About the connector
Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers, and servers in your network against malware. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats. The Symantec Endpoint Protection client combines different types of scans to secure your computers against virus and spyware attacks.
This document provides information about the Symantec EPM (SEPM) connector, which facilitates automated interactions, with a Symantec EPM (SEPM) server using FortiSOAR™ playbooks. Add the Symantec EPM (SEPM) connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of groups configured on the device, or updating information of an existing domain.
Version information
Connector Version: 1.1.1
Authored By: Community
Certified: No
Release Notes for version 1.1.1
Following enhancements have been made to the Symantec EPM (SEPM) connector in version 1.1.1:
- Added provision to select either GroupID or ComputerID as an input to the following operations
- Full Scan Endpoint
- Active Scan Endpoint
Installing the connector
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-symantec-sepm
Prerequisites to configuring the connector
- You must have the URL of the Symantec EPM (SEPM) server to which you will connect and perform the automated operations and credentials to access that server.
- Ensure that port 8446 is open.
- The FortiSOAR™ server should have outbound connectivity to port 443 on the Symantec EPM (SEPM) server.
Minimum Permissions Required
Not Applicable
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Symantec EPM (SEPM) connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
| Parameter |
Description |
| Server URL |
URL of the Symantec EPM (SEPM) server to which you will connect and perform the automated operations.
For example, https://<ServerIPAddress>:8446 |
| Username |
The username used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. |
| Password |
The password used for accessing the Symantec EPM (SEPM) server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations
| Function |
Description |
Annotation and Category |
| List Groups |
Retrieves details for all groups configured on the device from the Symantec EPM (SEPM) server. |
list_groups
Investigation |
| Get Group Information |
Retrieves information about a group, based on the group ID that you have specified, from the Symantec EPM (SEPM) server. |
group_info
Investigation |
| List Endpoints |
Retrieves details for all endpoints, based on the domain ID and other input parameters that you have specified, from the Symantec EPM (SEPM) server. |
list_sensors
Investigation |
| List Domains |
Retrieves details for all accessible domains from the Symantec EPM (SEPM) server. |
get_domains
Investigation |
| Create Domain |
Creates a domain, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. |
create_domain
Investigation |
| Get Domain Name |
Retrieves the domain name, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. |
get_domain_name
Investigation |
| Get Domain Information |
Retrieves details about a particular domain, based on the domain ID that you have specified, from the Symantec EPM (SEPM) server. |
get_domain_info
Investigation |
| Update Domain |
Updates information about an existing domain, based on the domain ID and other input parameters that you have specified, on the Symantec EPM (SEPM) server. |
updates_domain_info
Investigation |
| Delete Domain |
Deletes a particular domain, based on the input parameters that you have specified, from the Symantec EPM (SEPM) server. |
delete_domain
Investigation |
| Get Critical Events Information |
Retrieves details associated with critical events from the Symantec EPM (SEPM) server. |
critical_events_info
Investigation |
| Get Client Groups By Content Source |
Retrieves a list and count of client groups, filtered by content download sources, from the Symantec EPM (SEPM) server. |
list_client_groups_by_content_source
Investigation |
| List Client For Group By Content Version |
Retrieves a list of clients for a group, filtered by content version, from the Symantec EPM (SEPM) server. |
client_list_group_by_content_version
Investigation |
| List Infected Client |
Retrieves a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server. |
list_infected_clients
Investigation |
| Get Malware Reporting Clients |
Retrieves a list of clients reporting malware events, based on the time range that you have specified, from the Symantec EPM (SEPM) server. |
client_list_reporting_malware_events
Investigation |
| Get Threat Status |
Retrieves details for all threat statistics from the Symantec EPM (SEPM) server. |
get_threat_stats
Investigation |
| Scan Endpoint |
Scans an endpoint to identify threats, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. |
scan_endpoint
Investigation |
| Quarantine Endpoints |
Quarantines groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. |
isolate_endpoint
Containment |
| Unquarantine Endpoints |
Removes the quarantine (unquarantines) of groups or endpoints, based on the input parameters that you have specified, on the Symantec EPM (SEPM) server. |
unisolate_endpoint
Remediation |
| Get Command Status |
Retrieves the command status, based on the command ID that you have specified, from the Symantec EPM (SEPM) server. |
command_status
Investigation |
| Get Fingerprint List Information |
Retrieves the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, from the Symantec EPM (SEPM) server. |
get_fingerprint_list
Investigation |
| Assign Fingerprint List To Group |
Assigns a file fingerprint list that you have specified to a group that you have specified on the Symantec EPM (SEPM) server. |
assign_fingerprint_to_group
Containment |
| Add Blacklist |
Add a blacklist as a file fingerprint list to the Symantec EPM (SEPM) server. |
add_blacklist
Containment |
| Update Blacklist |
Updates an existing blacklist, based on the input parameters, such as the file fingerprint file ID, that you have specified, from the Symantec EPM (SEPM) server. |
update_blacklist
Containment |
| Delete Blacklist |
Deletes an existing blacklist, based on the file fingerprint file ID that you have specified, from the Symantec EPM (SEPM) server. This operation also removes this blacklist from the group to which it applies. |
delete_blacklist
Miscellaneous |
| Full Scan Endpoint |
Performs a full scan on the specified endpoint on the Symantec Endpoint Protection Manager server, based on the group IDs or computer IDs you have specified. |
scan_endpoint
Investigation |
| Active Scan Endpoint |
Performs an active scan on the specified endpoint on the Symantec Endpoint Protection Manager server, based on the group IDs or computer IDs you have specified. |
scan_endpoint
Investigation |
operation: List Groups
Input parameters
None.
