About the connector
Symantec™ Endpoint Detection and Response (EDR) Cloud delivers in-depth endpoint visibility, automated threat hunting and breach response across the entire enterprise. Symantec EDR Cloud enhances investigator productivity with extensive rules and user behavior analytics that brings the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.
This document provides information about the Symantec EDR Cloud Connector, which facilitates automated interactions, with your Symantec EDR Cloud using FortiSOAR™ playbooks. Add the Symantec EDR Cloud Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as, retrieving alerts and reports from the Symantec EDR Cloud and adding a whitelist entry to Symantec EDR Cloud.
Version information
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later
Compatibility with Symantec EDR Cloud Version: v3.2.0.84 and later
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-symantec-edr-cloud
For the detailed procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of the Symantec EDR Cloud to which you will connect and perform automated operations and the API key to access that Symantec EDR Cloud.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the Symantec EDR Cloud connector and click Configure to configure the following parameters.
| Parameter |
Description |
| Server URL |
URL of the Symantec EDR Cloud API to which you will connect and perform the automated operations. |
| API Key |
API key used to access the Symantec EDR Cloud to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get Alerts |
Retrieves a list and details of all alerts from the Symantec EDR Cloud, based on the category of alert and other parameters that you have specified. |
get_alerts
Investigation |
| Get Report |
Retrieves a detailed report for an alert from the Symantec EDR Cloud, based on the alert ID that you have specified. |
get_report
Investigation |
| Add sha256 to whitelist |
Adds a whitelist entry to Symantec EDR Cloud, based on the value of the sha256 hash that you have specified. |
add_whitelist
Remediation |
| Get whitelist |
Retrieves a list and details of all whitelisted sha256s from the Symantec EDR Cloud. |
list_whitelist
Investigation |
| Delete sha256 from whitelist |
Removes a whitelisted entry from Symantec EDR Cloud, based on the value of the sha256 hash that you have specified. |
delete_whitelist
Containment |
operation: Get Alerts
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.
| Parameter |
Description |
| Duration |
Duration or time range for which you want to retrieve alerts from EDR Cloud. You can choose from the following options: Today, Yesterday, Last 7 days, or Last 30 days. |
| Remediation Status |
Remediation Status of the alerts that you want to retrieve alerts from EDR Cloud. You can choose from the following options: Remediated, Not Remediated, or Both. |
| Alert Status |
Alert Status of the alerts that you want to retrieve alerts from EDR Cloud. You can choose from the following options: Alerted or Not Alerted. |
| Read Status |
Read Status of the alerts that you want to retrieve alerts from EDR Cloud. You can choose from the following options: Read or Unread. |
| Sort |
Filter the alerts that you retrieve from EDR Cloud based on the selected criterion. You can choose from the following options: Created Date, Name, or Score. |
| Category |
Category of the alert based on which you want to retrieve alerts from EDR Cloud. You can choose from the following options: EScribe Recording, Commercial Blacklist, Persistence, Temporal Analysis, Open Source Intelligence, Estate Statistics, Lateral Movement, Memory Injection, Machine Reasoning, Rootkit, or User Behavior. |
| Sorting Order |
Order in which the alerts are sorted once they are retrieved from EDR Cloud. You can choose from the following options: Ascending or Descending. |
Output
The JSON output contains a list and details of alerts retrieved from Symantec EDR Cloud, based on the alert category and other parameters that your have specified.
Following image displays a sample output:
operation: Get Report
Input parameters
| Parameter |
Description |
| Alert ID |
ID of the alert for which you want to retrieve a detailed report from Symantec EDR Cloud. |
Output
The JSON output contains the detailed report for the specified alert retrieved from Symantec EDR Cloud, based on the alert ID that your have specified.
Following image displays a sample output:
operation: Add sha256 to whitelist
Input parameters
| Parameter |
Description |
| sha256 |
Value of the sha256 hash that you want add as a whitelist entry in Symantec EDR Cloud. |
| Description |
Brief description of the sha256 that you want add as a whitelist entry in Symantec EDR Cloud. |
Output
The JSON output contains a Success message if the specified sha256 value is successfully added as a whitelist entry in Symantec EDR Cloud.
Following image displays a sample output:
operation: Get whitelist
Input parameters
None.
Output
The JSON output contains a list and details of all whitelisted sha256s retrieved from the Symantec EDR Cloud.
Following image displays a sample output:
operation: Delete sha256 from whitelist
Input parameters
| Parameter |
Description |
| sha256 |
Value of the sha256 hash that you want remove as a whitelist entry from Symantec EDR Cloud. |
| ID |
ID of the hash entry that you want remove as a whitelist entry from Symantec EDR Cloud. |
Note: You can specify either the sha256 or ID as the input parameter.
Output
The JSON output contains a Success message if the specified sha256 value is successfully removed as a whitelist entry from Symantec EDR Cloud.
Following image displays a sample output:
Included playbooks
The Sample - Symantec-EDR-Cloud - 1.0.0 playbook collection comes bundled with the Symantec EDR Cloud connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EDR Cloud connector.
- Add sha256 to whitelist
- Delete sha256 from whitelist
- Get Alerts
- Get Report
- Get whitelist
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
