Symantec™ Endpoint Detection and Response (EDR) Cloud delivers in-depth endpoint visibility, automated threat hunting and breach response across the entire enterprise. Symantec EDR Cloud enhances investigator productivity with extensive rules and user behavior analytics that bring the skills and best practices of experienced security analysts to any organization, resulting in significantly lower costs.
This document describes the Symantec EDR Cloud Connector, which enables automated interaction with your Symantec EDR Cloud from FortiSOAR™ playbooks. Add the Symantec EDR Cloud Connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving alerts and reports from Symantec EDR Cloud and adding a whitelist entry to Symantec EDR Cloud.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later
Compatibility with Symantec EDR Cloud Version: v3.2.0.84 and later
All connectors provided by FortiSOAR™ are delivered through a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
```shell
yum install cyops-connector-symantec-edr-cloud
```
For the detailed procedure to install a connector, see the FortiSOAR™ connector installation documentation.
For the procedure to configure a connector, see the FortiSOAR™ connector configuration documentation.
In FortiSOAR™, on the Connectors page, select the Symantec EDR Cloud connector and click Configure to configure the following parameters.
Parameter | Description |
---|---|
Server URL | URL of the Symantec EDR Cloud API to which you will connect and perform the automated operations. |
API Key | API key used to access the Symantec EDR Cloud to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Alerts | Retrieves a list and details of all alerts from the Symantec EDR Cloud, based on the category of alert and other parameters that you have specified. | get_alerts Investigation |
Get Report | Retrieves a detailed report for an alert from the Symantec EDR Cloud, based on the alert ID that you have specified. | get_report Investigation |
Add sha256 to whitelist | Adds a whitelist entry to Symantec EDR Cloud, based on the value of the sha256 hash that you have specified. | add_whitelist Remediation |
Get whitelist | Retrieves a list and details of all whitelisted sha256s from the Symantec EDR Cloud. | list_whitelist Investigation |
Delete sha256 from whitelist | Removes a whitelisted entry from Symantec EDR Cloud, based on the value of the sha256 hash that you have specified. | delete_whitelist Containment |
Input parameters for the Get Alerts operation:
Note: All input parameters are optional. However, if you do not specify any parameter, no filter criteria are applied and an unfiltered list is returned.
Parameter | Description |
---|---|
Duration | Time range for which you want to retrieve alerts from EDR Cloud. You can choose from the following options: Today, Yesterday, Last 7 days, or Last 30 days. |
Remediation Status | Remediation status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Remediated, Not Remediated, or Both. |
Alert Status | Alert status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Alerted or Not Alerted. |
Read Status | Read status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Read or Unread. |
Sort | Criterion by which the alerts retrieved from EDR Cloud are sorted. You can choose from the following options: Created Date, Name, or Score. |
Category | Category of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: EScribe Recording, Commercial Blacklist, Persistence, Temporal Analysis, Open Source Intelligence, Estate Statistics, Lateral Movement, Memory Injection, Machine Reasoning, Rootkit, or User Behavior. |
Sorting Order | Order in which the alerts are sorted once they are retrieved from EDR Cloud. You can choose from the following options: Ascending or Descending. |
The JSON output contains a list and details of alerts retrieved from Symantec EDR Cloud, based on the alert category and other parameters that you have specified.
The following image displays a sample output:
Input parameters for the Get Report operation:
Parameter | Description |
---|---|
Alert ID | ID of the alert for which you want to retrieve a detailed report from Symantec EDR Cloud. |
The JSON output contains the detailed report for the specified alert retrieved from Symantec EDR Cloud, based on the alert ID that you have specified.
The following image displays a sample output:
Input parameters for the Add sha256 to whitelist operation:
Parameter | Description |
---|---|
sha256 | Value of the sha256 hash that you want to add as a whitelist entry in Symantec EDR Cloud. |
Description | Brief description of the sha256 that you want to add as a whitelist entry in Symantec EDR Cloud. |
The JSON output contains a Success message if the specified sha256 value is successfully added as a whitelist entry in Symantec EDR Cloud.
The following image displays a sample output:
Input parameters for the Get whitelist operation: None.
The JSON output contains a list and details of all whitelisted sha256s retrieved from Symantec EDR Cloud.
The following image displays a sample output:
Input parameters for the Delete sha256 from whitelist operation:
Parameter | Description |
---|---|
sha256 | Value of the sha256 hash whose whitelist entry you want to remove from Symantec EDR Cloud. |
ID | ID of the hash entry that you want to remove from the whitelist in Symantec EDR Cloud. |
Note: You can specify either the sha256 or the ID as the input parameter.
The JSON output contains a Success message if the specified sha256 value is successfully removed as a whitelist entry from Symantec EDR Cloud.
The following image displays a sample output:
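As an added illustration, not part of the connector or of this document, the Python below encodes the documented input constraints of the Get Alerts and Delete sha256 from whitelist operations so a playbook can check them before the connector step runs: empty filters are dropped (giving the unfiltered list the Get Alerts note describes), values outside the listed options are rejected, and the delete selector must be exactly one of sha256 or ID, with the sha256 checked for well-formedness. The parameter key names and the returned dictionaries are assumptions; the connector's actual request format is not shown on this page.

```python
import re

# Allowed values for each Get Alerts filter, as listed in the connector documentation.
# The snake_case key names are an assumption made for this example.
ALERT_FILTER_OPTIONS = {
    "duration": {"Today", "Yesterday", "Last 7 days", "Last 30 days"},
    "remediation_status": {"Remediated", "Not Remediated", "Both"},
    "alert_status": {"Alerted", "Not Alerted"},
    "read_status": {"Read", "Unread"},
    "sort": {"Created Date", "Name", "Score"},
    "category": {
        "EScribe Recording", "Commercial Blacklist", "Persistence", "Temporal Analysis",
        "Open Source Intelligence", "Estate Statistics", "Lateral Movement",
        "Memory Injection", "Machine Reasoning", "Rootkit", "User Behavior",
    },
    "sorting_order": {"Ascending", "Descending"},
}
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def build_alert_filter(params):
    """Drop filters the playbook left empty (None or "") and reject values that
    are not in the documented option lists. An empty result means the unfiltered
    alert list is being requested, which is the documented behaviour."""
    chosen = {}
    for name, value in params.items():
        if name not in ALERT_FILTER_OPTIONS:
            raise ValueError(f"unknown Get Alerts parameter: {name}")
        if value in (None, ""):
            continue
        if value not in ALERT_FILTER_OPTIONS[name]:
            raise ValueError(f"{name}: {value!r} is not a documented option")
        chosen[name] = value
    return chosen


def whitelist_selector(sha256=None, entry_id=None):
    """Delete sha256 from whitelist takes either the sha256 or the entry ID
    (interpreted here as exactly one). A sha256 must be 64 hex characters, so a
    malformed hash is caught locally instead of being sent to the API."""
    if (sha256 is None) == (entry_id is None):
        raise ValueError("specify exactly one of sha256 or ID")
    if sha256 is not None:
        if not SHA256_RE.match(sha256):
            raise ValueError("sha256 must be 64 hexadecimal characters")
        return {"sha256": sha256.lower()}
    return {"id": str(entry_id)}
```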
The Sample - Symantec-EDR-Cloud - 1.0.0 playbook collection comes bundled with the Symantec EDR Cloud connector. This collection contains playbooks whose steps perform each supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EDR Cloud connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.