About the connector
Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers and servers in your network against malware. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats. The Symantec Endpoint Protection client combines different types of scans to secure your computers against virus and spyware attacks.
This document provides information about the Symantec EPM (SEPM) connector, which facilitates automated interactions, with a Symantec EPM (SEPM) server using FortiSOAR™ playbooks. Add the Symantec EPM (SEPM) connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of groups configured on the device, or updating information of an existing domain.
Version information
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later
Compatibility with Symantec EPM (SEPM) Version: 14.1 and later
Installing the connector
For the procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of the Symantec EPM (SEPM) server to which you will connect and perform the automated operations and credentials to access that server.
- Ensure that port 8446 is open.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the Symantec EPM (SEPM) connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Server URL |
URL of the Symantec EPM (SEPM) server to which you will connect and perform the automated operations.
For example, https://<ServerIPAddress>:8446 |
| Username |
Username used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. |
| Password |
Encrypted password used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| List Groups |
Retrieves details for all groups configured on the device from the Symantec EPM (SEPM) server. |
list_groups
Investigation |
| Get Group Information |
Retrieves information about a group, based on the group ID that you have specified, from the Symantec EPM (SEPM) server. |
group_info
Investigation |
| List Endpoints |
Retrieves details for all endpoints, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. |
list_sensors
Investigation |
| List Domains |
Retrieves details for all accessible domains from the Symantec EPM (SEPM) server. |
get_domains
Investigation |
| Create Domain |
Creates a domain, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. |
create_domain
Investigation |
| Get Domain Name |
Retrieves the domain name, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. |
get_domain_name
Investigation |
| Get Domain Information |
Retrieves details about a particular domain, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. |
get_domain_info
Investigation |
| Update Domain |
Updates information about an existing domain, based on the domain ID and other input parameters that you have specified, on the Symantec EPM (SEPM) server. |
updates_domain_info
Investigation |
| Delete Domain |
Deletes a particular domain, based on the input parameters that you have specified, from the Symantec EPM (SEPM) server. |
delete_domain
Investigation |
| Get Critical Events Information |
Retrieves details associated with critical events from the Symantec EPM (SEPM) server. |
critical_events_info
Investigation |
| Get Client Groups By Content Source |
Retrieves a list and count of client groups, filtered by content download sources, from the Symantec EPM (SEPM) server. |
list_client_groups_by_content_source
Investigation |
| List Client For Group By Content Version |
Retrieves a list of clients for a group, filtered by content version, from the Symantec EPM (SEPM) server. |
client_list_group_by_content_version
Investigation |
| List Infected Client |
Retrieves a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server. |
list_infected_clients
Investigation |
| Get Malware Reporting Clients |
Retrieves a list of clients reporting malware events, based on the time range that you have specified, from the Symantec EPM (SEPM) server. |
client_list_reporting_malware_events
Investigation |
| Get Threat Status |
Retrieves details for all threat statistics from the Symantec EPM (SEPM) server. |
get_threat_stats
Investigation |
| Scan Endpoint |
Scans an endpoint to identify threats, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. |
scan_endpoint
Investigation |
| Quarantine Endpoints |
Quarantines groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. |
isolate_endpoint
Containment |
| Unquarantine Endpoints |
Removes the quarantine (unquarantines) of groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. |
unisolate_endpoint
Remediation |
| Get Command Status |
Retrieves the command status, based on the command ID that you have specified, from the Symantec EPM (SEPM) server. |
command_status
Investigation |
| Get Fingerprint List Information |
Retrieves the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, from the Symantec EPM (SEPM) server. |
get_fingerprint_list
Investigation |
| Assign Fingerprint List To Group |
Assigns a file fingerprint list that you have specified to a group that you have specified on the Symantec EPM (SEPM) server. |
assign_fingerprint_to_group
Containment |
| Add Blacklist |
Add a blacklist as a file fingerprint list to the Symantec EPM (SEPM) server. |
add_blacklist
Containment |
| Update Blacklist |
Updates an existing blacklist, based on the input parameters, such as the file fingerprint file ID, that you have specified, from the Symantec EPM (SEPM) server. |
update_blacklist
Containment |
| Delete Blacklist |
Deletes an existing blacklist, based on the file fingerprint file ID that you have specified, from the Symantec EPM (SEPM) server. This operation also removes this blacklist from the group to which it applies. |
delete_blacklist
Miscellaneous |
operation: List Groups
Input parameters
None.
Output
The JSON output contains details for all groups configured on the device retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMListGroups.png)
operation: Get Group Information
Input parameters
| Parameter |
Description |
| Group ID |
ID of the group whose details you want to retrieve from the Symantec EPM (SEPM) server. |
Output
The JSON output contains detailed information about the group based on the group ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMGetGroupInfo.png)
operation: List Endpoints
Input parameters
| Parameter |
Description |
| Domain ID |
Domain ID based on which you want to retrieve information for all associated endpoints from the Symantec EPM (SEPM) server. |
Output
The JSON output contains information for all endpoints that are associated with the Domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMListEndpoint.png)
operation: List Domains
Input parameters
None.