Output
The JSON output contains details for all groups configured on the device retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"size": "",
"sort": [
{
"property": "",
"direction": "",
"ascending": ""
}
],
"firstPage": "",
"totalElements": "",
"totalPages": "",
"numberOfElements": "",
"number": "",
"lastPage": "",
"content": [
{
"customIpsNumber": "",
"description": "",
"domain": {
"id": "",
"name": ""
},
"numberOfPhysicalComputers": "",
"lastModified": "",
"createdBy": "",
"fullPathName": "",
"created": "",
"id": "",
"policySerialNumber": "",
"numberOfRegisteredUsers": "",
"name": "",
"policyDate": "",
"policyInheritanceEnabled": ""
}
]
}
operation: Get Group Information
Input parameters
| Parameter |
Description |
| Group ID |
The ID of the group whose details you want to retrieve from the Symantec EPM (SEPM) server. |
Output
The JSON output contains detailed information about the group based on the group ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"defaultLocationId": "",
"description": "",
"numberOfPhysicalComputers": "",
"lastModified": "",
"numberOfRegisteredUsers": "",
"created": "",
"id": "",
"name": "",
"createdBy": "",
"policySerialNumber": "",
"policyDate": "",
"policyInheritanceEnabled": ""
}
operation: List Endpoints
Input parameters
| Parameter |
Description |
| Domain ID |
The domain ID using which you want to retrieve information for all associated endpoints from the Symantec EPM (SEPM) server. |
| Computer Name |
(Optional) The hostname of the computer for which you want to retrieve computer information from the Symantec EPM (SEPM) server. |
| Page Size |
(Optional) The number of record requests that should be included per page. By default, this is set as 20, i.e., if you leave this field blank, then only 20 records will be returned by this operation. |
| Page Index |
(Optional) The page number from which records will be returned from the Symantec EPM (SEPM) server. By default, this is set as '1' i.e., if you leave this field blank, then records from only the first page will be returned by this operation. |
| Custom Filter |
(Optional) The Query filter using which you want to filter endpoints retrieved from the Symantec EPM (SEPM) server. |
Output
The JSON output contains information for all endpoints that are associated with the Domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"size": "",
"sort": [
{
"property": "",
"direction": "",
"ascending": ""
}
],
"firstPage": "",
"totalElements": "",
"totalPages": "",
"numberOfElements": "",
"number": "",
"lastPage": "",
"content": [
{
"svaId": "",
"osElamStatus": "",
"physicalCpus": "",
"osMinor": "",
"hypervisorVendorId": "",
"lastSiteName": "",
"macAddresses": [
""
],
"tmpDevice": "",
"description": "",
"cidsSilentMode": "",
"osflavorNumber": "",
"computerName": "",
"osVersion": "",
"deploymentTargetVersion": "",
"osminor": "",
"tpmDevice": "",
"infected": "",
"serialNumber": "",
"cidsDrvOnOff": "",
"lastVirusTime": "",
"ptpOnOff": "",
"osFunction": "",
"homePhone": "",
"cidsEngineVersion": "",
"lastDeploymentTime": "",
"atpServer": "",
"atpDeviceId": "",
"osLanguage": "",
"timeZone": "",
"fullName": "",
"onlineStatus": "",
"idsSerialNo": "",
"domainOrWorkgroup": "",
"ipAddresses": [],
"group": {
"externalReferenceId": "",
"source": "",
"id": "",
"name": "",
"domain": {
"id": "",
"name": ""
},
"fullPathName": ""
},
"lastHeuristicThreatTime": "",
"lastServerId": "",
"licenseStatus": "",
"virtualizationPlatform": "",
"profileSerialNo": "",
"computerUsn": "",
