based on the input parameters you have specified. | get_audit_service Investigation |
Get Audit Users | Retrieves activity of all users across SAAS services from Symantec CloudSOC, based on the input parameters you have specified. | get_audit_user Investigation |
Get Audit Usernames | Retrieves usernames from Symantec CloudSOC, based on the user IDs you have specified. | get_audit_username Investigation |
Get Audit Summary | Retrieves audit summary for services, data sources, users, etc from Symantec CloudSOC, based on the input parameters you have specified. | get_audit_summary Investigation |
Get Content IQ Profile | Retrieves a list of ContentIQ profiles sorted alphabetically by profile name from Symantec CloudSOC. | get_content_iqprofile Investigation |
Get Protect Policies | Retrieves a list of Protect Policies that contains details such as Name, Type, and Status, from Symantec CloudSOC. | get_protect_policies Investigation |
Modify User Activation | Activates or Deactivates a user account on Symantec CloudSOC, based on the user email ID you have specified. | modify_account Containment |
Parameter | Description |
---|---|
APP | Application type based on which you want to retrieve incident and event logs from Symantec CloudSOC. You can choose one from the following options: investigate or detect. |
Subtype | Based on the application you have selected you can select one of the following:
|
Created Timestamp | (Optional) Timestamp when the event or incident was created. For application type as investigate, the created timestamp range must be less than 1 month from the date you have specified in the From parameter or less than a month from the current timestamp. For example, 2015-01-01T00:00: 00 Range example: 2015-01-01T00:00: 00,2015-02-01T00:00:00 |
User | (Optional) Comma-separated list of users for who you want to retrieve incident and event logs from Symantec CloudSOC. For example, In case of multiple users type: user1, user2. |
Service | (Optional) Comma-separated list of services for which you want to retrieve incident and event logs from Symantec CloudSOC. For example, Elastica, Box. |
Severity | (Optional) Severity based on which you want to retrieve incident and event logs from Symantec CloudSOC. You can choose one from the following options: informational, error, warning, critical, low, medium, or high. |
Inserted Timestamp | (Optional) Timestamp when the event or incident was inserted in Symantec CloudSOC. For application type as investigate, the inserted timestamp range must be less than 1 month from the date you have specified in the From parameter or less than a month from the current timestamp. For example, 2015-01-01T00:00: 00 Range example: 2015-01-01T00:00: 00,2015-02-01T00:00:00 |
Updated Timestamp | (Optional) Timestamp when the event or incident was updated in Symantec CloudSOC. For application type as investigate, the inserted timestamp range must be less than 1 month from the date you have specified in the From parameter or less than a month from the current timestamp. For example, 2015-01-01T00:00: 00 Range example: 2015-01-01T00:00: 00,2015-02-01T00:00:00 |
Search | (Optional) Search type based on which you want to retrieve incident and event logs from Symantec CloudSOC. For example, you can specify the search type as Login |
From | (Optional) Timestamp from when you want to you want to retrieve incident and event logs from Symantec CloudSOC. By default, this option is set to 0 |
Limit | (Optional) Maximum number of records that this operation should return. By default, this option is set as 100. |
Sort Inserted Timestamp | (Optional) Sort results based on the inserted timestamp in the ascending (asc) or descending (desc) manner. Note: Logs obtained for app=detect and subtype=threatscore are always sorted by updated_timestamp, and therefore in this condition, you must not specify the Sort Inserted Timestamp parameter. If you do not specify the sort order, then sort is based on the default value. |
Sort | (Optional) Sort results based on the created timestamp in the ascending (asc) or descending (desc) manner. Note: Logs obtained for app=detect and subtype=threatscore are always sorted by updated_timestamp, and therefore in this condition, you must not specify the Sort Inserted Timestamp parameter. If you do not specify the sort order, then sort is based on the default value. |
Threat Score | (Optional) Threat score based on which you want to retrieve incident and event logs from Symantec CloudSOC. For example, 10 Range example: 10,15 (score range between 10 and 15 both inclusive) |
The JSON output contains the incident and event logs retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Following image displays a sample output:
None.
