Fortinet Document Library

Symantec EPM (SEPM)

1.0.0

About the connector

Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers and servers in your network against malware. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats. The Symantec Endpoint Protection client combines different types of scans to secure your computers against virus and spyware attacks.

This document provides information about the Symantec EPM (SEPM) connector, which facilitates automated interactions with a Symantec EPM (SEPM) server using FortiSOAR™ playbooks. Add the Symantec EPM (SEPM) connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of groups configured on the device or updating information about an existing domain.

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

Compatibility with Symantec EPM (SEPM) Version: 14.1 and later

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of the Symantec EPM (SEPM) server to which you will connect and perform the automated operations, and credentials to access that server.
  • Ensure that port 8446 (the port used in the Symantec EPM (SEPM) REST API URL) is open.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec EPM (SEPM) connector and click Configure to configure the following parameters:

  • Server URL: URL of the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. For example, https://<IPAddress>:8446/sepm/api/v1/
  • Username: Username used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations.
  • Password: Encrypted password used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.
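The following Python snippet is an added example, not code from the connector or from FortiSOAR™. It checks that a Server URL value has the shape the table documents (https, port 8446, path /sepm/api/v1/) and builds the TLS settings that the Verify SSL parameter selects, so that the weak setting is visible next to the default. The function names and the use of the standard-library ssl module are assumptions made for this example.

```python
# Added example (not part of the connector documentation): validate the
# "Server URL" parameter and build the TLS settings selected by "Verify SSL".
# Standard library only, so it runs offline.
import ssl
from urllib.parse import urlparse, urlunparse

SEPM_API_PORT = 8446             # from the prerequisites: port 8446 must be open
SEPM_API_PATH = "/sepm/api/v1/"  # from the Server URL example on the page


def normalize_server_url(server_url: str) -> str:
    """Return a canonical base URL for the SEPM REST API, or raise ValueError.

    Requires https, fills in the documented port 8446 when none is given and
    rejects any other port, and fills in / checks the /sepm/api/v1/ prefix.
    """
    parsed = urlparse(server_url.strip())
    if parsed.scheme != "https":
        raise ValueError("SEPM API must be reached over https, got %r" % parsed.scheme)
    if not parsed.hostname:
        raise ValueError("Server URL has no host")
    port = parsed.port or SEPM_API_PORT
    if port != SEPM_API_PORT:
        raise ValueError("unexpected port %d; the documented API port is %d" % (port, SEPM_API_PORT))
    path = parsed.path if parsed.path.endswith("/") else parsed.path + "/"
    if path == "/":
        path = SEPM_API_PATH
    if path != SEPM_API_PATH:
        raise ValueError("unexpected API path %r, expected %r" % (path, SEPM_API_PATH))
    host = parsed.hostname
    if ":" in host:  # IPv6 literal must be bracketed again
        host = "[%s]" % host
    return urlunparse(("https", "%s:%d" % (host, port), path, "", "", ""))


def build_tls_context(verify_ssl: bool = True) -> ssl.SSLContext:
    """Build the TLS context a client would use for the SEPM connection.

    verify_ssl=True (the connector's default) keeps certificate and hostname
    verification. verify_ssl=False is the weak setting: it disables both, so
    anyone who can intercept traffic on the management network could read the
    administrator credentials the connector sends.
    """
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed sample inputs; <IPAddress> in the page's example is replaced here.
    print(normalize_server_url("https://10.0.0.5:8446/sepm/api/v1/"))
    print(normalize_server_url("https://sepm.example.internal"))
    print(build_tls_context(True).verify_mode.name, build_tls_context(False).verify_mode.name)
```

If verification fails against a self-signed SEPM certificate, the durable fix is to trust that certificate (or its issuing CA) on the FortiSOAR™ host rather than switching Verify SSL to False.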

Actions supported by the connector

The following automated operations can be included in playbooks, and from FortiSOAR™ release 4.10.0 onwards you can also use the annotations to access the operations:

  • List Groups: Retrieves details for all groups configured on the device from the Symantec EPM (SEPM) server. Annotation: list_groups. Category: Investigation.
  • Get Group Information: Retrieves information about a group, based on the group ID that you have specified, from the Symantec EPM (SEPM) server. Annotation: group_info. Category: Investigation.
  • List Endpoints: Retrieves details for all endpoints, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. Annotation: list_sensors. Category: Investigation.
  • List Domains: Retrieves details for all accessible domains from the Symantec EPM (SEPM) server. Annotation: get_domains. Category: Investigation.
  • Create Domain: Creates a domain, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. Annotation: create_domain. Category: Investigation.
  • Get Domain Name: Retrieves the domain name, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. Annotation: get_domain_name. Category: Investigation.
  • Get Domain Information: Retrieves details about a particular domain, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. Annotation: get_domain_info. Category: Investigation.
  • Update Domain: Updates information about an existing domain, based on the domain ID and other input parameters that you have specified, on the Symantec EPM (SEPM) server. Annotation: updates_domain_info. Category: Investigation.
  • Delete Domain: Deletes a particular domain, based on the input parameters that you have specified, from the Symantec EPM (SEPM) server. Annotation: delete_domain. Category: Investigation.
  • Get Critical Events Information: Retrieves details associated with critical events from the Symantec EPM (SEPM) server. Annotation: critical_events_info. Category: Investigation.
  • Get Client Groups By Content Source: Retrieves a list and count of client groups, filtered by content download sources, from the Symantec EPM (SEPM) server. Annotation: list_client_groups_by_content_source. Category: Investigation.
  • List Client For Group By Content Version: Retrieves a list of clients for a group, filtered by content version, from the Symantec EPM (SEPM) server. Annotation: client_list_group_by_content_version. Category: Investigation.
  • List Infected Client: Retrieves a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server. Annotation: list_infected_clients. Category: Investigation.
  • Get Malware Reporting Clients: Retrieves a list of clients reporting malware events, based on the time range that you have specified, from the Symantec EPM (SEPM) server. Annotation: client_list_reporting_malware_events. Category: Investigation.
  • Get Threat Status: Retrieves details for all threat statistics from the Symantec EPM (SEPM) server. Annotation: get_threat_stats. Category: Investigation.
  • Scan Endpoint: Scans an endpoint to identify threats, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. Annotation: scan_endpoint. Category: Investigation.
  • Quarantine Endpoints: Quarantines groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. Annotation: isolate_endpoint. Category: Containment.
  • Unquarantine Endpoints: Removes the quarantine (unquarantines) of groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. Annotation: unisolate_endpoint. Category: Remediation.
  • Get Command Status: Retrieves the command status, based on the command ID that you have specified, from the Symantec EPM (SEPM) server. Annotation: command_status. Category: Investigation.
  • Get Fingerprint List Information: Retrieves the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, from the Symantec EPM (SEPM) server. Annotation: get_fingerprint_list. Category: Investigation.
  • Assign Fingerprint List To Group: Assigns a file fingerprint list that you have specified to a group that you have specified on the Symantec EPM (SEPM) server. Annotation: assign_fingerprint_to_group. Category: Containment.
  • Add Blacklist: Adds a blacklist as a file fingerprint list to the Symantec EPM (SEPM) server. Annotation: add_blacklist. Category: Containment.
  • Update Blacklist: Updates an existing blacklist, based on the input parameters, such as the file fingerprint file ID, that you have specified, on the Symantec EPM (SEPM) server. Annotation: update_blacklist. Category: Containment.
  • Delete Blacklist: Deletes an existing blacklist, based on the file fingerprint file ID that you have specified, from the Symantec EPM (SEPM) server. This operation also removes the blacklist from the group to which it applies. Annotation: delete_blacklist. Category: Miscellaneous.

operation: List Groups

Input parameters

None.

Output

The JSON output contains details for all groups configured on the device, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the List Groups operation

operation: Get Group Information

Input parameters

  • Group ID: ID of the group whose details you want to retrieve from the Symantec EPM (SEPM) server.

Output

The JSON output contains detailed information about the group, based on the group ID that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Group Information operation

operation: List Endpoints

Input parameters

  • Domain ID: ID of the domain whose associated endpoints you want to retrieve from the Symantec EPM (SEPM) server.

Output

The JSON output contains information for all endpoints that are associated with the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the List Endpoints operation

operation: List Domains

Input parameters

None.

Output

The JSON output contains details for all accessible domains, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the List Domains operation

operation: Create Domain

Input parameters

  • Domain Name: Name of the domain that you want to create on the Symantec EPM (SEPM) server.
  • Max Client Idle Time In Days (Optional): Number of days after which Symantec EPM (SEPM) deletes clients that have not connected. The minimum value is 1.
  • Max Npvdi Client Idle Time In Days (Optional): Number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected. The minimum value is 1.
  • Delete Idle Clients (Optional): Select this option to delete clients that have not connected to Symantec EPM (SEPM) for the specified number of days. By default, this is set to False.
  • Delete Idle Npvdi Clients (Optional): Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for the specified number of days. By default, this is set to False.
  • Allow Saving Credentials (Optional): Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM). By default, this is set to False.
  • Allow Never Expiring Passwords (Optional): Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire. By default, this is set to False.
  • Display Logon Banner (Optional): Select this option to show a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM). By default, this is set to False.

Output

The JSON output contains details of the newly created domain on the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Create Domain operation

operation: Get Domain Name

Input parameters

  • Domain ID: ID of the domain whose name you want to retrieve from the Symantec EPM (SEPM) server.

Output

The JSON output contains the domain name, based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Domain Name operation

operation: Get Domain Information

Input parameters

  • Domain ID: ID of the domain for which you want to retrieve details from the Symantec EPM (SEPM) server.

Output

The JSON output contains detailed information about the domain, based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Domain Information operation

operation: Update Domain

Input parameters

  • Domain ID: ID of the domain that you want to update on the Symantec EPM (SEPM) server.
  • Domain Name: Name of the domain that you want to update on the Symantec EPM (SEPM) server.
  • Max Client Idle Time In Days (Optional): Number of days after which Symantec EPM (SEPM) deletes clients that have not connected. The minimum value is 1.
  • Max Npvdi Client Idle Time In Days (Optional): Number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected. The minimum value is 1.
  • Delete Idle Clients (Optional): Select this option to delete clients that have not connected to Symantec EPM (SEPM) for the specified number of days. By default, this is set to False.
  • Delete Idle Npvdi Clients (Optional): Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for the specified number of days. By default, this is set to False.
  • Allow Saving Credentials (Optional): Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM). By default, this is set to False.
  • Allow Never Expiring Passwords (Optional): Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire. By default, this is set to False.
  • Display Logon Banner (Optional): Select this option to show a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM). By default, this is set to False.

Output

The JSON output contains the updated domain information, based on the domain ID and domain name that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Update Domain operation

operation: Delete Domain

Input parameters

  • Domain ID: ID of the domain that you want to delete from the Symantec EPM (SEPM) server.

Output

The JSON output contains a Success message if the specified domain is successfully deleted from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Delete Domain operation

operation: Get Critical Events Information

Input parameters

None.

Output

The JSON output contains details associated with critical events, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Critical Events Information operation

operation: Get Client Groups By Content Source

Input parameters

None.

Output

The JSON output contains a list and count of client groups, filtered by content download sources, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Client Groups By Content Source operation

operation: List Client For Group By Content Version

Input parameters

None.

Output

The JSON output contains a list of clients for a group, filtered by content version, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the List Client For Group By Content Version operation

operation: List Infected Client

Input parameters

  • Report Type: Type of report based on which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. You can choose from the following options: Hour, Day, Week, or Month. By default, this is set as Day.
  • From: DateTime from when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server.
  • To: DateTime till when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server.

Output

The JSON output contains a list and count of infected clients, based on the time range and report type that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the List Infected Client operation

operation: Get Malware Reporting Clients

Input parameters

  • Report Type: Type of report based on which you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. You can choose from the following options: Hour, Day, Week, or Month. By default, this is set as Day.
  • From: DateTime from when you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server.
  • To: DateTime till when you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server.

Output

The JSON output contains a list of clients reporting malware events, based on the time range that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Malware Reporting Clients operation

operation: Get Threat Status

Input parameters

None.

Output

The JSON output contains details for all threat statistics, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Threat Status operation

operation: Scan Endpoint

Input parameters

  • Scan Groups or Computers: Choose whether you want to perform the scan action on Groups or Computers. By default, this is set as Computers.
  • IDs: List of Computer IDs or Group IDs that you want to scan.
  • Body: Evidence of compromise command in XML.

Output

The JSON output contains detailed information about the scan operation performed on the groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.

operation: Quarantine Endpoints

Input parameters

  • Apply Quarantine: Choose whether you want to perform the quarantine action on Groups or Computers. By default, this is set as Computers.
  • IDs: List of Computer IDs or Group IDs that you want to quarantine.

Output

The JSON output contains detailed information about the quarantine operation performed on the groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Quarantine Endpoints operation

operation: Unquarantine Endpoints

Input parameters

  • Apply Unquarantine: Choose whether you want to perform the unquarantine action on Groups or Computers. By default, this is set as Computers.
  • IDs: List of Computer IDs or Group IDs that you want to unquarantine.

Output

The JSON output contains detailed information about the unquarantine operation performed on the groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Unquarantine Endpoints operation

operation: Get Command Status

Input parameters

  • Command ID: ID of the command whose status you want to retrieve from the Symantec EPM (SEPM) server.

Output

The JSON output contains information about the status of the command, based on the command ID that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Command Status operation
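Scan Endpoint, Quarantine Endpoints and Unquarantine Endpoints start a command on the Symantec EPM (SEPM) server, and the outcome is read afterwards with Get Command Status by command ID. The following Python snippet is an added example, not part of the connector or of its sample playbooks, of a playbook-style poll loop that waits for such a command to reach a terminal state and reports plainly when it did not, so a containment step is never assumed to have succeeded just because it was submitted. The status field name (state), the state values, the fetch_status callable and the fake status source are assumptions constructed for this example; the real connector returns whatever the SEPM server reports.

```python
# Added example (not connector code): wait for an asynchronous SEPM command
# to finish, using an injected status source so it runs offline.
import time
from typing import Any, Callable, Dict, List

# Assumed (not from the page): states in which a command is finished. The
# names a real SEPM server uses may differ; adjust them to the observed output.
TERMINAL_STATES = {"COMPLETED", "FAILED", "REJECTED", "CANCELLED"}


def wait_for_command(fetch_status: Callable[[str], Dict[str, Any]],
                     command_id: str,
                     max_attempts: int = 10,
                     delay_seconds: float = 0.0) -> Dict[str, Any]:
    """Poll fetch_status(command_id) until the command reaches a terminal state.

    Returns a dict with command_id, the last state seen, the number of
    attempts used and done=True only if a terminal state was reached. A
    result with done=False means the command was still pending when the
    attempt budget ran out; a playbook should branch to manual follow-up.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    state = "UNKNOWN"
    for attempt in range(1, max_attempts + 1):
        record = fetch_status(command_id)          # one Get Command Status call
        state = str(record.get("state", "UNKNOWN")).upper()
        if state in TERMINAL_STATES:
            return {"command_id": command_id, "state": state,
                    "attempts": attempt, "done": True}
        if delay_seconds and attempt < max_attempts:
            time.sleep(delay_seconds)
    return {"command_id": command_id, "state": state,
            "attempts": max_attempts, "done": False}


def containment_verified(result: Dict[str, Any]) -> bool:
    """True only when the command finished and its final state is COMPLETED.

    FAILED or REJECTED is also 'done', but the endpoint is not contained.
    """
    return bool(result["done"]) and result["state"] == "COMPLETED"


def make_fake_status_source(timeline: List[str]) -> Callable[[str], Dict[str, Any]]:
    """Constructed stand-in for Get Command Status: returns the states in
    timeline one call at a time, then repeats the last one."""
    calls = {"count": 0}

    def fetch_status(command_id: str) -> Dict[str, Any]:
        index = min(calls["count"], len(timeline) - 1)
        calls["count"] += 1
        return {"command_id": command_id, "state": timeline[index]}

    return fetch_status


if __name__ == "__main__":
    # Constructed scenario: a quarantine command that completes on the third poll.
    source = make_fake_status_source(["PENDING", "IN_PROGRESS", "COMPLETED"])
    outcome = wait_for_command(source, "cmd-example-0001", max_attempts=5)
    print(outcome, "contained:", containment_verified(outcome))
```

In a real playbook the fetch_status argument would be a call to the connector's Get Command Status operation, and delay_seconds would be set to a few seconds so the poll does not hammer the SEPM server.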

operation: Get Fingerprint List Information

Input parameters

  • Name: Name of the file fingerprint list whose hash values you want to retrieve from the Symantec EPM (SEPM) server.

Output

The JSON output contains the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Fingerprint List Information operation

operation: Assign Fingerprint List To Group

Input parameters

  • Fingerprint ID: ID of the file fingerprint list that you want to assign to a group on the Symantec EPM (SEPM) server.
  • Group ID: ID of the group to which you want to assign the file fingerprint list on the Symantec EPM (SEPM) server.

Output

The JSON output contains a Success message if the specified file fingerprint list is successfully assigned to the specified group on the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Assign Fingerprint List To Group operation

operation: Add Blacklist

Input parameters

  • Blacklist Name: Name of the blacklist that you want to add on the Symantec EPM (SEPM) server.
  • Hash Type: Hash type of the blacklist file. You can choose between MD5 and SHA256. By default, this is set as MD5.
  • Hash Value: File hashes that you want to add to the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server.
  • Domain ID: ID of the domain to which the blacklist file will be applied on the Symantec EPM (SEPM) server.
  • Description: Description of the blacklist file that you want to add to the Symantec EPM (SEPM) server.

Output

The JSON output contains details of the blacklist file added on the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Add Blacklist operation

operation: Update Blacklist

Input parameters

  • Fingerprint ID: ID of the file fingerprint list that you want to update on the Symantec EPM (SEPM) server.
  • Blacklist Name: Name of the blacklist whose details you want to update on the Symantec EPM (SEPM) server.
  • Hash Type: Hash type of the blacklist file. You can choose between MD5 and SHA256. By default, this is set as MD5.
  • Hash Value: File hashes that you want to update in the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server.
  • Domain ID: ID of the domain to which the blacklist file will be applied on the Symantec EPM (SEPM) server.
  • Description: Description of the blacklist file that you want to update on the Symantec EPM (SEPM) server.

Output

The JSON output contains details of the updated blacklist, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Update Blacklist operation
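Both Add Blacklist and Update Blacklist take a Hash Type (MD5 or SHA256) and a Hash Value list. The following Python snippet is an added example, not connector code, that validates and de-duplicates the hash values against the chosen type before a playbook sends them, rejecting for instance a SHA256 digest that slipped into an MD5 list, and assembles the request body. The body's key names (name, domainId, hashType, description, data), the function names and the two sample digests (the MD5 and SHA256 of an empty input) are assumptions constructed for this example.

```python
# Added example (not connector code): check a Hash Value list against the
# chosen Hash Type before it becomes a file fingerprint (blacklist) entry.
import re
from typing import Any, Dict, Iterable, List, Tuple, Union

# Lowercase hex of the length each digest must have; the two types the page offers.
HASH_PATTERNS = {
    "MD5": re.compile(r"^[0-9a-f]{32}$"),
    "SHA256": re.compile(r"^[0-9a-f]{64}$"),
}


def validate_hashes(hash_values: Union[str, Iterable[str]],
                    hash_type: str = "MD5") -> Tuple[List[str], List[str]]:
    """Return (valid, rejected).

    valid holds normalised (trimmed, lowercase) digests of the requested type,
    de-duplicated in first-seen order; rejected holds the raw inputs that are
    not a digest of that type. A single string is split on whitespace, commas
    or semicolons, which is how a playbook variable usually arrives.
    """
    hash_type = hash_type.strip().upper()
    if hash_type not in HASH_PATTERNS:
        raise ValueError("Hash Type must be MD5 or SHA256, got %r" % hash_type)
    if isinstance(hash_values, str):
        hash_values = re.split(r"[\s,;]+", hash_values)
    pattern = HASH_PATTERNS[hash_type]
    seen, valid, rejected = set(), [], []
    for raw in hash_values:
        digest = raw.strip().lower()
        if not digest:
            continue
        if not pattern.match(digest):
            rejected.append(raw)
            continue
        if digest in seen:          # duplicate entries add nothing to the list
            continue
        seen.add(digest)
        valid.append(digest)
    return valid, rejected


def build_fingerprint_list(name: str, hash_values: Union[str, Iterable[str]],
                           domain_id: str, hash_type: str = "MD5",
                           description: str = "", strict: bool = True) -> Dict[str, Any]:
    """Assemble the body for an Add/Update Blacklist request.

    strict=True refuses the whole list if any entry is malformed, so a typo
    cannot silently shrink the block list; strict=False drops bad entries.
    The key names below are assumed for this example, not taken from the page.
    """
    valid, rejected = validate_hashes(hash_values, hash_type)
    if strict and rejected:
        raise ValueError("rejected %d malformed hash value(s): %r" % (len(rejected), rejected))
    if not valid:
        raise ValueError("no valid %s hashes supplied" % hash_type.upper())
    return {
        "name": name,
        "domainId": domain_id,
        "hashType": hash_type.strip().upper(),
        "description": description,
        "data": valid,
    }


if __name__ == "__main__":
    # Constructed sample: MD5 of an empty input, given twice with odd casing,
    # plus a SHA256 digest that does not belong in an MD5 list.
    sample = ["D41D8CD98F00B204E9800998ECF8427E",
              " d41d8cd98f00b204e9800998ecf8427e ",
              "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"]
    print(validate_hashes(sample, "MD5"))
    print(build_fingerprint_list("Example block list", sample[:2],
                                 "DOMAIN-ID-PLACEHOLDER", description="constructed sample"))
```

Running the validation before the connector step, and failing the playbook on rejected entries, keeps a malformed indicator from turning an intended block into a no-op on the SEPM side.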

operation: Delete Blacklist

Input parameters

  • Fingerprint ID: ID of the file fingerprint list that you want to delete from the Symantec EPM (SEPM) server.

Output

The JSON output contains a Success message if the specified blacklist file is successfully deleted from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Delete Blacklist operation

Included playbooks

The Sample - Symantec-EPM (SEPM) - 1.0.0 playbook collection comes bundled with the Symantec EPM (SEPM) connector. This collection contains playbooks whose steps let you perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EPM (SEPM) connector.

  • Add Blacklist
  • Assign Fingerprint List To Group
  • Create Domain
  • Delete Blacklist
  • Delete Domain
  • Get Client Groups By Content Source
  • Get Command Status
  • Get Critical Events Information
  • Get Domain Information
  • Get Domain Name
  • Get Fingerprint List Information
  • Get Group Information
  • Get Malware Reporting Clients
  • Get Threat Status
  • List Client For Group By Content Version
  • List Domains
  • List Endpoints
  • List Infected Client
  • List Groups
  • Scan Endpoint
  • Quarantine Endpoints
  • Unquarantine Endpoints
  • Update Blacklist
  • Update Domain

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

 

 

 

About the connector

Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers and servers in your network against malware. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats. The Symantec Endpoint Protection client combines different types of scans to secure your computers against virus and spyware attacks.

This document provides information about the Symantec EPM (SEPM) connector, which facilitates automated interactions, with a Symantec EPM (SEPM) server using FortiSOAR™ playbooks. Add the Symantec EPM (SEPM) connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of groups configured on the device, or updating information of an existing domain.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

Compatibility with Symantec EPM (SEPM) Version: 14.1 and later

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec EPM (SEPM) connector and click Configure to configure the following parameters:

 

Parameter Description
Server URL URL of the Symantec EPM (SEPM) server to which you will connect and perform the automated operations.
For example, https://<IPAddress>:8446/sepm/api/v1/
Username Username used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations.
Password Encrypted password used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

Function Description Annotation and Category
List Groups Retrieves details for all groups configured on the device from the Symantec EPM (SEPM) server. list_groups
Investigation
Get Group Information Retrieves information about a group, based on the group ID that you have specified, from the Symantec EPM (SEPM) server. group_info
Investigation
List Endpoints Retrieves details for all endpoints, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. list_sensors
Investigation
List Domains Retrieves details for all accessible domains from the Symantec EPM (SEPM) server. get_domains
Investigation
Create Domain Creates a domain, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. create_domain
Investigation
Get Domain Name Retrieves the domain name, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. get_domain_name
Investigation
Get Domain Information Retrieves details about a particular domain, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. get_domain_info
Investigation
Update Domain Updates information about an existing domain, based on the domain ID and other input parameters that you have specified, on the Symantec EPM (SEPM) server. updates_domain_info
Investigation
Delete Domain Deletes a particular domain, based on the input parameters that you have specified, from the Symantec EPM (SEPM) server. delete_domain
Investigation
Get Critical Events Information Retrieves details associated with critical events from the Symantec EPM (SEPM) server. critical_events_info
Investigation
Get Client Groups By Content Source Retrieves a list and count of client groups, filtered by content download sources, from the Symantec EPM (SEPM) server. list_client_groups_by_content_source
Investigation
List Client For Group By Content Version Retrieves a list of clients for a group, filtered by content version, from the Symantec EPM (SEPM) server. client_list_group_by_content_version
Investigation
List Infected Client Retrieves a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server. list_infected_clients
Investigation
Get Malware Reporting Clients Retrieves a list of clients reporting malware events, based on the time range that you have specified, from the Symantec EPM (SEPM) server. client_list_reporting_malware_events
Investigation
Get Threat Status Retrieves details for all threat statistics from the Symantec EPM (SEPM) server. get_threat_stats
Investigation
Scan Endpoint Scans an endpoint to identify threats, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. scan_endpoint
Investigation
Quarantine Endpoints Quarantines groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. isolate_endpoint
Containment
Unquarantine Endpoints Removes the quarantine (unquarantines) of groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. unisolate_endpoint
Remediation
Get Command Status Retrieves the command status, based on the command ID that you have specified, from the Symantec EPM (SEPM) server. command_status
Investigation
Get Fingerprint List Information Retrieves the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, from the Symantec EPM (SEPM) server. get_fingerprint_list
Investigation
Assign Fingerprint List To Group Assigns a file fingerprint list that you have specified to a group that you have specified on the Symantec EPM (SEPM) server. assign_fingerprint_to_group
Containment
Add Blacklist Add a blacklist as a file fingerprint list to the Symantec EPM (SEPM) server. add_blacklist
Containment
Update Blacklist Updates an existing blacklist, based on the input parameters, such as the file fingerprint file ID, that you have specified, from the Symantec EPM (SEPM) server. update_blacklist
Containment
Delete Blacklist Deletes an existing blacklist, based on the file fingerprint file ID that you have specified, from the Symantec EPM (SEPM) server. This operation also removes this blacklist from the group to which it applies. delete_blacklist
Miscellaneous

 

operation: List Groups

Input parameters

None.

Output

The JSON output contains details for all groups configured on the device retrieved from the Symantec EPM (SEPM) server.

Following image displays a sample output:

 

Sample output of the List Groups operation

 

operation: Get Group Information

Input parameters

 

Parameter Description
Group ID ID of the group whose details you want to retrieve from the Symantec EPM (SEPM) server.

 

Output

The JSON output contains detailed information about the group based on the group ID that you have specified, retrieved from the Symantec EPM (SEPM) server.

Following image displays a sample output:

 

Sample output of the Get Group Information operation

 

operation: List Endpoints

Input parameters

 

Parameter Description
Domain ID Domain ID based on which you want to retrieve information for all associated endpoints from the Symantec EPM (SEPM) server.

 

Output

The JSON output contains information for all endpoints that are associated with the Domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.

Following image displays a sample output:

 

Sample output of the List Endpoints operation

 

operation: List Domains

Input parameters

None.

Output

The JSON output contains details for all accessible domains retrieved from the Symantec EPM (SEPM) server.

Following image displays a sample output:

 

Sample output of the List Domains operation

 

operation: Create Domain

Input parameters

Parameter Description
Domain Name Name of the domain that you want to create on the Symantec EPM (SEPM) server.
Max Client Idle Time In Days (Optional) Number of days after which Symantec EPM (SEPM) deletes clients that have not connected.
The minimum value is 1.
Max Npvdi Client Idle Time In Days (Optional) Number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected.
The minimum value is 1.
Delete Idle Clients (Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for the specified number of days.
By default, this is set to False.
Delete Idle Npvdi Clients (Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for the specified number of days.
By default, this is set to False.
Allow Saving Credentials (Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM).
By default, this is set to False.
Allow Never Expiring Passwords (Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire.
By default, this is set to False.
Display Logon Banner (Optional) Select this option to show a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM).
By default, this is set to False.

Output

The JSON output contains details of the newly created domain on the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Create Domain operation

operation: Get Domain Name

Input parameters

Parameter Description
Domain ID ID of the domain whose name you want to retrieve from the Symantec EPM (SEPM) server.

Output

The JSON output contains the domain name based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Domain Name operation

operation: Get Domain Information

Input parameters

Parameter Description
Domain ID ID of the domain for which you want to retrieve details from the Symantec EPM (SEPM) server.

Output

The JSON output contains detailed information about the domain based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Domain Information operation

operation: Update Domain

Input parameters

Parameter Description
Domain ID ID of the domain that you want to update on the Symantec EPM (SEPM) server.
Domain Name Name of the domain that you want to update on the Symantec EPM (SEPM) server.
Max Client Idle Time In Days (Optional) Number of days after which Symantec EPM (SEPM) deletes clients that have not connected.
The minimum value is 1.
Max Npvdi Client Idle Time In Days (Optional) Number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected.
The minimum value is 1.
Delete Idle Clients (Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for the specified number of days.
By default, this is set to False.
Delete Idle Npvdi Clients (Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for the specified number of days.
By default, this is set to False.
Allow Saving Credentials (Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM).
By default, this is set to False.
Allow Never Expiring Passwords (Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire.
By default, this is set to False.
Display Logon Banner (Optional) Select this option to show a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM).
By default, this is set to False.

Output

The JSON output contains the updated domain information, based on the domain ID and domain name you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Update Domain operation

operation: Delete Domain

Input parameters

Parameter Description
Domain ID ID of the domain that you want to delete from the Symantec EPM (SEPM) server.

Output

The JSON output contains a Success message if the specified domain is successfully deleted from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Delete Domain operation

operation: Get Critical Events Information

Input parameters

None.

Output

The JSON output contains details associated with critical events retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Critical Events Information operation

operation: Get Client Groups By Content Source

Input parameters

None.

Output

The JSON output contains a list and count of client groups, filtered by content download sources, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Client Groups By Content Source operation

operation: List Client For Group By Content Version

Input parameters

None.

Output

The JSON output contains a list of clients for a group, filtered by content version, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the List Client For Group By Content Version operation

operation: List Infected Client

Input parameters

Parameter Description
Report Type Type of report based on which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server.
You can choose from the following options: Hour, Day, Week, or Month.
By default, this is set as Day.
From DateTime from which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server.
To DateTime until which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server.

Output

The JSON output contains a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the List Infected Client operation

operation: Get Malware Reporting Clients

Input parameters

Parameter Description
Report Type Type of report based on which you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server.
You can choose from the following options: Hour, Day, Week, or Month.
By default, this is set as Day.
From DateTime from which you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server.
To DateTime until which you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server.

Output

The JSON output contains a list of clients reporting malware events, based on the time range that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Malware Reporting Clients operation

operation: Get Threat Status

Input parameters

None.

Output

The JSON output contains details for all threat statistics retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Threat Status operation

operation: Scan Endpoint

Input parameters

Parameter Description
Scan Groups or Computers Choose whether you want to perform the scan action on Groups or Computers.
By default, this is set as Computers.
IDs List of Computer IDs or Group IDs that you want to scan.
Body Evidence of compromise command, in XML, for the scan.

Output

The JSON output contains detailed information about the scan operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.

operation: Quarantine Endpoints

Input parameters

Parameter Description
Apply Quarantine Choose whether you want to perform the quarantine action on Groups or Computers.
By default, this is set as Computers.
IDs List of Computer IDs or Group IDs that you want to quarantine.

Output

The JSON output contains detailed information about the quarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Quarantine Endpoints operation

operation: Unquarantine Endpoints

Input parameters

Parameter Description
Apply Unquarantine Choose whether you want to perform the unquarantine action on Groups or Computers.
By default, this is set as Computers.
IDs List of Computer IDs or Group IDs that you want to unquarantine.

Output

The JSON output contains detailed information about the unquarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Unquarantine Endpoints operation

operation: Get Command Status

Input parameters

Parameter Description
Command ID ID of the command whose status you want to retrieve from the Symantec EPM (SEPM) server.

Output

The JSON output contains information about the status of the command based on the command ID that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Command Status operation

operation: Get Fingerprint List Information

Input parameters

Parameter Description
Name Name of the file fingerprint list that you want to retrieve from the Symantec EPM (SEPM) server.

Output

The JSON output contains the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, retrieved from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Get Fingerprint List Information operation

operation: Assign Fingerprint List To Group

Input parameters

Parameter Description
Fingerprint ID ID of the file fingerprint list that you want to assign to a group on the Symantec EPM (SEPM) server.
Group ID ID of the group to which you want to assign the file fingerprint list on the Symantec EPM (SEPM) server.

Output

The JSON output contains a Success message if the specified file fingerprint list is successfully assigned to the specified group on the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Assign Fingerprint List To Group operation

operation: Add Blacklist

Input parameters

Parameter Description
Blacklist Name Name of the blacklist that you want to add to the Symantec EPM (SEPM) server.
Hash Type Hash type of the blacklist file. You can choose between MD5 and SHA256.
By default, this is set as MD5.
Hash Value File hashes that you want to add to the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server.
Domain ID ID of the domain to which the blacklist file will be applied on the Symantec EPM (SEPM) server.
Description Description of the blacklist file that you want to add to the Symantec EPM (SEPM) server.

Output

The JSON output contains details of the blacklist file added on the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Add Blacklist operation

operation: Update Blacklist

Input parameters

Parameter Description
Fingerprint ID ID of the file fingerprint list that you want to update on the Symantec EPM (SEPM) server.
Blacklist Name Name of the blacklist whose details you want to update on the Symantec EPM (SEPM) server.
Hash Type Hash type of the blacklist file. You can choose between MD5 and SHA256.
By default, this is set as MD5.
Hash Value File hashes that you want to update in the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server.
Domain ID ID of the domain to which the blacklist file will be applied on the Symantec EPM (SEPM) server.
Description Description of the blacklist file that you want to update on the Symantec EPM (SEPM) server.
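
Two checks are worth running in a playbook before it calls Add Blacklist or Update Blacklist: that every Hash Value is a digest of the selected Hash Type (a SHA256 digest submitted under MD5 produces a fingerprint list that never matches anything), and that the list carries no duplicate or mixed-case entries. The following Python is an added example, not part of the connector or of this document; the dictionary key names, the placeholder domain ID and the sample digests (well-known MD5 values of the empty string and of a test sentence) are assumptions.

```python
import re
from typing import Iterable

# Hex-digest lengths for the two hash types Add/Update Blacklist accept.
HASH_LENGTHS = {"MD5": 32, "SHA256": 64}
_HEX = re.compile(r"[0-9a-fA-F]+")


def normalize_hashes(hash_type: str, hashes: Iterable[str]) -> list:
    """Return a de-duplicated, lower-case list of digests valid for hash_type.

    Raises ValueError on an unknown hash type, a non-hex value, or a digest
    whose length does not match hash_type (e.g. a SHA256 digest in an MD5 list).
    """
    hash_type = hash_type.strip().upper()
    if hash_type not in HASH_LENGTHS:
        raise ValueError(f"Hash Type must be MD5 or SHA256, got {hash_type!r}")
    expected = HASH_LENGTHS[hash_type]
    seen, result = set(), []
    for raw in hashes:
        value = raw.strip().lower()
        if not value:
            continue  # tolerate blank entries from a pasted list
        if not _HEX.fullmatch(value):
            raise ValueError(f"not a hex digest: {raw!r}")
        if len(value) != expected:
            raise ValueError(
                f"{raw!r} has {len(value)} hex chars; {hash_type} digests have {expected}")
        if value not in seen:
            seen.add(value)
            result.append(value)
    if not result:
        raise ValueError("Hash Value list is empty after validation")
    return result


def build_blacklist_params(name, hash_type, hashes, domain_id, description=""):
    """Assemble the operation's input parameters with validated hashes.

    The dictionary keys mirror the parameter names in the table above; how a
    playbook step actually passes them is an assumption, not documented here.
    """
    return {
        "Blacklist Name": name,
        "Hash Type": hash_type.strip().upper(),
        "Hash Value": normalize_hashes(hash_type, hashes),
        "Domain ID": domain_id,  # e.g. "DOMAIN-ID-PLACEHOLDER"; take the real value from List Domains
        "Description": description,
    }
```

Run the validation on the list before the connector step so a mismatch fails the playbook early, rather than creating a fingerprint list that silently never blocks anything.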

 

Output

The JSON output contains details of the updated blacklist from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Update Blacklist operation

operation: Delete Blacklist

Input parameters

Parameter Description
Fingerprint ID ID of the file fingerprint list that you want to delete from the Symantec EPM (SEPM) server.

Output

The JSON output contains a Success message if the specified blacklist file is successfully deleted from the Symantec EPM (SEPM) server.

The following image displays a sample output:

Sample output of the Delete Blacklist operation

Included playbooks

The Sample - Symantec-EPM (SEPM) - 1.0.0 playbook collection comes bundled with the Symantec EPM (SEPM) connector. This playbook collection contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EPM (SEPM) connector.

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.