Symantec MSS v1.0.0

About the connector

Symantec™ Managed Security Services (MSS) provides round-the-clock security monitoring powered by big data analytics, equipping you with the strategic insights you need to prioritize and respond to critical incidents—as well as build the strategies required to protect your organization’s assets, reputation, and viability.

This document provides information about the Symantec MSS connector, which facilitates automated interactions with a Symantec MSS server using FortiSOAR™ playbooks. Add the Symantec MSS connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of all organizations and persons within each organization from Symantec MSS, or retrieving a list of security incidents from Symantec MSS based on the search parameters you have specified.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 5.1.1-69

Authored By: Fortinet

Certified: Yes

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:

yum install cyops-connector-symantec-mss

Prerequisites to configuring the connector

  • You must have the URL of the Symantec MSS server to which you will connect and perform automated operations, and the certificate file used to access that server.
  • To use the Symantec MSS connector, you must be assigned at least one of the following roles in Symantec MSS: Administrator, Incident Manager, Incident Reviewer or Asset Manager.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Symantec MSS connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Server URL where your SWS (Secure Web Service) is installed.
Certificate File Certificate .pem file used to connect to the Symantec MSS server.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.
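The three parameters above map directly onto how the connector's TLS client is set up. The following helper is an added example written for this page, not code from the connector: it turns Server URL, Certificate File and Verify SSL into a Python ssl.SSLContext using only the standard library, so you can see exactly what clearing Verify SSL gives up (both the certificate-chain check and the host name check). The function name build_tls_context and the verification_summary helper are assumptions of the example.

```python
import ssl
from urllib.parse import urlparse


def build_tls_context(server_url, cert_file=None, verify_ssl=True):
    """Return (host, port, SSLContext) for the configured Symantec MSS server.

    Mirrors the connector's configuration parameters:
      server_url  -> Server URL (must be https)
      cert_file   -> Certificate File (.pem presented as the client certificate)
      verify_ssl  -> Verify SSL (default True)
    Hypothetical helper written for this page, not connector code.
    """
    parsed = urlparse(server_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("Server URL must be an https:// URL with a host name")

    # create_default_context() loads the system CA store and sets
    # verify_mode=CERT_REQUIRED plus check_hostname=True.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    if cert_file:
        # Client certificate and key presented to the SWS endpoint.
        ctx.load_cert_chain(certfile=cert_file)

    if not verify_ssl:
        # Verify SSL = False: the server's identity is no longer checked at all.
        # check_hostname has to be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    return parsed.hostname, parsed.port or 443, ctx


def verification_summary(ctx):
    """Report which identity checks a context will actually perform."""
    return {
        "hostname_checked": bool(ctx.check_hostname),
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


if __name__ == "__main__":
    # Constructed example server name; no connection is made here.
    host, port, ctx = build_tls_context("https://mss.example.invalid/sws")
    print(host, port, verification_summary(ctx))
    _, _, weak = build_tls_context("https://mss.example.invalid/sws", verify_ssl=False)
    print(verification_summary(weak))
```

Keep Verify SSL at its default of True in production: with it cleared, any host that terminates the TLS connection can read and modify the incident and ticket data the playbook exchanges with MSS.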

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get Organizations and Person List Retrieves a list of all organizations and persons within each organization from Symantec MSS. get_incident_organization
Investigation
Get List of Incident Retrieves a list of security incidents from Symantec MSS based on the search parameters you have specified.
Note: If a parameter is left blank or null, then this operation will return incidents matching all values.
incident_get_list
Investigation
Query Incident Retrieves details of a specific incident either with or without the workflow information from Symantec MSS based on the incident ID and other input parameters you have specified. incident_query
Investigation
Get Incident Attachment Retrieves the contents of a specific attachment associated with a specific incident from Symantec MSS based on the incident ID and attachment ID you have specified. incident_get_attachment
Investigation
Incident Add Attachment Adds an attachment to a specific incident in Symantec MSS based on the incident ID and other input parameters you have specified. incident_add_attachment
Investigation
Update Incident Workflow Updates the incident workflow in Symantec MSS based on the incident ID, status, resolution, severity, and other input parameters you have specified. update_incident_workflow
Investigation
Get User Devices Retrieves a list of all the devices that you are able to see under your organizational hierarchy from Symantec MSS. user_get_devices
Investigation
Get Ticket List Retrieves a list of tickets from Symantec MSS based on the search parameters you have specified.
Note: If a parameter is left blank or null, then this operation will return tickets matching all values.
ticket_get_list
Investigation
Query Ticket Retrieves details of a specific ticket from Symantec MSS based on the ticket ID or client reference you have specified. ticket_query
Investigation
Get List of Ticket Attachment Retrieves a list of attachments (only the FileName and AttachmentOID of each attachment) from Symantec MSS based on the ticket ID you have specified. ticket_get_attachment_list
Investigation
Get Ticket Attachment Retrieves the contents of a specific attachment associated with a specific ticket from Symantec MSS based on the ticket ID and attachment OID you have specified. ticket_get_attachment_contents
Investigation
Delete Ticket Attachments Deletes specific attachments from a specific ticket in Symantec MSS based on the ticket ID, attachment OID, and other input parameters you have specified. ticket_delete_attachments

operation: Get Organizations and Person List

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
  "Persons": {
    "Person": []
  },
  "OrganizationName": ""
}

operation: Get List of Incident

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Severity Select the severity based on which you want to retrieve a list of incidents from Symantec MSS, or specify a comma-delimited list of valid security incident severities that are set by MSS and based on which you want to retrieve the list of incidents from Symantec MSS.
This operation uses the get_incident_severities API Operation. This parameter makes an API call named "get_incident_severities" to dynamically populate its drop-down selections.
You can choose from the following options: Informational, Warning, Critical, or Emergency.
Source Organization Comma-delimited list of valid source organizations based on which you want to retrieve a list of incidents from Symantec MSS. You can retrieve source organization information using the "Get Organizations and Person List" operation.
Destination Organization Comma-delimited list of valid destination organizations based on which you want to retrieve a list of incidents from Symantec MSS. You can retrieve destination organization information using the "Get Organizations and Person List" operation.
Max Incidents Maximum number of incidents that this operation should return.
Source IP Comma-delimited list of valid source IP addresses based on which you want to retrieve a list of incidents from Symantec MSS.
Category Select the category based on which you want to retrieve a list of incidents from Symantec MSS, or specify a comma-delimited list of valid security incident categories that are set by MSS and based on which you want to retrieve the list of incidents from Symantec MSS.
This operation uses the get_incident_categories API Operation. This parameter makes an API call named "get_incident_categories" to dynamically populate its drop-down selections.
You can choose from options such as Unassigned, Authorized Scanning/Penetration Testing, Denial of Service, or Emerging Threats, etc.
Exclude Category Select the category that you want to exclude from the list of incidents retrieved from Symantec MSS, or specify a comma-delimited list of valid security incident categories that are set by MSS, which you want to exclude from the list of incidents retrieved from Symantec MSS.
This operation uses the get_incident_categories API Operation. This parameter makes an API call named "get_incident_categories" to dynamically populate its drop-down selections.
You can choose from options such as Unassigned, Authorized Scanning/Penetration Testing, Denial of Service, or Emerging Threats, etc.
Get List of Recent Incident Searches for the latest incidents in Symantec MSS based on the created timestamp, updated timestamp, or LatestKeyEvent timestamp of the incidents.
If you select this checkbox, i.e., set it to true, then you must specify the following parameter:
  • Start Time: Specific DateTime or created timestamp from when you want to return incidents created in Symantec MSS.
If you clear this checkbox, i.e., set it to false, then you must specify the following parameters:
  • Start Time: Specific DateTime or created timestamp from when you want to return incidents created in Symantec MSS.
  • Customer Severity: Comma-delimited list of valid security incident severities set by customers.
End Time DateTime or created timestamp until which you want to return incidents created in Symantec MSS.
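Most of the inputs above are comma-delimited lists, and a blank input means "no filter" rather than "match nothing". The following is an added example for this page, not connector code: it shows how a playbook step's raw inputs can be normalized into a filter before they are sent to MSS, dropping blank values, trimming stray whitespace around list items, rejecting severities outside the documented set, checking Source IP entries with the ipaddress module, and refusing a time window whose End Time precedes its Start Time. The function names split_csv and build_incident_filter, the lower-case input keys, and the filter key names are assumptions of the example; the allowed severity values are the four listed on this page.

```python
import ipaddress
from datetime import datetime

# Severity values documented for the Get List of Incident operation.
SEVERITIES = ("Informational", "Warning", "Critical", "Emergency")

# Hypothetical input-key -> filter-field mapping used by this example only.
LIST_FIELDS = (
    ("source_organization", "SourceOrganization"),
    ("destination_organization", "DestOrganization"),
    ("category", "Category"),
    ("exclude_category", "ExcludeCategory"),
    ("customer_severity", "CustomerSeverity"),
)


def split_csv(value):
    """'Critical, Emergency,' -> ['Critical', 'Emergency']; blank or None -> []."""
    if value is None:
        return []
    parts = [str(v) for v in value] if isinstance(value, (list, tuple)) else str(value).split(",")
    return [p.strip() for p in parts if p.strip()]


def build_incident_filter(params):
    """Turn a step's inputs into the filter that would be sent; empty inputs are omitted."""
    filt = {}

    severities = split_csv(params.get("severity"))
    unknown = [s for s in severities if s not in SEVERITIES]
    if unknown:
        raise ValueError(f"unknown severity value(s): {unknown}")
    if severities:
        filt["Severity"] = severities

    for key, field in LIST_FIELDS:
        values = split_csv(params.get(key))
        if values:
            filt[field] = values

    ips = split_csv(params.get("source_ip"))
    if ips:
        # ip_address() raises ValueError on anything that is not a literal address.
        filt["SourceIP"] = [str(ipaddress.ip_address(ip)) for ip in ips]

    if params.get("max_incidents") not in (None, ""):
        limit = int(params["max_incidents"])
        if limit <= 0:
            raise ValueError("Max Incidents must be a positive integer")
        filt["MaxIncidents"] = limit

    start = params.get("start_time")
    end = params.get("end_time")
    if start:
        filt["StartTime"] = datetime.fromisoformat(start)
    if end:
        filt["EndTime"] = datetime.fromisoformat(end)
    if start and end and filt["EndTime"] < filt["StartTime"]:
        raise ValueError("End Time must not be earlier than Start Time")

    filt["GetRecent"] = bool(params.get("get_recent", False))
    return filt


if __name__ == "__main__":
    # Constructed step inputs, as a playbook author might type them.
    print(build_incident_filter({
        "severity": " Critical, Emergency ",
        "category": "",
        "source_ip": "10.0.0.5, 192.0.2.7",
        "max_incidents": "50",
        "start_time": "2020-01-01T00:00:00",
        "end_time": "2020-01-02T00:00:00",
    }))
```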

Output

The output contains the following populated JSON schema:
{
  "SourceIPString": "",
  "FirstSeenGlobally": "",
  "LatestKeyEvent": "",
  "UpdateTimestampGMT": "",
  "FirstSeenInLast30Days": "",
  "Correlation": "",
  "DaysSeenGlobally": "",
  "CountryCode": "",
  "TimeCreated": "",
  "Severity": "",
  "Classification": "",
  "DestOrganizationName": "",
  "CountryName": "",
  "GlobalLookbackDays": "",
  "UserList": "",
  "SourceOrganizationName": "",
  "PrevalenceGlobally": "",
  "CountryOfOrigin": "",
  "CustomerSeverity": "",
  "IncidentNumber": "",
  "Category": "",
  "DaysSeenInLast30Days": "",
  "HostNameList": "",
  "IsInternalExternal": ""
}

operation: Query Incident

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose details you want to retrieve from Symantec MSS.
Max Signatures (Optional) Maximum number of signatures to be retrieved for the specific incident from Symantec MSS.
Get Incident Workflow Select this option to retrieve the incident details together with the workflow information for the specified incident number.

Output

The output contains one of the following populated JSON schemas, depending on whether Get Incident Workflow is selected. The first schema is the one that includes the workflow information (WorkFlowDetail, ActivityLogs, IncidentAttachmentItems, IncidentComments, IsGroupIncidentAvailable and RelatedIncidents):
{
  "SecurityIncident": {
    "AnalystAssessment": "",
    "Description": "",
    "CountryCode": "",
    "Correlation": "",
    "SourceOrganizationList": {
      "Organization": {
        "OrganizationName": ""
      }
    },
    "ActivityLogs": {
      "Activity": [
        {
          "NewValue": "",
          "ActivityBy": "",
          "ActivityDateGMT": "",
          "OldValue": "",
          "FieldName": ""
        }
      ]
    },
    "@xmlns:xsi": "",
    "TimeCreated": "",
    "RelatedTickets": "",
    "Severity": "",
    "DestinationOrganizationList": {
      "Organization": {
        "OrganizationName": ""
      }
    },
    "WorkFlowDetail": {
      "Resolution": "",
      "Status": "",
      "AssignedPerson": "",
      "AssignedOrganization": "",
      "Reference": "-"
    },
    "CountryName": "",
    "IncidentNumber": "",
    "IncidentAttachmentItems": {
      "IncidentAttachmentItem": [
        {
          "UploadBy": "",
          "Comment": "",
          "AttachmentName": "",
          "UploadDateGMT": "",
          "AttachmentNumber": ""
        }
      ]
    },
    "IsGroupIncidentAvailable": "",
    "IncidentComments": {
      "IncidentComment": [
        {
          "CommentedBy": "",
          "Comment": "",
          "CommentedTimeStampGMT": ""
        }
      ]
    },
    "@xmlns": "",
    "@xmlns:xsd": "",
    "NumberOfAnalyzedSignatures": "",
    "Classification": "",
    "SignatureList": {
      "Signature": [
        {
          "SourceIPString": "",
          "FirstSeenGlobally": "",
          "FirstSeenInLast30Days": "",
          "SourceOrganizationList": "",
          "CountryCode": "",
          "CountryName": "",
          "TimeCreated": "",
          "CorrelatedEvent": "",
          "FileDetails": "",
          "DestinationOrganizationList": "",
          "SourceIPAddressBinary": "",
          "Classification": "",
          "ReportingDeviceList": "",
          "NumberNotBlocked": "",
          "VendorSignature": "",
          "GlobalLookbackDays": "",
          "CorrelatedEventList": "",
          "HostName": "",
          "PrevalenceGlobally": "",
          "SourceHostDetailList": "",
          "SourceIPAddressBinarySQL": "",
          "AffectedAssetList": "",
          "NumberBlocked": "",
          "Category": "",
          "SignatureNumber": "",
          "Outcome": "",
          "NetworkRanges": {
            "NetworkRange": {
              "NetworkRangeName": "",
              "NetworkRangeIPs": ""
            }
          },
          "DaysSeenGlobally": "",
          "DaysSeenInLast30Days": "",
          "IsKey": "true",
          "SignatureName": ""
        }
      ]
    },
    "RelatedIncidents": ""
  }
}

The second schema is returned without the workflow information:
{
  "SecurityIncident": {
    "AnalystAssessment": "",
    "Description": "",
    "CountryCode": "",
    "Severity": "",
    "Correlation": "",
    "SourceOrganizationList": {
      "Organization": {
        "OrganizationName": ""
      }
    },
    "@xmlns:xsi": "",
    "TimeCreated": "",
    "RelatedTickets": "",
    "@xmlns": "",
    "DestinationOrganizationList": {
      "Organization": {
        "OrganizationName": ""
      }
    },
    "@xmlns:xsd": "",
    "Classification": "",
    "NumberOfAnalyzedSignatures": "",
    "CountryName": "",
    "IncidentNumber": "",
    "SignatureList": {
      "Signature": [
        {
          "SourceIPString": "",
          "FirstSeenGlobally": "",
          "SourceHostDetailList": "",
          "DaysSeenGlobally": "",
          "CountryCode": "",
          "TimeCreated": "",
          "NumberNotBlocked": "",
          "FileDetails": "",
          "SignatureNumber": "",
          "Outcome": "",
          "DaysSeenInLast30Days": "",
          "ReportingDeviceList": "",
          "CountryName": "",
          "GlobalLookbackDays": "",
          "CorrelatedEventList": "",
          "HostName": "",
          "AffectedAssetList": "",
          "VendorSignature": "",
          "SourceIPAddressBinarySQL": "",
          "PrevalenceGlobally": "",
          "NumberBlocked": "",
          "Category": "",
          "SourceOrganizationList": "",
          "DestinationOrganizationList": "",
          "FirstSeenInLast30Days": "",
          "NetworkRanges": {
            "NetworkRange": {
              "NetworkRangeIPs": "",
              "NetworkRangeName": ""
            }
          },
          "CorrelatedEvent": "",
          "SourceIPAddressBinary": "",
          "Classification": "",
          "IsKey": "",
          "SignatureName": ""
        }
      ]
    }
  }
}

operation: Get Incident Attachment

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose associated attachment contents you want to retrieve from Symantec MSS.
Attachment ID ID of the attachment that you want to download from Symantec MSS.
To get the Attachment ID for the incident, refer to the Query Incident operation's output: SecurityIncident -> IncidentAttachmentItems -> IncidentAttachmentItem -> AttachmentNumber.
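The Query Incident output is XML converted to JSON, and the schemas on this page show the consequence: a repeated element arrives as an array (IncidentAttachmentItem, Activity, Signature) while a single element arrives as a plain object (Organization, NetworkRange). A playbook that indexes IncidentAttachmentItem[0] therefore works on an incident with two attachments and fails on one with exactly one. The following is an added example written for this page, not connector code: it normalizes that single-versus-list shape before walking the path above to collect the AttachmentNumber values that Get Incident Attachment needs, and also reads IsGroupIncidentAvailable, which Update Incident Workflow's Is Group Update option depends on. The function names as_list, attachment_numbers and group_incident_available, and the sample output, are constructed for the example.

```python
# Constructed sample of a Query Incident output. It follows the schema on this
# page; the values are invented and the single attachment is deliberately an
# object rather than a one-element array.
SAMPLE_QUERY_OUTPUT = {
    "SecurityIncident": {
        "IncidentNumber": "EXAMPLE-0001",
        "IsGroupIncidentAvailable": "false",
        "IncidentAttachmentItems": {
            "IncidentAttachmentItem": {
                "UploadBy": "analyst",
                "Comment": "packet capture",
                "AttachmentName": "capture.pcap",
                "UploadDateGMT": "2020-01-01T00:00:00",
                "AttachmentNumber": "1",
            }
        },
    }
}


def as_list(node):
    """Normalize XML-derived JSON: missing/empty -> [], single object -> [obj], list -> list."""
    if node is None or node == "":
        return []
    if isinstance(node, list):
        return node
    return [node]


def attachment_numbers(query_output):
    """Return the AttachmentNumber of every attachment on a Query Incident result."""
    incident = query_output.get("SecurityIncident") or {}
    # An incident with no attachments may carry "" instead of an object here.
    container = incident.get("IncidentAttachmentItems")
    if not isinstance(container, dict):
        return []
    items = as_list(container.get("IncidentAttachmentItem"))
    return [str(item["AttachmentNumber"]) for item in items if "AttachmentNumber" in item]


def group_incident_available(query_output):
    """True when related incidents exist, i.e. when Is Group Update would have any effect."""
    incident = query_output.get("SecurityIncident") or {}
    return str(incident.get("IsGroupIncidentAvailable", "")).strip().lower() == "true"


if __name__ == "__main__":
    print(attachment_numbers(SAMPLE_QUERY_OUTPUT))
    print(group_incident_available(SAMPLE_QUERY_OUTPUT))
```

The same as_list treatment applies to the Ticket attachment list on this page, where Attachment is likewise shown as a single object.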

Output

The output contains the following populated JSON schema:
{
  "file_iri": "",
  "attachments_iri": ""
}

operation: Incident Add Attachment

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC to which you want to add an attachment.
Reference ID UUID value of the attachment that you want to add to the specified incident.
Supported attachment types are: .doc, .docx, .pdf, .txt, .ppt, .pptx, .xls, .xlsx, .csv, .jpg, .png, .jpeg, .bmp. This list is subject to change at our discretion to better serve our customers. Attachment size must be less than or equal to 15 MB.
Attachment Comment (Optional) Comment that you want to associate with the attachment.
File Details Selecting this checkbox, i.e., setting it to true, retrieves the details of the attached file, including its Attachment ID.
Clearing this checkbox, i.e., setting it to false, returns only the count of successfully uploaded attachments.

Output

The output contains the following populated JSON schema:
{
  "Incident": {
    "@xmlns": "",
    "FilesRejected": "",
    "IncidentNumber": "",
    "FilesAttached": {
      "File": {
        "Name": "",
        "AttachmentID": ""
      }
    }
  }
}

operation: Update Incident Workflow

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose workflow you want to update in Symantec MSS.
Status Select the status that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident statuses that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_status API Operation. This parameter makes an API call named "get_incident_status" to dynamically populate its drop-down selections.
You can choose from the following options: New, In Progress, or Closed.
Resolution Select the resolution that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident resolutions that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_status_resolution API Operation. This parameter makes an API call named "get_incident_status_resolution" to dynamically populate its drop-down selections.
You can choose from the following options: False Positive, Resolved, Deferred, or No Action.
Severity Select the severity that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident severities that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_severities API Operation. This parameter makes an API call named "get_incident_severities" to dynamically populate its drop-down selections.
You can choose from the following options: Informational, Warning, Critical, or Emergency.
Is Group Update Select this option to update the workflow changes of the specific incident to related incidents.
Note: This is applicable only if related incidents are available. To find out whether any related incident is associated with this incident, refer to the Query Incident operation's output (or the IncidentQuery API): SecurityIncident -> IsGroupIncidentAvailable.
Assigned to Organization (Optional) Updates the incident assignment to the specified organization.
To find the organization name to use, take it from the "Get Organizations and Person List" operation's output: IncidentAssignOrganization -> OrganizationName.
Note: You must specify either Assigned to Organization or Assigned to Person for this operation.
Assigned to Person (Optional) Updates the incident assignment to the specified person (user).
To find the person to use, take it from the "Get Organizations and Person List" operation's output: IncidentAssignOrganization -> OrganizationName -> Persons -> Person.
Note: You must specify either Assigned to Organization or Assigned to Person for this operation.
Comments (Optional) Comments that you want to associate with this update.
Reference (Optional) References that you want to associate with this update.

Output

The output contains the following populated JSON schema:
{
  "soap:Envelope": {
    "soap:Body": {
      "UpdateIncidentWorkflowResponse": {
        "UpdateIncidentWorkflowResult": "",
        "@xmlns": ""
      }
    },
    "@xmlns:xsd": "",
    "@xmlns:soap": "",
    "@xmlns:xsi": ""
  }
}

operation: Get User Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
  "SearchCode": "",
  "Status": "",
  "LastLogReceived": "",
  "DeviceName": "",
  "OwnerOrganization": "",
  "ChangeManager": ""
}

operation: Get Ticket List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Time Start Datetime (created time or modified time) from when you want to retrieve tickets from Symantec MSS.
End Time End Datetime (created time or modified time) till when you want to retrieve tickets from Symantec MSS.
Status Select the status based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket statuses that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_statuses API Operation. This parameter makes an API call named "ticket_get_statuses" to dynamically populate its drop-down selections.
You can choose from options such as Approved, Assigned, Awaiting Approval, Informed, Internal Escalation, etc.
Ticket Category Select the category based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket categories that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_categories API Operation. This parameter makes an API call named "ticket_get_categories" to dynamically populate its drop-down selections.
You can choose from options such as Add New Detection, Alarm, Alarm / Log Delay, Change, Change / Policy Change, etc.
Urgency Select the urgency based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket urgencies that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_urgencies API Operation. This parameter makes an API call named "ticket_get_urgencies" to dynamically populate its drop-down selections.
You can choose from the following options: Low, Routine, High, or Critical.
Ticket ID Comma-delimited list of valid MSS ticket numbers based on which you want to retrieve a list of tickets from Symantec MSS.
Client Reference Comma-delimited list of client reference values based on which you want to retrieve a list of tickets from Symantec MSS. Since some ClientReference values may have commas, the individual values are matched using a LIKE operator.
Device Comma-delimited list of valid device names based on which you want to retrieve a list of tickets from Symantec MSS. You can find a device name by using the "Get User Devices" operation.
Requested By Organization Select the organization that requested the tickets you want to retrieve from Symantec MSS, or specify a comma-delimited list of valid requesting organizations, as set by MSS, whose tickets you want to retrieve from Symantec MSS.
This operation uses the user_get_organization API Operation. This parameter makes an API call named "user_get_organization" to dynamically populate its drop-down selections.
Assigned to Organization Select the organization to which the tickets you want to retrieve from Symantec MSS are assigned, or specify a comma-delimited list of valid assigned-to organizations, as set by MSS, whose tickets you want to retrieve from Symantec MSS.
This operation uses the user_get_organization API Operation. This parameter makes an API call named "user_get_organization" to dynamically populate its drop-down selections.
Max Tickets Maximum number of tickets that this operation should return.
Get Ticket Recent List Select this checkbox to search for tickets based on the created timestamp and updated timestamps for the following parameters: Request comments/Activity Log, Client Reference, or Assigned to.

Output

The output contains the following populated JSON schema:
{
  "Urgency": "",
  "UpdateTimestampGMT": "",
  "Description": "",
  "CreatedDate": "",
  "ClosureCodeString": "",
  "RelatedTickets": "",
  "LastModifiedDate": "",
  "RequestedByOrgID": "",
  "Status": "",
  "TicketCategory": "",
  "TicketID": "",
  "AssignedToOrgName": "",
  "RelatedDeviceList": "",
  "RequestedByPersonName": "",
  "Active": "",
  "ClosedDate": "",
  "RelatedSecurityIncidents": "",
  "LastUpdated": "",
  "Deadline": "",
  "AssignedToOrgID": "",
  "RequestedByOrgName": "",
  "ClientReference": ""
}

operation: Query Ticket

Input parameters

Parameter Description
Ticket ID ID of the ticket in the SOC whose details you want to retrieve from Symantec MSS.
Note: If you specify both the ticket ID and the client reference ticket number, then the ticket ID will be used by this operation.
Client Reference Customer reference ticket number that was specified during ticket creation (currently, through the portal) of the ticket whose details you want to retrieve from Symantec MSS.

Output

The output contains the following populated JSON schema:
{
  "Ticket": {
    "Urgency": "",
    "UpdateTimestampGMT": "",
    "Description": "",
    "CreatedDate": "",
    "ClosureCodeString": "",
    "ActivityLog": "",
    "@xmlns:xsi": "",
    "RelatedTickets": "",
    "LastModifiedDate": "",
    "TicketID": "",
    "RequestedByOrgID": "",
    "Status": "",
    "TicketCategory": "",
    "RelatedDeviceList": "",
    "AssignedToOrgName": "",
    "Active": "",
    "RequestedByPersonName": "",
    "ClosedDate": "",
    "@xmlns": "",
    "@xmlns:xsd": "",
    "RelatedSecurityIncidents": "",
    "LastUpdated": "",
    "Deadline": "",
    "AssignedToOrgID": "",
    "RequestedByOrgName": "",
    "ClientReference": ""
  }
}

operation: Get List of Ticket Attachment

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated list of attachments you want to retrieve from Symantec MSS.

Output

The output contains the following populated JSON schema:
{
  "Attachments": {
    "@xmlns": "",
    "Attachment": {
      "FileName": "",
      "AttachmentOID": ""
    }
  }
}

operation: Get Ticket Attachment

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated attachment contents you want to retrieve from Symantec MSS.
Attachment Item OID OID of the attachment item that you want to download from Symantec MSS.
To get the Attachment Item OID for the ticket, use the "Get List of Ticket Attachment" operation.
Is All Attachments Required Selecting this checkbox, i.e., setting it to true, retrieves all the attachments associated with the specified ticket ID.
Clearing this checkbox, i.e., setting it to false, fetches only the attachment that matches the specified Attachment Item OID and Ticket ID.

Output

The output contains the following populated JSON schema:
{
  "file_iri": "",
  "attachments_iri": ""
}

operation: Delete Ticket Attachments

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated attachments you want to delete from Symantec MSS.
Attachment OID AttachmentOID array that you want to delete from the specified ticket in Symantec MSS.
Update Comment (Optional) Comments that you want to associate with deletion of the attachments.
Retry Attempts (Optional) Number of times this operation should retry in case of failures.

Output

The output contains the following populated JSON schema:
{
  "TicketIDs": {
    "@xmlns": "",
    "isFiledDeleted": "",
    "isMatchFound": "",
    "isHistoryLineSaved": "",
    "isCommentSaved": ""
  }
}

Included playbooks

The Sample - Symantec MSS - 1.0.0 playbook collection comes bundled with the Symantec MSS connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Symantec MSS connector.

  • Delete Ticket Attachments
  • Get Incident Attachment
  • Get List of Incident
  • Get List of Ticket Attachment
  • Get Organizations and Person List
  • Get Ticket Attachment Contents
  • Get Ticket List
  • Get User Devices
  • Incident Add Attachment
  • Query Incident
  • Query Ticket
  • Update Incident Workflow

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.


Exclude Category Select the category that you want to exclude from the list of incidents retrieved from Symantec MSS, or specify a comma-delimited list of valid security incident categories that are set by MSS, which you want to exclude from the list of incidents retrieved from Symantec MSS.
This operation uses the get_incident_categories API Operation. This parameter makes an API call named "get_incident_categories" to dynamically populate its drop-down selections.
You can choose from options such as Unassigned, Authorized Scanning/Penetration Testing, Denial of Service, or Emerging Threats, etc.
Get List of Recent Incident Searches for a list of the latest incidents in Symantec MSS based on the created timestamp, updated timestamp, or LatestKeyEvent timestamp of the incidents.
If you select this checkbox, i.e., set it to true, then you must specify the following parameter:
  • Start Time: Specific DateTime or created timestamp from which you want to return incidents created in Symantec MSS.
If you clear this checkbox, i.e., set it to false, then you must specify the following parameters:
  • Start Time: Specific DateTime or created timestamp from which you want to return incidents created in Symantec MSS.
  • Customer Severity: Comma-delimited list of valid security incident severities set by customers.
End Time DateTime or created timestamp until which you want to return incidents created in Symantec MSS.
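As an added illustration (not code from the connector or from Fortinet), the following Python helper shows how a playbook author might assemble the filter above before invoking the operation: comma-delimited values are split and trimmed, blank parameters are dropped so that an empty call stays an unfiltered search, severities are checked against the four documented values, source IPs are checked for syntax, and a category that is both included and excluded is rejected. The function names, the dictionary keys and the ISO 8601 timestamp format are assumptions; the connector's actual parameter names and date format are those shown in the FortiSOAR UI.

```python
import ipaddress
from datetime import datetime

# Severity values listed in the parameter table above.
INCIDENT_SEVERITIES = {"Informational", "Warning", "Critical", "Emergency"}


def split_csv(value):
    """Turn a comma-delimited parameter into a list of trimmed, non-empty items.

    None, "" and whitespace-only input yield [], mirroring the rule that an
    unspecified parameter applies no filter.
    """
    if value is None:
        return []
    items = value if isinstance(value, (list, tuple)) else str(value).split(",")
    return [str(item).strip() for item in items if item is not None and str(item).strip()]


def parse_time(value):
    """Parse a timestamp parameter.

    ISO 8601 is an assumption here; the page does not state the exact
    format the operation expects.
    """
    return datetime.fromisoformat(str(value).strip())


def build_incident_filter(severity=None, source_organization=None,
                          destination_organization=None, source_ip=None,
                          category=None, exclude_category=None,
                          max_incidents=None, recent=False, start_time=None,
                          end_time=None, customer_severity=None):
    """Assemble the Get List of Incident filter as a dict of supplied values only.

    Calling with no arguments returns {} (an unfiltered search). Values the
    operation would not accept raise ValueError before any call is made.
    The dict keys are hypothetical, not the connector's parameter names.
    """
    params = {}

    severities = split_csv(severity)
    unknown = [s for s in severities if s not in INCIDENT_SEVERITIES]
    if unknown:
        raise ValueError("unknown severity: " + ", ".join(unknown))
    if severities:
        params["severity"] = severities

    ips = split_csv(source_ip)
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    if ips:
        params["source_ip"] = ips

    # Free-text comma-delimited lists: keep them only when non-empty.
    for key, value in (("source_organization", source_organization),
                       ("destination_organization", destination_organization),
                       ("category", category),
                       ("exclude_category", exclude_category),
                       ("customer_severity", customer_severity)):
        items = split_csv(value)
        if items:
            params[key] = items

    # A category that is both included and excluded can never match anything.
    clash = set(params.get("category", ())) & set(params.get("exclude_category", ()))
    if clash:
        raise ValueError("category both included and excluded: " + ", ".join(sorted(clash)))

    if max_incidents is not None:
        limit = int(max_incidents)
        if limit <= 0:
            raise ValueError("max_incidents must be a positive integer")
        params["max_incidents"] = limit

    if start_time is not None:
        params["start_time"] = parse_time(start_time)
    if end_time is not None:
        params["end_time"] = parse_time(end_time)
    if "start_time" in params and "end_time" in params \
            and params["end_time"] < params["start_time"]:
        raise ValueError("end_time precedes start_time")

    if recent:
        params["recent"] = True
    return params


def rejects(**kwargs):
    """True if build_incident_filter refuses the given arguments."""
    try:
        build_incident_filter(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_incident_filter(severity="Critical, Emergency",
                                source_ip="10.0.0.5, 192.0.2.10",
                                max_incidents="50",
                                start_time="2020-01-01T00:00:00"))
```

Validating the enumerated values locally is cheap insurance: the drop-downs are populated by API calls, but a playbook that passes a literal string bypasses them, and a misspelt severity or category otherwise surfaces only as a failed step at run time.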

Output

The output contains the following populated JSON schema:
{
"SourceIPString": "",
"FirstSeenGlobally": "",
"LatestKeyEvent": "",
"UpdateTimestampGMT": "",
"FirstSeenInLast30Days": "",
"Correlation": "",
"DaysSeenGlobally": "",
"CountryCode": "",
"TimeCreated": "",
"Severity": "",
"Classification": "",
"DestOrganizationName": "",
"CountryName": "",
"GlobalLookbackDays": "",
"UserList": "",
"SourceOrganizationName": "",
"PrevalenceGlobally": "",
"CountryOfOrigin": "",
"CustomerSeverity": "",
"IncidentNumber": "",
"Category": "",
"DaysSeenInLast30Days": "",
"HostNameList": "",
"IsInternalExternal": ""
}

operation: Query Incident

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose details you want to retrieve from Symantec MSS.
Max Signatures (Optional) Maximum number of signatures to be retrieved for the specific incident from Symantec MSS.
Get Incident Workflow Select this option to retrieve incident details together with workflow information for the specified incident number.

Output

The output contains the following populated JSON schema:
{
"SecurityIncident": {
"AnalystAssessment": "",
"Description": "",
"CountryCode": "",
"Correlation": "",
"SourceOrganizationList": {
"Organization": {
"OrganizationName": ""
}
},
"ActivityLogs": {
"Activity": [
{
"NewValue": "",
"ActivityBy": "",
"ActivityDateGMT": "",
"OldValue": "",
"FieldName": ""
}
]
},
"@xmlns:xsi": "",
"TimeCreated": "",
"RelatedTickets": "",
"Severity": "",
"DestinationOrganizationList": {
"Organization": {
"OrganizationName": ""
}
},
"WorkFlowDetail": {
"Resolution": "",
"Status": "",
"AssignedPerson": "",
"AssignedOrganization": "",
"Reference": "-"
},
"CountryName": "",
"IncidentNumber": "",
"IncidentAttachmentItems": {
"IncidentAttachmentItem": [
{
"UploadBy": "",
"Comment": "",
"AttachmentName": "",
"UploadDateGMT": "",
"AttachmentNumber": ""
}
]
},
"IsGroupIncidentAvailable": "",
"IncidentComments": {
"IncidentComment": [
{
"CommentedBy": "",
"Comment": "",
"CommentedTimeStampGMT": ""
}
]
},
"@xmlns": "",
"@xmlns:xsd": "",
"NumberOfAnalyzedSignatures": "",
"Classification": "",
"SignatureList": {
"Signature": [
{
"SourceIPString": "",
"FirstSeenGlobally": "",
"FirstSeenInLast30Days": "",
"SourceOrganizationList": "",
"CountryCode": "",
"CountryName": "",
"TimeCreated": "",
"CorrelatedEvent": "",
"FileDetails": "",
"DestinationOrganizationList": "",
"SourceIPAddressBinary": "",
"Classification": "",
"ReportingDeviceList": "",
"NumberNotBlocked": "",
"VendorSignature": "",
"GlobalLookbackDays": "",
"CorrelatedEventList": "",
"HostName": "",
"PrevalenceGlobally": "",
"SourceHostDetailList": "",
"SourceIPAddressBinarySQL": "",
"AffectedAssetList": "",
"NumberBlocked": "",
"Category": "",
"SignatureNumber": "",
"Outcome": "",
"NetworkRanges": {
"NetworkRange": {
"NetworkRangeName": "",
"NetworkRangeIPs": ""
}
},
"DaysSeenGlobally": "",
"DaysSeenInLast30Days": "",
"IsKey": "true",
"SignatureName": ""
}
]
},
"RelatedIncidents": ""
}
}
{
"SecurityIncident": {
"AnalystAssessment": "",
"Description": "",
"CountryCode": "",
"Severity": "",
"Correlation": "",
"SourceOrganizationList": {
"Organization": {
"OrganizationName": ""
}
},
"@xmlns:xsi": "",
"TimeCreated": "",
"RelatedTickets": "",
"@xmlns": "",
"DestinationOrganizationList": {
"Organization": {
"OrganizationName": ""
}
},
"@xmlns:xsd": "",
"Classification": "",
"NumberOfAnalyzedSignatures": "",
"CountryName": "",
"IncidentNumber": "",
"SignatureList": {
"Signature": [
{
"SourceIPString": "",
"FirstSeenGlobally": "",
"SourceHostDetailList": "",
"DaysSeenGlobally": "",
"CountryCode": "",
"TimeCreated": "",
"NumberNotBlocked": "",
"FileDetails": "",
"SignatureNumber": "",
"Outcome": "",
"DaysSeenInLast30Days": "",
"ReportingDeviceList": "",
"CountryName": "",
"GlobalLookbackDays": "",
"CorrelatedEventList": "",
"HostName": "",
"AffectedAssetList": "",
"VendorSignature": "",
"SourceIPAddressBinarySQL": "",
"PrevalenceGlobally": "",
"NumberBlocked": "",
"Category": "",
"SourceOrganizationList": "",
"DestinationOrganizationList": "",
"FirstSeenInLast30Days": "",
"NetworkRanges": {
"NetworkRange": {
"NetworkRangeIPs": "",
"NetworkRangeName": ""
}
},
"CorrelatedEvent": "",
"SourceIPAddressBinary": "",
"Classification": "",
"IsKey": "",
"SignatureName": ""
}
]
}
}
}

operation: Get Incident Attachment

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose associated attachment contents you want to retrieve from Symantec MSS.
Attachment ID ID of the attachment that you want to download from Symantec MSS.
To get the Attachment ID for the incident, refer to the Query Incident operation's output: SecurityIncident > IncidentAttachmentItems > IncidentAttachmentItem > AttachmentNumber.
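The following Python helpers are an added example, not connector code, showing how to walk the Query Incident output shown above to collect the AttachmentNumber values that this operation takes as its Attachment ID, together with the comment log, the current WorkFlowDetail and the IsGroupIncidentAvailable flag. The sample result is constructed. The schema shows nested single items (for example Organization or NetworkRange) as objects rather than one-element lists, so the helpers assume that either shape may occur and normalise both; empty containers appearing as "" are handled the same way. Function names are hypothetical.

```python
import json

# Constructed sample shaped like the Query Incident output shown above. The
# single IncidentComment is written as an object rather than a one-element
# list; the helpers assume the XML-derived output may use either shape.
SAMPLE_QUERY_INCIDENT = json.loads("""
{
  "SecurityIncident": {
    "IncidentNumber": "EXAMPLE-1001",
    "Severity": "Critical",
    "IsGroupIncidentAvailable": "true",
    "WorkFlowDetail": {
      "Resolution": "", "Status": "In Progress", "AssignedPerson": "",
      "AssignedOrganization": "Example SOC", "Reference": "-"
    },
    "IncidentAttachmentItems": {
      "IncidentAttachmentItem": [
        {"UploadBy": "analyst.a", "Comment": "flow export",
         "AttachmentName": "flows.csv", "UploadDateGMT": "2020-01-01T10:00:00",
         "AttachmentNumber": "501"},
        {"UploadBy": "analyst.b", "Comment": "",
         "AttachmentName": "notes.txt", "UploadDateGMT": "2020-01-01T11:30:00",
         "AttachmentNumber": "502"}
      ]
    },
    "IncidentComments": {
      "IncidentComment": {"CommentedBy": "analyst.a", "Comment": "Initial triage done",
                          "CommentedTimeStampGMT": "2020-01-01T10:05:00"}
    }
  }
}
""")


def child(node, key):
    """Safe nested lookup: empty containers appear as "" in this output, not {}."""
    return node.get(key) if isinstance(node, dict) else None


def as_list(node):
    """Normalise a child that may be absent, a single object, or a list."""
    if node is None or node == "":
        return []
    return node if isinstance(node, list) else [node]


def as_bool(value):
    """Booleans in this output are strings such as "true"."""
    return str(value).strip().lower() == "true"


def attachment_refs(result):
    """Return (AttachmentNumber, AttachmentName) pairs in upload order.

    AttachmentNumber is the value Get Incident Attachment takes as its
    Attachment ID input.
    """
    incident = child(result, "SecurityIncident")
    items = as_list(child(child(incident, "IncidentAttachmentItems"),
                          "IncidentAttachmentItem"))
    return [(str(item.get("AttachmentNumber", "")), item.get("AttachmentName", ""))
            for item in items if isinstance(item, dict)]


def comment_log(result):
    """Return (timestamp, author, text) tuples from IncidentComments."""
    incident = child(result, "SecurityIncident")
    items = as_list(child(child(incident, "IncidentComments"), "IncidentComment"))
    return [(c.get("CommentedTimeStampGMT", ""), c.get("CommentedBy", ""), c.get("Comment", ""))
            for c in items if isinstance(c, dict)]


def is_group_incident(result):
    """True when the incident reports related incidents (IsGroupIncidentAvailable)."""
    return as_bool(child(child(result, "SecurityIncident"), "IsGroupIncidentAvailable"))


def workflow_state(result):
    """Current WorkFlowDetail fields, with "" for anything missing."""
    detail = child(child(result, "SecurityIncident"), "WorkFlowDetail")
    detail = detail if isinstance(detail, dict) else {}
    return {key: detail.get(key, "") for key in
            ("Status", "Resolution", "AssignedOrganization", "AssignedPerson")}


if __name__ == "__main__":
    for number, name in attachment_refs(SAMPLE_QUERY_INCIDENT):
        print("Attachment ID", number, "->", name)
```

In a playbook, the pairs returned by attachment_refs are what you would loop over to call Get Incident Attachment once per attachment, and the is_group_incident flag is the value to consult before setting Is Group Update in Update Incident Workflow.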

Output

The output contains the following populated JSON schema:
{
"file_iri": "",
"attachments_iri": ""
}

operation: Incident Add Attachment

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC to which you want to add an attachment.
Reference ID UUID value of the attachment that you want to add to the specified incident.
Supported attachment types are: .doc, .docx, .pdf, .txt, .ppt, .pptx, .xls, .xlsx, .csv, .jpg, .png, .jpeg, .bmp. This list is subject to change at our discretion to better serve our customers. Attachment size must be less than or equal to 15 MB.
Attachment Comment (Optional) Comment that you want to associate with the attachment.
File Details Selecting this checkbox, i.e., setting it to true, retrieves the details of the attached file, including its Attachment ID.
Clearing this checkbox, i.e., setting it to false, returns only the count of successfully uploaded attachments.

Output

The output contains the following populated JSON schema:
{
"Incident": {
"@xmlns": "",
"FilesRejected": "",
"IncidentNumber": "",
"FilesAttached": {
"File": {
"Name": "",
"AttachmentID": ""
}
}
}
}

operation: Update Incident Workflow

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose workflow you want to update in Symantec MSS.
Status Select the status that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident statuses that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_status API Operation. This parameter makes an API call named "get_incident_status" to dynamically populate its drop-down selections.
You can choose from the following options: New, In Progress, or Closed.
Resolution Select the resolution that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident resolutions that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_status_resolution API Operation. This parameter makes an API call named "get_incident_status_resolution" to dynamically populate its drop-down selections.
You can choose from the following options: False Positive, Resolved, Deferred, or No Action.
Severity Select the severity that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident severities that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_severities API Operation. This parameter makes an API call named "get_incident_severities" to dynamically populate its drop-down selections.
You can choose from the following options: Informational, Warning, Critical, or Emergency.
Is Group Update Select this option to apply the workflow changes made to the specified incident to its related incidents as well.
Note: This is applicable only if related incidents are available. To check whether any related incident is associated with this incident, refer to the Query Incident operation's output (or the IncidentQuery API): SecurityIncident > IsGroupIncidentAvailable.
Assigned to Organization (Optional) Updates the incident assignment to the specified organization.
To find the organization name to which you want to assign the incident, retrieve the organization list using the "Get Organizations and Person List" operation and refer to IncidentAssignOrganization > OrganizationName.
Note: You must specify either Assigned to Organization or Assigned to Person for this operation.
Assigned to Person (Optional) Updates the incident assignment to the specified person (user).
To find the person to whom you want to assign the incident, retrieve the person list using the "Get Organizations and Person List" operation and refer to IncidentAssignOrganization > OrganizationName > Persons > Person.
Note: You must specify either Assigned to Organization or Assigned to Person for this operation.
Comments (Optional) Comments that you want to associate with this update.
Reference (Optional) References that you want to associate with this update.
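As an added example (not the connector's own code), the following Python preflight check enforces the rules stated in this table before an Update Incident Workflow call is made: Status, Resolution and Severity must be among the listed values, at least one of Assigned to Organization or Assigned to Person must be supplied, and Is Group Update is only meaningful when the Query Incident output reports IsGroupIncidentAvailable as true. It validates one value per field; the function names and the payload keys are assumptions, not the connector's parameter names.

```python
# Values listed in the Update Incident Workflow parameter table above.
INCIDENT_STATUSES = {"New", "In Progress", "Closed"}
INCIDENT_RESOLUTIONS = {"False Positive", "Resolved", "Deferred", "No Action"}
INCIDENT_SEVERITIES = {"Informational", "Warning", "Critical", "Emergency"}


def workflow_update_errors(incident_id, status=None, resolution=None, severity=None,
                           is_group_update=False, assigned_to_organization=None,
                           assigned_to_person=None, group_incident_available=False):
    """List the reasons an Update Incident Workflow call would be rejected.

    An empty list means the request is consistent with the rules in the
    parameter table. group_incident_available is the IsGroupIncidentAvailable
    value read from the Query Incident output for the same incident.
    """
    errors = []
    if not str(incident_id or "").strip():
        errors.append("Incident ID is required")
    for label, value, allowed in (("status", status, INCIDENT_STATUSES),
                                  ("resolution", resolution, INCIDENT_RESOLUTIONS),
                                  ("severity", severity, INCIDENT_SEVERITIES)):
        if value is not None and value not in allowed:
            errors.append("unknown %s %r; expected one of %s"
                          % (label, value, ", ".join(sorted(allowed))))
    # The table requires one of the two assignment targets.
    if not assigned_to_organization and not assigned_to_person:
        errors.append("specify either Assigned to Organization or Assigned to Person")
    # Is Group Update only applies when related incidents exist.
    if is_group_update and not group_incident_available:
        errors.append("Is Group Update requires related incidents (IsGroupIncidentAvailable)")
    return errors


def build_workflow_update(incident_id, comments=None, reference=None, **fields):
    """Return the update as a dict of supplied fields, or raise ValueError.

    The keys are hypothetical; they are not the connector's parameter names.
    """
    errors = workflow_update_errors(incident_id, **fields)
    if errors:
        raise ValueError("; ".join(errors))
    payload = {"incident_id": incident_id,
               "is_group_update": bool(fields.get("is_group_update", False))}
    for key in ("status", "resolution", "severity",
                "assigned_to_organization", "assigned_to_person"):
        if fields.get(key):
            payload[key] = fields[key]
    if comments:
        payload["comments"] = comments
    if reference:
        payload["reference"] = reference
    return payload


if __name__ == "__main__":
    print(build_workflow_update("EXAMPLE-1001", status="Closed", resolution="Resolved",
                                assigned_to_organization="Example SOC",
                                comments="Closed after review"))
```

Because Update Incident Workflow is a write operation, and Is Group Update fans the change out to related incidents, failing closed on these checks inside the playbook is preferable to discovering a rejected or over-broad update from the SOAP response afterwards.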

Output

The output contains the following populated JSON schema:
{
"soap:Envelope": {
"soap:Body": {
"UpdateIncidentWorkflowResponse": {
"UpdateIncidentWorkflowResult": "",
"@xmlns": ""
}
},
"@xmlns:xsd": "",
"@xmlns:soap": "",
"@xmlns:xsi": ""
}
}

operation: Get User Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"SearchCode": "",
"Status": "",
"LastLogReceived": "",
"DeviceName": "",
"OwnerOrganization": "",
"ChangeManager": ""
}

operation: Get Ticket List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Time Start DateTime (created time or modified time) from which you want to retrieve tickets from Symantec MSS.
End Time End DateTime (created time or modified time) until which you want to retrieve tickets from Symantec MSS.
Status Select the status based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket statuses that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_statuses API Operation. This parameter makes an API call named "ticket_get_statuses" to dynamically populate its drop-down selections.
You can choose from options such as Approved, Assigned, Awaiting Approval, Informed, Internal Escalation, etc.
Ticket Category Select the category based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket categories that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_categories API Operation. This parameter makes an API call named "ticket_get_categories" to dynamically populate its drop-down selections.
You can choose from options such as Add New Detection, Alarm, Alarm / Log Delay, Change, Change / Policy Change, etc.
Urgency Select the urgency based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket urgencies that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_urgencies API Operation. This parameter makes an API call named "ticket_get_urgencies" to dynamically populate its drop-down selections.
You can choose from the following options: Low, Routine, High, or Critical.
Ticket ID Comma-delimited list of valid MSS ticket numbers based on which you want to retrieve a list of tickets from Symantec MSS.
Client Reference Comma-delimited list of client reference values based on which you want to retrieve a list of tickets from Symantec MSS. Since some ClientReference values may have commas, the individual values are matched using a LIKE operator.
Device Comma-delimited list of valid device names based on which you want to retrieve a list of tickets from Symantec MSS. You can find a device name by using the "Get User Devices" operation.
Requested By Organization Select the organization that requested the tickets you want to retrieve from Symantec MSS, or specify a comma-delimited list of valid requesting organizations set by MSS whose tickets you want to retrieve from Symantec MSS.
This operation uses the user_get_organization API Operation. This parameter makes an API call named "user_get_organization" to dynamically populate its drop-down selections.
Assigned to Organization Select the organization to which the tickets you want to retrieve from Symantec MSS are assigned, or specify a comma-delimited list of valid assigned-to organizations set by MSS whose tickets you want to retrieve from Symantec MSS.
This operation uses the user_get_organization API Operation. This parameter makes an API call named "user_get_organization" to dynamically populate its drop-down selections.
Max Tickets Maximum number of tickets that this operation should return.
Get Ticket Recent List Select this checkbox to search for tickets based on the created timestamp and updated timestamps for the following parameters: Request comments/Activity Log, Client Reference, or Assigned to.

Output

The output contains the following populated JSON schema:
{
"Urgency": "",
"UpdateTimestampGMT": "",
"Description": "",
"CreatedDate": "",
"ClosureCodeString": "",
"RelatedTickets": "",
"LastModifiedDate": "",
"RequestedByOrgID": "",
"Status": "",
"TicketCategory": "",
"TicketID": "",
"AssignedToOrgName": "",
"RelatedDeviceList": "",
"RequestedByPersonName": "",
"Active": "",
"ClosedDate": "",
"RelatedSecurityIncidents": "",
"LastUpdated": "",
"Deadline": "",
"AssignedToOrgID": "",
"RequestedByOrgName": "",
"ClientReference": ""
}

operation: Query Ticket

Input parameters

Parameter Description
Ticket ID ID of the ticket in the SOC whose details you want to retrieve from Symantec MSS.
Note: If you specify both the ticket ID and the client reference ticket number, then the ticket ID will be used by this operation.
Client Reference Customer reference ticket number that is specified when the ticket is created (currently, through the portal) and whose details you want to retrieve from Symantec MSS.

Output

The output contains the following populated JSON schema:
{
"Ticket": {
"Urgency": "",
"UpdateTimestampGMT": "",
"Description": "",
"CreatedDate": "",
"ClosureCodeString": "",
"ActivityLog": "",
"@xmlns:xsi": "",
"RelatedTickets": "",
"LastModifiedDate": "",
"TicketID": "",
"RequestedByOrgID": "",
"Status": "",
"TicketCategory": "",
"RelatedDeviceList": "",
"AssignedToOrgName": "",
"Active": "",
"RequestedByPersonName": "",
"ClosedDate": "",
"@xmlns": "",
"@xmlns:xsd": "",
"RelatedSecurityIncidents": "",
"LastUpdated": "",
"Deadline": "",
"AssignedToOrgID": "",
"RequestedByOrgName": "",
"ClientReference": ""
}
}

operation: Get List of Ticket Attachment

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated list of attachments you want to retrieve from Symantec MSS.

Output

The output contains the following populated JSON schema:
{
"Attachments": {
"@xmlns": "",
"Attachment": {
"FileName": "",
"AttachmentOID": ""
}
}
}

operation: Get Ticket Attachment

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated attachment contents you want to retrieve from Symantec MSS.
Attachment Item OID OID of the attachment item that you want to download from Symantec MSS.
To get the Attachment Item OID for the ticket, use the "Get List of Ticket Attachment" operation.
Is All Attachments Required Selecting this checkbox, i.e., setting it to true, retrieves all the attachments associated with the specified ticket ID.
Clearing this checkbox, i.e., setting it to false, fetches only the attachment that matches the specified Attachment Item OID and Ticket ID.

Output

The output contains the following populated JSON schema:
{
"file_iri": "",
"attachments_iri": ""
}

operation: Delete Ticket Attachments

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated attachments you want to delete from Symantec MSS.
Attachment OID Array of AttachmentOID values identifying the attachments that you want to delete from the specified ticket in Symantec MSS.
Update Comment (Optional) Comments that you want to associate with deletion of the attachments.
Retry Attempts (Optional) Number of times this operation should retry in case of failures.

Output

The output contains the following populated JSON schema:
{
"TicketIDs": {
"@xmlns": "",
"isFiledDeleted": "",
"isMatchFound": "",
"isHistoryLineSaved": "",
"isCommentSaved": ""
}
}

Included playbooks

The Sample - Symantec MSS - 1.0.0 playbook collection comes bundled with the Symantec MSS connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Symantec MSS connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