Output
The JSON output contains details for all accessible domains retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMListDomains.png)
operation: Create Domain
Input parameters
| Parameter |
Description |
| Domain Name |
Name of the domain that you want to create on the Symantec EPM (SEPM) server. |
| Max Client Idle Time In Days |
(Optional) Number of days after which Symantec EPM (SEPM) deletes clients that have not connected.
Minimum Value is set as 1. |
| Max Npvdi Client Idle Time In Days |
(Optional) Number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected.
Minimum Value is set as 1. |
| Delete Idle Clients |
(Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days.
By default, this is set to False. |
| Delete Idle Npvdi Clients |
(Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days.
By default, this is set to False. |
| Allow Saving Credentials |
(Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM).
By default, this is set to False. |
| Allow Never Expiring Passwords |
(Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire.
By default, this is set to False. |
| Display Logon Banner |
(Optional) Select this option show a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM).
By default, this is set to False. |
Output
The JSON output contains details of the newly created domain on the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMCreatesDomain.png)
operation: Get Domain Name
Input parameters
| Parameter |
Description |
| Domain ID |
ID of the domain whose name you want to retrieve from the Symantec EPM (SEPM) server. |
Output
The JSON output contains the domain name based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMGetDomainName.png)
operation: Get Domain Information
Input parameters
| Parameter |
Description |
| Domain ID |
ID of the domain for which you want to retrieve details from the Symantec EPM (SEPM) server. |
Output
The JSON output contains detailed information about the domain based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMGetDomainInfo.png)
operation: Update Domain
Input parameters
| Parameter |
Description |
| Domain ID |
ID of the domain that you want to update on the Symantec EPM (SEPM) server. |
| Domain Name |
Name of the domain that you want to update on the Symantec EPM (SEPM) server. |
| Max Client Idle Time In Days |
(Optional) Number of days after which Symantec EPM (SEPM) deletes clients that have not connected.
Minimum Value is set as 1. |
| Max Npvdi Client Idle Time In Days |
(Optional) Number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected.
Minimum Value is set as 1. |
| Delete Idle Clients |
(Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days.
By default, this is set to False. |
| Delete Idle Npvdi Clients |
(Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days.
By default, this is set to False. |
| Allow Saving Credentials |
(Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM).
By default, this is set to False. |
| Allow Never Expiring Passwords |
(Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire.
By default, this is set to False. |
| Display Logon Banner |
(Optional) Select this option show a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM).
By default, this is set to False. |
Output
The JSON output contains the updated domain information, based on the domain ID and domain name you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMUpdatesDomain.png)
operation: Delete Domain
Input parameters
| Parameter |
Description |
| Domain ID |
ID of the domain that you want to delete from the Symantec EPM (SEPM) server. |
Output
The JSON output contains a Success message if the specified domain is successfully deleted from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMDeleteDomain.png)
operation: Get Critical Events Information
Input parameters
None.
Output
The JSON output contains details associated with critical events retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMGetCriticalEventsInfo.png)
operation: Get Client Groups By Content Source
Input parameters
None.
Output
The JSON output contains a list and count of client groups, filtered by content download sources, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMGetClientGroupsByContentSource.png)
operation: List Client For Group By Content Version
Input parameters
None.
Output
The JSON output contains a list of clients for a group, filtered by content version, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMListClientForGroupByContentVersion.png)
operation: List Infected Client
Input parameters
| Parameter |
Description |
| Report Type |
Type of report based on which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server.
You can choose from the following options: Hour, Day, Week, or Month.
By default, this is set as Day. |
| From |
DateTime from when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
| To |
DateTime till when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
Output
The JSON output contains a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMListInfectedClient.png)
operation: Get Malware Reporting Clients
Input parameters
| Parameter |
Description |
| Report Type |
Type of report based on which you want to retrieve a list of clients which have reported malware events from the Symantec EPM (SEPM) server.
You can choose from the following options: Hour, Day, Week, or Month.
By default, this is set as Day. |
| From |
DateTime from when you want to retrieve a list of clients which have reported malware events from the Symantec EPM (SEPM) server. |
| To |
DateTime till when you want to retrieve a list of clients which have reported malware events from the Symantec EPM (SEPM) server. |
Output
The JSON output contains a list of clients reporting malware events, based on the time range that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMClientListReportingMalwareEvents.png)
operation: Get Threat Status
Input parameters
None.
Output
The JSON output contains details for all threat statistics retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMGetThreatStatus.png)
operation: Scan Endpoint
Input parameters
| Parameter |
Description |
| Scan Groups or Computers |
Choose whether you want to perform the scan action on Groups or Computers.
