Fortinet Document Library

Version:


Table of Contents

1.0.0
Copy Link

About the connector

Symantec™ Managed Security Services (MSS) provides round-the-clock security monitoring powered by big data analytics, equipping you with the strategic insights you need to prioritize and respond to critical incidents—as well as build the strategies required to protect your organization’s assets, reputation, and viability.

This document provides information about the Symantec MSS connector, which facilitates automated interactions, with a Symantec MSS server using FortiSOAR™ playbooks. Add the Symantec MSS connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of all organizations and persons within each organization from Symantec MSS or retrieving a list of security incidents from Symantec MSS based on the search parameters you have specified.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 5.1.1-69

Authored By: Fortinet 

Certified: Yes

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™repository and run the yum command as a root user to install connectors:

yum install cyops-connector-symantec-mss

Prerequisites to configuring the connector

  • You must have the URL of Symantec MSS server to which you will connect and perform automated operations and the certificate file to access that server.
  • To use the Symantec MSS connector, you must be assigned at least one of the following roles in Symantec MSS: Administrator, Incident Manager, Incident Reviewer or Asset Manager.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Symantec MSS connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Server URL where your SWS (Secure Web Service) is installed.
Certificate File Certificate .pem file used to connect to the Symantec MSS server.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get Organizations and Person List Retrieves a list of all organizations and persons within each organization from Symantec MSS. get_incident_organization
Investigation
Get List of Incident Retrieves a list of security incidents from Symantec MSS based on the search parameters you have specified.
Note: If a parameter is left blank or null, then this operation will return incidents matching all values.
incident_get_list
Investigation
Query Incident Retrieves details of a specific incident either with or without the workflow information from Symantec MSS based on the incident ID and other input parameters you have specified. incident_query
Investigation
Get Incident Attachment Retrieves the contents of a specific attachment associated with a specific incident from Symantec MSS based on the incident ID and attachment ID you have specified. incident_get_attachment
Investigation
Incident Add Attachment Adds an attachment to a specific incident in Symantec MSS based on the incident ID and other input parameters you have specified. incident_add_attachment
Investigation
Update Incident Workflow Updates the incident workflow in Symantec MSS based on the incident ID, status, resolution, severity, and other input parameters you have specified. update_incident_workflow
Investigation
Get User Devices Retrieves a list of all the devices that you are able to see under your organizational hierarchy from Symantec MSS. user_get_devices
Investigation
Get Ticket List Retrieves a list of tickets from Symantec MSS based on the search parameters you have specified.
Note: If a parameter is left blank or null, then this operation will return incidents matching all values.
ticket_get_list
Investigation
Query Ticket Retrieves details of a specific ticket from Symantec MSS based on the ticket ID or client reference you have specified. ticket_query
Investigation
Get List of Ticket Attachment Retrieves a list of attachments i.e., only retrieves the FileName and AttachmentOID from Symantec MSS based on ticket ID you have specified. ticket_get_attachment_list
Investigation
Get Ticket Attachment Retrieves the contents of a specific attachment associated with a specific ticket from Symantec MSS based on the ticket ID and attachment OID you have specified. ticket_get_attachment_contents
Investigation
Delete Ticket Attachments Deletes specific attachments from a specific ticket in Symantec MSS based on the ticket ID, attachment OID, and other input parameters you have specified. ticket_delete_attachments
 

operation: Get Organizations and Person List

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "Persons": {
         "Person": []
     },
     "OrganizationName": ""
}

operation: Get List of Incident

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Severity Select the severity based on which you want to retrieve a list of incidents from Symantec MSS, or specify a comma-delimited list of valid security incident severities that are set by MSS and based on which you want to retrieve the list of incidents from Symantec MSS.
This operation uses the get_incident_severities API Operation. This parameter makes an API call named "get_incident_severities" to dynamically populate its drop-down selections.
You can choose from the following options: Informational, Warning, Critical, or Emergency.
Source Organization Comma-delimited list of valid source organizations based on which you want to retrieve a list of incidents from Symantec MSS. You can retrieve source organization information using the "Get Organizations and Person List" operation.
Destination Organization Comma-delimited list of valid destination organizations based on which you want to retrieve a list of incidents from Symantec MSS. You can retrieve destination organization information using the "Get Organizations and Person List" operation.
Max Incidents Maximum number of incidents that this operation should return.
Source IP Comma-delimited list of valid source IP addresses based on which you want to retrieve a list of incidents from Symantec MSS.
Category Select the category based on which you want to retrieve a list of incidents from Symantec MSS, or specify a comma-delimited list of valid security incident categories that are set by MSS and based on which you want to retrieve the list of incidents from Symantec MSS.
This operation uses the get_incident_categories API Operation. This parameter makes an API call named "get_incident_categories" to dynamically populate its drop-down selections.
You can choose from options such as Unassigned, Authorized Scanning/Penetration Testing, Denial of Service, or Emerging Threats, etc.
Exclude Category Select the category that you want to exclude from the list of incidents retrieved from Symantec MSS, or specify a comma-delimited list of valid security incident categories that are set by MSS, which you want to exclude from the list of incidents retrieved from Symantec MSS.
This operation uses the get_incident_categories API Operation. This parameter makes an API call named "get_incident_categories" to dynamically populate its drop-down selections.
You can choose from options such as Unassigned, Authorized Scanning/Penetration Testing, Denial of Service, or Emerging Threats, etc.
Get List of Recent Incident Searches for list of latest incidents in Symantec MSS based on the created timestamp, updated timestamp, or LatestKeyEvent timestamp of the incidents.
If you select this checkbox, i.e. set it to true, then you must specify the following parameter:
  • Start Time: Specific DateTime or created timestamp from when you want to return incidents created in Symantec MSS.
If you clear this checkbox, i.e. set it to false, then you must specify the following parameter:
  • Start Time: Specific DateTime or created timestamp from when you want to return incidents created in Symantec MSS.
  • Customer Severity: Comma-delimited list of valid security incident severities set by customers.
End Time Datetime or created timestamp till when you want to return incidents created in Symantec MSS.