The JSON output contains the audit data source information retrieved from Symantec CloudSOC.
Following image displays a sample output:
Parameter | Description |
---|---|
Earliest Date | Earliest Date from when you want to retrieve audit services from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1470009600 |
Latest Date | Latest Date till when you want to retrieve audit services from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1501545599 |
Datasource IDs | (Optional) Comma-separated list of data source IDs for which you want to retrieve audit services from Symantec CloudSOC. |
Service Type | (Optional) Service type based on which you want to retrieve audit services from Symantec CloudSOC. You can choose one from the following options: enterprise, consumer, all, or prosumer. |
Allowed | (Optional) Select this check box, i.e., set it to True, to allow the user who has logged in to retrieve of audit services results. By default, this option is set as True |
Blocked | (Optional) Select this check box, i.e., set it to True, to block the user who has logged from retrieving of audit services results. By default, this option is set as False |
Output
The JSON output contains the list of services retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Earliest Date | Earliest Date from when you want to retrieve audit users from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1470009600 |
Latest Date | Latest Date till when you want to retrieve audit users from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1501545599 |
Datasource IDs | (Optional) Comma-separated list of data source IDs for which you want to retrieve audit users from Symantec CloudSOC. |
Service Type | (Optional) Service type based on which you want to retrieve audit users from Symantec CloudSOC. You can choose one from the following options: enterprise, consumer, all, or prosumer. |
Allowed | (Optional) Select this check box, i.e., set it to True, to allow the user who has logged in to retrieve of audit user results. By default, this option is set as True. |
Blocked | (Optional) Select this check box, i.e., set it to True, to block the user who has logged from retrieving of audit user results. By default, this option is set as False. |
Next Page | (Optional) Link value (identifier) of the next page. Specify this field only if you want to get results on the next page. |
Resolution | (Optional) Rate of returning audit user records: You can choose one from the following options:
|
Service Ids | (Optional) Service ID based on which the identities of all of the service users are retrieved from Symantec CloudSOC. |
The JSON output contains the details of audit users retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
User IDs | Comma-separated list of user IDs for which you want to retrieve usernames from Symantec CloudSOC. |
Limit | (Optional) Maximum number of users out of the given user ids that should be resolved. By default, this is set as 1000. If you specify a limit that is higher than 1000, then this operation will fail. |
The JSON output contains the details of audit usernames retrieved from Symantec CloudSOC, based on the user IDs you have specified.
Parameter | Description |
---|---|
Earliest Date | Earliest Date from when you want to retrieve audit summary from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1470009600 |
Latest Date | Latest Date till when you want to retrieve audit summary from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1501545599 |
Datasource IDs | (Optional) Comma-separated list of data source IDs for which you want to retrieve audit summary from Symantec CloudSOC. |
Service Type | (Optional) Service type based on which you want to retrieve audit summary from Symantec CloudSOC. You can choose one from the following options: enterprise, consumer, all, or prosumer. |
Allowed | (Optional) Select this check box, i.e., set it to True, to allow the user who has logged in to retrieve of audit summary results. By default, this option is set as True. |
Blocked | (Optional) Select this check box, i.e., set it to True, to block the user who has logged from retrieving of audit summary results. By default, this option is set as False. |
Resolution | (Optional) Rate of returning audit summary records: You can choose one from the following options:
|
The JSON output contains the details of audit summary retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Profile Name | (Optional) Name of the profile for which you want to retrieve ContentIQ profiles from Symantec CloudSOC. Note: If you do not specify any profile name, then all the ContentIQ profiles sorted alphabetically are retrieved from Symantec CloudSOC. |
API Enabled | (Optional) Select this check box, i.e., set it to True, to get the Securlet scan status for ContentIQ profile. By default, this option is set as False. |
The JSON output contains the details of Content IQ Profiles retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Parameter | Description |
---|---|
Policy Name | (Optional) Name of the policy for which you want to retrieve Protect policies from Symantec CloudSOC. Note: If you do not specify any profile name, then all the Protect policies are retrieved from Symantec CloudSOC. |
Policy Type | (Optional) Type of the policy for which you want to retrieve protect policies from Symantec CloudSOC. You can choose one from the following options: documentshareapi (Data Exposure via Securlets), documentshare (File Sharing via Gatelets), filexfer (File Transfer via Gatelets), accessenforcement (Access Enforcement via Gatelets), anomalydetect (ThreatScore policy), or accessenforceapi (Access Monitoring via Securlets). |
Is Action | (Optional) Select this checkbox, i.e., set it to True, to retrieve only active retrieve protect policies from Symantec CloudSOC. By default, this option is set as True. |
The JSON output contains the details of Protect Policies retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Parameter | Description |
---|---|
User Email-ID | (Optional) Email ID of the user whose user activation you want to modify on Symantec CloudSOC. |
Action | Type of user activation you want to perform on Symantec CloudSOC. You can choose one from the following options: Activate or Deactivate User. |
The JSON output contains the status of the user activation action performed on Symantec CloudSOC.