By default, this is set as Computers. |
| IDs |
List of Computer IDs or Group IDs that you want to scan. |
| Body |
Evidence of compromise command in XML. |
Output
The JSON output contains detailed information about the scan operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
operation: Quarantine Endpoints
Input parameters
| Parameter |
Description |
| Apply Quarantine |
Choose whether you want to perform the quarantine action on Groups or Computers.
By default, this is set as Computers. |
| IDs |
List of Computer IDs or Group IDs that you want to quarantine. |
Output
The JSON output contains detailed information about the quarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMQuarantineEndpoints.png)
operation: Unquarantine Endpoints
Input parameters
| Parameter |
Description |
| Apply Unquarantine |
Choose whether you want to perform the unquarantine action on Groups or Computers.
By default, this is set as Computers. |
| IDs |
List of Computer IDs or Group IDs that you want to unquarantine. |
Output
The JSON output contains detailed information about the unquarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/sHz0XfM2RDRj-APX5punhiH8PmGgzey2Mg.png)
operation: Get Command Status
Input parameters
| Parameter |
Description |
| Command ID |
ID of the command whose status you want to retrieve from the Symantec EPM (SEPM) server. |
Output
The JSON output contains information about the status of the command based on the command ID that you have specified retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMGetCommandState.png)
operation: Get Fingerprint List Information
Input parameters
| Parameter |
Description |
| Name |
ID of the file fingerprint based on which you want to retrieve the file fingerprint list from the Symantec EPM (SEPM) server. |
Output
The JSON output contains the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMGetFingerprintLists.png)
operation: Assign Fingerprint List To Group
Input parameters
| Parameter |
Description |
| Fingerprint ID |
ID of the file fingerprint list that you want to assign to a group on the Symantec EPM (SEPM) server. |
| Group ID |
ID of the group to which you want to assign the file fingerprint list on the Symantec EPM (SEPM) server. |
Output
The JSON output contains a Success message if the specified file fingerprint list is successfully assigned to the specified group on the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/u1p_3czE7-uL-R7m0duMiC5KW7q0lHbs8Q.png)
operation: Add Blacklist
Input parameters
| Parameter |
Description |
| Blacklist Name |
Name of the blacklist that you want to add in the Symantec EPM (SEPM) server. |
| Hash Type |
Blacklist file's hash type. You can choose between MD5 or SHA256
By default, this is set as MD5. |
| Hash Value |
File hashes that you want to add in blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
| Domain ID |
Domain ID to which the blacklist file will be applied to on the Symantec EPM (SEPM) server. |
| Description |
Description of the blacklist file that you want to add to the Symantec EPM (SEPM) server. |
Output
The JSON output contains details of the blacklist file added on the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMAddBlacklist.png)
operation: Update Blacklist
Input parameters
| Parameter |
Description |
| Fingerprint ID |
ID of the file fingerprint list that you want to update on the Symantec EPM (SEPM) server. |
| Blacklist Name |
Name of the blacklist whose details you want to update in the Symantec EPM (SEPM) server. |
| Hash Type |
Blacklist file's hash type. You can choose between MD5 or SHA256
By default, this is set as MD5. |
| Hash Value |
File hashes that you want to update in blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
| Domain ID |
Domain ID to which the blacklist file will be applied to on the Symantec EPM (SEPM) server. |
| Description |
Description of the blacklist file that you want to add to the Symantec EPM (SEPM) server. |
OUTPUT
The JSON output contains details of the updated blacklist from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMUpdateBlacklist.png)
operation: Delete Blacklist
Input parameters
| Parameter |
Description |
| Fingerprint ID |
ID of the file fingerprint list that you want to delete from the Symantec EPM (SEPM) server. |
Output
The JSON output contains a Success message if the specified blacklist file is successfully deleted from the Symantec EPM (SEPM) server.
Following image displays a sample output:
/Symantec%20EPM%20(SEPM)%20v1.0.0/SEPMDeleteBlacklist.png)
Included playbooks
The Sample - Symantec-EPM (SEPM) - 1.0.0 playbook collection comes bundled with the Symantec EPM (SEPM) connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EPM (SEPM) connector.
- Add Blacklist
- Assign Fingerprint List To Group
- Create Domain
- Delete Blacklist
- Delete Domain
- Get Client Groups By Content Source
- Get Command Status
- Get Critical Events Information
- Get Domain Information
- Get Domain Name
- Get Fingerprint List Information
- Get Group Information
- Get Malware Reporting Clients
- Get Threat Status
- List Client For Group By Content Version
- List Domains
- List Endpoints
- List Infected Client
- List Groups
- Scan Endpoint
- Quarantine Endpoints
- Unquarantine Endpoints
- Update Blacklist
- Update Domain
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