Output

The output contains the following populated JSON schema:
{
     "SourceIPString": "",
     "FirstSeenGlobally": "",
     "LatestKeyEvent": "",
     "UpdateTimestampGMT": "",
     "FirstSeenInLast30Days": "",
     "Correlation": "",
     "DaysSeenGlobally": "",
     "CountryCode": "",
     "TimeCreated": "",
     "Severity": "",
     "Classification": "",
     "DestOrganizationName": "",
     "CountryName": "",
     "GlobalLookbackDays": "",
     "UserList": "",
     "SourceOrganizationName": "",
     "PrevalenceGlobally": "",
     "CountryOfOrigin": "",
     "CustomerSeverity": "",
     "IncidentNumber": "",
     "Category": "",
     "DaysSeenInLast30Days": "",
     "HostNameList": "",
     "IsInternalExternal": ""
}

operation: Query Incident

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose details you want to retrieve from Symantec MSS.
Max Signatures (Optional) Maximum number of signatures to be retrieved for the specific incident from Symantec MSS.
Get Incident Workflow Select this option to retrieves incident details with workflow information for the specified incident number.

Output

The output contains the following populated JSON schema:
{
     "SecurityIncident": {
         "AnalystAssessment": "",
         "Description": "",
         "CountryCode": "",
         "Correlation": "",
         "SourceOrganizationList": {
             "Organization": {
                 "OrganizationName": ""
             }
         },
         "ActivityLogs": {
             "Activity": [
                 {
                     "NewValue": "",
                     "ActivityBy": "",
                     "ActivityDateGMT": "",
                     "OldValue": "",
                     "FieldName": ""
                 }
             ]
         },
         "@xmlns:xsi": "",
         "TimeCreated": "",
         "RelatedTickets": "",
         "Severity": "",
         "DestinationOrganizationList": {
             "Organization": {
                 "OrganizationName": ""
             }
         },
         "WorkFlowDetail": {
             "Resolution": "",
             "Status": "",
             "AssignedPerson": "",
             "AssignedOrganization": "",
             "Reference": "-"
         },
         "CountryName": "",
         "IncidentNumber": "",
         "IncidentAttachmentItems": {
             "IncidentAttachmentItem": [
                 {
                     "UploadBy": "",
                     "Comment": "",
                     "AttachmentName": "",
                     "UploadDateGMT": "",
                     "AttachmentNumber": ""
                 }
             ]
         },
         "IsGroupIncidentAvailable": "",
         "IncidentComments": {
             "IncidentComment": [
                 {
                     "CommentedBy": "",
                     "Comment": "",
                     "CommentedTimeStampGMT": ""
                 }
             ]
         },
         "@xmlns": "",
         "@xmlns:xsd": "",
         "NumberOfAnalyzedSignatures": "",
         "Classification": "",
         "SignatureList": {
             "Signature": [
                 {
                     "SourceIPString": "",
                     "FirstSeenGlobally": "",
                     "FirstSeenInLast30Days": "",
                     "SourceOrganizationList": "",
                     "CountryCode": "",
                     "CountryName": "",
                     "TimeCreated": "",
                     "CorrelatedEvent": "",
                     "FileDetails": "",
                     "DestinationOrganizationList": "",
                     "SourceIPAddressBinary": "",
                     "Classification": "",
                     "ReportingDeviceList": "",
                     "NumberNotBlocked": "",
                     "VendorSignature": "",
                     "GlobalLookbackDays": "",
                     "CorrelatedEventList": "",
                     "HostName": "",
                     "PrevalenceGlobally": "",
                     "SourceHostDetailList": "",
                     "SourceIPAddressBinarySQL": "",
                     "AffectedAssetList": "",
                     "NumberBlocked": "",
                     "Category": "",
                     "SignatureNumber": "",
                     "Outcome": "",
                     "NetworkRanges": {
                         "NetworkRange": {
                             "NetworkRangeName": "",
                             "NetworkRangeIPs": ""
                         }
                     },
                     "DaysSeenGlobally": "",
                     "DaysSeenInLast30Days": "",
                     "IsKey": "true",
                     "SignatureName": ""
                 }
             ]
         },
         "RelatedIncidents": ""
     }
}
{
     "SecurityIncident": {
         "AnalystAssessment": "",
         "Description": "",
         "CountryCode": "",
         "Severity": "",
         "Correlation": "",
         "SourceOrganizationList": {
             "Organization": {
                 "OrganizationName": ""
             }
         },
         "@xmlns:xsi": "",
         "TimeCreated": "",
         "RelatedTickets": "",
         "@xmlns": "",
         "DestinationOrganizationList": {
             "Organization": {
                 "OrganizationName": ""
             }
         },
         "@xmlns:xsd": "",
         "Classification": "",
         "NumberOfAnalyzedSignatures": "",
         "CountryName": "",
         "IncidentNumber": "",
         "SignatureList": {
             "Signature": [
                 {
                     "SourceIPString": "",
                     "FirstSeenGlobally": "",
                     "SourceHostDetailList": "",
                     "DaysSeenGlobally": "",
                     "CountryCode": "",
                     "TimeCreated": "",
                     "NumberNotBlocked": "",
                     "FileDetails": "",
                     "SignatureNumber": "",
                     "Outcome": "",
                     "DaysSeenInLast30Days": "",
                     "ReportingDeviceList": "",
                     "CountryName": "",
                     "GlobalLookbackDays": "",
                     "CorrelatedEventList": "",
                     "HostName": "",
                     "AffectedAssetList": "",
                     "VendorSignature": "",
                     "SourceIPAddressBinarySQL": "",
                     "PrevalenceGlobally": "",
                     "NumberBlocked": "",
                     "Category": "",
                     "SourceOrganizationList": "",
                     "DestinationOrganizationList": "",
                     "FirstSeenInLast30Days": "",
                     "NetworkRanges": {
                         "NetworkRange": {
                             "NetworkRangeIPs": "",
                             "NetworkRangeName": ""
                         }
                     },
                     "CorrelatedEvent": "",
                     "SourceIPAddressBinary": "",
                     "Classification": "",
                     "IsKey": "",
                     "SignatureName": ""
                 }
             ]
         }
     }
}