The Sample - Symantec CloudSOC - 1.0.0
playbook collection comes bundled with the Symantec CloudSOC connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec CloudSOC
connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Cloud Access Security Brokers (CASBs) serve as a critical control point to ensure the secure and compliant use of cloud apps and services. The Symantec CloudSOC platform enables companies to confidently leverage cloud applications and services while staying safe, secure, and compliant. It provides visibility into shadow IT, governance over data in cloud apps, and protection against threats that are targeting cloud accounts.
This document provides information about the Symantec CloudSOC connector, which facilitates automated interactions with Symantec CloudSOC using FortiSOAR™ playbooks. Add the Symantec CloudSOC connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving incident or event data using either detect or investigate from Symantec CloudSOC and retrieving a list of all data (audit) source objects from Symantec CloudSOC.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.11.0-1161
Authored By: Fortinet
Certified: Yes
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum
command to install connectors:
yum install cyops-connector-symantec-cloudsoc
For the detailed procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Symantec CloudSOC connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
API Server URL | URL of the Symantec CloudSOC server to which you will connect and perform the automated operations. |
Key Identifier | API key that is configured for your account to access the Symantec CloudSOC endpoint. |
Key Secret | API password that is configured for your account to access the Symantec CloudSOC endpoint. |
Tenant Identifier | Tenant identifier that is configured for your account to access the Symantec CloudSOC endpoint. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Event Logs | Retrieves incident or event data using either the detect application or the investigate application from Symantec CloudSOC, based on the input parameters you have specified. | get_log Investigation |
Get Audit Sources | Retrieves a list of all data (audit) source objects from Symantec CloudSOC. | get_audit_data_source Investigation |
Get Audit Services | Retrieves a list of all services from Symantec CloudSOC, based on the input parameters you have specified. | get_audit_service Investigation |
Get Audit Users | Retrieves activity of all users across SAAS services from Symantec CloudSOC, based on the input parameters you have specified. | get_audit_user Investigation |
Get Audit Usernames | Retrieves usernames from Symantec CloudSOC, based on the user IDs you have specified. | get_audit_username Investigation |
Get Audit Summary | Retrieves audit summary for services, data sources, users, etc from Symantec CloudSOC, based on the input parameters you have specified. | get_audit_summary Investigation |
Get Content IQ Profile | Retrieves a list of ContentIQ profiles sorted alphabetically by profile name from Symantec CloudSOC. | get_content_iqprofile Investigation |
Get Protect Policies | Retrieves a list of Protect Policies that contains details such as Name, Type, and Status, from Symantec CloudSOC. | get_protect_policies Investigation |
Modify User Activation | Activates or Deactivates a user account on Symantec CloudSOC, based on the user email ID you have specified. | modify_account Containment |
Parameter | Description |
---|---|
APP | Application type based on which you want to retrieve incident and event logs from Symantec CloudSOC. You can choose one from the following options: investigate or detect. |
Subtype | Based on the application you have selected you can select one of the following:
|
Created Timestamp | (Optional) Timestamp when the event or incident was created. For application type as investigate, the created timestamp range must be less than 1 month from the date you have specified in the From parameter or less than a month from the current timestamp. For example, 2015-01-01T00:00: 00 Range example: 2015-01-01T00:00: 00,2015-02-01T00:00:00 |
User | (Optional) Comma-separated list of users for who you want to retrieve incident and event logs from Symantec CloudSOC. For example, In case of multiple users type: user1, user2. |
Service | (Optional) Comma-separated list of services for which you want to retrieve incident and event logs from Symantec CloudSOC. For example, Elastica, Box. |
Severity | (Optional) Severity based on which you want to retrieve incident and event logs from Symantec CloudSOC. You can choose one from the following options: informational, error, warning, critical, low, medium, or high. |
Inserted Timestamp | (Optional) Timestamp when the event or incident was inserted in Symantec CloudSOC. For application type as investigate, the inserted timestamp range must be less than 1 month from the date you have specified in the From parameter or less than a month from the current timestamp. For example, 2015-01-01T00:00: 00 Range example: 2015-01-01T00:00: 00,2015-02-01T00:00:00 |
