Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers, and servers in your network against malware. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats. The Symantec Endpoint Protection client combines different types of scans to secure your computers against virus and spyware attacks.
This document provides information about the Symantec EPM (SEPM) connector, which facilitates automated interactions with a Symantec EPM (SEPM) server using FortiSOAR™ playbooks. Add the Symantec EPM (SEPM) connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of groups configured on the device or updating information of an existing domain.
Connector Version: 1.1.1
Authored By: Community
Certified: No
The following enhancements have been made to the Symantec EPM (SEPM) connector in version 1.1.1:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-symantec-sepm
Not Applicable
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Symantec EPM (SEPM) connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. For example, https://<ServerIPAddress>:8446 |
Username | The username used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. |
Password | The password used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks; you can also use the annotations to access the operations.
Function | Description | Annotation and Category |
---|---|---|
List Groups | Retrieves details for all groups configured on the device from the Symantec EPM (SEPM) server. | list_groups Investigation |
Get Group Information | Retrieves information about a group, based on the group ID that you have specified, from the Symantec EPM (SEPM) server. | group_info Investigation |
List Endpoints | Retrieves details for all endpoints, based on the domain ID and other input parameters that you have specified, from the Symantec EPM (SEPM) server. | list_sensors Investigation |
List Domains | Retrieves details for all accessible domains from the Symantec EPM (SEPM) server. | get_domains Investigation |
Create Domain | Creates a domain, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | create_domain Investigation |
Get Domain Name | Retrieves the domain name, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. | get_domain_name Investigation |
Get Domain Information | Retrieves details about a particular domain, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. | get_domain_info Investigation |
Update Domain | Updates information about an existing domain, based on the domain ID and other input parameters that you have specified, on the Symantec EPM (SEPM) server. | updates_domain_info Investigation |
Delete Domain | Deletes a particular domain, based on the input parameters that you have specified, from the Symantec EPM (SEPM) server. | delete_domain Investigation |
Get Critical Events Information | Retrieves details associated with critical events from the Symantec EPM (SEPM) server. | critical_events_info Investigation |
Get Client Groups By Content Source | Retrieves a list and count of client groups, filtered by content download sources, from the Symantec EPM (SEPM) server. | list_client_groups_by_content_source Investigation |
List Client For Group By Content Version | Retrieves a list of clients for a group, filtered by content version, from the Symantec EPM (SEPM) server. | client_list_group_by_content_version Investigation |
List Infected Client | Retrieves a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server. | list_infected_clients Investigation |
Get Malware Reporting Clients | Retrieves a list of clients reporting malware events, based on the time range that you have specified, from the Symantec EPM (SEPM) server. | client_list_reporting_malware_events Investigation |
Get Threat Status | Retrieves details for all threat statistics from the Symantec EPM (SEPM) server. | get_threat_stats Investigation |
Scan Endpoint | Scans an endpoint to identify threats, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | scan_endpoint Investigation |
Quarantine Endpoints | Quarantines groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | isolate_endpoint Containment |
Unquarantine Endpoints | Removes the quarantine (unquarantines) of groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. | unisolate_endpoint Remediation |
Get Command Status | Retrieves the command status, based on the command ID that you have specified, from the Symantec EPM (SEPM) server. | command_status Investigation |
Get Fingerprint List Information | Retrieves the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, from the Symantec EPM (SEPM) server. | get_fingerprint_list Investigation |
Assign Fingerprint List To Group | Assigns a file fingerprint list that you have specified to a group that you have specified on the Symantec EPM (SEPM) server. | assign_fingerprint_to_group Containment |
Add Blacklist | Add a blacklist as a file fingerprint list to the Symantec EPM (SEPM) server. | add_blacklist Containment |
Update Blacklist | Updates an existing blacklist, based on the input parameters, such as the file fingerprint file ID, that you have specified, from the Symantec EPM (SEPM) server. | update_blacklist Containment |
Delete Blacklist | Deletes an existing blacklist, based on the file fingerprint file ID that you have specified, from the Symantec EPM (SEPM) server. This operation also removes this blacklist from the group to which it applies. | delete_blacklist Miscellaneous |
Full Scan Endpoint | Performs a full scan on the specified endpoint on the Symantec Endpoint Protection Manager server, based on the group IDs or computer IDs you have specified. | scan_endpoint Investigation |
Active Scan Endpoint | Performs an active scan on the specified endpoint on the Symantec Endpoint Protection Manager server, based on the group IDs or computer IDs you have specified. | scan_endpoint Investigation |
None.
The JSON output contains details for all groups configured on the device retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"size": "",
"sort": [
{
"property": "",
"direction": "",
"ascending": ""
}
],
"firstPage": "",
"totalElements": "",
"totalPages": "",
"numberOfElements": "",
"number": "",
"lastPage": "",
"content": [
{
"customIpsNumber": "",
"description": "",
"domain": {
"id": "",
"name": ""
},
"numberOfPhysicalComputers": "",
"lastModified": "",
"createdBy": "",
"fullPathName": "",
"created": "",
"id": "",
"policySerialNumber": "",
"numberOfRegisteredUsers": "",
"name": "",
"policyDate": "",
"policyInheritanceEnabled": ""
}
]
}
Parameter | Description |
---|---|
Group ID | The ID of the group whose details you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains detailed information about the group based on the group ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"defaultLocationId": "",
"description": "",
"numberOfPhysicalComputers": "",
"lastModified": "",
"numberOfRegisteredUsers": "",
"created": "",
"id": "",
"name": "",
"createdBy": "",
"policySerialNumber": "",
"policyDate": "",
"policyInheritanceEnabled": ""
}
Parameter | Description |
---|---|
Domain ID | The domain ID using which you want to retrieve information for all associated endpoints from the Symantec EPM (SEPM) server. |
Computer Name | (Optional) The hostname of the computer for which you want to retrieve computer information from the Symantec EPM (SEPM) server. |
Page Size | (Optional) The number of records to return per page. By default, this is set as 20, i.e., if you leave this field blank, only 20 records are returned by this operation. |
Page Index | (Optional) The page number from which records are returned from the Symantec EPM (SEPM) server. By default, this is set as 1, i.e., if you leave this field blank, only records from the first page are returned by this operation. |
Custom Filter | (Optional) The Query filter using which you want to filter endpoints retrieved from the Symantec EPM (SEPM) server. |
The JSON output contains information for all endpoints that are associated with the Domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"size": "",
"sort": [
{
"property": "",
"direction": "",
"ascending": ""
}
],
"firstPage": "",
"totalElements": "",
"totalPages": "",
"numberOfElements": "",
"number": "",
"lastPage": "",
"content": [
{
"svaId": "",
"osElamStatus": "",
"physicalCpus": "",
"osMinor": "",
"hypervisorVendorId": "",
"lastSiteName": "",
"macAddresses": [
""
],
"tmpDevice": "",
"description": "",
"cidsSilentMode": "",
"osflavorNumber": "",
"computerName": "",
"osVersion": "",
"deploymentTargetVersion": "",
"osminor": "",
"tpmDevice": "",
"infected": "",
"serialNumber": "",
"cidsDrvOnOff": "",
"lastVirusTime": "",
"ptpOnOff": "",
"osFunction": "",
"homePhone": "",
"cidsEngineVersion": "",
"lastDeploymentTime": "",
"atpServer": "",
"atpDeviceId": "",
"osLanguage": "",
"timeZone": "",
"fullName": "",
"onlineStatus": "",
"idsSerialNo": "",
"domainOrWorkgroup": "",
"ipAddresses": [],
"group": {
"externalReferenceId": "",
"source": "",
"id": "",
"name": "",
"domain": {
"id": "",
"name": ""
},
"fullPathName": ""
},
"lastHeuristicThreatTime": "",
"lastServerId": "",
"licenseStatus": "",
"virtualizationPlatform": "",
"profileSerialNo": "",
"computerUsn": "",
"osservicePack": "",
"osbitness": "",
"isNpvdiClient": "",
"currentClientId": "",
"bwf": "",
"deleted": "",
"winServers": [],
"computerTimeStamp": "",
"rebootRequired": "",
"avEngineOnOff": "",
"patternIdx": "",
"hardwareKey": "",
"subnetMasks": [],
"lastDownloadTime": "",
"edrStatus": 2,
"quarantineDesc": "",
"employeeStatus": "",
"department": "",
"rebootReason": "",
"operatingSystem": "",
"osfunction": "",
"bashStatus": "",
"freeMem": "",
"cidsDrvMulfCode": "",
"cidsBrowserIeOnOff": "",
"logonUserName": "",
"dnsServers": [],
"osServicePack": "",
"freeDisk": "",
"agentVersion": "",
"uniqueId": "",
"agentTimeStamp": "",
"idsVersion": "",
"cidsBrowserFfOnOff": "",
"groupUpdateProvider": "",
"attributeExtension": "",
"officePhone": "",
"uuid": "",
"tamperOnOff": "",
"minorVersion": "",
"osMajor": "",
"diskDrive": "",
"mobilePhone": "",
"profileVersion": "",
"apOnOff": "",
"creationTime": "",
"securityVirtualAppliance": "",
"snacLicenseId": "",
"uwf": "",
"osBitness": "",
"firewallOnOff": "",
"contentUpdate": "",
"worstInfectionIdx": "",
"deploymentMessage": "",
"licenseExpiry": "",
"fbwf": "",
"elamOnOff": "",
"lastUpdateTime": "",
"totalDiskSpace": "",
"vsicStatus": "",
"daOnOff": "",
"agentUsn": "",
"osName": "",
"biosVersion": "",
"deploymentRunningVersion": "",
"dhcpServer": "",
"loginDomain": "",
"osname": "",
"osFlavorNumber": "",
"agentId": "",
"deploymentPreVersion": "",
"idsChecksum": "",
"processorType": "",
"logicalCpus": "",
"lastServerName": "",
"computerDescription": "",
"lastConnectedIpAddr": "",
"publicKey": "",
"gateways": [],
"memory": "",
"deploymentStatus": "",
"jobTitle": "",
"oslanguage": "",
"cidsDefsetVersion": "",
"email": "",
"osversion": "",
"licenseId": "",
"employeeNumber": "",
"lastScanTime": "",
"encryptedDevicePassword": "",
"processorClock": "",
"pepOnOff": "",
"lastSiteId": "",
"isGrace": "",
"osmajor": "",
"profileChecksum": "",
"agentType": "",
"kernel": "",
"writeFiltersStatus": "",
"installType": "",
"majorVersion": ""
}
]
}
None.
The JSON output contains details for all accessible domains retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"companyName": "",
"enable": "",
"description": "",
"id": "",
"name": "",
"contactInfo": "",
"createdTime": "",
"administratorCount": ""
}
Parameter | Description |
---|---|
Domain Name | Name of the domain that you want to create on the Symantec EPM (SEPM) server. |
Max Client Idle Time In Days | (Optional) The number of days after which Symantec EPM (SEPM) deletes clients that have not connected. The minimum value is set as 1. |
Max Npvdi Client Idle Time In Days | (Optional) The number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected. The minimum value is set as 1. |
Delete Idle Clients | (Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Delete Idle Npvdi Clients | (Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Allow Saving Credentials | (Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM). By default, this is set to False. |
Allow Never Expiring Passwords | (Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire. By default, this is set to False. |
Display Logon Banner | (Optional) Select this option to display a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM). By default, this is set to False. |
The JSON output contains details of the newly created domain on the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"enable": "",
"contactInfo": "",
"bannerText": "",
"allowUsersToSaveCredentials": "",
"companyName": "",
"createdTime": "",
"description": "",
"deleteOldClients": "",
"administratorCount": "",
"deleteOldVDIClients": "",
"showBanner": "",
"bannerTitle": "",
"deleteOldClientsDays": "",
"id": "",
"allowNeverExpiresPasswords": "",
"name": "",
"deleteOldVDIClientsDays": ""
}
Parameter | Description |
---|---|
Domain ID | The ID of the domain whose name you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains the domain name based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"name": "",
"value": ""
}
Parameter | Description |
---|---|
Domain ID | The ID of the domain for which you want to retrieve details from the Symantec EPM (SEPM) server. |
The JSON output contains detailed information about the domain based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"enable": "",
"contactInfo": "",
"bannerText": "",
"allowUsersToSaveCredentials": "",
"companyName": "",
"createdTime": "",
"description": "",
"deleteOldClients": "",
"administratorCount": "",
"deleteOldVDIClients": "",
"showBanner": "",
"bannerTitle": "",
"deleteOldClientsDays": "",
"id": "",
"allowNeverExpiresPasswords": "",
"name": "",
"deleteOldVDIClientsDays": ""
}
Parameter | Description |
---|---|
Domain ID | The ID of the domain that you want to update on the Symantec EPM (SEPM) server. |
Domain Name | Name of the domain that you want to update on the Symantec EPM (SEPM) server. |
Max Client Idle Time In Days | (Optional) The number of days after which Symantec EPM (SEPM) deletes clients that have not connected. The minimum value is set as 1. |
Max Npvdi Client Idle Time In Days | (Optional) The number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected. The minimum value is set as 1. |
Delete Idle Clients | (Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Delete Idle Npvdi Clients | (Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Allow Saving Credentials | (Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM). By default, this is set to False. |
Allow Never Expiring Passwords | (Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire. By default, this is set to False. |
Display Logon Banner | (Optional) Select this option to display a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM). By default, this is set to False. |
The JSON output contains the updated domain information, based on the domain ID and domain name you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"enable": "",
"contactInfo": "",
"bannerText": "",
"allowUsersToSaveCredentials": "",
"companyName": "",
"createdTime": "",
"description": "",
"deleteOldClients": "",
"administratorCount": "",
"deleteOldVDIClients": "",
"showBanner": "",
"bannerTitle": "",
"deleteOldClientsDays": "",
"id": "",
"allowNeverExpiresPasswords": "",
"name": "",
"deleteOldVDIClientsDays": ""
}
Parameter | Description |
---|---|
Domain ID | The ID of the domain that you want to delete from the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified domain is successfully deleted from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"response": ""
}
None.
The JSON output contains details associated with critical events retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"criticalEventsInfoList": [],
"totalUnacknowledgedMessages": "",
"lastUpdated": ""
}
None.
The JSON output contains a list and count of client groups, filtered by content download sources, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"downloadSources": [
{
"clientCount": "",
"sourceName": "",
"sourceKey": ""
}
],
"lastUpdated": ""
}
None.
The JSON output contains a list of clients for a group, filtered by content version, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"lastUpdated": "",
"clientDefStatusList": [
{
"clientsCount": "",
"version": ""
}
]
}
Parameter | Description |
---|---|
Report Type | The type of report based on which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. You can choose from the following options: Hour, Day, Week, or Month. By default, this is set as Day. |
From | The DateTime from when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
To | The DateTime till when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
The JSON output contains a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"infectedClientStats": [
{
"epochTime": "",
"clientsCount": ""
}
],
"lastUpdated": ""
}
Parameter | Description |
---|---|
Report Type | The type of report based on which you want to retrieve a list of clients which have reported malware events from the Symantec EPM (SEPM) server. You can choose from the following options: Hour, Day, Week, or Month. By default, this is set as Day. |
From | The DateTime from when you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. |
To | The DateTime till when you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. |
The JSON output contains a list of clients reporting malware events, based on the time range that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"malwareClientStats": [
{
"epochTime": "",
"clientsCount": ""
}
],
"lastUpdated": ""
}
None.
The JSON output contains details for all threat statistics retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"Stats": {
"lastUpdated": "",
"infectedClients": ""
}
}
Parameter | Description |
---|---|
Scan Groups or Computers | Choose whether you want to perform the scan action on Groups or Computers. By default, this is set as Computers. |
IDs | The list of Computer IDs or Group IDs that you want to scan. |
Body | The evidence of compromise command in XML. |
The JSON output contains detailed information about the scan operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Apply Quarantine | Choose whether you want to perform the quarantine action on Groups or Computers. By default, this is set as Computers. |
IDs | The list of Computer IDs or Group IDs that you want to quarantine. |
The JSON output contains detailed information about the quarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"commandID_computer": ""
}
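The List Endpoints and Quarantine Endpoints operations are typically chained in a playbook: page through the endpoint inventory, pick the records that warrant isolation, and hand their Computer IDs to the quarantine step. The following added example (not the connector's own code) does that selection over the paged output documented above; it assumes the Computer ID is the endpoint's `uniqueId` field and that flags such as `infected`, `onlineStatus` and `deleted` arrive as 1/0 integers, "1"/"0" strings or booleans.

```python
# Added example, not the connector's own code: walks the paged output of the
# List Endpoints operation, keeps the endpoints that warrant isolation and
# returns the Computer ID list the Quarantine Endpoints step takes as "IDs".
# Assumptions: pages follow the schema documented above; the Computer ID is
# the endpoint's "uniqueId"; flags such as "infected", "onlineStatus" and
# "deleted" arrive as 1/0 integers, "1"/"0" strings or booleans.
from typing import Any, Dict, Iterable, List


def _flag(value: Any) -> bool:
    """Normalise the mixed flag encodings SEPM returns to a plain bool."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    return str(value).strip().lower() in {"1", "true", "yes"}


def is_last_page(page: Dict[str, Any]) -> bool:
    """Stop paging on the envelope's lastPage flag or on an empty page."""
    if _flag(page.get("lastPage", False)):
        return True
    return not page.get("content")


def collect_endpoints(pages: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Flatten the "content" arrays of successive List Endpoints pages.

    Pages are consumed lazily so a playbook loop that increments Page Index
    can feed them in one at a time; iteration ends at the last page.
    """
    endpoints: List[Dict[str, Any]] = []
    for page in pages:
        endpoints.extend(page.get("content") or [])
        if is_last_page(page):
            break
    return endpoints


def select_for_quarantine(endpoints: Iterable[Dict[str, Any]],
                          require_online: bool = True) -> List[str]:
    """Return the uniqueIds of infected endpoints, in first-seen order.

    Deleted records are skipped, since they no longer represent a live
    client, and by default so are offline clients: a quarantine command
    queued for a client that is not checking in just waits in the queue.
    """
    seen = set()
    ids: List[str] = []
    for ep in endpoints:
        if _flag(ep.get("deleted")) or not _flag(ep.get("infected")):
            continue
        if require_online and not _flag(ep.get("onlineStatus")):
            continue
        uid = ep.get("uniqueId")
        if uid and uid not in seen:
            seen.add(uid)
            ids.append(uid)
    return ids


# Constructed sample: two pages of List Endpoints output, trimmed to the
# fields this example reads. The IDs and hostnames are made up.
SAMPLE_PAGES = [
    {"size": 2, "number": 1, "totalPages": 2, "numberOfElements": 2,
     "lastPage": False,
     "content": [
         {"uniqueId": "ID-0001", "computerName": "WS-ALICE",
          "infected": 1, "onlineStatus": 1, "deleted": 0},
         {"uniqueId": "ID-0002", "computerName": "WS-BOB",
          "infected": 0, "onlineStatus": 1, "deleted": 0},
     ]},
    {"size": 2, "number": 2, "totalPages": 2, "numberOfElements": 3,
     "lastPage": True,
     "content": [
         {"uniqueId": "ID-0003", "computerName": "SRV-FILE01",
          "infected": "1", "onlineStatus": "0", "deleted": 0},
         {"uniqueId": "ID-0001", "computerName": "WS-ALICE",  # repeated row
          "infected": 1, "onlineStatus": 1, "deleted": 0},
         {"uniqueId": "ID-0004", "computerName": "WS-STALE",
          "infected": 1, "onlineStatus": 1, "deleted": 1},
     ]},
]


if __name__ == "__main__":
    endpoints = collect_endpoints(SAMPLE_PAGES)
    print(f"{len(endpoints)} endpoint records collected")
    print("quarantine (online only):", select_for_quarantine(endpoints))
    print("quarantine (incl. offline):",
          select_for_quarantine(endpoints, require_online=False))
```

The returned list is what a playbook would pass as the IDs input with Apply Quarantine left at Computers; the `commandID_computer` in the response can then be fed to Get Command Status.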
Parameter | Description |
---|---|
Apply Unquarantine | Choose whether you want to perform the unquarantine action on Groups or Computers. By default, this is set as Computers. |
IDs | The list of Computer IDs or Group IDs that you want to unquarantine. |
The JSON output contains detailed information about the unquarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"commandID_computer": ""
}
Parameter | Description |
---|---|
Command ID | The ID of the command whose status you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains information about the status of the command based on the command ID that you have specified retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"size": "",
"sort": [
{
"property": "",
"direction": "",
"ascending": ""
}
],
"firstPage": "",
"totalElements": "",
"totalPages": "",
"numberOfElements": "",
"number": "",
"lastPage": "",
"content": [
{
"stateId": "",
"beginTime": "",
"computerId": "",
"currentLoginUserName": "",
"computerIp": "",
"binaryFileId": "",
"computerName": "",
"resultInXML": "",
"lastUpdateTime": "",
"domainName": "",
"subStateDesc": "",
"hardwareKey": "",
"subStateId": ""
}
]
}
Parameter | Description |
---|---|
Name | The ID of the file fingerprint based on which you want to retrieve the file fingerprint list from the Symantec EPM (SEPM) server. |
The JSON output contains the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"hashType": "",
"source": "",
"description": "",
"data": [],
"groupIds": []
}
Parameter | Description |
---|---|
Fingerprint ID | The ID of the file fingerprint list that you want to assign to a group on the Symantec EPM (SEPM) server. |
Group ID | The ID of the group to which you want to assign the file fingerprint list on the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified file fingerprint list is successfully assigned to the specified group on the Symantec EPM (SEPM) server.
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Blacklist Name | The name of the blacklist that you want to add to the Symantec EPM (SEPM) server. |
Hash Type | The hash type of the blacklist file that you want to add to the Symantec EPM (SEPM) server. You can choose between MD5 or SHA256. By default, this is set as MD5. |
Hash Value | The file hashes that you want to add to the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
Domain ID | The domain ID to which the blacklist file will be applied on the Symantec EPM (SEPM) server. |
Description | The description of the blacklist file that you want to add to the Symantec EPM (SEPM) server. |
The JSON output contains details of the blacklist file added on the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"id": ""
}
Parameter | Description |
---|---|
Fingerprint ID | The ID of the file fingerprint list that you want to update on the Symantec EPM (SEPM) server. |
Blacklist Name | The name of the blacklist whose details you want to update in the Symantec EPM (SEPM) server. |
Hash Type | The hash type of the blacklist file that you want to update in the Symantec EPM (SEPM) server. You can choose between MD5 or SHA256. By default, this is set as MD5. |
Hash Value | The file hashes that you want to update to the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
Domain ID | The domain ID to which the blacklist file will be applied on the Symantec EPM (SEPM) server. |
Description | The description of the blacklist file that you want to add to the Symantec EPM (SEPM) server. |
The JSON output contains details of the updated blacklist from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"response": ""
}
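Both Add Blacklist and Update Blacklist take a Hash Type (MD5 or SHA256, default MD5) and a Hash Value list, and a fingerprint list holds a single hash type, so a playbook should check the inputs before the request leaves FortiSOAR. The following added example (not the connector's own code) performs that check; it assumes Hash Value is a list of strings or one string with the hashes separated by commas, semicolons or whitespace, since the page does not fix the exact format.

```python
# Added example, not the connector's own code: checks the Hash Type and
# Hash Value inputs of Add Blacklist / Update Blacklist before the request
# is sent, since a fingerprint list holds one hash type and a single bad
# entry would otherwise surface as an opaque server-side error.
# Assumption: Hash Value is a list of strings or one string with the hashes
# separated by commas, semicolons or whitespace (the page does not fix the
# exact format).
import hashlib
import re
from typing import Iterable, List, Optional, Union

HASH_PATTERNS = {
    "MD5": re.compile(r"^[0-9a-f]{32}$"),
    "SHA256": re.compile(r"^[0-9a-f]{64}$"),
}


def split_hashes(raw: Union[str, Iterable[str]]) -> List[str]:
    """Tokenise the Hash Value input and lower-case every entry."""
    parts = re.split(r"[\s,;]+", raw) if isinstance(raw, str) else list(raw)
    return [p.strip().lower() for p in parts if p and p.strip()]


def detect_hash_type(digest: str) -> Optional[str]:
    """Name the hash type a lone digest looks like, for error messages."""
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(digest.lower()):
            return name
    return None


def validate_blacklist_hashes(hash_type: Optional[str],
                              hash_value: Union[str, Iterable[str]]) -> List[str]:
    """Return the de-duplicated, normalised hashes for the chosen type.

    Raises ValueError on an unknown type, an empty list, or any entry that
    does not match the declared type (mixed MD5/SHA256 lists included).
    """
    htype = (hash_type or "MD5").strip().upper()   # connector default is MD5
    if htype not in HASH_PATTERNS:
        raise ValueError(f"unsupported hash type {hash_type!r}; use MD5 or SHA256")
    pattern = HASH_PATTERNS[htype]
    seen = set()
    result: List[str] = []
    for digest in split_hashes(hash_value):
        if not pattern.match(digest):
            looks_like = detect_hash_type(digest)
            hint = f" (looks like {looks_like})" if looks_like else ""
            raise ValueError(f"{digest!r} is not a valid {htype} hash{hint}")
        if digest not in seen:
            seen.add(digest)
            result.append(digest)
    if not result:
        raise ValueError("no hashes supplied")
    return result


# Constructed sample digests, derived from made-up strings so they are
# well-formed without being real indicators.
SAMPLE_MD5_A = hashlib.md5(b"sample-file-a").hexdigest()
SAMPLE_MD5_B = hashlib.md5(b"sample-file-b").hexdigest()
SAMPLE_SHA256 = hashlib.sha256(b"sample-file-c").hexdigest()


if __name__ == "__main__":
    # Mixed case, a duplicate and mixed separators are all normalised away.
    print(validate_blacklist_hashes(
        "MD5", f"{SAMPLE_MD5_A.upper()},\n{SAMPLE_MD5_B} {SAMPLE_MD5_A}"))
    try:
        validate_blacklist_hashes("MD5", [SAMPLE_MD5_A, SAMPLE_SHA256])
    except ValueError as err:
        print("rejected:", err)
```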
Parameter | Description |
---|---|
Fingerprint ID | The ID of the file fingerprint list that you want to delete from the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified blacklist file is successfully deleted from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"response": ""
}
Parameter | Description |
---|---|
Endpoint ID Type | Select the type of endpoint ID on whose associated endpoints you want to perform a full scan. You can choose between Group IDs or Computer IDs. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID Type | Select the type of endpoint ID on whose associated endpoints you want to perform an active scan. You can choose between Group IDs or Computer IDs. |
The output contains a non-dictionary value.
The Sample - Symantec-EPM (SEPM) - 1.1.1 playbook collection comes bundled with the Symantec EPM (SEPM) connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EPM (SEPM) connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Assign Fingerprint List To Group | Assigns a file fingerprint list that you have specified to a group that you have specified on the Symantec EPM (SEPM) server. | assign_fingerprint_to_group Containment |
Add Blacklist | Adds a blacklist as a file fingerprint list to the Symantec EPM (SEPM) server. | add_blacklist Containment |
Update Blacklist | Updates an existing blacklist, based on the input parameters, such as the file fingerprint file ID, that you have specified, on the Symantec EPM (SEPM) server. | update_blacklist Containment |
Delete Blacklist | Deletes an existing blacklist, based on the file fingerprint file ID that you have specified, from the Symantec EPM (SEPM) server. This operation also removes this blacklist from the group to which it applies. | delete_blacklist Miscellaneous |
Full Scan Endpoint | Performs a full scan on the specified endpoint on the Symantec Endpoint Protection Manager server, based on the group IDs or computer IDs you have specified. | scan_endpoint Investigation |
Active Scan Endpoint | Performs an active scan on the specified endpoint on the Symantec Endpoint Protection Manager server, based on the group IDs or computer IDs you have specified. | scan_endpoint Investigation |
operation: List Groups
Input parameters: None.
The JSON output contains details for all groups configured on the device retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"size": "",
"sort": [
{
"property": "",
"direction": "",
"ascending": ""
}
],
"firstPage": "",
"totalElements": "",
"totalPages": "",
"numberOfElements": "",
"number": "",
"lastPage": "",
"content": [
{
"customIpsNumber": "",
"description": "",
"domain": {
"id": "",
"name": ""
},
"numberOfPhysicalComputers": "",
"lastModified": "",
"createdBy": "",
"fullPathName": "",
"created": "",
"id": "",
"policySerialNumber": "",
"numberOfRegisteredUsers": "",
"name": "",
"policyDate": "",
"policyInheritanceEnabled": ""
}
]
}
operation: Get Group Information
Input parameters:
Parameter | Description |
---|---|
Group ID | The ID of the group whose details you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains detailed information about the group based on the group ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"defaultLocationId": "",
"description": "",
"numberOfPhysicalComputers": "",
"lastModified": "",
"numberOfRegisteredUsers": "",
"created": "",
"id": "",
"name": "",
"createdBy": "",
"policySerialNumber": "",
"policyDate": "",
"policyInheritanceEnabled": ""
}
operation: List Endpoints
Input parameters:
Parameter | Description |
---|---|
Domain ID | The ID of the domain whose associated endpoints you want to retrieve from the Symantec EPM (SEPM) server. |
Computer Name | (Optional) The hostname of the computer for which you want to retrieve computer information from the Symantec EPM (SEPM) server. |
Page Size | (Optional) The number of records that should be included per page. By default, this is set as 20, i.e., if you leave this field blank, only 20 records will be returned by this operation. |
Page Index | (Optional) The page number from which records will be returned from the Symantec EPM (SEPM) server. By default, this is set as 1, i.e., if you leave this field blank, only records from the first page will be returned by this operation. |
Custom Filter | (Optional) The query filter using which you want to filter the endpoints retrieved from the Symantec EPM (SEPM) server. |
The JSON output contains information for all endpoints that are associated with the Domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"size": "",
"sort": [
{
"property": "",
"direction": "",
"ascending": ""
}
],
"firstPage": "",
"totalElements": "",
"totalPages": "",
"numberOfElements": "",
"number": "",
"lastPage": "",
"content": [
{
"svaId": "",
"osElamStatus": "",
"physicalCpus": "",
"osMinor": "",
"hypervisorVendorId": "",
"lastSiteName": "",
"macAddresses": [
""
],
"tmpDevice": "",
"description": "",
"cidsSilentMode": "",
"osflavorNumber": "",
"computerName": "",
"osVersion": "",
"deploymentTargetVersion": "",
"osminor": "",
"tpmDevice": "",
"infected": "",
"serialNumber": "",
"cidsDrvOnOff": "",
"lastVirusTime": "",
"ptpOnOff": "",
"osFunction": "",
"homePhone": "",
"cidsEngineVersion": "",
"lastDeploymentTime": "",
"atpServer": "",
"atpDeviceId": "",
"osLanguage": "",
"timeZone": "",
"fullName": "",
"onlineStatus": "",
"idsSerialNo": "",
"domainOrWorkgroup": "",
"ipAddresses": [],
"group": {
"externalReferenceId": "",
"source": "",
"id": "",
"name": "",
"domain": {
"id": "",
"name": ""
},
"fullPathName": ""
},
"lastHeuristicThreatTime": "",
"lastServerId": "",
"licenseStatus": "",
"virtualizationPlatform": "",
"profileSerialNo": "",
"computerUsn": "",
"osservicePack": "",
"osbitness": "",
"isNpvdiClient": "",
"currentClientId": "",
"bwf": "",
"deleted": "",
"winServers": [],
"computerTimeStamp": "",
"rebootRequired": "",
"avEngineOnOff": "",
"patternIdx": "",
"hardwareKey": "",
"subnetMasks": [],
"lastDownloadTime": "",
"edrStatus": 2,
"quarantineDesc": "",
"employeeStatus": "",
"department": "",
"rebootReason": "",
"operatingSystem": "",
"osfunction": "",
"bashStatus": "",
"freeMem": "",
"cidsDrvMulfCode": "",
"cidsBrowserIeOnOff": "",
"logonUserName": "",
"dnsServers": [],
"osServicePack": "",
"freeDisk": "",
"agentVersion": "",
"uniqueId": "",
"agentTimeStamp": "",
"idsVersion": "",
"cidsBrowserFfOnOff": "",
"groupUpdateProvider": "",
"attributeExtension": "",
"officePhone": "",
"uuid": "",
"tamperOnOff": "",
"minorVersion": "",
"osMajor": "",
"diskDrive": "",
"mobilePhone": "",
"profileVersion": "",
"apOnOff": "",
"creationTime": "",
"securityVirtualAppliance": "",
"snacLicenseId": "",
"uwf": "",
"osBitness": "",
"firewallOnOff": "",
"contentUpdate": "",
"worstInfectionIdx": "",
"deploymentMessage": "",
"licenseExpiry": "",
"fbwf": "",
"elamOnOff": "",
"lastUpdateTime": "",
"totalDiskSpace": "",
"vsicStatus": "",
"daOnOff": "",
"agentUsn": "",
"osName": "",
"biosVersion": "",
"deploymentRunningVersion": "",
"dhcpServer": "",
"loginDomain": "",
"osname": "",
"osFlavorNumber": "",
"agentId": "",
"deploymentPreVersion": "",
"idsChecksum": "",
"processorType": "",
"logicalCpus": "",
"lastServerName": "",
"computerDescription": "",
"lastConnectedIpAddr": "",
"publicKey": "",
"gateways": [],
"memory": "",
"deploymentStatus": "",
"jobTitle": "",
"oslanguage": "",
"cidsDefsetVersion": "",
"email": "",
"osversion": "",
"licenseId": "",
"employeeNumber": "",
"lastScanTime": "",
"encryptedDevicePassword": "",
"processorClock": "",
"pepOnOff": "",
"lastSiteId": "",
"isGrace": "",
"osmajor": "",
"profileChecksum": "",
"agentType": "",
"kernel": "",
"writeFiltersStatus": "",
"installType": "",
"majorVersion": ""
}
]
}
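The Page Size and Page Index parameters above default to 20 and 1, so a domain with more than 20 endpoints needs several List Endpoints calls. This added Python example, which is not part of the connector, walks every page of a List Endpoints result through a caller-supplied fetch function (in a playbook that would wrap the connector step; `sample_fetch` and its endpoint records are constructed here) and collects the IDs of endpoints the server flags as infected.

```python
from typing import Callable, Dict, Iterator, List

# One page of the List Endpoints output documented above: "content" holds the
# endpoint records and "lastPage" marks the final page.
Page = Dict[str, object]
# Hypothetical fetcher: (page_index, page_size) -> Page. In a FortiSOAR playbook
# this would wrap the connector's List Endpoints step; any callable will do here.
Fetcher = Callable[[int, int], Page]


def iter_endpoints(fetch: Fetcher, page_size: int = 20,
                   max_pages: int = 1000) -> Iterator[dict]:
    """Yield every endpoint record across all pages of a List Endpoints result.

    Page Index is 1-based on the connector (default 1), so the walk starts at 1.
    max_pages guards against a server that never reports lastPage, so a playbook
    step cannot spin forever.
    """
    page_index = 1
    while page_index <= max_pages:
        page = fetch(page_index, page_size)
        content = page.get("content") or []
        for record in content:
            yield record
        # Stop on the server's own end marker, or on an empty page.
        if page.get("lastPage") or not content:
            return
        page_index += 1
    raise RuntimeError("no lastPage after %d pages" % max_pages)


def infected_computer_ids(fetch: Fetcher, page_size: int = 20) -> List[str]:
    """uniqueIds of endpoints the server flags as infected, de-duplicated.

    Assumption: "infected" arrives as a string ("1"/"0") or a number; anything
    other than 0, "0", "" or None counts as infected.
    """
    ids: List[str] = []
    for ep in iter_endpoints(fetch, page_size):
        if ep.get("infected") in (0, "0", "", None):
            continue
        uid = ep.get("uniqueId")
        if uid and uid not in ids:
            ids.append(uid)
    return ids


# Constructed sample data: eleven endpoints, three of them flagged infected.
_SAMPLE_ENDPOINTS = [
    {"uniqueId": "ep-%02d" % i, "computerName": "host%02d" % i,
     "infected": "1" if i in (3, 7, 11) else "0", "onlineStatus": "1"}
    for i in range(1, 12)
]


def sample_fetch(page_index: int, page_size: int) -> Page:
    """Slice the constructed list into pages shaped like the documented schema."""
    total = len(_SAMPLE_ENDPOINTS)
    total_pages = max(1, -(-total // page_size))   # ceiling division
    start = (page_index - 1) * page_size
    chunk = _SAMPLE_ENDPOINTS[start:start + page_size]
    return {
        "size": page_size, "number": page_index, "totalElements": total,
        "totalPages": total_pages, "numberOfElements": len(chunk),
        "firstPage": page_index == 1, "lastPage": page_index >= total_pages,
        "content": chunk,
    }


if __name__ == "__main__":
    print(infected_computer_ids(sample_fetch, page_size=5))  # ['ep-03', 'ep-07', 'ep-11']
```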
operation: List Domains
Input parameters: None.
The JSON output contains details for all accessible domains retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"companyName": "",
"enable": "",
"description": "",
"id": "",
"name": "",
"contactInfo": "",
"createdTime": "",
"administratorCount": ""
}
operation: Create Domain
Input parameters:
Parameter | Description |
---|---|
Domain Name | Name of the domain that you want to create on the Symantec EPM (SEPM) server. |
Max Client Idle Time In Days | (Optional) The number of days after which Symantec EPM (SEPM) deletes clients that have not connected. The minimum value is 1. |
Max Npvdi Client Idle Time In Days | (Optional) The number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected. The minimum value is 1. |
Delete Idle Clients | (Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Delete Idle Npvdi Clients | (Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Allow Saving Credentials | (Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM). By default, this is set to False. |
Allow Never Expiring Passwords | (Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire. By default, this is set to False. |
Display Logon Banner | (Optional) Select this option to display a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM). By default, this is set to False. |
The JSON output contains details of the newly created domain on the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"enable": "",
"contactInfo": "",
"bannerText": "",
"allowUsersToSaveCredentials": "",
"companyName": "",
"createdTime": "",
"description": "",
"deleteOldClients": "",
"administratorCount": "",
"deleteOldVDIClients": "",
"showBanner": "",
"bannerTitle": "",
"deleteOldClientsDays": "",
"id": "",
"allowNeverExpiresPasswords": "",
"name": "",
"deleteOldVDIClientsDays": ""
}
operation: Get Domain Name
Input parameters:
Parameter | Description |
---|---|
Domain ID | The ID of the domain whose name you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains the domain name based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"name": "",
"value": ""
}
operation: Get Domain Information
Input parameters:
Parameter | Description |
---|---|
Domain ID | The ID of the domain for which you want to retrieve details from the Symantec EPM (SEPM) server. |
The JSON output contains detailed information about the domain based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"enable": "",
"contactInfo": "",
"bannerText": "",
"allowUsersToSaveCredentials": "",
"companyName": "",
"createdTime": "",
"description": "",
"deleteOldClients": "",
"administratorCount": "",
"deleteOldVDIClients": "",
"showBanner": "",
"bannerTitle": "",
"deleteOldClientsDays": "",
"id": "",
"allowNeverExpiresPasswords": "",
"name": "",
"deleteOldVDIClientsDays": ""
}
operation: Update Domain
Input parameters:
Parameter | Description |
---|---|
Domain ID | The ID of the domain that you want to update on the Symantec EPM (SEPM) server. |
Domain Name | Name of the domain that you want to update on the Symantec EPM (SEPM) server. |
Max Client Idle Time In Days | (Optional) The number of days after which Symantec EPM (SEPM) deletes clients that have not connected. The minimum value is 1. |
Max Npvdi Client Idle Time In Days | (Optional) The number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected. The minimum value is 1. |
Delete Idle Clients | (Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Delete Idle Npvdi Clients | (Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days. By default, this is set to False. |
Allow Saving Credentials | (Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM). By default, this is set to False. |
Allow Never Expiring Passwords | (Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire. By default, this is set to False. |
Display Logon Banner | (Optional) Select this option to display a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM). By default, this is set to False. |
The JSON output contains the updated domain information, based on the domain ID and domain name you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"enable": "",
"contactInfo": "",
"bannerText": "",
"allowUsersToSaveCredentials": "",
"companyName": "",
"createdTime": "",
"description": "",
"deleteOldClients": "",
"administratorCount": "",
"deleteOldVDIClients": "",
"showBanner": "",
"bannerTitle": "",
"deleteOldClientsDays": "",
"id": "",
"allowNeverExpiresPasswords": "",
"name": "",
"deleteOldVDIClientsDays": ""
}
operation: Delete Domain
Input parameters:
Parameter | Description |
---|---|
Domain ID | The ID of the domain that you want to delete from the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified domain is successfully deleted from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"response": ""
}
operation: Get Critical Events Information
Input parameters: None.
The JSON output contains details associated with critical events retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"criticalEventsInfoList": [],
"totalUnacknowledgedMessages": "",
"lastUpdated": ""
}
operation: Get Client Groups By Content Source
Input parameters: None.
The JSON output contains a list and count of client groups, filtered by content download sources, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"downloadSources": [
{
"clientCount": "",
"sourceName": "",
"sourceKey": ""
}
],
"lastUpdated": ""
}
operation: List Client For Group By Content Version
Input parameters: None.
The JSON output contains a list of clients for a group, filtered by content version, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"lastUpdated": "",
"clientDefStatusList": [
{
"clientsCount": "",
"version": ""
}
]
}
operation: List Infected Client
Input parameters:
Parameter | Description |
---|---|
Report Type | The type of report based on which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. You can choose from the following options: Hour, Day, Week, or Month. By default, this is set as Day. |
From | The date and time from which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
To | The date and time until which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
The JSON output contains a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"infectedClientStats": [
{
"epochTime": "",
"clientsCount": ""
}
],
"lastUpdated": ""
}
operation: Get Malware Reporting Clients
Input parameters:
Parameter | Description |
---|---|
Report Type | The type of report based on which you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. You can choose from the following options: Hour, Day, Week, or Month. By default, this is set as Day. |
From | The date and time from which you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. |
To | The date and time until which you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. |
The JSON output contains a list of clients reporting malware events, based on the time range that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"malwareClientStats": [
{
"epochTime": "",
"clientsCount": ""
}
],
"lastUpdated": ""
}
operation: Get Threat Status
Input parameters: None.
The JSON output contains details for all threat statistics retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"Stats": {
"lastUpdated": "",
"infectedClients": ""
}
}
operation: Scan Endpoint
Input parameters:
Parameter | Description |
---|---|
Scan Groups or Computers | Choose whether you want to perform the scan action on Groups or Computers. By default, this is set as Computers. |
IDs | The list of Computer IDs or Group IDs that you want to scan. |
Body | The evidence of compromise command in XML. |
The JSON output contains detailed information about the scan operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains a non-dictionary value.
operation: Quarantine Endpoints
Input parameters:
Parameter | Description |
---|---|
Apply Quarantine | Choose whether you want to perform the quarantine action on Groups or Computers. By default, this is set as Computers. |
IDs | The list of Computer IDs or Group IDs that you want to quarantine. |
The JSON output contains detailed information about the quarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"commandID_computer": ""
}
operation: Unquarantine Endpoints
Input parameters:
Parameter | Description |
---|---|
Apply Unquarantine | Choose whether you want to perform the unquarantine action on Groups or Computers. By default, this is set as Computers. |
IDs | The list of Computer IDs or Group IDs that you want to unquarantine. |
The JSON output contains detailed information about the unquarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"commandID_computer": ""
}
operation: Get Command Status
Input parameters:
Parameter | Description |
---|---|
Command ID | The ID of the command whose status you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains information about the status of the command, based on the command ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"size": "",
"sort": [
{
"property": "",
"direction": "",
"ascending": ""
}
],
"firstPage": "",
"totalElements": "",
"totalPages": "",
"numberOfElements": "",
"number": "",
"lastPage": "",
"content": [
{
"stateId": "",
"beginTime": "",
"computerId": "",
"currentLoginUserName": "",
"computerIp": "",
"binaryFileId": "",
"computerName": "",
"resultInXML": "",
"lastUpdateTime": "",
"domainName": "",
"subStateDesc": "",
"hardwareKey": "",
"subStateId": ""
}
]
}
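Quarantine Endpoints returns a command ID, and Get Command Status reports per-computer progress for that command, so a containment playbook should poll until every targeted computer has actually finished. This added Python example, which is not the connector's code, implements that loop around a caller-supplied fetch function; because the page lists no SEPM state codes, the caller also supplies the predicate that decides when a content entry is terminal, and `SampleStatusFeed` with its state strings is a constructed placeholder.

```python
import time
from typing import Callable, Dict, List

# Hypothetical fetcher: command_id -> one page of the Get Command Status output
# documented above (a dict whose "content" list has one entry per computer).
StatusFetcher = Callable[[str], Dict[str, object]]


def wait_for_command(fetch: StatusFetcher, command_id: str,
                     is_terminal: Callable[[dict], bool], max_polls: int = 30,
                     interval_s: float = 2.0,
                     sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    """Poll Get Command Status until every computer in the result is terminal.

    is_terminal decides per content entry whether that computer has finished;
    SEPM's state codes are not listed on this page, so the caller supplies the
    rule (for example a check on stateId or subStateDesc). An empty content
    list is treated as "not yet reported". The result is a plain dict so a
    playbook can branch on "complete" and act on "pending".
    """
    entries: List[dict] = []
    pending: List[dict] = []
    for attempt in range(1, max_polls + 1):
        entries = list(fetch(command_id).get("content") or [])
        pending = [e for e in entries if not is_terminal(e)]
        if entries and not pending:
            return {"complete": True, "polls": attempt, "entries": entries,
                    "pending": []}
        if attempt < max_polls:
            sleep(interval_s)
    return {"complete": False, "polls": max_polls, "entries": entries,
            "pending": pending}


class SampleStatusFeed:
    """Constructed stand-in for the connector step: two quarantined computers
    whose status advances on each poll. The subStateDesc strings are
    placeholders for this example, not SEPM's real state descriptions."""

    def __init__(self) -> None:
        self.calls = 0
        self._timeline = {
            "comp-1": ["NOT_RECEIVED", "RECEIVED", "COMPLETED"],
            "comp-2": ["NOT_RECEIVED", "NOT_RECEIVED", "COMPLETED"],
        }

    def __call__(self, command_id: str) -> Dict[str, object]:
        step = min(self.calls, 2)
        self.calls += 1
        return {"content": [
            {"computerId": cid, "computerName": cid, "stateId": "",
             "subStateDesc": states[step], "resultInXML": ""}
            for cid, states in self._timeline.items()]}


def sample_terminal(entry: dict) -> bool:
    """Terminal rule matching the constructed feed above."""
    return entry.get("subStateDesc") == "COMPLETED"


if __name__ == "__main__":
    result = wait_for_command(SampleStatusFeed(), "cmd-placeholder",
                              sample_terminal, max_polls=5, sleep=lambda s: None)
    print(result["complete"], result["polls"])  # True 3
```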
operation: Get Fingerprint List Information
Input parameters:
Parameter | Description |
---|---|
Name | The name of the file fingerprint list that you want to retrieve from the Symantec EPM (SEPM) server. |
The JSON output contains the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"hashType": "",
"source": "",
"description": "",
"data": [],
"groupIds": []
}
operation: Assign Fingerprint List To Group
Input parameters:
Parameter | Description |
---|---|
Fingerprint ID | The ID of the file fingerprint list that you want to assign to a group on the Symantec EPM (SEPM) server. |
Group ID | The ID of the group to which you want to assign the file fingerprint list on the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified file fingerprint list is successfully assigned to the specified group on the Symantec EPM (SEPM) server.
The output contains a non-dictionary value.
operation: Add Blacklist
Input parameters:
Parameter | Description |
---|---|
Blacklist Name | The name of the blacklist that you want to add to the Symantec EPM (SEPM) server. |
Hash Type | The hash type of the blacklist file that you want to add to the Symantec EPM (SEPM) server. You can choose between MD5 or SHA256. By default, this is set as MD5. |
Hash Value | The file hashes that you want to add to the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
Domain ID | The domain ID to which the blacklist file will be applied on the Symantec EPM (SEPM) server. |
Description | The description of the blacklist file that you want to add to the Symantec EPM (SEPM) server. |
The JSON output contains details of the blacklist file added on the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"id": ""
}
operation: Update Blacklist
Input parameters:
Parameter | Description |
---|---|
Fingerprint ID | The ID of the file fingerprint list that you want to update on the Symantec EPM (SEPM) server. |
Blacklist Name | The name of the blacklist whose details you want to update in the Symantec EPM (SEPM) server. |
Hash Type | The hash type of the blacklist file that you want to update in the Symantec EPM (SEPM) server. You can choose between MD5 or SHA256. By default, this is set as MD5. |
Hash Value | The file hashes that you want to update in the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
Domain ID | The domain ID to which the blacklist file will be applied on the Symantec EPM (SEPM) server. |
Description | The description of the blacklist file that you want to update in the Symantec EPM (SEPM) server. |
The JSON output contains details of the updated blacklist from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"response": ""
}
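Both Add Blacklist and Update Blacklist take a Hash Type of MD5 or SHA256 together with a list of hash values, and a single value of the wrong type makes the whole fingerprint list useless. This added Python example, which is not the connector's code, normalises and validates the list before it is submitted to either operation; the returned request keys mirror the parameter names but are assumptions for this example, and the sample hashes are well-known digests of an empty file.

```python
import re
from typing import Dict, Iterable, List

# Hex digest length for each Hash Type the Add/Update Blacklist operations accept.
_HASH_LENGTHS = {"MD5": 32, "SHA256": 64}
_HEX = re.compile(r"^[0-9a-f]+$")


def normalise_hashes(raw: Iterable[str]) -> List[str]:
    """Trim, lowercase and de-duplicate hash strings, keeping first-seen order."""
    out: List[str] = []
    for h in raw:
        h = h.strip().lower()
        if h and h not in out:
            out.append(h)
    return out


def build_blacklist_request(name: str, hash_type: str, hashes: Iterable[str],
                            domain_id: str, description: str = "") -> Dict[str, object]:
    """Validate a fingerprint list before handing it to Add or Update Blacklist.

    Every hash must be hex of the length that matches hash_type. One MD5 slipped
    into a SHA256 list (or the reverse) is rejected with a message naming the
    offending value and what it looks like, instead of storing a list that can
    never match. The returned keys mirror the operation's parameter names; they
    are assumptions for this example, not the connector's field names.
    """
    hash_type = hash_type.strip().upper()
    if hash_type not in _HASH_LENGTHS:
        raise ValueError("hash_type must be one of %s" % sorted(_HASH_LENGTHS))
    want = _HASH_LENGTHS[hash_type]
    clean = normalise_hashes(hashes)
    if not clean:
        raise ValueError("a blacklist needs at least one hash")
    for h in clean:
        if _HEX.match(h) and len(h) == want:
            continue
        looks_like = [t for t, n in _HASH_LENGTHS.items()
                      if n == len(h) and _HEX.match(h)]
        hint = " (looks like %s)" % looks_like[0] if looks_like else ""
        raise ValueError("%r is not a valid %s hash%s" % (h, hash_type, hint))
    return {"blacklist_name": name, "hash_type": hash_type, "hash_value": clean,
            "domain_id": domain_id, "description": description}


if __name__ == "__main__":
    # Constructed sample: the MD5 of an empty file, given twice with different
    # case and whitespace, collapses to a single entry.
    req = build_blacklist_request(
        "example-list", "md5",
        ["d41d8cd98f00b204e9800998ecf8427e", " D41D8CD98F00B204E9800998ECF8427E "],
        "domain-id-placeholder", "constructed example")
    print(req["hash_type"], req["hash_value"])  # MD5 ['d41d8cd98f00b204e9800998ecf8427e']
```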
operation: Delete Blacklist
Input parameters:
Parameter | Description |
---|---|
Fingerprint ID | The ID of the file fingerprint list that you want to delete from the Symantec EPM (SEPM) server. |
The JSON output contains a Success message if the specified blacklist file is successfully deleted from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"response": ""
}
operation: Full Scan Endpoint
Input parameters:
Parameter | Description |
---|---|
Endpoint ID Type | Select the type of endpoint ID on whose associated endpoints you want to perform a full scan. You can choose between Group IDs or Computer IDs. |
The output contains a non-dictionary value.
operation: Active Scan Endpoint
Input parameters:
Parameter | Description |
---|---|
Endpoint ID Type | Select the type of endpoint ID on whose associated endpoints you want to perform an active scan. You can choose between Group IDs or Computer IDs. |
The output contains a non-dictionary value.
The Sample - Symantec-EPM (SEPM) - 1.1.1 playbook collection comes bundled with the Symantec EPM (SEPM) connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EPM (SEPM) connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.