operation: Get Incident Attachment

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose associated attachment contents you want to retrieve from Symantec MSS.
Attachment ID ID of the attachment that you want to download from Symantec MSS.
To get the Attachment ID for the incident, refer to the Query Incident operations's output > SecurityIncident-> IncidentAttachmentItems -> IncidentAttachmentItem -> AttachmentNumber.

Output

The output contains the following populated JSON schema:


{
     "file_iri": "",
     "attachments_iri": ""
}

operation: Incident Add Attachment

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC to which you want to add an attachment.
Reference ID UUID value of the attachment that you want to add to the specified incident.
Supported attachment types are: .doc, .docx, .pdf, .txt, .ppt, .pptx, .xls, .xlsx, .csv, .jpg, .png, .jpeg, .bmp. This list is subject to change at our discretion to better serve our customers. Attachment size must be less than or equal to 15 MB.
Attachment Comment (Optional) Comment that you want to associate with the attachment.
File Details Selecting this checkbox, i.e, setting it to true, retrieves the attached file details or get the Attachment ID.
Clearing this checkbox, i.e, setting it to false, provides the successfully uploaded attachment(s) count.

Output

The output contains the following populated JSON schema:
{
     "Incident": {
         "@xmlns": "",
         "FilesRejected": "",
         "IncidentNumber": "",
         "FilesAttached": {
             "File": {
                 "Name": "",
                 "AttachmentID": ""
             }
         }
     }
} 

operation: Update Incident Workflow

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose workflow you want to update in Symantec MSS.
Status Select the status that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident statuses that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_status API Operation. This parameter makes an API call named "get_incident_status" to dynamically populate its drop-down selections.
You can choose from the following options: New, In Progress, or Closed.
Resolution Select the resolution that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident resolutions that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_status_resolution API Operation. This parameter makes an API call named "get_incident_status_resolution" to dynamically populate its drop-down selections.
You can choose from the following options: False Postive, Resolved, Deferred or No Action.
Severity Select the severity that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident severities that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_severities API Operation. This parameter makes an API call named "get_incident_severities" to dynamically populate its drop-down selections.
You can choose from the following options: Informational, Warning, Critical, or Emergency.
Is Group Update Select this option to update the workflow changes of the specific incident to related incidents.
Note: This is applicable only if related incidents are available. To know if any related incident is associated to this Incident, refer to the Query Incident operations' output or the IncidentQuery API -> SecurityIncident -> IsGroupIncidentAvailable
Assigned to Organization (Optional) Updates the incident assignment to the specified organization.
To know the organization details for changing the incident assignment to an organization, use the Get the Organization list from "Get Organizations and Person List" action -> IncidentAssignOrganization-> OrganizationName.
Note: You must specify either Assigned to Organization or Assigned to Person for this operation.
Assigned to Person (Optional) Updates the incident assignment to the specified Person (user)
To know the organization details for changing the incident assignment to a person, use the Get the person list from "Get Organizations and Person List" action -> IncidentAssignOrganization-> OrganizationName- > Persons-> Person.
Note: You must specify either Assigned to Organization or Assigned to Person for this operation.
Comments (Optional) Comments that you want to associate with this update.
Reference (Optional) References that you want to associate with this update.

Output

The output contains the following populated JSON schema:
{
     "soap:Envelope": {
         "soap:Body": {
             "UpdateIncidentWorkflowResponse": {
                 "UpdateIncidentWorkflowResult": "",
                 "@xmlns": ""
             }
         },
         "@xmlns:xsd": "",
         "@xmlns:soap": "",
         "@xmlns:xsi": ""
     }
}

operation: Get User Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:


{
     "SearchCode": "",
     "Status": "",
     "LastLogReceived": "",
     "DeviceName": "",
     "OwnerOrganization": "",
     "ChangeManager": ""
}

