Fortinet Document Library

Symantec EDR Cloud 1.0.0

About the connector

Symantec™ Endpoint Detection and Response (EDR) Cloud delivers in-depth endpoint visibility, automated threat hunting, and breach response across the entire enterprise. Symantec EDR Cloud enhances investigator productivity with extensive rules and user behavior analytics that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.

This document provides information about the Symantec EDR Cloud Connector, which facilitates automated interactions with your Symantec EDR Cloud using FortiSOAR™ playbooks. Add the Symantec EDR Cloud Connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving alerts and reports from the Symantec EDR Cloud and adding a whitelist entry to Symantec EDR Cloud.

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

Compatibility with Symantec EDR Cloud Version: v3.2.0.84 and later

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-symantec-edr-cloud

For the detailed procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Symantec EDR Cloud to which you will connect and perform automated operations and the API key to access that Symantec EDR Cloud.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec EDR Cloud connector and click Configure to configure the following parameters.

 

  • Server URL: URL of the Symantec EDR Cloud API to which you will connect and perform the automated operations.
  • API Key: API key used to access the Symantec EDR Cloud to which you will connect and perform the automated operations.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.
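As an added example (not the connector's own code), the following Python checks the three configuration values above before a client uses them: the Server URL must be https with no embedded credentials, the API Key must be present, and Verify SSL keeps the documented default of True, with a disabled check recorded as a warning rather than passing silently. The returned dict keys (base_url, verify, warnings) and the key-masking helper are this example's own naming; the HTTP header that the Symantec EDR Cloud API expects for the key is not assumed here.

```python
"""Validation of the connector configuration parameters (Server URL, API Key,
Verify SSL). Added example, not the connector's own code; dict keys are this
example's own naming, not the connector's."""
from urllib.parse import urlsplit


def validate_server_url(server_url):
    """Return a normalised base URL or raise ValueError.

    Enforces https (the API key travels with every request, so plain http
    would expose it on the wire), refuses credentials embedded in the URL,
    rejects query strings and fragments, and strips a trailing slash so that
    API paths can be joined predictably."""
    url = (server_url or "").strip()
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("Server URL must use https")
    if not parts.hostname:
        raise ValueError("Server URL has no host")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the Server URL")
    if parts.query or parts.fragment:
        raise ValueError("Server URL must not carry a query string or fragment")
    return f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}"


def mask_api_key(api_key):
    """Render the key for logs and UI: only the last four characters survive."""
    if len(api_key) <= 4:
        return "*" * len(api_key)
    return "*" * (len(api_key) - 4) + api_key[-4:]


def build_connection_config(server_url, api_key, verify_ssl=True):
    """Assemble the connection settings a client would use.

    verify_ssl defaults to True, matching the connector's documented default.
    Setting it to False is recorded under 'warnings' so that a playbook run
    shows certificate checking was disabled instead of hiding it."""
    key = (api_key or "").strip()
    if not key:
        raise ValueError("API Key is required")
    warnings = []
    if not verify_ssl:
        warnings.append("Verify SSL is disabled: the server certificate will not be checked")
    return {
        "base_url": validate_server_url(server_url),
        "api_key": key,                      # kept for the request layer
        "api_key_display": mask_api_key(key),  # safe form for logging
        "verify": bool(verify_ssl),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample values (hypothetical host and key), not real ones.
    cfg = build_connection_config("https://edr.example.com/", "0123456789abcdef")
    print(cfg["base_url"], cfg["api_key_display"], cfg["verify"])
    weak = build_connection_config("https://edr.example.com/", "0123456789abcdef", verify_ssl=False)
    print(weak["warnings"])
```

The only difference between the weak and the corrected configuration is the Verify SSL value; the validator keeps True unless a playbook author explicitly turns it off, and then the warning makes that choice visible in the run.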

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

  • Get Alerts: Retrieves a list and details of all alerts from the Symantec EDR Cloud, based on the category of alert and other parameters that you have specified. Annotation: get_alerts. Category: Investigation.
  • Get Report: Retrieves a detailed report for an alert from the Symantec EDR Cloud, based on the alert ID that you have specified. Annotation: get_report. Category: Investigation.
  • Add sha256 to whitelist: Adds a whitelist entry to Symantec EDR Cloud, based on the value of the sha256 hash that you have specified. Annotation: add_whitelist. Category: Remediation.
  • Get whitelist: Retrieves a list and details of all whitelisted sha256s from the Symantec EDR Cloud. Annotation: list_whitelist. Category: Investigation.
  • Delete sha256 from whitelist: Removes a whitelisted entry from Symantec EDR Cloud, based on the value of the sha256 hash that you have specified. Annotation: delete_whitelist. Category: Containment.

 

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied and an unfiltered list is returned.

 

  • Duration: Duration or time range for which you want to retrieve alerts from EDR Cloud. You can choose from the following options: Today, Yesterday, Last 7 days, or Last 30 days.
  • Remediation Status: Remediation status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Remediated, Not Remediated, or Both.
  • Alert Status: Alert status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Alerted or Not Alerted.
  • Read Status: Read status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Read or Unread.
  • Sort: Criterion by which the alerts retrieved from EDR Cloud are sorted. You can choose from the following options: Created Date, Name, or Score.
  • Category: Category of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: EScribe Recording, Commercial Blacklist, Persistence, Temporal Analysis, Open Source Intelligence, Estate Statistics, Lateral Movement, Memory Injection, Machine Reasoning, Rootkit, or User Behavior.
  • Sorting Order: Order in which the alerts are sorted once they are retrieved from EDR Cloud. You can choose from the following options: Ascending or Descending.

 

Output

The JSON output contains a list and details of alerts retrieved from Symantec EDR Cloud, based on the alert category and other parameters that you have specified.

The following image displays a sample output:

Sample output of the Get Alerts operation

operation: Get Report

Input parameters

 

  • Alert ID: ID of the alert for which you want to retrieve a detailed report from Symantec EDR Cloud.

 

Output

The JSON output contains the detailed report for the specified alert retrieved from Symantec EDR Cloud, based on the alert ID that you have specified.

The following image displays a sample output:

Sample output of the Get Report operation

operation: Add sha256 to whitelist

Input parameters

 

  • sha256: Value of the sha256 hash that you want to add as a whitelist entry in Symantec EDR Cloud.
  • Description: Brief description of the sha256 that you want to add as a whitelist entry in Symantec EDR Cloud.

 

Output

The JSON output contains a Success message if the specified sha256 value is successfully added as a whitelist entry in Symantec EDR Cloud.

The following image displays a sample output:

Sample output of the Add sha256 to whitelist operation

operation: Get whitelist

Input parameters

None.

Output

The JSON output contains a list and details of all whitelisted sha256s retrieved from the Symantec EDR Cloud.

The following image displays a sample output:

Sample output of the Get whitelist operation

operation: Delete sha256 from whitelist

Input parameters

 

  • sha256: Value of the sha256 hash whose whitelist entry you want to remove from Symantec EDR Cloud.
  • ID: ID of the hash entry that you want to remove from the whitelist in Symantec EDR Cloud.

 

Note: Specify either the sha256 or the ID as the input parameter.
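The following Python, added here and not part of the connector, validates the inputs of the Get Alerts, Add sha256 to whitelist, and Delete sha256 from whitelist operations on the playbook side before they are sent. It uses the option lists documented above for Get Alerts, rejects anything that is not a well-formed sha256 for the whitelist operations, and enforces the note above by accepting exactly one of sha256 or ID on delete. The returned field names (duration, sha256, id, and so on) are this example's own assumptions, not the connector's wire format.

```python
"""Client-side input validation for the Get Alerts and whitelist operations.
Added example, not the connector's own code: option lists come from the
page, the returned dict keys are this example's own naming."""
import re

# Allowed values for the Get Alerts filters, exactly as documented above.
GET_ALERTS_OPTIONS = {
    "duration": ("Today", "Yesterday", "Last 7 days", "Last 30 days"),
    "remediation_status": ("Remediated", "Not Remediated", "Both"),
    "alert_status": ("Alerted", "Not Alerted"),
    "read_status": ("Read", "Unread"),
    "sort": ("Created Date", "Name", "Score"),
    "category": ("EScribe Recording", "Commercial Blacklist", "Persistence",
                 "Temporal Analysis", "Open Source Intelligence",
                 "Estate Statistics", "Lateral Movement", "Memory Injection",
                 "Machine Reasoning", "Rootkit", "User Behavior"),
    "sorting_order": ("Ascending", "Descending"),
}

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def build_get_alerts_filter(**params):
    """Return the filter dict for Get Alerts.

    Every parameter is optional; an empty dict means no filter criteria,
    which the documentation says returns an unfiltered list. Unknown names
    or values outside the documented options are rejected instead of being
    passed through, so a typo in a playbook cannot silently widen the query."""
    filters = {}
    for name, value in params.items():
        if value is None or value == "":
            continue  # left unset in the playbook step
        if name not in GET_ALERTS_OPTIONS:
            raise ValueError(f"unknown Get Alerts parameter: {name}")
        if value not in GET_ALERTS_OPTIONS[name]:
            raise ValueError(f"{name!r} must be one of {GET_ALERTS_OPTIONS[name]}, got {value!r}")
        filters[name] = value
    return filters


def normalize_sha256(value):
    """Validate and canonicalise a sha256 before it reaches the whitelist.

    Accepts 64 hex digits in either case and returns lowercase. Anything
    else (an MD5, a SHA-1, a path, an empty string) is rejected: a malformed
    entry would either be refused by the service or never match the file it
    was meant to whitelist."""
    value = (value or "").strip()
    if not SHA256_RE.match(value):
        raise ValueError("sha256 must be exactly 64 hexadecimal characters")
    return value.lower()


def build_add_whitelist_params(sha256, description):
    """Parameters for Add sha256 to whitelist. A description is required so
    that the entry can be audited later."""
    if not description or not description.strip():
        raise ValueError("a description is required for every whitelist entry")
    return {"sha256": normalize_sha256(sha256), "description": description.strip()}


def build_delete_whitelist_params(sha256=None, entry_id=None):
    """Parameters for Delete sha256 from whitelist.

    Exactly one of sha256 or ID is accepted, so a step that supplies both
    by mistake cannot remove an entry other than the one that was reviewed."""
    have_hash = bool(sha256 and sha256.strip())
    have_id = entry_id is not None and str(entry_id).strip() != ""
    if have_hash == have_id:
        raise ValueError("specify exactly one of sha256 or ID")
    if have_hash:
        return {"sha256": normalize_sha256(sha256)}
    return {"id": str(entry_id).strip()}


if __name__ == "__main__":
    # Constructed sample values; the hash and ID are not real.
    print(build_get_alerts_filter(duration="Last 7 days", category="Lateral Movement"))
    print(build_add_whitelist_params("A" * 64, "internal build tool, reviewed by SOC"))
    print(build_delete_whitelist_params(entry_id=42))
```

Calling these builders in a pre-step of the sample playbooks turns a bad hash or an ambiguous delete into a failed step with a clear message rather than a request the service may interpret differently from what the analyst intended.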

Output

The JSON output contains a Success message if the specified sha256 value is successfully removed as a whitelist entry from Symantec EDR Cloud.

The following image displays a sample output:

Sample output of the Delete sha256 from whitelist operation

Included playbooks

The Sample - Symantec-EDR-Cloud - 1.0.0 playbook collection comes bundled with the Symantec EDR Cloud connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EDR Cloud connector.

  • Add sha256 to whitelist
  • Delete sha256 from whitelist
  • Get Alerts
  • Get Report
  • Get whitelist

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

 
