Fortinet Document Library

Symantec CloudSOC

1.0.0

About the connector

Cloud Access Security Brokers (CASBs) serve as a critical control point to ensure the secure and compliant use of cloud apps and services. The Symantec CloudSOC platform enables companies to confidently leverage cloud applications and services while staying safe, secure, and compliant. It provides visibility into shadow IT, governance over data in cloud apps, and protection against threats that are targeting cloud accounts.

This document provides information about the Symantec CloudSOC connector, which facilitates automated interactions with Symantec CloudSOC using FortiSOAR™ playbooks. Add the Symantec CloudSOC connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving incident or event data using either detect or investigate from Symantec CloudSOC and retrieving a list of all data (audit) source objects from Symantec CloudSOC.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.11.0-1161

Authored By: Fortinet

Certified: Yes

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-symantec-cloudsoc

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of the Symantec CloudSOC server to which you will connect and perform the automated operations.
  • You must have the API key, password, and tenant identifier that are used to access the Symantec CloudSOC endpoint.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec CloudSOC connector and click Configure to configure the following parameters:

| Parameter | Description |
| --- | --- |
| API Server URL | URL of the Symantec CloudSOC server to which you will connect and perform the automated operations. |
| Key Identifier | API key that is configured for your account to access the Symantec CloudSOC endpoint. |
| Key Secret | API password that is configured for your account to access the Symantec CloudSOC endpoint. |
| Tenant Identifier | Tenant identifier that is configured for your account to access the Symantec CloudSOC endpoint. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

| Function | Description | Annotation and Category |
| --- | --- | --- |
| Get Event Logs | Retrieves incident or event data using either the detect application or the investigate application from Symantec CloudSOC, based on the input parameters you have specified. | get_log, Investigation |
| Get Audit Sources | Retrieves a list of all data (audit) source objects from Symantec CloudSOC. | get_audit_data_source, Investigation |
| Get Audit Services | Retrieves a list of all services from Symantec CloudSOC, based on the input parameters you have specified. | get_audit_service, Investigation |
| Get Audit Users | Retrieves activity of all users across SaaS services from Symantec CloudSOC, based on the input parameters you have specified. | get_audit_user, Investigation |
| Get Audit Usernames | Retrieves usernames from Symantec CloudSOC, based on the user IDs you have specified. | get_audit_username, Investigation |
| Get Audit Summary | Retrieves audit summary for services, data sources, users, etc. from Symantec CloudSOC, based on the input parameters you have specified. | get_audit_summary, Investigation |
| Get Content IQ Profile | Retrieves a list of ContentIQ profiles sorted alphabetically by profile name from Symantec CloudSOC. | get_content_iqprofile, Investigation |
| Get Protect Policies | Retrieves a list of Protect Policies that contains details such as Name, Type, and Status, from Symantec CloudSOC. | get_protect_policies, Investigation |
| Modify User Activation | Activates or deactivates a user account on Symantec CloudSOC, based on the user email ID you have specified. | modify_account, Containment |

operation: Get Event Logs

Input parameters

| Parameter | Description |
| --- | --- |
| APP | Application type based on which you want to retrieve incident and event logs from Symantec CloudSOC. You can choose one from the following options: investigate or detect. |
| Subtype | Based on the application you have selected, you can select one of the following: all (when you select the application type as investigate); incidents or threatscore (when you select the application type as detect). |
| Created Timestamp | (Optional) Timestamp when the event or incident was created. For application type as investigate, the created timestamp range must be less than 1 month from the date you have specified in the From parameter or less than a month from the current timestamp. For example, 2015-01-01T00:00:00. Range example: 2015-01-01T00:00:00,2015-02-01T00:00:00 |
| User | (Optional) Comma-separated list of users for whom you want to retrieve incident and event logs from Symantec CloudSOC. For example, in case of multiple users, type: user1, user2. |
| Service | (Optional) Comma-separated list of services for which you want to retrieve incident and event logs from Symantec CloudSOC. For example, Elastica, Box. |
| Severity | (Optional) Severity based on which you want to retrieve incident and event logs from Symantec CloudSOC. You can choose one from the following options: informational, error, warning, critical, low, medium, or high. |
| Inserted Timestamp | (Optional) Timestamp when the event or incident was inserted in Symantec CloudSOC. For application type as investigate, the inserted timestamp range must be less than 1 month from the date you have specified in the From parameter or less than a month from the current timestamp. For example, 2015-01-01T00:00:00. Range example: 2015-01-01T00:00:00,2015-02-01T00:00:00 |
| Updated Timestamp | (Optional) Timestamp when the event or incident was updated in Symantec CloudSOC. For application type as investigate, the inserted timestamp range must be less than 1 month from the date you have specified in the From parameter or less than a month from the current timestamp. For example, 2015-01-01T00:00:00. Range example: 2015-01-01T00:00:00,2015-02-01T00:00:00 |
| Search | (Optional) Search type based on which you want to retrieve incident and event logs from Symantec CloudSOC. For example, you can specify the search type as Login. |
| From | (Optional) Timestamp from when you want to retrieve incident and event logs from Symantec CloudSOC. By default, this option is set to 0. |
| Limit | (Optional) Maximum number of records that this operation should return. By default, this option is set as 100. |
| Sort Inserted Timestamp | (Optional) Sort results based on the inserted timestamp in the ascending (asc) or descending (desc) manner. Note: Logs obtained for app=detect and subtype=threatscore are always sorted by updated_timestamp, and therefore in this condition, you must not specify the Sort Inserted Timestamp parameter. If you do not specify the sort order, then sort is based on the default value. |
| Sort | (Optional) Sort results based on the created timestamp in the ascending (asc) or descending (desc) manner. Note: Logs obtained for app=detect and subtype=threatscore are always sorted by updated_timestamp, and therefore in this condition, you must not specify the Sort Inserted Timestamp parameter. If you do not specify the sort order, then sort is based on the default value. |
| Threat Score | (Optional) Threat score based on which you want to retrieve incident and event logs from Symantec CloudSOC. For example, 10. Range example: 10,15 (score range between 10 and 15, both inclusive) |

Output

The JSON output contains the incident and event logs retrieved from Symantec CloudSOC, based on the input parameters you have specified.
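
The input constraints listed for Get Event Logs can be checked before a playbook step runs. The following is an added example, not code from the connector or from Fortinet; the dictionary key names (app, subtype, created_timestamp, and so on) are hypothetical stand-ins for the playbook inputs, and treating "1 month" as at most 31 days is an assumption chosen so that the page's own range example passes.

```python
from datetime import datetime, timedelta

# Allowed values are taken from the parameter table; key names are hypothetical.
SUBTYPES = {"investigate": {"all"}, "detect": {"incidents", "threatscore"}}
SEVERITIES = {"informational", "error", "warning", "critical",
              "low", "medium", "high"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"
MAX_INVESTIGATE_SPAN = timedelta(days=31)  # assumption for "1 month"


def _parse_timestamps(value):
    """Parse 'ts' or 'start,end' into datetimes; raises ValueError if malformed."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) not in (1, 2):
        raise ValueError("expected one timestamp or 'start,end'")
    return [datetime.strptime(p, TS_FORMAT) for p in parts]


def _check_threat_score(value):
    """Accept a single score ('10') or an inclusive range ('10,15')."""
    parts = [p.strip() for p in str(value).split(",")]
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        return "threat_score must be an integer or 'low,high'"
    if len(parts) == 2 and int(parts[0]) > int(parts[1]):
        return "threat_score range is reversed"
    return None


def validate_get_event_logs(params):
    """Return a list of problems with the inputs; an empty list means valid."""
    errors = []
    app, subtype = params.get("app"), params.get("subtype")
    if app not in SUBTYPES:
        errors.append("app must be 'investigate' or 'detect'")
    elif subtype not in SUBTYPES[app]:
        errors.append(f"subtype for app={app} must be one of "
                      f"{sorted(SUBTYPES[app])}")

    for key in ("created_timestamp", "inserted_timestamp", "updated_timestamp"):
        value = params.get(key)
        if not value:
            continue
        try:
            stamps = _parse_timestamps(value)
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
            continue
        if len(stamps) == 2:
            if stamps[1] < stamps[0]:
                errors.append(f"{key}: range end precedes range start")
            elif (app == "investigate"
                  and stamps[1] - stamps[0] > MAX_INVESTIGATE_SPAN):
                errors.append(f"{key}: range exceeds 1 month for investigate")

    severity = params.get("severity")
    if severity is not None and severity not in SEVERITIES:
        errors.append(f"severity must be one of {sorted(SEVERITIES)}")

    limit = params.get("limit")
    if limit is not None and (isinstance(limit, bool)
                              or not isinstance(limit, int) or limit < 1):
        errors.append("limit must be a positive integer")

    for key in ("sort", "sort_inserted_timestamp"):
        value = params.get(key)
        if value is not None and value not in ("asc", "desc"):
            errors.append(f"{key} must be 'asc' or 'desc'")

    # detect/threatscore results are always sorted by updated_timestamp.
    if (app == "detect" and subtype == "threatscore"
            and params.get("sort_inserted_timestamp")):
        errors.append("sort_inserted_timestamp must not be set for "
                      "app=detect, subtype=threatscore")

    score = params.get("threat_score")
    if score is not None:
        problem = _check_threat_score(score)
        if problem:
            errors.append(problem)
    return errors


if __name__ == "__main__":
    # Constructed sample input, using the range example from the table.
    sample = {"app": "investigate", "subtype": "all", "limit": 100,
              "created_timestamp": "2015-01-01T00:00:00,2015-02-01T00:00:00"}
    print(validate_get_event_logs(sample) or "inputs look valid")
```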

operation: Get Audit Sources

Input parameters

None.

Output

The JSON output contains the audit data source information retrieved from Symantec CloudSOC.

operation: Get Audit Services

Input parameters

| Parameter | Description |
| --- | --- |
| Earliest Date | Earliest date from when you want to retrieve audit services from Symantec CloudSOC. You must enter the date in Epoch time in seconds. For example, 1470009600 |
| Latest Date | Latest date till when you want to retrieve audit services from Symantec CloudSOC. You must enter the date in Epoch time in seconds. For example, 1501545599 |
| Datasource IDs | (Optional) Comma-separated list of data source IDs for which you want to retrieve audit services from Symantec CloudSOC. |
| Service Type | (Optional) Service type based on which you want to retrieve audit services from Symantec CloudSOC. You can choose one from the following options: enterprise, consumer, all, or prosumer. |
| Allowed | (Optional) Select this check box, i.e., set it to True, to allow the user who has logged in to retrieve audit services results. By default, this option is set as True. |
| Blocked | (Optional) Select this check box, i.e., set it to True, to block the user who has logged in from retrieving audit services results. By default, this option is set as False. |

Output

The JSON output contains the list of services retrieved from Symantec CloudSOC, based on the input parameters you have specified.

operation: Get Audit Users

Input parameters

| Parameter | Description |
| --- | --- |
| Earliest Date | Earliest date from when you want to retrieve audit users from Symantec CloudSOC. You must enter the date in Epoch time in seconds. For example, 1470009600 |
| Latest Date | Latest date till when you want to retrieve audit users from Symantec CloudSOC. You must enter the date in Epoch time in seconds. For example, 1501545599 |
| Datasource IDs | (Optional) Comma-separated list of data source IDs for which you want to retrieve audit users from Symantec CloudSOC. |
| Service Type | (Optional) Service type based on which you want to retrieve audit users from Symantec CloudSOC. You can choose one from the following options: enterprise, consumer, all, or prosumer. |
| Allowed | (Optional) Select this check box, i.e., set it to True, to allow the user who has logged in to retrieve audit user results. By default, this option is set as True. |
| Blocked | (Optional) Select this check box, i.e., set it to True, to block the user who has logged in from retrieving audit user results. By default, this option is set as False. |
| Next Page | (Optional) Link value (identifier) of the next page. Specify this field only if you want to get results on the next page. |
| Resolution | (Optional) Rate of returning audit user records. You can choose one from the following options: 3600 (returns hourly audit user records), 86400 (returns daily audit user records), or 2592000 (default value; returns monthly audit user records). |
| Service Ids | (Optional) Service ID based on which the identities of all of the service users are retrieved from Symantec CloudSOC. |

Output

The JSON output contains the details of audit users retrieved from Symantec CloudSOC, based on the input parameters you have specified.

operation: Get Audit Usernames

Input parameters

| Parameter | Description |
| --- | --- |
| User IDs | Comma-separated list of user IDs for which you want to retrieve usernames from Symantec CloudSOC. |
| Limit | (Optional) Maximum number of users out of the given user IDs that should be resolved. By default, this is set as 1000. If you specify a limit that is higher than 1000, then this operation will fail. |

Output

The JSON output contains the details of audit usernames retrieved from Symantec CloudSOC, based on the user IDs you have specified.

operation: Get Audit Summary

Input parameters

| Parameter | Description |
| --- | --- |
| Earliest Date | Earliest date from when you want to retrieve audit summary from Symantec CloudSOC. You must enter the date in Epoch time in seconds. For example, 1470009600 |
| Latest Date | Latest date till when you want to retrieve audit summary from Symantec CloudSOC. You must enter the date in Epoch time in seconds. For example, 1501545599 |
| Datasource IDs | (Optional) Comma-separated list of data source IDs for which you want to retrieve audit summary from Symantec CloudSOC. |
| Service Type | (Optional) Service type based on which you want to retrieve audit summary from Symantec CloudSOC. You can choose one from the following options: enterprise, consumer, all, or prosumer. |
| Allowed | (Optional) Select this check box, i.e., set it to True, to allow the user who has logged in to retrieve audit summary results. By default, this option is set as True. |
| Blocked | (Optional) Select this check box, i.e., set it to True, to block the user who has logged in from retrieving audit summary results. By default, this option is set as False. |
| Resolution | (Optional) Rate of returning audit summary records. You can choose one from the following options: 3600 (returns hourly audit summary records), 86400 (returns daily audit summary records), or 2592000 (default value; returns monthly user records). |

Output

The JSON output contains the details of audit summary retrieved from Symantec CloudSOC, based on the input parameters you have specified.

operation: Get Content IQ Profile

Input parameters

| Parameter | Description |
| --- | --- |
| Profile Name | (Optional) Name of the profile for which you want to retrieve ContentIQ profiles from Symantec CloudSOC. Note: If you do not specify any profile name, then all the ContentIQ profiles sorted alphabetically are retrieved from Symantec CloudSOC. |
| API Enabled | (Optional) Select this check box, i.e., set it to True, to get the Securlet scan status for ContentIQ profile. By default, this option is set as False. |

Output

The JSON output contains the details of Content IQ Profiles retrieved from Symantec CloudSOC, based on the input parameters you have specified.

operation: Get Protect Policies

Input parameters

| Parameter | Description |
| --- | --- |
| Policy Name | (Optional) Name of the policy for which you want to retrieve Protect policies from Symantec CloudSOC. Note: If you do not specify any profile name, then all the Protect policies are retrieved from Symantec CloudSOC. |
| Policy Type | (Optional) Type of the policy for which you want to retrieve Protect policies from Symantec CloudSOC. You can choose one from the following options: documentshareapi (Data Exposure via Securlets), documentshare (File Sharing via Gatelets), filexfer (File Transfer via Gatelets), accessenforcement (Access Enforcement via Gatelets), anomalydetect (ThreatScore policy), or accessenforceapi (Access Monitoring via Securlets). |
| Is Action | (Optional) Select this check box, i.e., set it to True, to retrieve only active Protect policies from Symantec CloudSOC. By default, this option is set as True. |

Output

The JSON output contains the details of Protect Policies retrieved from Symantec CloudSOC, based on the input parameters you have specified.

operation: Modify User Activation

Input parameters

| Parameter | Description |
| --- | --- |
| User Email-ID | (Optional) Email ID of the user whose user activation you want to modify on Symantec CloudSOC. |
| Action | Type of user activation you want to perform on Symantec CloudSOC. You can choose one from the following options: Activate or Deactivate User. |

Output

The JSON output contains the status of the user activation action performed on Symantec CloudSOC.

Included playbooks

The Sample - Symantec CloudSOC - 1.0.0 playbook collection comes bundled with the Symantec CloudSOC connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec CloudSOC connector.

  • Get API Logs
  • Get Audit Services
  • Get Audit Sources
  • Get Audit Summary
  • Get Audit Usernames
  • Get Audit Users
  • Get Content IQ Profile
  • Get Protect Policies
  • Modify User Activation

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