operation: Get Ticket List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Time Start Datetime (created time or modified time) from when you want to retrieve tickets from Symantec MSS.
End Time End Datetime (created time or modified time) till when you want to retrieve tickets from Symantec MSS.
Status Select the status based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket statuses that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_statuses API Operation. This parameter makes an API call named "ticket_get_statuses" to dynamically populate its drop-down selections.
You can choose from options such as Approved, Assigned, Awaiting Approval, Informed, Internal Escalation, etc.
Ticket Category Select the category based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket categories that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_categories API Operation. This parameter makes an API call named "ticket_get_categories" to dynamically populate its drop-down selections.
You can choose from options such as Add New Detection, Alarm, Alarm / Log Delay, Change, Change / Policy Change, etc.
Urgency Select the urgency based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket urgencies that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_urgencies API Operation. This parameter makes an API call named "ticket_get_urgencies" to dynamically populate its drop-down selections.
You can choose from the following options: Low, Routine, High, or Critical.
Ticket ID Comma-delimited list of valid MSS ticket numbers based on which you want to retrieve a list of tickets from Symantec MSS.
Client Reference Comma-delimited list of client reference values based on which you want to retrieve a list of tickets from Symantec MSS. Since some ClientReference values may have commas, the individual values are matched using a LIKE operator.
Device Comma-delimited list of valid device names based on which you want to retrieve a list of tickets from Symantec MSS. You can find a device name by using the "Get User Devices" operation.
Requested By Organization Select the organization that has requested the ticket whose associated a list of tickets you want to retrieve from Symantec MSS, or specify a comma-delimited list of valid requested by organizations that are set by MSS whose associated a list of tickets you want to retrieve from Symantec MSS.
This operation uses the user_get_organization API Operation. This parameter makes an API call named "user_get_organization" to dynamically populate its drop-down selections.
Assigned to Organization Select the organization that has been assigned the ticket whose associated a list of tickets you want to retrieve from Symantec MSS, or specify a comma-delimited list of valid assigned to organizations that are set by MSS whose associated a list of tickets you want to retrieve from Symantec MSS.
This operation uses the user_get_organization API Operation. This parameter makes an API call named "user_get_organization" to dynamically populate its drop-down selections.
Max Tickets Maximum number of tickets that this operation should return
Get Ticket Recent List Select this checkbox to search for tickets based on the created timestamp and updated timestamps for the following parameters: Request comments/Activity Log, Client Reference, or Assigned to.

Output

The output contains the following populated JSON schema:
{
     "Urgency": "",
     "UpdateTimestampGMT": "",
     "Description": "",
     "CreatedDate": "",
     "ClosureCodeString": "",
     "RelatedTickets": "",
     "LastModifiedDate": "",
     "RequestedByOrgID": "",
     "Status": "",
     "TicketCategory": "",
     "TicketID": "",
     "AssignedToOrgName": "",
     "RelatedDeviceList": "",
     "RequestedByPersonName": "",
     "Active": "",
     "ClosedDate": "",
     "RelatedSecurityIncidents": "",
     "LastUpdated": "",
     "Deadline": "",
     "AssignedToOrgID": "",
     "RequestedByOrgName": "",
     "ClientReference": ""
}

operation: Query Ticket

Input parameters

Parameter Description
Ticket ID ID of the ticket in the SOC whose details you want to retrieve from Symantec MSS.
Note: If you specify both the ticket ID and the client reference ticket number, then the ticket ID will be used by this operation.
Client Reference Customer reference ticket number that is specified during the creation of the ticket creation (currently, using the portal) whose details you want to retrieve from Symantec MSS.

Output

The output contains the following populated JSON schema:
{
     "Ticket": {
         "Urgency": "",
         "UpdateTimestampGMT": "",
         "Description": "",
         "CreatedDate": "",
         "ClosureCodeString": "",
         "ActivityLog": "",
         "@xmlns:xsi": "",
         "RelatedTickets": "",
         "LastModifiedDate": "",
         "TicketID": "",
         "RequestedByOrgID": "",
         "Status": "",
         "TicketCategory": "",
         "RelatedDeviceList": "",
         "AssignedToOrgName": "",
         "Active": "",
         "RequestedByPersonName": "",
         "ClosedDate": "",
         "@xmlns": "",
         "@xmlns:xsd": "",
         "RelatedSecurityIncidents": "",
         "LastUpdated": "",
         "Deadline": "",
         "AssignedToOrgID": "",
         "RequestedByOrgName": "",
         "ClientReference": ""
     }
}

operation: Get List of Ticket Attachment

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated list of attachments you want to retrieve from Symantec MSS.

Output

The output contains the following populated JSON schema:
{
     "Attachments": {
         "@xmlns": "",
         "Attachment": {
             "FileName": "",
             "AttachmentOID": ""
         }
     }
}

operation: Get Ticket Attachment

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated attachments contents you want to retrieve from Symantec MSS.
Attachment Item OID OID of the attachment item that you want to download from Symantec MSS.
To get the Attachment Item OID for the ticket, use the "Get List of Ticket Attachment" operation.
Is All Attachments Required Selecting this checkbox, i.e, setting it to true, retrieves all the attachments associated with the specified ticket ID.
Clearing this checkbox, i.e, setting it to false, fetch only those attachments that are associated with Attachment Item OID and TicketID.

Output

The output contains the following populated JSON schema:
{
     "file_iri": "",
     "attachments_iri": ""
}

operation: Delete Ticket Attachments

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated attachments you want to delete from Symantec MSS.
Ticket service case ID.
Attachment OID AttachmentOID array that you want to delete from the specified ticket in Symantec MSS.
Update Comment (Optional) Comments that you want to associate with deletion of the attachments.
Retry Attempts (Optional) Number of times this operation should retry in case of failures.

Output

The output contains the following populated JSON schema:
{
     "TicketIDs": {
         "@xmlns": "",
         "isFiledDeleted": "",
         "isMatchFound": "",
         "isHistoryLineSaved": "",
         "isCommentSaved": ""
     }
}

Included playbooks

The Sample - Symantec MSS - 1.0.0 playbook collection comes bundled with the Symantec MSS connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPsTM after importing the Symantec MSS connector.

