About the connector
Symantec ICDX unifies cloud and on-premises security to provide advanced threat protection and information protection across all endpoints, networks, email, and cloud applications.
This document provides information about the Symantec ICDX connector, which facilitates automated interactions, with a Symantec ICDX server using FortiSOAR™ playbooks. Add the Symantec ICDX connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving events using a search operation.
Version information
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-symantec-icdx
For the detailed procedure to install a connector, click here
Prerequisites to configuring the connector
- You must have the URL of the Symantec ICDX server to which you will connect and perform the automated operations and credentials (username-password pair) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the connectors page, select the Symantec ICDX connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Server URL |
URL of the Symantec ICDX server to which you will connect and perform the automated operations. |
| Port |
Port of the Symantec ICDX server. |
| Username |
Username that is used to access the Symantec ICDX server to which you will connect and perform the automated operations. |
| Password |
Password that is used to access the Symantec ICDX server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from CyOPsTM release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Search Events |
Searches for and retrieves information about events from the Symantec ICDX server, based on the input parameters or query that you have specified. |
search_events
Investigation |
operation: Search Events
Input parameters
| Parameter |
Description |
| Attribute |
Attribute of categories data based on which you want to retrieve information about events from the Symantec ICDX server.
You can choose from the following options: Category, Collect Name, Device Group, Device IP Address, Device Name, Device OS, Disposition, Feature Name, Feature Version, Product Name, Product Version, Severity, Type, Type String, or Username. |
| Attribute Value |
Value of the attribute based on the which you want to retrieve information about events from the Symantec ICDX server.
For example, if you have selected Product Name, then you can enter Symantec Web Security Service in this field. |
| Filter by Event Type |
(Optional) Search criteria for sorting data retrieved from the Symantec ICDX server. |
| Event Attribute |
(Optional) Attribute of event based on which you want to retrieve information about events from the Symantec ICDX server. Event attributes enable you to search for exact data on the Symantec ICDX server.
You can choose from the following options: Connection, Actor, BIOS Date, BIOS Manufacturer, BIOS Version, Category, Collected Time, Collector Details, Collector Device IP, Collector Device Name, Collector Name, Device Group, Device IP Address, Device Name, Device OS, Disposition, Feature Name, Feature Version, Product Name, Product Version, Severity, Type, Type String, or Username. |
| Attribute Value |
(Optional) Value of the event attribute based on the which you want to retrieve information about events from the Symantec ICDX server.
For example, if you have selected Severity, then you can enter severity of the event based on which you want to retrieve information about events from the Symantec ICDX server.
|
| Time Span |
Time range for which you want to retrieve information about events from the Symantec ICDX server.
You can choose from the following options: Last 24 Hours, Last 8 Hours, Last 4 Hours, Last 1 Hour, Last 30 Minutes, Last 10 Minutes, or Custom Time. If you choose Custom Time, then you have to specify the start date and time from when you want to retrieve information about events on the Symantec ICDX server and the end start and time till when you want to search for events on the Symantec ICDX server |
| Number of Records Limit |
(Optional) Maximum number of records you want this operation to return.
|
| Pagination ID |
(Optional) Link value of the next page. Specify this field only if you want to get results on the next page. |
| Advanced Query |
Complex query based on which you want to retrieve information about events from the Symantec ICDX server.
“@8007:product_name = "Symantec Web Security Service" AND @8007:collector_name = "ubuntu" @8060:collector_device_ip = "1.1.1.1"”
Note: If you provide an Open Query, then Search Criteria, Event Attribute, Event Attribute Value parameters are ignored. |
Output
The JSON output contains information about events based on the query and other input parameters that you have specified, retrieved from the Symantec ICDX server.
The output contains a non-dictionary value.
Included playbooks
The Sample - Symantec ICDX - 1.0.0 playbook collection comes bundled with the Symantec ICDX connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec ICDX connector.
- Search Events Example 1
- Search Events Example 2
- Search Events Example 3
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
