Symantec Security Analytics v1.0.0


About the connector

The Symantec Security Analytics connector provides automated operations for advanced network forensics and real-time content inspection of all network traffic.

This document provides information about the Symantec Security Analytics connector, which facilitates automated interactions with a Symantec Security Analytics server using FortiSOAR™ playbooks. Add the Symantec Security Analytics connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of sensors or alerts from Symantec Security Analytics based on the input parameters you have specified, or initiating artifact extraction from Symantec Security Analytics based on the extraction type and other input parameters you have specified.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-symantec-security-analytics

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

  • You must have the URL of the Symantec Security Analytics server to which you will connect and perform automated operations, and the username to access that server.
  • You must have the API key to access the Symantec Security Analytics CMC API.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In CyOPs™, on the Connectors page, select the Symantec Security Analytics connector and click Configure to configure the following parameters:

Parameter | Description
Server URL | URL of the Symantec Security Analytics CMC server to which you will connect and perform automated operations.
Port | Port number used to connect to the Symantec Security Analytics CMC server.
Username | Username to access the Symantec Security Analytics CMC server.
Symantec CMC API Key | API key to access the Symantec Security Analytics CMC API.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:

Function | Description | Annotation and Category
Get Sensor List | Retrieves a list of sensors from Symantec Security Analytics, based on the input parameters you have specified. | get_sensor / Investigation
Get Alerts | Retrieves a list of alerts from Symantec Security Analytics, based on the time range and other input parameters you have specified. | get_alerts / Investigation
Get Alerts Details | Retrieves a summary of alerts from Symantec Security Analytics, based on the time range and other input parameters you have specified. | get_alerts / Investigation
Get Alerts Timeline Data | Retrieves a histogram of alerts from Symantec Security Analytics, based on the time range and other input parameters you have specified. | get_alerts / Investigation
Start Artifact Extractions | Initiates artifact extraction from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. | start_extractions / Investigation
Start Extractions for MD5 | Initiates artifact extraction on an MD5 hash from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. | start_extractions / Investigation
Start Extractions for SHA1 | Initiates artifact extraction on a SHA1 hash from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. | start_extractions / Investigation
Start Extractions for SHA256 | Initiates artifact extraction on a SHA256 hash from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. | start_extractions / Investigation
Start Extractions for IP Address | Initiates artifact extraction on an IP address from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. | start_extractions / Investigation
Start Extractions for Port | Initiates artifact extraction on a port number from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. | start_extractions / Investigation
Start Extractions for Protocol | Initiates artifact extraction on a protocol from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. | start_extractions / Investigation
Search for Artifacts in Extraction | Retrieves details about an artifact from Symantec Security Analytics, based on the artifact ID, search ID, and other input parameters you have specified. | get_sensor / Investigation
Get Artifact Reputation | Retrieves the reputation of an artifact from a specified provider in Symantec Security Analytics, based on the artifact ID and other input parameters you have specified. | get_artifact_reputation / Investigation
Get Sensors Status | Retrieves the status of all sensors or of specific sensors from Symantec Security Analytics, based on the sensor or appliance ID you have specified. | get_sensor_status / Investigation
Get Artifact Rootcause | Retrieves the referrer chain of an artifact from Symantec Security Analytics, based on the artifact ID, artifact search ID, and other input parameters you have specified. | get_artifact_rootcause / Investigation
List All Enrichment Providers | Retrieves a list of all enrichment providers from Symantec Security Analytics. | get_providers / Investigation

operation: Get Sensor List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criteria are applied and an unfiltered list is returned.

Parameter | Description
Filter Key | Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator | Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value | Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Sort | Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. You can use one of the following keys: "Name", "Model", "Connected", "Capturing", or "Last Selected".
Sort By | Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either Ascending or Descending order.
Page Number | Page number from which you want to request data from Symantec Security Analytics.
Max Number of Records Per Page | Maximum number of records that the operation should fetch per page from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"GroupAppliance": [],
"ApplianceAuth": [],
"Meta": [],
"Group": [],
"Label": [],
"User": [],
"UserRemoteGroup": [],
"Appliance": []
},
"paging": {
"Appliance": {
"limit": "",
"current": "",
"nextPage": "",
"order": {
"Appliance.name": ""
},
"paramType": "",
"options": {
"order": {
"Appliance.name": ""
},
"page": ""
},
"page": "",
"pageCount": "",
"count": "",
"prevPage": ""
}
},
"result": [
{
"GroupAppliance": [
{
"group_id": "",
"id": "",
"appliance_id": "",
"Group": {
"default": "",
"description": "",
"remote": "",
"id": "",
"deepsee": "",
"groupname": "",
"outside_groups": ""
}
}
],
"Label": [],
"Appliance": {
"name": "",
"capturing": false,
"model": "",
"id": "",
"host": "",
"last_selected": "",
"api": "",
"meta_data": {
"cmc_management": {
"licensed": ""
},
"deepsee": {
"licensed": ""
},
"appliance_box": "",
"eval": "",
"version": "",
"model": "",
"licensed": "",
"capture": {
"licensed": ""
},
"manager_box": "",
"build": ""
},
"connected": "",
"cmc_proxy_key_hash": "",
"cmc_proxy_key": ""
},
"ApplianceAuth": [
{
"auto_assigned": "",
"id": "",
"appliance_id": "",
"remote_username": "",
"user_id": "",
"User": {
"account_disabled": "",
"id": "",
"accept_eula": "",
"api_key": "",
"failed_auth_attempts": "",
"username": "",
"eula_date": "",
"local": "",
"pagination_limit": "",
"unit_network": "",
"role": "",
"name": "",
"email": ""
},
"updated": "",
"role": ""
}
]
}
]
}

operation: Get Alerts

Input parameters

Parameter | Description
Filter Key | (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator | (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value | (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Sensor ID (Appliance ID) | (Optional) Sensor ID or Appliance ID based on which you want to pull alerts from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Start Date | Start date and time from which you want to pull alerts from Symantec Security Analytics.
End Date | End date and time until which you want to pull alerts from Symantec Security Analytics.
Sort By | (Optional) Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either Ascending or Descending order.
Page Number | (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page | (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"NotificationAlert": [],
"res": [],
"Meta": [],
"NotificationAlertHit": []
},
"paging": {
"NotificationAlert": {
"limit": "",
"current": "",
"nextPage": "",
"order": {
"NotificationAlert.modified_date": ""
},
"paramType": "",
"options": {
"order": {
"NotificationAlert.modified_date": ""
}
},
"page": "",
"pageCount": "",
"count": "",
"prevPage": ""
}
},
"result": {
"pageCount": "",
"rows": []
}
}

operation: Get Alerts Details

Input parameters

Parameter | Description
Filter Key | (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator | (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value | (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Sensor ID (Appliance ID) | (Optional) Sensor ID or Appliance ID based on which you want to pull alerts from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Start Date | Start date and time from which you want to pull alerts from Symantec Security Analytics.
End Date | End date and time until which you want to pull alerts from Symantec Security Analytics.
Sort By | (Optional) Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either Ascending or Descending order.
Group By | Group key that you can apply to the result that is retrieved from Symantec Security Analytics. You can use one of the following group keys: "Integration Provider", "Importance", "Rule", "Indicator", "Source IP", "Destination IP", "Source Port", "Destination Port", "Source Mac", "Destination Mac", "Type", "Cached", or "Score".
Page Number | (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page | (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"NotificationAlert": [],
"res": [],
"Meta": [],
"NotificationAlertHit": []
},
"paging": {
"NotificationAlert": {
"limit": "",
"current": "",
"nextPage": "",
"order": {
"NotificationAlert.modified_date": ""
},
"paramType": "",
"options": {
"order": {
"NotificationAlert.modified_date": ""
}
},
"page": "",
"pageCount": "",
"count": "",
"prevPage": ""
}
},
"result": {
"pageCount": "",
"rows": []
}
}

operation: Get Alerts Timeline Data

Input parameters

Parameter | Description
Filter Key | (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator | (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value | (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date | Start date and time from which you want to pull alerts from Symantec Security Analytics.
End Date | End date and time until which you want to pull alerts from Symantec Security Analytics.
Sensor ID (Appliance ID) | (Optional) Sensor ID or Appliance ID based on which you want to pull alerts from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"NotificationAlert": [],
"res": [],
"Meta": []
},
"paging": [],
"result": {
"rows": []
}
}

operation: Start Artifact Extractions

Input parameters

Parameter | Description
Sensor ID (Appliance ID) | (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Select Extraction Type | Extraction type based on which you want to pull records from Symantec Security Analytics. You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key | (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator | (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value | (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date | (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date | (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number | (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page | (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count | (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By | (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. For "Artifacts Timeline", you can choose one of Date, Source, Type, or Size. For "IM Conversations", you can choose one of Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction | (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for MD5

Input parameters

Parameter | Description
Sensor ID (Appliance ID) | (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Select Extraction Type | Extraction type based on which you want to pull records from Symantec Security Analytics. You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key | (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator | (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value | (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date | (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date | (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number | (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page | (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count | (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By | (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. For "Artifacts Timeline", you can choose one of Date, Source, Type, or Size. For "IM Conversations", you can choose one of Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction | (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}
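The extraction operations above return the search asynchronously: the result carries artifact_search_id, percentcomplete and killed, and the Check Action Finish Count parameter bounds how many times the connector re-checks it. The following is an added example, not the connector's own code, that polls such a result in the same bounded way and then pulls well-formed hashes and IP addresses out of sorted_artifacts; it assumes percentcomplete is a 0 to 100 value and a truthy killed means the search was aborted, and uses a stand-in fetch callable with constructed responses in place of the API call.

```python
# Added example (not the connector's own code): bounded polling of a
# Start Extractions result and a summary of the artifacts it returns.
# Field names follow the output schema on this page; the meaning of
# 'percentcomplete' (0-100) and 'killed' (truthy = aborted) is assumed.
import ipaddress
import re
from typing import Any, Callable, Dict, List

Result = Dict[str, Any]

# Expected hex-digit lengths of the hash fields in the Artifact schema.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
_HEX = re.compile(r"^[0-9a-f]+$")


def extraction_finished(result: Result) -> bool:
    """True when the extraction has ended, either completed or killed."""
    if result.get("killed"):
        return True
    try:
        return float(result.get("percentcomplete") or 0) >= 100
    except (TypeError, ValueError):
        # Unparseable progress is treated as 'still running'.
        return False


def poll_extraction(fetch: Callable[[str], Result], search_id: str,
                    finish_count: int) -> Dict[str, Any]:
    """Mirror 'Check Action Finish Count': query the extraction status at
    most finish_count times and stop early once it has finished."""
    last: Result = {}
    for attempt in range(1, finish_count + 1):
        last = fetch(search_id)
        if extraction_finished(last):
            return {"finished": True, "attempts": attempt, "result": last}
    # Count exhausted: hand back the last state so the playbook can decide
    # whether to keep waiting or fail the step.
    return {"finished": False, "attempts": finish_count, "result": last}


def summarize_artifacts(result: Result) -> Dict[str, Any]:
    """Collect hashes and IP addresses from result['sorted_artifacts'],
    keeping only well-formed values and recording the rest as rejected."""
    summary: Dict[str, Any] = {"md5": set(), "sha1": set(), "sha256": set(),
                               "ips": set(), "rejected": []}
    for row in result.get("sorted_artifacts", []):
        art = row.get("Artifact", {})
        for field, length in HASH_LENGTHS.items():
            value = str(art.get(field) or "").strip().lower()
            if not value:
                continue
            if len(value) == length and _HEX.match(value):
                summary[field].add(value)
            else:
                summary["rejected"].append((field, value))
        for field in ("source_ip", "destination_ip"):
            value = str(art.get(field) or "").strip()
            if not value:
                continue
            try:
                summary["ips"].add(str(ipaddress.ip_address(value)))
            except ValueError:
                summary["rejected"].append((field, value))
    return summary


# Constructed sample: two status responses for one search; the second one
# carries two artifacts, one with a malformed md5 and a bad IP. Made-up values.
SAMPLE_RESPONSES: List[Result] = [
    {"artifact_search_id": "42", "percentcomplete": "40", "killed": "",
     "numResults": "", "sorted_artifacts": []},
    {"artifact_search_id": "42", "percentcomplete": "100", "killed": "",
     "numResults": "2", "sorted_artifacts": [
         {"Artifact": {"md5": "0123456789abcdef0123456789abcdef",
                       "sha1": "", "sha256": "ab" * 32,
                       "source_ip": "10.0.0.5", "destination_ip": "192.0.2.10"}},
         {"Artifact": {"md5": "not-a-hash", "sha1": "", "sha256": "",
                       "source_ip": "10.0.0.5", "destination_ip": "999.1.1.1"}},
     ]},
]


def make_fake_fetch(responses: List[Result]) -> Callable[[str], Result]:
    """Stand-in for the connector's status call: replays canned responses
    and keeps returning the last one once they are used up."""
    calls = {"n": 0}

    def fetch(search_id: str) -> Result:
        idx = min(calls["n"], len(responses) - 1)
        calls["n"] += 1
        return responses[idx]
    return fetch


def run_demo(finish_count: int = 3) -> Dict[str, Any]:
    """Poll the sample extraction and summarise whatever it returned."""
    polled = poll_extraction(make_fake_fetch(SAMPLE_RESPONSES), "42", finish_count)
    return {"polled": polled, "summary": summarize_artifacts(polled["result"])}


if __name__ == "__main__":
    out = run_demo()
    print("finished:", out["polled"]["finished"], "after", out["polled"]["attempts"], "checks")
    print("ips:", sorted(out["summary"]["ips"]), "rejected:", out["summary"]["rejected"])
```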

operation: Start Extractions for SHA1

Input parameters

Parameter | Description
Sensor ID (Appliance ID) | (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Select Extraction Type | Extraction type based on which you want to pull records from Symantec Security Analytics. You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key | (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator | (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value | (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date | (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date | (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number | (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page | (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count | (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By | (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. For "Artifacts Timeline", you can choose one of Date, Source, Type, or Size. For "IM Conversations", you can choose one of Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction | (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for SHA256

Input parameters

Parameter | Description
Sensor ID (Appliance ID) | (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Select Extraction Type | Extraction type based on which you want to pull records from Symantec Security Analytics. You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key | (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator | (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value | (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date | (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date | (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number | (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page | (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count | (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By | (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. For "Artifacts Timeline", you can choose one of Date, Source, Type, or Size. For "IM Conversations", you can choose one of Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction | (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for IP Address

Input parameters

Parameter | Description
Sensor ID (Appliance ID) | (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Select Extraction Type | Extraction type based on which you want to pull records from Symantec Security Analytics. You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key | (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator | (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value | (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date | (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date | (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number | (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page | (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count | (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By | (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. For "Artifacts Timeline", you can choose one of Date, Source, Type, or Size. For "IM Conversations", you can choose one of Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction | (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for Port

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time till when you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request for data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Specify the count up to which the connector will check if the action is completed or not.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
In case of "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
In case of "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for Protocol

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time till when you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request for data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Specify the count up to which the connector will check if the action is completed or not.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
In case of "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
In case of "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}
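Added example (not part of the connector or of Fortinet's documentation) showing how a playbook step could consume the Start Extractions output above: poll up to Check Action Finish Count times using the search_status, percentcomplete and killed fields, then collect the artifact IDs and hashes that the Search for Artifacts in Extraction and Get Artifact Reputation operations take as input. The completion semantics (percentcomplete "100" or search_status "complete" means done, a truthy killed means aborted), the poll callback and the sample responses are assumptions constructed here, not taken from the page.

```python
import json
from typing import Any, Callable, Dict, List

# Constructed sample poll responses shaped like the "Start Extractions" output
# schema documented above; only the fields this example reads are filled in.
# The hash values are the well-known digests of empty input, used as stand-ins.
SAMPLE_POLL_RESPONSES: List[Dict[str, Any]] = [
    {"resultCode": "ok", "result": {"artifact_search_id": "42",
        "search_status": "running", "percentcomplete": "35", "killed": "",
        "sorted_artifacts": []}},
    {"resultCode": "ok", "result": {"artifact_search_id": "42",
        "search_status": "running", "percentcomplete": "80", "killed": "",
        "sorted_artifacts": []}},
    {"resultCode": "ok", "result": {"artifact_search_id": "42",
        "search_status": "complete", "percentcomplete": "100", "killed": "",
        "sorted_artifacts": [
            {"Artifact": {"id": "7", "filename": "invoice.exe",
                          "md5": "d41d8cd98f00b204e9800998ecf8427e",
                          "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                          "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                          "artifact_search_id": "42", "destination_port": "443"}},
            {"Artifact": {"id": "8", "filename": "index.html",
                          "md5": "", "sha1": "", "sha256": "",
                          "artifact_search_id": "42", "destination_port": "80"}},
        ]}},
]


def extraction_state(response: Dict[str, Any]) -> str:
    """Classify one poll response as 'killed', 'complete' or 'running'.

    Assumption (not from the page): "killed" is truthy when the search was
    aborted on the appliance, and "percentcomplete" reaches "100" (or
    "search_status" reads "complete") when it has finished.
    """
    result = response.get("result") or {}
    if result.get("killed"):
        return "killed"
    try:
        pct = float(result.get("percentcomplete") or 0)
    except ValueError:
        pct = 0.0
    if pct >= 100 or str(result.get("search_status", "")).lower() == "complete":
        return "complete"
    return "running"


def wait_for_extraction(poll: Callable[[], Dict[str, Any]],
                        finish_count: int) -> Dict[str, Any]:
    """Poll up to finish_count times, mirroring "Check Action Finish Count".

    Returns {"state", "checks", "response"}. A state of "pending" means the
    limit was reached while the search was still running, so the playbook
    should schedule another check instead of treating a partial result as final.
    """
    if finish_count < 1:
        raise ValueError("finish_count must be at least 1")
    last: Dict[str, Any] = {}
    for checks in range(1, finish_count + 1):
        last = poll()  # hypothetical callback standing in for the connector call
        state = extraction_state(last)
        if state != "running":
            return {"state": state, "checks": checks, "response": last}
    return {"state": "pending", "checks": finish_count, "response": last}


def collect_artifact_hashes(response: Dict[str, Any]) -> List[Dict[str, str]]:
    """Pull the IDs and hashes that the follow-up operations take as input.

    Artifacts carrying no hash at all are skipped so that a downstream
    "Get Artifact Reputation" step is not fed empty values.
    """
    out: List[Dict[str, str]] = []
    for entry in (response.get("result") or {}).get("sorted_artifacts") or []:
        art = entry.get("Artifact") or {}
        hashes = {k: art.get(k, "") for k in ("md5", "sha1", "sha256")}
        if not any(hashes.values()):
            continue
        out.append({"artifact_id": art.get("id", ""),
                    "artifact_search_id": art.get("artifact_search_id", ""),
                    "filename": art.get("filename", ""), **hashes})
    return out


def make_poller(responses: List[Dict[str, Any]]) -> Callable[[], Dict[str, Any]]:
    """Replay the constructed responses in order, repeating the last one once
    exhausted; this stands in for repeated calls to the connector."""
    state = {"i": 0}

    def poll() -> Dict[str, Any]:
        idx = min(state["i"], len(responses) - 1)
        state["i"] += 1
        return responses[idx]
    return poll


if __name__ == "__main__":
    outcome = wait_for_extraction(make_poller(SAMPLE_POLL_RESPONSES), finish_count=5)
    print(outcome["state"], "after", outcome["checks"], "checks")
    print(json.dumps(collect_artifact_hashes(outcome["response"]), indent=2))
```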

operation: Search for Artifacts in Extraction

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose details you want to retrieve from Symantec Security Analytics. Defaults to 1.
Search ID Search ID that is generated from the extraction based on which you want to retrieve artifact details from Symantec Security Analytics. Defaults to 1.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"Meta": [],
"UserSetting": [],
"MetaInfo": [],
"DeepseeFavorite": [],
"res": []
},
"paging": [],
"result": {
"artifacts": [
{
"PresentedFilename": {
"value": ""
},
"Artifact": {
"filename": "",
"source_ip": "",
"meta_info": [],
"mime_type": "",
"magic_type": "",
"referer": "",
"icon": "",
"flow_id": "",
"capture_end_nanoseconds": "",
"artifact_search_id": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"sha1": "",
"id": "",
"extension": "",
"host": "",
"destination_port": "",
"source_port": "",
"wh_ratio": "",
"capture_start_time": "",
"protocol": "",
"height": "",
"capture_start_nanoseconds": "",
"session_id": "",
"width": "",
"derived_type": ""
}
}
]
}
}

operation: Get Artifact Reputation

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose reputation you want to retrieve from Symantec Security Analytics. Defaults to 1.
Provider (Optional) Provider whose artifact reputation you want to retrieve from Symantec Security Analytics.
Artifact Field (Optional) Artifact field based on which you want to retrieve the reputation of the artifact from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"ip": [],
"Artifact": [],
"ipt": [],
"MetaInfo": [],
"res": [],
"Reputation": [],
"Meta": []
},
"result": {
"reputation_results": {
"status": "",
"artifact": {
"filename": "",
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"hw_ratio": "",
"artifact_search_id": "",
"destination_port": "",
"referer": "",
"capture_end_nanoseconds": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"flow_id": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"sha1": "",
"id": "",
"extension": "",
"host": "",
"original_filename": "",
"source_port": "",
"meta_info": {
"filename": "",
"request_headers": "",
"response_code": "",
"response_headers": "",
"method": ""
},
"capture_start_time": "",
"protocol": "",
"mime_type": "",
"capture_start_nanoseconds": "",
"session_id": "",
"width": "",
"derived_type": ""
},
"score": "",
"flags": [],
"provider_responses": [
{
"score": "",
"response": {
"score": "",
"flags": [],
"status": "",
"result": "",
"value": "",
"responses": {
"MD5 Hash": "",
"Artifact": "",
"First Seen Date": "",
"Anti Virus Engine Count": "",
"score": "",
"SHA256 Hash": "",
"Whitelist Lookup": "",
"GIN Blacklist": "",
"SHA1 Hash": "",
"Anti Virus Engines": ""
}
},
"success": "",
"integration_provider": {
"integration_provider_category": {
"name": ""
},
"integration_provider_category_uuid": "",
"active": "",
"class_type": "",
"ordinal": "",
"last_modified_date": "",
"integration_provider_type_uuid": "",
"data": {
"category": "",
"type": "",
"integration_provider_uuid": ""
},
"uuid": "",
"licensed": "",
"pivot_url": "",
"integration_provider_tonic_actions": [],
"description": "",
"integration_provider_type": {
"abyssal": "",
"bigfile": "",
"last_modified_date": "",
"creatable": "",
"user_initiated": "",
"league": "",
"associate_with_action": "",
"deletable": "",
"internal_name": "",
"edit_type": "",
"name": "",
"pivot_only": ""
},
"name": "",
"appliance_id": "",
"integration_provider_type_field_set": {
"name": ""
}
},
"request_id": "",
"value": "",
"name": ""
}
],
"cacheIds": [],
"result": "",
"responses": []
}
},
"paging": []
}

operation: Get Sensors Status

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID whose status you want to retrieve from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": "",
"errors": [],
"validationErrors": {
"Meta": [],
"ApplianceAuth": [],
"Label": [],
"LocalRepository": [],
"User": [],
"UserRemoteGroup": [],
"Appliance": []
},
"paging": [],
"result": {
"applianceStatuses": {}
}
}

operation: Get Artifact Rootcause

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull artifacts rootcause from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose rootcause you want to retrieve from Symantec Security Analytics. Defaults to 1.
Artifact Search ID Artifact Search ID that is generated from the extraction based on which you want to retrieve artifacts rootcause from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactSearch": [],
"Meta": [],
"ApplianceAuth": [],
"Label": [],
"User": [],
"ApplianceArtifactSearch": [],
"UserRemoteGroup": [],
"Appliance": []
},
"result": {
"ims": "",
"emails": "",
"applianceArtifactSearches": [],
"referer": []
},
"paging": []
}

operation: List All Enrichment Providers

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"ip": [],
"Meta": [],
"User": [],
"Label": [],
"ApplianceAuth": [],
"UserRemoteGroup": [],
"Appliance": [],
"ipt": []
},
"result": {
"pageCount": "",
"rows": [
{
"integration_provider_category": {
"name": ""
},
"integration_provider_category_uuid": "",
"active": "",
"class_type": "",
"ordinal": "",
"last_modified_date": "",
"integration_provider_type_uuid": "",
"data": "",
"uuid": "",
"description": "",
"pivot_url": "",
"integration_provider_tonic_actions": [],
"licensed": "",
"integration_provider_type": {
"abyssal": "",
"bigfile": "",
"last_modified_date": "",
"creatable": "",
"user_initiated": "",
"league": "",
"associate_with_action": "",
"deletable": "",
"internal_name": "",
"edit_type": "",
"name": "",
"pivot_only": ""
},
"name": "",
"appliance_id": "",
"integration_provider_type_field_set": {
"name": ""
}
}
]
},
"paging": []
}

Included playbooks

The Sample - Symantec-Security-Analytics - 1.0.0 playbook collection comes bundled with the Symantec Security Analytics connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Symantec Security Analytics connector.

  • Get Alerts List
  • Get Alerts Summary
  • Get Alerts Timeline Data
  • Get All Providers
  • Get Artifact Reputation
  • Get Artifact Rootcause
  • Get Sensor List
  • Search for Artifacts in Extraction
  • Start Artifact Extractions
  • Start Extractions for IP Address
  • Start Extractions for MD5
  • Start Extractions for Port
  • Start Extractions for Protocol
  • Start Extractions for SHA1
  • Start Extractions for SHA256

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Previous
Next

About the connector

Symantec Security Analytics connector provides automated operations for advanced network forensics, and real-time content inspection for all network traffic.

This document provides information about the Symantec Security Analytics connector, which facilitates automated interactions, with a Symantec Security Analytics server using FortiSOAR™ playbooks. Add the Symantec Security Analytics connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of sensors or alerts from Symantec Security Analytics, based on the input parameters you have specified, or initiating artifact extraction from Symantec Security Analytics, based on the extraction type and other input parameters you have specified.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-symantec-security-analytics

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In CyOPsTM, on the connectors page, select the Symantec Security Analytics connector and click Configure to configure the following parameters:

Parameter Description
Server URL URL of the Symantec Security Analytics CMC server to which you will connect and perform automated operations.
Port Port number to connect Symantec Security Analytics CMC server.
Username Username to access the Symantec Security Analytics CMC server.
Symantec CMC API Key API key to access Symantec Security Analytics CMC API.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get Sensor List Retrieves a list of sensors from Symantec Security Analytics, based on the input parameters you have specified. get_sensor
Investigation
Get Alerts Retrieves a list of alerts from Symantec Security Analytics, based on the time range and other input parameters you have specified. get_alerts
Investigation
Get Alerts Details Retrieve a summary of alerts from Symantec Security Analytics, based on the time range and other input parameters you have specified. get_alerts
Investigation
Get Alerts Timeline Data Retrieve the histogram of alerts from Symantec Security Analytics, based on the time range and other input parameters you have specified. get_alerts
Investigation
Start Artifact Extractions Initiates artifact extraction from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. start_extractions
Investigation
Start Extractions for MD5 Initiates artifact extraction on the MD5 hash from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Start Extractions for SHA1 Initiates artifact extraction on the SHA1 from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Start Extractions for SHA256 Initiates artifact extraction on the SHA256 from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Start Extractions for IP Address Initiates artifact extraction on the IP address from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Start Extractions for Port Initiates artifact extraction on the port number from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Start Extractions for Protocol Initiates artifact extraction on the protocol from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Search for Artifacts in Extraction Retrieves details about an artifact from Symantec Security Analytics, based on the artifact ID, search ID, and other input parameters you have specified. get_sensor
Investigation
Get Artifact Reputation Retrieves the reputation of an artifact from a specified provider, from Symantec Security Analytics based on the artifact ID and other input parameters you have specified. get_artifact_reputation
Investigation
Get Sensors Status Retrieves the status of all sensors or specific sensors from Symantec Security Analytics based on the sensor or appliance ID you have specified. get_sensor_status
Investigation
Get Artifact Rootcause Retrieves the referrer chain of an artifact from Symantec Security Analytics based on the artifact ID, artifact search ID, and other input parameters you have specified. get_artifact_rootcause
Investigation
List All Enrichment Providers Retrieves a list of all enrichment providers from Symantec Security Analytics get_providers
Investigation

operation: Get Sensor List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied, and an unfiltered list is returned.

Parameter Description
Filter Key Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Sort Sort keys that you can apply to the result that is retrieved from Symantec Security Analytics.
You can use one of the following keys: "Name","Model","Connected","Capturing", or "Last Selected".
Sort By Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Page Number Page number from which you want to request for data from Symantec Security Analytics.
Max Number of Records Per Page Maximum number of records that the operation should fetch per page from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"GroupAppliance": [],
"ApplianceAuth": [],
"Meta": [],
"Group": [],
"Label": [],
"User": [],
"UserRemoteGroup": [],
"Appliance": []
},
"paging": {
"Appliance": {
"limit": "",
"current": "",
"nextPage": "",
"order": {
"Appliance.name": ""
},
"paramType": "",
"options": {
"order": {
"Appliance.name": ""
},
"page": ""
},
"page": "",
"pageCount": "",
"count": "",
"prevPage": ""
}
},
"result": [
{
"GroupAppliance": [
{
"group_id": "",
"id": "",
"appliance_id": "",
"Group": {
"default": "",
"description": "",
"remote": "",
"id": "",
"deepsee": "",
"groupname": "",
"outside_groups": ""
}
}
],
"Label": [],
"Appliance": {
"name": "",
"capturing": false,
"model": "",
"id": "",
"host": "",
"last_selected": "",
"api": "",
"meta_data": {
"cmc_management": {
"licensed": ""
},
"deepsee": {
"licensed": ""
},
"appliance_box": "",
"eval": "",
"version": "",
"model": "",
"licensed": "",
"capture": {
"licensed": ""
},
"manager_box": "",
"build": ""
},
"connected": "",
"cmc_proxy_key_hash": "",
"cmc_proxy_key": ""
},
"ApplianceAuth": [
{
"auto_assigned": "",
"id": "",
"appliance_id": "",
"remote_username": "",
"user_id": "",
"User": {
"account_disabled": "",
"id": "",
"accept_eula": "",
"api_key": "",
"failed_auth_attempts": "",
"username": "",
"eula_date": "",
"local": "",
"pagination_limit": "",
"unit_network": "",
"role": "",
"name": "",
"email": ""
},
"updated": "",
"role": ""
}
]
}
]
}

operation: Get Alerts

Input parameters

Parameter Description
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull alerts from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Start Date Start date and time from when you want to pull alerts from Symantec Security Analytics.
End Date End date and time till when you want to pull alerts from Symantec Security Analytics.
Sort By (Optional) Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Page Number (Optional) Page number from which you want to request for data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"NotificationAlert": [],
"res": [],
"Meta": [],
"NotificationAlertHit": []
},
"paging": {
"NotificationAlert": {
"limit": "",
"current": "",
"nextPage": "",
"order": {
"NotificationAlert.modified_date": ""
},
"paramType": "",
"options": {
"order": {
"NotificationAlert.modified_date": ""
}
},
"page": "",
"pageCount": "",
"count": "",
"prevPage": ""
}
},
"result": {
"pageCount": "",
"rows": []
}
}

operation: Get Alerts Details

Input parameters

Parameter Description
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull alerts from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Start Date Start date and time from when you want to pull alerts from Symantec Security Analytics.
End Date End date and time till when you want to pull alerts from Symantec Security Analytics.
Sort By (Optional) Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Group By Group keys that you can apply to the result that is retrieved from Symantec Security Analytics.
You can use one of the following group keys: "Integration Provider","Importance","Rule","Indicator","Source IP","Destination IP","Source Port","Destination Port","Source Mac","Destination Mac","Type","Cached",or "Score".
Page Number (Optional) Page number from which you want to request for data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"NotificationAlert": [],
"res": [],
"Meta": [],
"NotificationAlertHit": []
},
"paging": {
"NotificationAlert": {
"limit": "",
"current": "",
"nextPage": "",
"order": {
"NotificationAlert.modified_date": ""
},
"paramType": "",
"options": {
"order": {
"NotificationAlert.modified_date": ""
}
},
"page": "",
"pageCount": "",
"count": "",
"prevPage": ""
}
},
"result": {
"pageCount": "",
"rows": []
}
}

operation: Get Alerts Timeline Data

Input parameters

Parameter Description
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date Start date and time from when you want to pull alerts from Symantec Security Analytics.
End Date End date and time till when you want to pull alerts from Symantec Security Analytics.
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull alerts from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"NotificationAlert": [],
"res": [],
"Meta": []
},
"paging": [],
"result": {
"rows": []
}
}

operation: Start Artifact Extractions

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
This is the sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
In case of "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
In case of "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
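The Start Extractions operations (Start Artifact Extractions and the Start Extractions for MD5, SHA1, SHA256, IP Address, Port and Protocol variants) all take the inputs listed above, and several of them constrain each other: Sort By and Direction are only valid for two of the three extraction types, the filter operator must come from a fixed set, Sensor IDs arrive as either a CSV string or a list, and Check Action Finish Count bounds how many times completion is re-checked. The following Python is an added example, not connector source code from Fortinet or Symantec. It validates a parameter set against exactly the documented constraints and polls a constructed result object using the documented `percentcomplete` and `killed` output fields. Assumptions, also marked in comments: a filter is only meaningful when key, operator and value are all given; an extraction counts as finished once `percentcomplete` reaches 100; the `fetch_result` callback and the example `search_status` values are stand-ins for the real API call.

```python
"""Input validation and completion polling for the Start Extractions operations.
Added example, not part of the connector. Operators, extraction types, sort keys,
directions and the result fields (percentcomplete, killed) follow the documented
parameters; the polling callback and 'finished at 100 percent' are assumptions."""
from typing import Any, Callable, Dict, Iterable, List, Optional, Union

FILTER_OPERATORS = {"=", "!=", "~", "!~", ">", ">=", "<", "<="}
EXTRACTION_TYPES = {"Artifacts", "Artifacts Timeline", "IM Conversations"}
# Sort By is documented only for these two types; "Artifacts" takes no sort key.
SORT_KEYS: Dict[str, set] = {
    "Artifacts Timeline": {"Date", "Source", "Type", "Size"},
    "IM Conversations": {"Date", "Source", "Type", "Size", "Sender", "Recipient", "Subject"},
}
DIRECTIONS = {"Ascending", "Descending"}


def normalize_sensor_ids(sensor_ids: Union[None, str, Iterable[Any]]) -> List[str]:
    """Accept the documented CSV string or list form; [] means the default 'All Sensors'."""
    if sensor_ids is None:
        return []
    parts = sensor_ids.split(",") if isinstance(sensor_ids, str) else [str(p) for p in sensor_ids]
    return [p.strip() for p in parts if p.strip()]


def build_extraction_params(extraction_type: str, sensor_ids: Union[None, str, Iterable[Any]] = None,
                            filter_key: Optional[str] = None, filter_operator: Optional[str] = None,
                            filter_value: Optional[str] = None, page_number: int = 1,
                            max_records: Optional[int] = None, sort_by: Optional[str] = None,
                            direction: Optional[str] = None) -> Dict[str, Any]:
    """Reject inputs that violate the documented constraints before anything is sent."""
    if extraction_type not in EXTRACTION_TYPES:
        raise ValueError(f"unknown extraction type {extraction_type!r}")
    if page_number < 1:
        raise ValueError("Page Number must be 1 or greater")
    if max_records is not None and max_records < 1:
        raise ValueError("Max Number of Records Per Page must be positive")
    params: Dict[str, Any] = {"extraction_type": extraction_type,
                              "sensor_ids": normalize_sensor_ids(sensor_ids),
                              "page_number": page_number}
    if max_records is not None:
        params["max_records_per_page"] = max_records
    # Assumption: an advanced filter needs key, operator and value together.
    parts = (filter_key, filter_operator, filter_value)
    if any(p is not None for p in parts):
        if not all(p is not None for p in parts):
            raise ValueError("Filter Key, Filter Operator and Filter Value must be given together")
        if filter_operator not in FILTER_OPERATORS:
            raise ValueError(f"unsupported filter operator {filter_operator!r}")
        params["filter"] = {"key": filter_key, "operator": filter_operator, "value": filter_value}
    if sort_by is not None or direction is not None:
        allowed = SORT_KEYS.get(extraction_type)
        if allowed is None:
            raise ValueError("Sort By and Direction apply only to 'Artifacts Timeline' or 'IM Conversations'")
        if sort_by is not None and sort_by not in allowed:
            raise ValueError(f"{sort_by!r} is not a sort key for {extraction_type!r}")
        if direction is not None and direction not in DIRECTIONS:
            raise ValueError(f"Direction must be one of {sorted(DIRECTIONS)}")
        params["sort"] = {"by": sort_by, "direction": direction}
    return params


def _percent_complete(result: Dict[str, Any]) -> float:
    """percentcomplete is a string in the schema; blank or unparseable counts as 0."""
    try:
        return float(result.get("percentcomplete") or 0)
    except (TypeError, ValueError):
        return 0.0


def poll_until_finished(fetch_result: Callable[[], Dict[str, Any]], check_count: int) -> Dict[str, Any]:
    """Re-check at most check_count times (Check Action Finish Count). fetch_result
    returns the response 'result' object. Reports finished=False with the last state
    when the budget runs out, so a playbook never treats a partial result as complete."""
    last: Dict[str, Any] = {}
    for attempt in range(1, check_count + 1):
        last = fetch_result()
        if str(last.get("killed", "")).lower() in ("1", "true", "yes"):
            return {"finished": False, "killed": True, "attempts": attempt, "result": last}
        if _percent_complete(last) >= 100:  # assumption: 100 means the extraction is done
            return {"finished": True, "killed": False, "attempts": attempt, "result": last}
    return {"finished": False, "killed": False, "attempts": check_count, "result": last}


def simulate_poll(states: List[Dict[str, Any]], check_count: int) -> Dict[str, Any]:
    """Drive poll_until_finished over constructed states, repeating the last one when exhausted."""
    it, holder = iter(states), {"last": states[0]}

    def fetch() -> Dict[str, Any]:
        holder["last"] = next(it, holder["last"])
        return holder["last"]
    return poll_until_finished(fetch, check_count)


if __name__ == "__main__":
    # Constructed sample states; the search_status strings are illustrative only.
    progress = [{"search_status": "running", "percentcomplete": "35", "killed": ""},
                {"search_status": "running", "percentcomplete": "80", "killed": ""},
                {"search_status": "done", "percentcomplete": "100", "killed": ""}]
    print(build_extraction_params("IM Conversations", "3, 7", sort_by="Sender", direction="Descending"))
    print(simulate_poll(progress, check_count=5)["attempts"])
```

The validation mirrors the table rather than trusting the server to reject bad combinations, which keeps playbook failures local and readable; the poller returns the last observed state on every exit path so a downstream step can distinguish "finished", "killed" and "gave up after N checks".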

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for MD5

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
This is the sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
In case of "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
In case of "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for SHA1

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
This is the sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
In case of "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
In case of "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for SHA256

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
This is the sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
In case of "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
In case of "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for IP Address

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
This is the sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
In case of "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
In case of "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for Port

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
This is the sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
In case of "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
In case of "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Start Extractions for Protocol

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
This is the sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
In case of "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
In case of "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactsSummary": [],
"ArtifactSearch": [],
"Meta": [],
"UserSetting": [],
"DeepseeFavorite": [],
"res": [],
"ReportDaemon": [],
"SavedResult": []
},
"paging": [],
"result": {
"background": "",
"sorted_artifacts": [
{
"Artifact": {
"filename": "",
"destination_port": "",
"children": [],
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"remote_artifact_id": "",
"artifact_search_id": "",
"flow_id": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"id": "",
"derived_type": "",
"host": "",
"sha1": "",
"capture_end_nanoseconds": "",
"meta_info": {
"filename": "",
"response_code": "",
"response_headers": "",
"method": "",
"request_headers": "",
"referer": "",
"parent_artifact_id": ""
},
"capture_start_time": "",
"referer": "",
"protocol": "",
"mime_type": "",
"extension": "",
"capture_start_nanoseconds": "",
"appliance_id": "",
"session_id": "",
"width": "",
"source_port": ""
}
}
],
"histogram": {
"total": [],
"data": [
{
"extra": {
"end_time": ""
},
"time": "",
"columns": []
}
],
"meta": {
"data_type": {
"text": "",
"type": ""
},
"columns": [
{
"type": "",
"text": "",
"has_total": ""
}
]
}
},
"numResults": "",
"artifact_search_id": "",
"maxpage": "",
"timeDeleted": "",
"field_counts": {
"file_extension": [],
"file_type": []
},
"time_place": "",
"search_status": "",
"percentcomplete": "",
"numFilteredArtifacts": "",
"killed": ""
}
}

operation: Search for Artifacts in Extraction

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose details you want to retrieve from Symantec Security Analytics. Defaults to 1.
Search ID Search ID that is generated from the extraction based on which you want to retrieve artifact details from Symantec Security Analytics. Defaults to 1.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"Meta": [],
"UserSetting": [],
"MetaInfo": [],
"DeepseeFavorite": [],
"res": []
},
"paging": [],
"result": {
"artifacts": [
{
"PresentedFilename": {
"value": ""
},
"Artifact": {
"filename": "",
"source_ip": "",
"meta_info": [],
"mime_type": "",
"magic_type": "",
"referer": "",
"icon": "",
"flow_id": "",
"capture_end_nanoseconds": "",
"artifact_search_id": "",
"destination_ip": "",
"capture_end_time": "",
"hw_ratio": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"sha1": "",
"id": "",
"extension": "",
"host": "",
"destination_port": "",
"source_port": "",
"wh_ratio": "",
"capture_start_time": "",
"protocol": "",
"height": "",
"capture_start_nanoseconds": "",
"session_id": "",
"width": "",
"derived_type": ""
}
}
]
}
}

operation: Get Artifact Reputation

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose reputation you want to retrieve from Symantec Security Analytics. Defaults to 1.
Provider (Optional) Provider whose artifact reputation you want to retrieve from Symantec Security Analytics.
Artifact Field (Optional) Artifact field based on which you want to retrieve the reputation of the artifact from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"ip": [],
"Artifact": [],
"ipt": [],
"MetaInfo": [],
"res": [],
"Reputation": [],
"Meta": []
},
"result": {
"reputation_results": {
"status": "",
"artifact": {
"filename": "",
"source_ip": "",
"wh_ratio": "",
"height": "",
"magic_type": "",
"hw_ratio": "",
"artifact_search_id": "",
"destination_port": "",
"referer": "",
"capture_end_nanoseconds": "",
"icon": "",
"destination_ip": "",
"capture_end_time": "",
"flow_id": "",
"pcap_path": "",
"fuzzy": "",
"filesize": "",
"md5": "",
"sha256": "",
"title": "",
"sha1": "",
"id": "",
"extension": "",
"host": "",
"original_filename": "",
"source_port": "",
"meta_info": {
"filename": "",
"request_headers": "",
"response_code": "",
"response_headers": "",
"method": ""
},
"capture_start_time": "",
"protocol": "",
"mime_type": "",
"capture_start_nanoseconds": "",
"session_id": "",
"width": "",
"derived_type": ""
},
"score": "",
"flags": [],
"provider_responses": [
{
"score": "",
"response": {
"score": "",
"flags": [],
"status": "",
"result": "",
"value": "",
"responses": {
"MD5 Hash": "",
"Artifact": "",
"First Seen Date": "",
"Anti Virus Engine Count": "",
"score": "",
"SHA256 Hash": "",
"Whitelist Lookup": "",
"GIN Blacklist": "",
"SHA1 Hash": "",
"Anti Virus Engines": ""
}
},
"success": "",
"integration_provider": {
"integration_provider_category": {
"name": ""
},
"integration_provider_category_uuid": "",
"active": "",
"class_type": "",
"ordinal": "",
"last_modified_date": "",
"integration_provider_type_uuid": "",
"data": {
"category": "",
"type": "",
"integration_provider_uuid": ""
},
"uuid": "",
"licensed": "",
"pivot_url": "",
"integration_provider_tonic_actions": [],
"description": "",
"integration_provider_type": {
"abyssal": "",
"bigfile": "",
"last_modified_date": "",
"creatable": "",
"user_initiated": "",
"league": "",
"associate_with_action": "",
"deletable": "",
"internal_name": "",
"edit_type": "",
"name": "",
"pivot_only": ""
},
"name": "",
"appliance_id": "",
"integration_provider_type_field_set": {
"name": ""
}
},
"request_id": "",
"value": "",
"name": ""
}
],
"cacheIds": [],
"result": "",
"responses": []
}
},
"paging": []
}

operation: Get Sensors Status

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID whose status you want to retrieve from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": "",
"errors": [],
"validationErrors": {
"Meta": [],
"ApplianceAuth": [],
"Label": [],
"LocalRepository": [],
"User": [],
"UserRemoteGroup": [],
"Appliance": []
},
"paging": [],
"result": {
"applianceStatuses": {}
}
}

operation: Get Artifact Rootcause

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull the artifact root cause from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose root cause you want to retrieve from Symantec Security Analytics. Defaults to 1.
Artifact Search ID Artifact Search ID that is generated from the extraction based on which you want to retrieve the artifact root cause from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"Artifact": [],
"ArtifactSearch": [],
"Meta": [],
"ApplianceAuth": [],
"Label": [],
"User": [],
"ApplianceArtifactSearch": [],
"UserRemoteGroup": [],
"Appliance": []
},
"result": {
"ims": "",
"emails": "",
"applianceArtifactSearches": [],
"referer": []
},
"paging": []
}

operation: List All Enrichment Providers

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"resultCode": "",
"messages": [],
"errors": [],
"validationErrors": {
"ip": [],
"Meta": [],
"User": [],
"Label": [],
"ApplianceAuth": [],
"UserRemoteGroup": [],
"Appliance": [],
"ipt": []
},
"result": {
"pageCount": "",
"rows": [
{
"integration_provider_category": {
"name": ""
},
"integration_provider_category_uuid": "",
"active": "",
"class_type": "",
"ordinal": "",
"last_modified_date": "",
"integration_provider_type_uuid": "",
"data": "",
"uuid": "",
"description": "",
"pivot_url": "",
"integration_provider_tonic_actions": [],
"licensed": "",
"integration_provider_type": {
"abyssal": "",
"bigfile": "",
"last_modified_date": "",
"creatable": "",
"user_initiated": "",
"league": "",
"associate_with_action": "",
"deletable": "",
"internal_name": "",
"edit_type": "",
"name": "",
"pivot_only": ""
},
"name": "",
"appliance_id": "",
"integration_provider_type_field_set": {
"name": ""
}
}
]
},
"paging": []
}

Included playbooks

The Sample - Symantec-Security-Analytics - 1.0.0 playbook collection comes bundled with the Symantec Security Analytics connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPsTM after importing the Symantec Security Analytics connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