  • Delete Ticket Attachments
  • Get Incident Attachment
  • Get List of Incident
  • Get List of Ticket Attachment
  • Get Organizations and Person List
  • Get Ticket Attachment Contents
  • Get Ticket List
  • Get User Devices
  • Incident Add Attachment
  • Query Incident
  • Query Ticket
  • Update Incident Workflow

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

About the connector

Symantec™ Managed Security Services (MSS) provides round-the-clock security monitoring powered by big data analytics, equipping you with the strategic insights you need to prioritize and respond to critical incidents—as well as build the strategies required to protect your organization’s assets, reputation, and viability.

This document provides information about the Symantec MSS connector, which facilitates automated interactions, with a Symantec MSS server using FortiSOAR™ playbooks. Add the Symantec MSS connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of all organizations and persons within each organization from Symantec MSS or retrieving a list of security incidents from Symantec MSS based on the search parameters you have specified.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 5.1.1-69

Authored By: Fortinet 

Certified: Yes

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™repository and run the yum command as a root user to install connectors:

yum install cyops-connector-symantec-mss

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Symantec MSS connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Server URL where your SWS (Secure Web Service) is installed.
Certificate File Certificate .pem file used to connect to the Symantec MSS server.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get Organizations and Person List Retrieves a list of all organizations and persons within each organization from Symantec MSS. get_incident_organization
Investigation
Get List of Incident Retrieves a list of security incidents from Symantec MSS based on the search parameters you have specified.
Note: If a parameter is left blank or null, then this operation will return incidents matching all values.
incident_get_list
Investigation
Query Incident Retrieves details of a specific incident either with or without the workflow information from Symantec MSS based on the incident ID and other input parameters you have specified. incident_query
Investigation
Get Incident Attachment Retrieves the contents of a specific attachment associated with a specific incident from Symantec MSS based on the incident ID and attachment ID you have specified. incident_get_attachment
Investigation
Incident Add Attachment Adds an attachment to a specific incident in Symantec MSS based on the incident ID and other input parameters you have specified. incident_add_attachment
Investigation
Update Incident Workflow Updates the incident workflow in Symantec MSS based on the incident ID, status, resolution, severity, and other input parameters you have specified. update_incident_workflow
Investigation
Get User Devices Retrieves a list of all the devices that you are able to see under your organizational hierarchy from Symantec MSS. user_get_devices
Investigation
Get Ticket List Retrieves a list of tickets from Symantec MSS based on the search parameters you have specified.
Note: If a parameter is left blank or null, then this operation will return incidents matching all values.
ticket_get_list
Investigation
Query Ticket Retrieves details of a specific ticket from Symantec MSS based on the ticket ID or client reference you have specified. ticket_query
Investigation
Get List of Ticket Attachment Retrieves a list of attachments i.e., only retrieves the FileName and AttachmentOID from Symantec MSS based on ticket ID you have specified. ticket_get_attachment_list
Investigation
Get Ticket Attachment Retrieves the contents of a specific attachment associated with a specific ticket from Symantec MSS based on the ticket ID and attachment OID you have specified. ticket_get_attachment_contents
Investigation
Delete Ticket Attachments Deletes specific attachments from a specific ticket in Symantec MSS based on the ticket ID, attachment OID, and other input parameters you have specified. ticket_delete_attachments
 

operation: Get Organizations and Person List

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "Persons": {
         "Person": []
     },
     "OrganizationName": ""
}

operation: Get List of Incident

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Severity Select the severity based on which you want to retrieve a list of incidents from Symantec MSS, or specify a comma-delimited list of valid security incident severities that are set by MSS and based on which you want to retrieve the list of incidents from Symantec MSS.
This operation uses the get_incident_severities API Operation. This parameter makes an API call named "get_incident_severities" to dynamically populate its drop-down selections.
You can choose from the following options: Informational, Warning, Critical, or Emergency.
Source Organization Comma-delimited list of valid source organizations based on which you want to retrieve a list of incidents from Symantec MSS. You can retrieve source organization information using the "Get Organizations and Person List" operation.
Destination Organization Comma-delimited list of valid destination organizations based on which you want to retrieve a list of incidents from Symantec MSS. You can retrieve destination organization information using the "Get Organizations and Person List" operation.
Max Incidents Maximum number of incidents that this operation should return.
Source IP Comma-delimited list of valid source IP addresses based on which you want to retrieve a list of incidents from Symantec MSS.
Category Select the category based on which you want to retrieve a list of incidents from Symantec MSS, or specify a comma-delimited list of valid security incident categories that are set by MSS and based on which you want to retrieve the list of incidents from Symantec MSS.
This operation uses the get_incident_categories API Operation. This parameter makes an API call named "get_incident_categories" to dynamically populate its drop-down selections.
You can choose from options such as Unassigned, Authorized Scanning/Penetration Testing, Denial of Service, or Emerging Threats, etc.
Exclude Category Select the category that you want to exclude from the list of incidents retrieved from Symantec MSS, or specify a comma-delimited list of valid security incident categories that are set by MSS, which you want to exclude from the list of incidents retrieved from Symantec MSS.
This operation uses the get_incident_categories API Operation. This parameter makes an API call named "get_incident_categories" to dynamically populate its drop-down selections.
You can choose from options such as Unassigned, Authorized Scanning/Penetration Testing, Denial of Service, or Emerging Threats, etc.
Get List of Recent Incident Searches for list of latest incidents in Symantec MSS based on the created timestamp, updated timestamp, or LatestKeyEvent timestamp of the incidents.
If you select this checkbox, i.e. set it to true, then you must specify the following parameter:
  • Start Time: Specific DateTime or created timestamp from when you want to return incidents created in Symantec MSS.
If you clear this checkbox, i.e. set it to false, then you must specify the following parameter:
  • Start Time: Specific DateTime or created timestamp from when you want to return incidents created in Symantec MSS.
  • Customer Severity: Comma-delimited list of valid security incident severities set by customers.
End Time Datetime or created timestamp till when you want to return incidents created in Symantec MSS.

