Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers and servers in your network against malware. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats. The Symantec Endpoint Protection client combines different types of scans to secure your computers against virus and spyware attacks.
This document provides information about the Symantec EPM (SEPM) connector, which facilitates automated interactions with a Symantec EPM (SEPM) server using FortiSOAR™ playbooks. Add the Symantec EPM (SEPM) connector as a step in FortiSOAR™ playbooks to perform automated operations, such as retrieving a list of groups configured on the device or updating information about an existing domain.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later
Compatibility with Symantec EPM (SEPM) Version: 14.1 and later
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Symantec EPM (SEPM) connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL of the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. For example, https://<ServerIPAddress>:8446 |
Username | Username used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. |
Password | Encrypted password used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
List Groups | Retrieves details for all groups configured on the device from the Symantec EPM (SEPM) server. | list_groups Investigation |
Get Group Information | Retrieves information about a group, based on the group ID that you have specified, from the Symantec EPM (SEPM) server. | group_info Investigation |
List Endpoints | Retrieves details for all endpoints, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. | list_sensors Investigation |
List Domains | Retrieves details for all accessible domains from the Symantec EPM (SEPM) server. | get_domains Investigation |
Create Domain | Creates a domain, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | create_domain Investigation |
Get Domain Name | Retrieves the domain name, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. | get_domain_name Investigation |
Get Domain Information | Retrieves details about a particular domain, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. | get_domain_info Investigation |
Update Domain | Updates information about an existing domain, based on the domain ID and other input parameters that you have specified, on the Symantec EPM (SEPM) server. | updates_domain_info Investigation |
Delete Domain | Deletes a particular domain, based on the input parameters that you have specified, from the Symantec EPM (SEPM) server. | delete_domain Investigation |
Get Critical Events Information | Retrieves details associated with critical events from the Symantec EPM (SEPM) server. | critical_events_info Investigation |
Get Client Groups By Content Source | Retrieves a list and count of client groups, filtered by content download sources, from the Symantec EPM (SEPM) server. | list_client_groups_by_content_source Investigation |
List Client For Group By Content Version | Retrieves a list of clients for a group, filtered by content version, from the Symantec EPM (SEPM) server. | client_list_group_by_content_version Investigation |
List Infected Client | Retrieves a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server. | list_infected_clients Investigation |
Get Malware Reporting Clients | Retrieves a list of clients reporting malware events, based on the time range that you have specified, from the Symantec EPM (SEPM) server. | client_list_reporting_malware_events Investigation |
Get Threat Status | Retrieves details for all threat statistics from the Symantec EPM (SEPM) server. | get_threat_stats Investigation |
Scan Endpoint | Scans an endpoint to identify threats, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | scan_endpoint Investigation |
Quarantine Endpoints | Quarantines groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | isolate_endpoint Containment |
Unquarantine Endpoints | Removes the quarantine (unquarantines) of groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | unisolate_endpoint Remediation |
Get Command Status | Retrieves the command status, based on the command ID that you have specified, from the Symantec EPM (SEPM) server. | command_status Investigation |
Get Fingerprint List Information | Retrieves the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, from the Symantec EPM (SEPM) server. | get_fingerprint_list Investigation |
Assign Fingerprint List To Group | Assigns a file fingerprint list that you have specified to a group that you have specified on the Symantec EPM (SEPM) server. | assign_fingerprint_to_group Containment |
Add Blacklist | Adds a blacklist as a file fingerprint list to the Symantec EPM (SEPM) server. | add_blacklist Containment |
Update Blacklist | Updates an existing blacklist, based on the input parameters, such as the file fingerprint file ID, that you have specified, on the Symantec EPM (SEPM) server. | update_blacklist Containment |
Delete Blacklist | Deletes an existing blacklist, based on the file fingerprint file ID that you have specified, from the Symantec EPM (SEPM) server. This operation also removes this blacklist from the group to which it applies. | delete_blacklist Miscellaneous |
This operation does not require any input parameters.
The JSON output contains details for all groups configured on the device retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Group ID | ID of the group whose details you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains detailed information about the group based on the group ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | Domain ID based on which you want to retrieve information for all associated endpoints from the Symantec EPM (SEPM) server. |
The JSON output contains information for all endpoints that are associated with the Domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
This operation does not require any input parameters.
The JSON output contains details for all accessible domains retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain Name | Name of the domain that you want to create on the Symantec EPM (SEPM) server. |
Max Client Idle Time In Days | (Optional) Number of days after which Symantec EPM (SEPM) deletes clients that have not connected. The minimum value is 1. |
Max Npvdi Client Idle Time In Days | (Optional) Number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected. The minimum value is 1. |
Delete Idle Clients | (Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Delete Idle Npvdi Clients | (Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Allow Saving Credentials | (Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM). By default, this is set to False. |
Allow Never Expiring Passwords | (Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire. By default, this is set to False. |
Display Logon Banner | (Optional) Select this option to show a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM). By default, this is set to False. |
The JSON output contains details of the newly created domain on the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain whose name you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains the domain name based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve details from the Symantec EPM (SEPM) server. |
The JSON output contains detailed information about the domain based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain that you want to update on the Symantec EPM (SEPM) server. |
Domain Name | Name of the domain that you want to update on the Symantec EPM (SEPM) server. |
Max Client Idle Time In Days | (Optional) Number of days after which Symantec EPM (SEPM) deletes clients that have not connected. The minimum value is 1. |
Max Npvdi Client Idle Time In Days | (Optional) Number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected. The minimum value is 1. |
Delete Idle Clients | (Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Delete Idle Npvdi Clients | (Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Allow Saving Credentials | (Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM). By default, this is set to False. |
Allow Never Expiring Passwords | (Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire. By default, this is set to False. |
Display Logon Banner | (Optional) Select this option to show a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM). By default, this is set to False. |
The JSON output contains the updated domain information, based on the domain ID and domain name you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain that you want to delete from the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified domain is successfully deleted from the Symantec EPM (SEPM) server.
Following image displays a sample output:
This operation does not require any input parameters.
The JSON output contains details associated with critical events retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
This operation does not require any input parameters.
The JSON output contains a list and count of client groups, filtered by content download sources, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
This operation does not require any input parameters.
The JSON output contains a list of clients for a group, filtered by content version, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Report Type | Type of report based on which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. You can choose from the following options: Hour, Day, Week, or Month. By default, this is set to Day. |
From | DateTime from when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
To | DateTime till when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
The JSON output contains a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Report Type | Type of report based on which you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. You can choose from the following options: Hour, Day, Week, or Month. By default, this is set to Day. |
From | DateTime from when you want to retrieve a list of clients which have reported malware events from the Symantec EPM (SEPM) server. |
To | DateTime till when you want to retrieve a list of clients which have reported malware events from the Symantec EPM (SEPM) server. |
The JSON output contains a list of clients reporting malware events, based on the time range that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
This operation does not require any input parameters.
The JSON output contains details for all threat statistics retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Scan Groups or Computers | Choose whether you want to perform the scan action on Groups or Computers. By default, this is set to Computers. |
IDs | List of Computer IDs or Group IDs that you want to scan. |
Body | Evidence of compromise command in XML. |
The JSON output contains detailed information about the scan operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
Parameter | Description |
---|---|
Apply Quarantine | Choose whether you want to perform the quarantine action on Groups or Computers. By default, this is set to Computers. |
IDs | List of Computer IDs or Group IDs that you want to quarantine. |
The JSON output contains detailed information about the quarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Apply Unquarantine | Choose whether you want to perform the unquarantine action on Groups or Computers. By default, this is set to Computers. |
IDs | List of Computer IDs or Group IDs that you want to unquarantine. |
The JSON output contains detailed information about the unquarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Command ID | ID of the command whose status you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains information about the status of the command, based on the command ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Name | Name of the file fingerprint list whose hash values you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Fingerprint ID | ID of the file fingerprint list that you want to assign to a group on the Symantec EPM (SEPM) server. |
Group ID | ID of the group to which you want to assign the file fingerprint list on the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified file fingerprint list is successfully assigned to the specified group on the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Blacklist Name | Name of the blacklist that you want to add in the Symantec EPM (SEPM) server. |
Hash Type | Hash type of the blacklist file. You can choose between MD5 or SHA256. By default, this is set to MD5. |
Hash Value | File hashes that you want to add to the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
Domain ID | ID of the domain to which the blacklist file will apply on the Symantec EPM (SEPM) server. |
Description | Description of the blacklist file that you want to add to the Symantec EPM (SEPM) server. |
The JSON output contains details of the blacklist file added on the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Fingerprint ID | ID of the file fingerprint list that you want to update on the Symantec EPM (SEPM) server. |
Blacklist Name | Name of the blacklist whose details you want to update in the Symantec EPM (SEPM) server. |
Hash Type | Hash type of the blacklist file. You can choose between MD5 or SHA256. By default, this is set to MD5. |
Hash Value | File hashes that you want to update in the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
Domain ID | ID of the domain to which the blacklist file will apply on the Symantec EPM (SEPM) server. |
Description | Description of the blacklist file that you want to update on the Symantec EPM (SEPM) server. |
The JSON output contains details of the updated blacklist from the Symantec EPM (SEPM) server.
Following image displays a sample output:
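An added example, not part of the connector or of SEPM, that validates the inputs of the Add Blacklist and Update Blacklist operations before the playbook step runs: every Hash Value is checked against the chosen Hash Type (an MD5 digest is 32 hex digits, a SHA256 digest is 64), duplicates are collapsed, and a mixed or malformed list is rejected with a message naming the offending values rather than being sent to the server. Passing Hash Value as a Python list, and upper-casing the digests, are assumptions of this example.

```python
"""Pre-flight validation for the Add Blacklist / Update Blacklist step.

Added illustration, not code from the FortiSOAR connector or SEPM. It builds
the parameter set the operation takes (Blacklist Name, Hash Type, Hash Value,
Domain ID, Description) and refuses hashes that do not match the chosen type.
"""
import re
from typing import Dict, List, Optional

# The operation accepts only these two hash types (see the parameter table).
HEX_LENGTH = {"MD5": 32, "SHA256": 64}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value: str) -> Optional[str]:
    """Return 'MD5' or 'SHA256' for a well-formed hex digest, else None.

    A 40-digit SHA1 digest, a truncated hash or a string with non-hex
    characters all yield None, so they are caught before the call is made.
    """
    v = value.strip()
    if not _HEX_RE.match(v):
        return None
    for hash_type, length in HEX_LENGTH.items():
        if len(v) == length:
            return hash_type
    return None


def build_blacklist_params(name: str, hash_type: str, hash_values: List[str],
                           domain_id: str, description: str = "") -> Dict[str, object]:
    """Validate the operation inputs and return the parameter dict for the step.

    Raises ValueError with an actionable message instead of submitting a list
    that the server would reject, or partially accept, in one call.
    """
    hash_type = hash_type.strip().upper()
    if hash_type not in HEX_LENGTH:
        raise ValueError(f"Hash Type must be MD5 or SHA256, got {hash_type!r}")
    if not name or not domain_id:
        raise ValueError("Blacklist Name and Domain ID are required")

    clean: List[str] = []
    bad = []
    seen = set()
    for raw in hash_values:
        detected = classify_hash(raw)
        # Upper-casing is an assumption here; it makes duplicates collapse
        # regardless of how the analyst typed them.
        h = raw.strip().upper()
        if detected != hash_type:
            bad.append((raw, detected or "not a hex digest"))
        elif h not in seen:
            seen.add(h)
            clean.append(h)
    if bad:
        msg = ", ".join(f"{v!r} ({why})" for v, why in bad)
        raise ValueError(f"{len(bad)} value(s) do not match {hash_type}: {msg}")
    if not clean:
        raise ValueError("Hash Value list is empty after validation")

    return {
        "Blacklist Name": name,
        "Hash Type": hash_type,
        "Hash Value": clean,
        "Domain ID": domain_id,
        "Description": description,
    }


if __name__ == "__main__":
    # Constructed sample: MD5 of the empty string, entered twice in mixed case.
    sample = ["d41d8cd98f00b204e9800998ecf8427e", "D41D8CD98F00B204E9800998ECF8427E"]
    print(build_blacklist_params("ioc-blacklist", "md5", sample, "DOMAIN-ID-PLACEHOLDER",
                                 "constructed example"))
```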
Parameter | Description |
---|---|
Fingerprint ID | ID of the file fingerprint list that you want to delete from the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified blacklist file is successfully deleted from the Symantec EPM (SEPM) server.
Following image displays a sample output:
The Sample - Symantec-EPM (SEPM) - 1.0.0 playbook collection comes bundled with the Symantec EPM (SEPM) connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EPM (SEPM) connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers and servers in your network against malware. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats. The Symantec Endpoint Protection client combines different types of scans to secure your computers against virus and spyware attacks.
This document provides information about the Symantec EPM (SEPM) connector, which facilitates automated interactions, with a Symantec EPM (SEPM) server using FortiSOAR™ playbooks. Add the Symantec EPM (SEPM) connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of groups configured on the device, or updating information of an existing domain.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later
Compatibility with Symantec EPM (SEPM) Version: 14.1 and later
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Symantec EPM (SEPM) connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL of the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. For example, https://<ServerIPAddress>:8446 |
Username | Username used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. |
Password | Encrypted password used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
List Groups | Retrieves details for all groups configured on the device from the Symantec EPM (SEPM) server. | list_groups Investigation |
Get Group Information | Retrieves information about a group, based on the group ID that you have specified, from the Symantec EPM (SEPM) server. | group_info Investigation |
List Endpoints | Retrieves details for all endpoints, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. | list_sensors Investigation |
List Domains | Retrieves details for all accessible domains from the Symantec EPM (SEPM) server. | get_domains Investigation |
Create Domain | Creates a domain, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | create_domain Investigation |
Get Domain Name | Retrieves the domain name, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. | get_domain_name Investigation |
Get Domain Information | Retrieves details about a particular domain, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. | get_domain_info Investigation |
Update Domain | Updates information about an existing domain, based on the domain ID and other input parameters that you have specified, on the Symantec EPM (SEPM) server. | updates_domain_info Investigation |
Delete Domain | Deletes a particular domain, based on the input parameters that you have specified, from the Symantec EPM (SEPM) server. | delete_domain Investigation |
Get Critical Events Information | Retrieves details associated with critical events from the Symantec EPM (SEPM) server. | critical_events_info Investigation |
Get Client Groups By Content Source | Retrieves a list and count of client groups, filtered by content download sources, from the Symantec EPM (SEPM) server. | list_client_groups_by_content_source Investigation |
List Client For Group By Content Version | Retrieves a list of clients for a group, filtered by content version, from the Symantec EPM (SEPM) server. | client_list_group_by_content_version Investigation |
List Infected Client | Retrieves a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server. | list_infected_clients Investigation |
Get Malware Reporting Clients | Retrieves a list of clients reporting malware events, based on the time range that you have specified, from the Symantec EPM (SEPM) server. | client_list_reporting_malware_events Investigation |
Get Threat Status | Retrieves details for all threat statistics from the Symantec EPM (SEPM) server. | get_threat_stats Investigation |
Scan Endpoint | Scans an endpoint to identify threats, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | scan_endpoint Investigation |
Quarantine Endpoints | Quarantines groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | isolate_endpoint Containment |
Unquarantine Endpoints | Removes the quarantine (unquarantines) of groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | unisolate_endpoint Remediation |
Get Command Status | Retrieves the command status, based on the command ID that you have specified, from the Symantec EPM (SEPM) server. | command_status Investigation |
Get Fingerprint List Information | Retrieves the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, from the Symantec EPM (SEPM) server. | get_fingerprint_list Investigation |
Assign Fingerprint List To Group | Assigns a file fingerprint list that you have specified to a group that you have specified on the Symantec EPM (SEPM) server. | assign_fingerprint_to_group Containment |
Add Blacklist | Add a blacklist as a file fingerprint list to the Symantec EPM (SEPM) server. | add_blacklist Containment |
Update Blacklist | Updates an existing blacklist, based on the input parameters, such as the file fingerprint file ID, that you have specified, from the Symantec EPM (SEPM) server. | update_blacklist Containment |
Delete Blacklist | Deletes an existing blacklist, based on the file fingerprint file ID that you have specified, from the Symantec EPM (SEPM) server. This operation also removes this blacklist from the group to which it applies. | delete_blacklist Miscellaneous |
None.
The JSON output contains details for all groups configured on the device retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Group ID | ID of the group whose details you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains detailed information about the group based on the group ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | Domain ID based on which you want to retrieve information for all associated endpoints from the Symantec EPM (SEPM) server. |
The JSON output contains information for all endpoints that are associated with the Domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
None.
The JSON output contains details for all accessible domains retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain Name | Name of the domain that you want to create on the Symantec EPM (SEPM) server. |
Max Client Idle Time In Days | (Optional) Number of days after which Symantec EPM (SEPM) deletes clients that have not connected. Minimum Value is set as 1 . |
Max Npvdi Client Idle Time In Days | (Optional) Number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected. Minimum Value is set as 1 . |
Delete Idle Clients | (Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False . |
Delete Idle Npvdi Clients | (Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False . |
Allow Saving Credentials | (Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM). By default, this is set to False . |
Allow Never Expiring Passwords | (Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire. By default, this is set to False . |
Display Logon Banner | (Optional) Select this option show a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM). By default, this is set to False . |
The JSON output contains details of the newly created domain on the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain whose name you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains the domain name based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain for which you want to retrieve details from the Symantec EPM (SEPM) server. |
The JSON output contains detailed information about the domain based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain that you want to update on the Symantec EPM (SEPM) server. |
Domain Name | Name of the domain that you want to update on the Symantec EPM (SEPM) server. |
Max Client Idle Time In Days | (Optional) Number of days after which Symantec EPM (SEPM) deletes clients that have not connected. Minimum Value is set as 1 . |
Max Npvdi Client Idle Time In Days | (Optional) Number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected. Minimum Value is set as 1 . |
Delete Idle Clients | (Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False . |
Delete Idle Npvdi Clients | (Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False . |
Allow Saving Credentials | (Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM). By default, this is set to False . |
Allow Never Expiring Passwords | (Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire. By default, this is set to False . |
Display Logon Banner | (Optional) Select this option show a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM). By default, this is set to False . |
The JSON output contains the updated domain information, based on the domain ID and domain name you have specified, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Domain ID | ID of the domain that you want to delete from the Symantec EPM (SEPM) server. |
The JSON output contains a Success
message if the specified domain is successfully deleted from the Symantec EPM (SEPM) server.
Following image displays a sample output:
None.
The JSON output contains details associated with critical events retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
None.
The JSON output contains a list and count of client groups, filtered by content download sources, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
None.
The JSON output contains a list of clients for a group, filtered by content version, retrieved from the Symantec EPM (SEPM) server.
Following image displays a sample output:
Parameter | Description |
---|---|
Report Type | Type of report based on which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. You can choose from the following options: Hour, Day, Week, or Month. By default, this is set as Day. |
From | DateTime from when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
To | DateTime till when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
The JSON output contains a list and count of infected clients, based on the time range and report type that you have specified, retrieved from the Symantec EPM (SEPM) server.
The following image displays a sample output:
Parameter | Description |
---|---|
Report Type | Type of report based on which you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. You can choose from the following options: Hour, Day, Week, or Month. By default, this is set as Day. |
From | DateTime from when you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. |
To | DateTime till when you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. |
The JSON output contains a list of clients reporting malware events, based on the time range and report type that you have specified, retrieved from the Symantec EPM (SEPM) server.
The following image displays a sample output:
None.
The JSON output contains details for all threat statistics retrieved from the Symantec EPM (SEPM) server.
The following image displays a sample output:
Parameter | Description |
---|---|
Scan Groups or Computers | Choose whether you want to perform the scan action on Groups or Computers. By default, this is set as Computers. |
IDs | List of Computer IDs or Group IDs that you want to scan. |
Body | Evidence of compromise command in XML. |
The JSON output contains detailed information about the scan operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
Parameter | Description |
---|---|
Apply Quarantine | Choose whether you want to perform the quarantine action on Groups or Computers. By default, this is set as Computers. |
IDs | List of Computer IDs or Group IDs that you want to quarantine. |
The JSON output contains detailed information about the quarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The following image displays a sample output:
Parameter | Description |
---|---|
Apply Unquarantine | Choose whether you want to perform the unquarantine action on Groups or Computers. By default, this is set as Computers. |
IDs | List of Computer IDs or Group IDs that you want to unquarantine. |
The JSON output contains detailed information about the unquarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The following image displays a sample output:
Parameter | Description |
---|---|
Command ID | ID of the command whose status you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains information about the status of the command based on the command ID that you have specified retrieved from the Symantec EPM (SEPM) server.
The following image displays a sample output:
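The scan, quarantine and unquarantine actions above are queued commands: the server answers with a command ID, and the playbook must then call the command status operation until the command finishes rather than assume the endpoint was actually scanned or isolated. The following Python is an added example, not code from the connector or from Symantec, showing how to turn the "Groups or Computers" choice plus the IDs field into a request and how to poll the Command ID with a bounded loop. The endpoint paths, the `group_ids`/`computer_ids`/`undo` parameter names and the `stateId` field are assumptions modelled on the SEPM REST API; the terminal state codes are not on this page and must be taken from the SEPM API reference for your version.

```python
"""Added example (not the connector's own code): build the request for the
Scan / Quarantine / Unquarantine actions and poll the resulting Command ID
with a bounded loop. Endpoint paths, query-parameter names and the
'stateId' field are ASSUMPTIONS modelled on the SEPM REST API."""
import time
from typing import Callable, Dict, Iterable, List, Optional, Set, Union

# Assumed command-queue paths; unquarantine reuses the quarantine path with undo=true.
ACTION_PATHS = {
    "scan": "/sepm/api/v1/command-queue/eoc",
    "quarantine": "/sepm/api/v1/command-queue/quarantine",
    "unquarantine": "/sepm/api/v1/command-queue/quarantine",
}


def parse_ids(ids: Union[str, Iterable[str]]) -> List[str]:
    """Accept the 'IDs' field as a comma-separated string or a list;
    strip blanks and drop duplicates while keeping order."""
    tokens = ids.split(",") if isinstance(ids, str) else list(ids)
    seen: Set[str] = set()
    out: List[str] = []
    for token in tokens:
        token = token.strip()
        if token and token not in seen:
            seen.add(token)
            out.append(token)
    if not out:
        raise ValueError("at least one Computer ID or Group ID is required")
    return out


def build_command_request(server_url: str, action: str, target_kind: str,
                          ids: Union[str, Iterable[str]], body: Optional[str] = None) -> Dict:
    """Return method, URL, query parameters and body for one command-queue action.
    target_kind mirrors the 'Scan Groups or Computers' / 'Apply Quarantine'
    choice; body is the evidence-of-compromise XML and only applies to 'scan'."""
    if action not in ACTION_PATHS:
        raise ValueError(f"unsupported action {action!r}")
    if target_kind not in ("Groups", "Computers"):
        raise ValueError("target_kind must be 'Groups' or 'Computers'")
    if action == "scan" and not body:
        raise ValueError("the scan action requires the evidence-of-compromise XML body")
    if action != "scan" and body:
        raise ValueError("only the scan action carries an XML body")
    param_name = "group_ids" if target_kind == "Groups" else "computer_ids"
    params = {param_name: ",".join(parse_ids(ids))}
    if action == "unquarantine":
        params["undo"] = "true"  # assumed flag name for reversing a quarantine
    return {
        "method": "POST",
        "url": server_url.rstrip("/") + ACTION_PATHS[action],
        "params": params,
        "body": body,
    }


def wait_for_command(command_id: str, fetch_status: Callable[[str], Dict],
                     terminal_states: Set[int], max_attempts: int = 10,
                     delay_seconds: float = 0.0) -> Optional[Dict]:
    """Poll fetch_status(command_id) (the Command Status operation) until the
    returned 'stateId' is one of terminal_states. Returns the final status, or
    None when max_attempts is exhausted, so the playbook can branch to a
    failure path instead of assuming the command succeeded."""
    last: Optional[Dict] = None
    for attempt in range(max_attempts):
        last = fetch_status(command_id)
        if last.get("stateId") in terminal_states:
            return last
        if delay_seconds and attempt < max_attempts - 1:
            time.sleep(delay_seconds)
    return None


def make_fake_status_source(sequence: List[Dict]) -> Callable[[str], Dict]:
    """Constructed stand-in for the Command Status call (offline testing only):
    yields each status dict in turn, then keeps repeating the last one."""
    calls = {"n": 0}

    def fetch(command_id: str) -> Dict:
        status = sequence[min(calls["n"], len(sequence) - 1)]
        calls["n"] += 1
        return dict(status, commandId=command_id)

    return fetch


if __name__ == "__main__":
    req = build_command_request("https://sepm.example:8446/", "unquarantine", "Groups", "G1, G2, G1")
    print(req)
    source = make_fake_status_source([{"stateId": 1}, {"stateId": 2}, {"stateId": 3}])
    print(wait_for_command("cmd-1", source, terminal_states={3}))
```

In a real playbook `fetch_status` would wrap the connector's command status step; the injected callable keeps the polling logic testable without a server, and the `None` return forces the caller to handle a command that never completes.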
Parameter | Description |
---|---|
Name | Name of the file fingerprint list that you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, retrieved from the Symantec EPM (SEPM) server.
The following image displays a sample output:
Parameter | Description |
---|---|
Fingerprint ID | ID of the file fingerprint list that you want to assign to a group on the Symantec EPM (SEPM) server. |
Group ID | ID of the group to which you want to assign the file fingerprint list on the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified file fingerprint list is successfully assigned to the specified group on the Symantec EPM (SEPM) server.
The following image displays a sample output:
Parameter | Description |
---|---|
Blacklist Name | Name of the blacklist that you want to add in the Symantec EPM (SEPM) server. |
Hash Type | Hash type of the blacklist file. You can choose between MD5 and SHA256. By default, this is set as MD5. |
Hash Value | File hashes that you want to add to the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
Domain ID | ID of the domain to which the blacklist file will be applied on the Symantec EPM (SEPM) server. |
Description | Description of the blacklist file that you want to add to the Symantec EPM (SEPM) server. |
The JSON output contains details of the blacklist file added on the Symantec EPM (SEPM) server.
The following image displays a sample output:
Parameter | Description |
---|---|
Fingerprint ID | ID of the file fingerprint list that you want to update on the Symantec EPM (SEPM) server. |
Blacklist Name | Name of the blacklist whose details you want to update in the Symantec EPM (SEPM) server. |
Hash Type | Hash type of the blacklist file. You can choose between MD5 and SHA256. By default, this is set as MD5. |
Hash Value | File hashes that you want to update in the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
Domain ID | ID of the domain to which the blacklist file will be applied on the Symantec EPM (SEPM) server. |
Description | Description of the blacklist file that you want to update on the Symantec EPM (SEPM) server. |
The JSON output contains details of the updated blacklist from the Symantec EPM (SEPM) server.
The following image displays a sample output:
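Both the create and the update blacklist operations above take a Hash Type and a Hash Value list, and a single fingerprint list carries one hash type. A value that does not match the declared type (a SHA256 digest in an MD5 list, a truncated hash, a `sha256:` prefix copied from a report) is the kind of input a playbook should reject before it reaches the server, because an entry that never matches a file silently weakens the blacklist. The following Python is an added example, not code from the connector or from Symantec: it normalises and validates the Hash Value field and builds the request for either operation. The JSON field names (`name`, `domainId`, `hashType`, `data`, `description`) and the `policy-objects/fingerprints` path are assumptions modelled on the SEPM REST API; the sample digests are the well-known MD5 and SHA256 of the empty string and the domain and fingerprint IDs are placeholders.

```python
"""Added example (not the connector's own code): validate and normalise the
'Hash Value' field for the create and update blacklist operations, then build
the request. JSON field names and the policy-objects/fingerprints path are
ASSUMPTIONS modelled on the SEPM REST API."""
import re
from typing import Dict, Iterable, List, Optional, Union

# One fingerprint list carries a single hash type, so every entry must match it.
HASH_PATTERNS = {
    "MD5": re.compile(r"^[0-9a-f]{32}$"),
    "SHA256": re.compile(r"^[0-9a-f]{64}$"),
}


def normalize_hashes(hash_values: Union[str, Iterable[str]], hash_type: str) -> List[str]:
    """Accept a list or a comma/whitespace-separated string. Lower-case each
    digest, drop duplicates (order kept) and reject any value that is not a
    well-formed digest of the declared type."""
    if hash_type not in HASH_PATTERNS:
        raise ValueError(f"hash_type must be one of {sorted(HASH_PATTERNS)}")
    tokens = re.split(r"[\s,]+", hash_values) if isinstance(hash_values, str) else list(hash_values)
    seen, out, bad = set(), [], []
    for token in tokens:
        digest = token.strip().lower()
        if not digest:
            continue
        if not HASH_PATTERNS[hash_type].match(digest):
            bad.append(digest)
        elif digest not in seen:
            seen.add(digest)
            out.append(digest)
    if bad:
        raise ValueError(f"{len(bad)} value(s) are not valid {hash_type} digests: {bad[:3]}")
    if not out:
        raise ValueError("Hash Value must contain at least one digest")
    return out


def build_fingerprint_payload(name: str, hash_type: str, hash_values: Union[str, Iterable[str]],
                              domain_id: str, description: str = "") -> Dict:
    """Assumed JSON body for a SEPM file fingerprint list (blacklist)."""
    if not name.strip():
        raise ValueError("Blacklist Name is required")
    return {
        "name": name.strip(),
        "domainId": domain_id,
        "hashType": hash_type,
        "data": normalize_hashes(hash_values, hash_type),
        "description": description,
    }


def build_fingerprint_request(server_url: str, payload: Dict, fingerprint_id: Optional[str] = None) -> Dict:
    """Create (POST to the collection) when no Fingerprint ID is given, otherwise
    update (PUT to that ID). The path layout is an assumption."""
    base = server_url.rstrip("/") + "/sepm/api/v1/policy-objects/fingerprints"
    if fingerprint_id:
        return {"method": "PUT", "url": f"{base}/{fingerprint_id}", "json": payload}
    return {"method": "POST", "url": base, "json": payload}


if __name__ == "__main__":
    # Constructed input: MD5 of the empty string, once in upper case, plus whitespace noise.
    sample = "d41d8cd98f00b204e9800998ecf8427e, D41D8CD98F00B204E9800998ECF8427E"
    payload = build_fingerprint_payload("blocked-tools", "MD5", sample, "DOMAIN-ID-PLACEHOLDER", "constructed")
    print(build_fingerprint_request("https://sepm.example:8446", payload))
    print(build_fingerprint_request("https://sepm.example:8446", payload, "FP-ID-PLACEHOLDER"))
```

The same validated payload is reused for the update operation; only the presence of the Fingerprint ID changes the method and path, which keeps the hash checks in one place for both playbook steps.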
Parameter | Description |
---|---|
Fingerprint ID | ID of the file fingerprint list that you want to delete from the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified blacklist file is successfully deleted from the Symantec EPM (SEPM) server.
The following image displays a sample output:
The Sample - Symantec-EPM (SEPM) - 1.0.0 playbook collection comes bundled with the Symantec EPM (SEPM) connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EPM (SEPM) connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.