Symantec ICA is an advanced cyber risk analytics solution that helps organizations identify and act on risks.
This document provides information about the Symantec ICA connector, which facilitates automated interactions with Symantec ICA using FortiSOAR™ playbooks. Add the Symantec ICA connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving risk scores for entities such as users, IPs, and hosts from Symantec ICA.
Connector Version: 1.0.0
Authored By: Bay Dynamics
Certified: No
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-symantec-ica
For the detailed procedure to install a connector, see the FortiSOAR™ connector installation documentation.
For the procedure to configure a connector, see the FortiSOAR™ connector configuration documentation.
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Host Risk | Retrieves the latest risk score for a host from Symantec ICA, based on the hostname you have specified. | get_host_risk, Investigation |
| Get IP Risk | Retrieves the latest risk score for an IP address from Symantec ICA, based on the IP address you have specified. | get_ip_risk, Investigation |
| Get User Risk | Retrieves the latest risk score for a user from Symantec ICA, based on the username you have specified. | get_user_risk, Investigation |
| Get Risk Model Instances | Retrieves the details for risk model instances from Symantec ICA. | get_risk_model_instances, Investigation |
| Get Risk Model Instance | Retrieves the details for a risk model instance from Symantec ICA, based on the risk model instance ID you have specified. | get_risk_model_details, Investigation |
| Get Action Plans | Retrieves the details for action plans from Symantec ICA. | get_action_plans, Investigation |
| Create Comment on Action Plan | Creates a comment on an action plan in Symantec ICA, based on the risk model action plan GUID you have specified. | set_action_plan_comment, Investigation |
| Set Event Classifications | Sets classifications for events in Symantec ICA, based on the risk model instance ID, Card Instance ID, and Focus Entity ID you have specified. | set_event_classifications, Investigation |
| Set Event Mitigations | Sets mitigations for events in Symantec ICA, based on the risk model instance ID, Card Instance ID, and Focus Entity ID you have specified. | set_event_mitigations, Investigation |
The Sample - Symantec-ICA - 1.0.0 playbook collection comes bundled with the Symantec ICA connector. This collection contains playbooks with steps that exercise every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec ICA connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.