Output

The output contains the following populated JSON schema:
{
     "SourceIPString": "",
     "FirstSeenGlobally": "",
     "LatestKeyEvent": "",
     "UpdateTimestampGMT": "",
     "FirstSeenInLast30Days": "",
     "Correlation": "",
     "DaysSeenGlobally": "",
     "CountryCode": "",
     "TimeCreated": "",
     "Severity": "",
     "Classification": "",
     "DestOrganizationName": "",
     "CountryName": "",
     "GlobalLookbackDays": "",
     "UserList": "",
     "SourceOrganizationName": "",
     "PrevalenceGlobally": "",
     "CountryOfOrigin": "",
     "CustomerSeverity": "",
     "IncidentNumber": "",
     "Category": "",
     "DaysSeenInLast30Days": "",
     "HostNameList": "",
     "IsInternalExternal": ""
}

operation: Query Incident

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose details you want to retrieve from Symantec MSS.
Max Signatures (Optional) Maximum number of signatures to be retrieved for the specific incident from Symantec MSS.
Get Incident Workflow Select this option to retrieves incident details with workflow information for the specified incident number.

Output

The output contains the following populated JSON schema:
{
     "SecurityIncident": {
         "AnalystAssessment": "",
         "Description": "",
         "CountryCode": "",
         "Correlation": "",
         "SourceOrganizationList": {
             "Organization": {
                 "OrganizationName": ""
             }
         },
         "ActivityLogs": {
             "Activity": [
                 {
                     "NewValue": "",
                     "ActivityBy": "",
                     "ActivityDateGMT": "",
                     "OldValue": "",
                     "FieldName": ""
                 }
             ]
         },
         "@xmlns:xsi": "",
         "TimeCreated": "",
         "RelatedTickets": "",
         "Severity": "",
         "DestinationOrganizationList": {
             "Organization": {
                 "OrganizationName": ""
             }
         },
         "WorkFlowDetail": {
             "Resolution": "",
             "Status": "",
             "AssignedPerson": "",
             "AssignedOrganization": "",
             "Reference": "-"
         },
         "CountryName": "",
         "IncidentNumber": "",
         "IncidentAttachmentItems": {
             "IncidentAttachmentItem": [
                 {
                     "UploadBy": "",
                     "Comment": "",
                     "AttachmentName": "",
                     "UploadDateGMT": "",
                     "AttachmentNumber": ""
                 }
             ]
         },
         "IsGroupIncidentAvailable": "",
         "IncidentComments": {
             "IncidentComment": [
                 {
                     "CommentedBy": "",
                     "Comment": "",
                     "CommentedTimeStampGMT": ""
                 }
             ]
         },
         "@xmlns": "",
         "@xmlns:xsd": "",
         "NumberOfAnalyzedSignatures": "",
         "Classification": "",
         "SignatureList": {
             "Signature": [
                 {
                     "SourceIPString": "",
                     "FirstSeenGlobally": "",
                     "FirstSeenInLast30Days": "",
                     "SourceOrganizationList": "",
                     "CountryCode": "",
                     "CountryName": "",
                     "TimeCreated": "",
                     "CorrelatedEvent": "",
                     "FileDetails": "",
                     "DestinationOrganizationList": "",
                     "SourceIPAddressBinary": "",
                     "Classification": "",
                     "ReportingDeviceList": "",
                     "NumberNotBlocked": "",
                     "VendorSignature": "",
                     "GlobalLookbackDays": "",
                     "CorrelatedEventList": "",
                     "HostName": "",
                     "PrevalenceGlobally": "",
                     "SourceHostDetailList": "",
                     "SourceIPAddressBinarySQL": "",
                     "AffectedAssetList": "",
                     "NumberBlocked": "",
                     "Category": "",
                     "SignatureNumber": "",
                     "Outcome": "",
                     "NetworkRanges": {
                         "NetworkRange": {
                             "NetworkRangeName": "",
                             "NetworkRangeIPs": ""
                         }
                     },
                     "DaysSeenGlobally": "",
                     "DaysSeenInLast30Days": "",
                     "IsKey": "true",
                     "SignatureName": ""
                 }
             ]
         },
         "RelatedIncidents": ""
     }
}
{
     "SecurityIncident": {
         "AnalystAssessment": "",
         "Description": "",
         "CountryCode": "",
         "Severity": "",
         "Correlation": "",
         "SourceOrganizationList": {
             "Organization": {
                 "OrganizationName": ""
             }
         },
         "@xmlns:xsi": "",
         "TimeCreated": "",
         "RelatedTickets": "",
         "@xmlns": "",
         "DestinationOrganizationList": {
             "Organization": {
                 "OrganizationName": ""
             }
         },
         "@xmlns:xsd": "",
         "Classification": "",
         "NumberOfAnalyzedSignatures": "",
         "CountryName": "",
         "IncidentNumber": "",
         "SignatureList": {
             "Signature": [
                 {
                     "SourceIPString": "",
                     "FirstSeenGlobally": "",
                     "SourceHostDetailList": "",
                     "DaysSeenGlobally": "",
                     "CountryCode": "",
                     "TimeCreated": "",
                     "NumberNotBlocked": "",
                     "FileDetails": "",
                     "SignatureNumber": "",
                     "Outcome": "",
                     "DaysSeenInLast30Days": "",
                     "ReportingDeviceList": "",
                     "CountryName": "",
                     "GlobalLookbackDays": "",
                     "CorrelatedEventList": "",
                     "HostName": "",
                     "AffectedAssetList": "",
                     "VendorSignature": "",
                     "SourceIPAddressBinarySQL": "",
                     "PrevalenceGlobally": "",
                     "NumberBlocked": "",
                     "Category": "",
                     "SourceOrganizationList": "",
                     "DestinationOrganizationList": "",
                     "FirstSeenInLast30Days": "",
                     "NetworkRanges": {
                         "NetworkRange": {
                             "NetworkRangeIPs": "",
                             "NetworkRangeName": ""
                         }
                     },
                     "CorrelatedEvent": "",
                     "SourceIPAddressBinary": "",
                     "Classification": "",
                     "IsKey": "",
                     "SignatureName": ""
                 }
             ]
         }
     }
}