Updated Timestamp | (Optional) Timestamp when the event or incident was updated in Symantec CloudSOC. For application type as investigate, the inserted timestamp range must be less than 1 month from the date you have specified in the From parameter or less than a month from the current timestamp. For example, 2015-01-01T00:00: 00 Range example: 2015-01-01T00:00: 00,2015-02-01T00:00:00 |
Search | (Optional) Search type based on which you want to retrieve incident and event logs from Symantec CloudSOC. For example, you can specify the search type as Login |
From | (Optional) Timestamp from when you want to you want to retrieve incident and event logs from Symantec CloudSOC. By default, this option is set to 0 |
Limit | (Optional) Maximum number of records that this operation should return. By default, this option is set as 100. |
Sort Inserted Timestamp | (Optional) Sort results based on the inserted timestamp in the ascending (asc) or descending (desc) manner. Note: Logs obtained for app=detect and subtype=threatscore are always sorted by updated_timestamp, and therefore in this condition, you must not specify the Sort Inserted Timestamp parameter. If you do not specify the sort order, then sort is based on the default value. |
Sort | (Optional) Sort results based on the created timestamp in the ascending (asc) or descending (desc) manner. Note: Logs obtained for app=detect and subtype=threatscore are always sorted by updated_timestamp, and therefore in this condition, you must not specify the Sort Inserted Timestamp parameter. If you do not specify the sort order, then sort is based on the default value. |
Threat Score | (Optional) Threat score based on which you want to retrieve incident and event logs from Symantec CloudSOC. For example, 10 Range example: 10,15 (score range between 10 and 15 both inclusive) |
The JSON output contains the incident and event logs retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Following image displays a sample output:
None.
The JSON output contains the audit data source information retrieved from Symantec CloudSOC.
Following image displays a sample output:
Parameter | Description |
---|---|
Earliest Date | Earliest Date from when you want to retrieve audit services from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1470009600 |
Latest Date | Latest Date till when you want to retrieve audit services from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1501545599 |
Datasource IDs | (Optional) Comma-separated list of data source IDs for which you want to retrieve audit services from Symantec CloudSOC. |
Service Type | (Optional) Service type based on which you want to retrieve audit services from Symantec CloudSOC. You can choose one from the following options: enterprise, consumer, all, or prosumer. |
Allowed | (Optional) Select this check box, i.e., set it to True, to allow the user who has logged in to retrieve of audit services results. By default, this option is set as True |
Blocked | (Optional) Select this check box, i.e., set it to True, to block the user who has logged from retrieving of audit services results. By default, this option is set as False |
Output
The JSON output contains the list of services retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Earliest Date | Earliest Date from when you want to retrieve audit users from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1470009600 |
Latest Date | Latest Date till when you want to retrieve audit users from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1501545599 |
Datasource IDs | (Optional) Comma-separated list of data source IDs for which you want to retrieve audit users from Symantec CloudSOC. |
Service Type | (Optional) Service type based on which you want to retrieve audit users from Symantec CloudSOC. You can choose one from the following options: enterprise, consumer, all, or prosumer. |
Allowed | (Optional) Select this check box, i.e., set it to True, to allow the user who has logged in to retrieve of audit user results. By default, this option is set as True. |
Blocked | (Optional) Select this check box, i.e., set it to True, to block the user who has logged from retrieving of audit user results. By default, this option is set as False. |
Next Page | (Optional) Link value (identifier) of the next page. Specify this field only if you want to get results on the next page. |
Resolution | (Optional) Rate of returning audit user records: You can choose one from the following options:
|
Service Ids | (Optional) Service ID based on which the identities of all of the service users are retrieved from Symantec CloudSOC. |
The JSON output contains the details of audit users retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
User IDs | Comma-separated list of user IDs for which you want to retrieve usernames from Symantec CloudSOC. |
Limit | (Optional) Maximum number of users out of the given user ids that should be resolved. By default, this is set as 1000. If you specify a limit that is higher than 1000, then this operation will fail. |
The JSON output contains the details of audit usernames retrieved from Symantec CloudSOC, based on the user IDs you have specified.