operation: Get Incident Attachment

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose associated attachment contents you want to retrieve from Symantec MSS.
Attachment ID ID of the attachment that you want to download from Symantec MSS.
To get the Attachment ID for the incident, refer to the Query Incident operations's output > SecurityIncident-> IncidentAttachmentItems -> IncidentAttachmentItem -> AttachmentNumber.

Output

The output contains the following populated JSON schema:


{
     "file_iri": "",
     "attachments_iri": ""
}

operation: Incident Add Attachment

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC to which you want to add an attachment.
Reference ID UUID value of the attachment that you want to add to the specified incident.
Supported attachment types are: .doc, .docx, .pdf, .txt, .ppt, .pptx, .xls, .xlsx, .csv, .jpg, .png, .jpeg, .bmp. This list is subject to change at our discretion to better serve our customers. Attachment size must be less than or equal to 15 MB.
Attachment Comment (Optional) Comment that you want to associate with the attachment.
File Details Selecting this checkbox, i.e, setting it to true, retrieves the attached file details or get the Attachment ID.
Clearing this checkbox, i.e, setting it to false, provides the successfully uploaded attachment(s) count.

Output

The output contains the following populated JSON schema:
{
     "Incident": {
         "@xmlns": "",
         "FilesRejected": "",
         "IncidentNumber": "",
         "FilesAttached": {
             "File": {
                 "Name": "",
                 "AttachmentID": ""
             }
         }
     }
} 

operation: Update Incident Workflow

Input parameters

Parameter Description
Incident ID ID of the incident in the SOC whose workflow you want to update in Symantec MSS.
Status Select the status that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident statuses that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_status API Operation. This parameter makes an API call named "get_incident_status" to dynamically populate its drop-down selections.
You can choose from the following options: New, In Progress, or Closed.
Resolution Select the resolution that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident resolutions that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_status_resolution API Operation. This parameter makes an API call named "get_incident_status_resolution" to dynamically populate its drop-down selections.
You can choose from the following options: False Postive, Resolved, Deferred or No Action.
Severity Select the severity that you want to set for the specific incident in Symantec MSS, or specify a comma-delimited list of valid security incident severities that are set by MSS and based on which you want to update the specific incident workflow in Symantec MSS.
This operation uses the get_incident_severities API Operation. This parameter makes an API call named "get_incident_severities" to dynamically populate its drop-down selections.
You can choose from the following options: Informational, Warning, Critical, or Emergency.
Is Group Update Select this option to update the workflow changes of the specific incident to related incidents.
Note: This is applicable only if related incidents are available. To know if any related incident is associated to this Incident, refer to the Query Incident operations' output or the IncidentQuery API -> SecurityIncident -> IsGroupIncidentAvailable
Assigned to Organization (Optional) Updates the incident assignment to the specified organization.
To know the organization details for changing the incident assignment to an organization, use the Get the Organization list from "Get Organizations and Person List" action -> IncidentAssignOrganization-> OrganizationName.
Note: You must specify either Assigned to Organization or Assigned to Person for this operation.
Assigned to Person (Optional) Updates the incident assignment to the specified Person (user)
To know the organization details for changing the incident assignment to a person, use the Get the person list from "Get Organizations and Person List" action -> IncidentAssignOrganization-> OrganizationName- > Persons-> Person.
Note: You must specify either Assigned to Organization or Assigned to Person for this operation.
Comments (Optional) Comments that you want to associate with this update.
Reference (Optional) References that you want to associate with this update.

Output

The output contains the following populated JSON schema:
{
     "soap:Envelope": {
         "soap:Body": {
             "UpdateIncidentWorkflowResponse": {
                 "UpdateIncidentWorkflowResult": "",
                 "@xmlns": ""
             }
         },
         "@xmlns:xsd": "",
         "@xmlns:soap": "",
         "@xmlns:xsi": ""
     }
}

operation: Get User Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:


{
     "SearchCode": "",
     "Status": "",
     "LastLogReceived": "",
     "DeviceName": "",
     "OwnerOrganization": "",
     "ChangeManager": ""
}

operation: Get Ticket List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Time Start Datetime (created time or modified time) from when you want to retrieve tickets from Symantec MSS.
End Time End Datetime (created time or modified time) till when you want to retrieve tickets from Symantec MSS.
Status Select the status based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket statuses that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_statuses API Operation. This parameter makes an API call named "ticket_get_statuses" to dynamically populate its drop-down selections.
You can choose from options such as Approved, Assigned, Awaiting Approval, Informed, Internal Escalation, etc.
Ticket Category Select the category based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket categories that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_categories API Operation. This parameter makes an API call named "ticket_get_categories" to dynamically populate its drop-down selections.
You can choose from options such as Add New Detection, Alarm, Alarm / Log Delay, Change, Change / Policy Change, etc.
Urgency Select the urgency based on which you want to retrieve a list of tickets from Symantec MSS, or specify a comma-delimited list of valid ticket urgencies that are set by MSS and based on which you want to retrieve the list of tickets from Symantec MSS.
This operation uses the ticket_get_urgencies API Operation. This parameter makes an API call named "ticket_get_urgencies" to dynamically populate its drop-down selections.
You can choose from the following options: Low, Routine, High, or Critical.
Ticket ID Comma-delimited list of valid MSS ticket numbers based on which you want to retrieve a list of tickets from Symantec MSS.
Client Reference Comma-delimited list of client reference values based on which you want to retrieve a list of tickets from Symantec MSS. Since some ClientReference values may have commas, the individual values are matched using a LIKE operator.
Device Comma-delimited list of valid device names based on which you want to retrieve a list of tickets from Symantec MSS. You can find a device name by using the "Get User Devices" operation.
Requested By Organization Select the organization that has requested the ticket whose associated a list of tickets you want to retrieve from Symantec MSS, or specify a comma-delimited list of valid requested by organizations that are set by MSS whose associated a list of tickets you want to retrieve from Symantec MSS.
This operation uses the user_get_organization API Operation. This parameter makes an API call named "user_get_organization" to dynamically populate its drop-down selections.
Assigned to Organization Select the organization that has been assigned the ticket whose associated a list of tickets you want to retrieve from Symantec MSS, or specify a comma-delimited list of valid assigned to organizations that are set by MSS whose associated a list of tickets you want to retrieve from Symantec MSS.
This operation uses the user_get_organization API Operation. This parameter makes an API call named "user_get_organization" to dynamically populate its drop-down selections.
Max Tickets Maximum number of tickets that this operation should return
Get Ticket Recent List Select this checkbox to search for tickets based on the created timestamp and updated timestamps for the following parameters: Request comments/Activity Log, Client Reference, or Assigned to.

Output

The output contains the following populated JSON schema:
{
     "Urgency": "",
     "UpdateTimestampGMT": "",
     "Description": "",
     "CreatedDate": "",
     "ClosureCodeString": "",
     "RelatedTickets": "",
     "LastModifiedDate": "",
     "RequestedByOrgID": "",
     "Status": "",
     "TicketCategory": "",
     "TicketID": "",
     "AssignedToOrgName": "",
     "RelatedDeviceList": "",
     "RequestedByPersonName": "",
     "Active": "",
     "ClosedDate": "",
     "RelatedSecurityIncidents": "",
     "LastUpdated": "",
     "Deadline": "",
     "AssignedToOrgID": "",
     "RequestedByOrgName": "",
     "ClientReference": ""
}

operation: Query Ticket

Input parameters

Parameter Description
Ticket ID ID of the ticket in the SOC whose details you want to retrieve from Symantec MSS.
Note: If you specify both the ticket ID and the client reference ticket number, then the ticket ID will be used by this operation.
Client Reference Customer reference ticket number that is specified during the creation of the ticket creation (currently, using the portal) whose details you want to retrieve from Symantec MSS.

Output

The output contains the following populated JSON schema:
{
     "Ticket": {
         "Urgency": "",
         "UpdateTimestampGMT": "",
         "Description": "",
         "CreatedDate": "",
         "ClosureCodeString": "",
         "ActivityLog": "",
         "@xmlns:xsi": "",
         "RelatedTickets": "",
         "LastModifiedDate": "",
         "TicketID": "",
         "RequestedByOrgID": "",
         "Status": "",
         "TicketCategory": "",
         "RelatedDeviceList": "",
         "AssignedToOrgName": "",
         "Active": "",
         "RequestedByPersonName": "",
         "ClosedDate": "",
         "@xmlns": "",
         "@xmlns:xsd": "",
         "RelatedSecurityIncidents": "",
         "LastUpdated": "",
         "Deadline": "",
         "AssignedToOrgID": "",
         "RequestedByOrgName": "",
         "ClientReference": ""
     }
}

operation: Get List of Ticket Attachment

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated list of attachments you want to retrieve from Symantec MSS.

Output

The output contains the following populated JSON schema:
{
     "Attachments": {
         "@xmlns": "",
         "Attachment": {
             "FileName": "",
             "AttachmentOID": ""
         }
     }
}

operation: Get Ticket Attachment

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated attachments contents you want to retrieve from Symantec MSS.
Attachment Item OID OID of the attachment item that you want to download from Symantec MSS.
To get the Attachment Item OID for the ticket, use the "Get List of Ticket Attachment" operation.
Is All Attachments Required Selecting this checkbox, i.e, setting it to true, retrieves all the attachments associated with the specified ticket ID.
Clearing this checkbox, i.e, setting it to false, fetch only those attachments that are associated with Attachment Item OID and TicketID.

Output

The output contains the following populated JSON schema:
{
     "file_iri": "",
     "attachments_iri": ""
}

operation: Delete Ticket Attachments

Input parameters

Parameter Description
Ticket ID ID of the ticket service case whose associated attachments you want to delete from Symantec MSS.
Ticket service case ID.
Attachment OID AttachmentOID array that you want to delete from the specified ticket in Symantec MSS.
Update Comment (Optional) Comments that you want to associate with deletion of the attachments.
Retry Attempts (Optional) Number of times this operation should retry in case of failures.

Output

The output contains the following populated JSON schema:
{
     "TicketIDs": {
         "@xmlns": "",
         "isFiledDeleted": "",
         "isMatchFound": "",
         "isHistoryLineSaved": "",
         "isCommentSaved": ""
     }
}

Included playbooks

The Sample - Symantec MSS - 1.0.0 playbook collection comes bundled with the Symantec MSS connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPsTM after importing the Symantec MSS connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.