Parameter | Description |
---|---|
Earliest Date | Earliest Date from when you want to retrieve audit summary from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1470009600 |
Latest Date | Latest Date till when you want to retrieve audit summary from Symantec CloudSOC. You must enter the date format in Epoch time in seconds. For example, 1501545599 |
Datasource IDs | (Optional) Comma-separated list of data source IDs for which you want to retrieve audit summary from Symantec CloudSOC. |
Service Type | (Optional) Service type based on which you want to retrieve audit summary from Symantec CloudSOC. You can choose one from the following options: enterprise, consumer, all, or prosumer. |
Allowed | (Optional) Select this check box, i.e., set it to True, to allow the user who has logged in to retrieve of audit summary results. By default, this option is set as True. |
Blocked | (Optional) Select this check box, i.e., set it to True, to block the user who has logged from retrieving of audit summary results. By default, this option is set as False. |
Resolution | (Optional) Rate of returning audit summary records: You can choose one from the following options:
|
The JSON output contains the details of audit summary retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Profile Name | (Optional) Name of the profile for which you want to retrieve ContentIQ profiles from Symantec CloudSOC. Note: If you do not specify any profile name, then all the ContentIQ profiles sorted alphabetically are retrieved from Symantec CloudSOC. |
API Enabled | (Optional) Select this check box, i.e., set it to True, to get the Securlet scan status for ContentIQ profile. By default, this option is set as False. |
The JSON output contains the details of Content IQ Profiles retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Parameter | Description |
---|---|
Policy Name | (Optional) Name of the policy for which you want to retrieve Protect policies from Symantec CloudSOC. Note: If you do not specify any profile name, then all the Protect policies are retrieved from Symantec CloudSOC. |
Policy Type | (Optional) Type of the policy for which you want to retrieve protect policies from Symantec CloudSOC. You can choose one from the following options: documentshareapi (Data Exposure via Securlets), documentshare (File Sharing via Gatelets), filexfer (File Transfer via Gatelets), accessenforcement (Access Enforcement via Gatelets), anomalydetect (ThreatScore policy), or accessenforceapi (Access Monitoring via Securlets). |
Is Action | (Optional) Select this checkbox, i.e., set it to True, to retrieve only active retrieve protect policies from Symantec CloudSOC. By default, this option is set as True. |
The JSON output contains the details of Protect Policies retrieved from Symantec CloudSOC, based on the input parameters you have specified.
Parameter | Description |
---|---|
User Email-ID | (Optional) Email ID of the user whose user activation you want to modify on Symantec CloudSOC. |
Action | Type of user activation you want to perform on Symantec CloudSOC. You can choose one from the following options: Activate or Deactivate User. |
The JSON output contains the status of the user activation action performed on Symantec CloudSOC.
The Sample - Symantec CloudSOC - 1.0.0
playbook collection comes bundled with the Symantec CloudSOC connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec CloudSOC
connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.