"osservicePack": "",
"osbitness": "",
"isNpvdiClient": "",
"currentClientId": "",
"bwf": "",
"deleted": "",
"winServers": [],
"computerTimeStamp": "",
"rebootRequired": "",
"avEngineOnOff": "",
"patternIdx": "",
"hardwareKey": "",
"subnetMasks": [],
"lastDownloadTime": "",
"edrStatus": 2,
"quarantineDesc": "",
"employeeStatus": "",
"department": "",
"rebootReason": "",
"operatingSystem": "",
"osfunction": "",
"bashStatus": "",
"freeMem": "",
"cidsDrvMulfCode": "",
"cidsBrowserIeOnOff": "",
"logonUserName": "",
"dnsServers": [],
"osServicePack": "",
"freeDisk": "",
"agentVersion": "",
"uniqueId": "",
"agentTimeStamp": "",
"idsVersion": "",
"cidsBrowserFfOnOff": "",
"groupUpdateProvider": "",
"attributeExtension": "",
"officePhone": "",
"uuid": "",
"tamperOnOff": "",
"minorVersion": "",
"osMajor": "",
"diskDrive": "",
"mobilePhone": "",
"profileVersion": "",
"apOnOff": "",
"creationTime": "",
"securityVirtualAppliance": "",
"snacLicenseId": "",
"uwf": "",
"osBitness": "",
"firewallOnOff": "",
"contentUpdate": "",
"worstInfectionIdx": "",
"deploymentMessage": "",
"licenseExpiry": "",
"fbwf": "",
"elamOnOff": "",
"lastUpdateTime": "",
"totalDiskSpace": "",
"vsicStatus": "",
"daOnOff": "",
"agentUsn": "",
"osName": "",
"biosVersion": "",
"deploymentRunningVersion": "",
"dhcpServer": "",
"loginDomain": "",
"osname": "",
"osFlavorNumber": "",
"agentId": "",
"deploymentPreVersion": "",
"idsChecksum": "",
"processorType": "",
"logicalCpus": "",
"lastServerName": "",
"computerDescription": "",
"lastConnectedIpAddr": "",
"publicKey": "",
"gateways": [],
"memory": "",
"deploymentStatus": "",
"jobTitle": "",
"oslanguage": "",
"cidsDefsetVersion": "",
"email": "",
"osversion": "",
"licenseId": "",
"employeeNumber": "",
"lastScanTime": "",
"encryptedDevicePassword": "",
"processorClock": "",
"pepOnOff": "",
"lastSiteId": "",
"isGrace": "",
"osmajor": "",
"profileChecksum": "",
"agentType": "",
"kernel": "",
"writeFiltersStatus": "",
"installType": "",
"majorVersion": ""
}
]
}
operation: List Domains
Input parameters
None.
Output
The JSON output contains details for all accessible domains retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"companyName": "",
"enable": "",
"description": "",
"id": "",
"name": "",
"contactInfo": "",
"createdTime": "",
"administratorCount": ""
}
operation: Create Domain
Input parameters
| Parameter |
Description |
| Domain Name |
Name of the domain that you want to create on the Symantec EPM (SEPM) server. |
| Max Client Idle Time In Days |
(Optional) The number of days after which Symantec EPM (SEPM) deletes clients that have not connected.
The minimum value is set as 1. |
| Max Npvdi Client Idle Time In Days |
(Optional) The number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected.
The minimum value is set as 1. |
| Delete Idle Clients |
(Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days.
By default, this is set to False. |
| Delete Idle Npvdi Clients |
(Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days.
By default, this is set to False. |
| Allow Saving Credentials |
(Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM).
By default, this is set to False. |
| Allow Never Expiring Passwords |
(Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire.
By default, this is set to False. |
| Display Logon Banner |
(Optional) Select this option to display a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM).
By default, this is set to False. |
Output
The JSON output contains details of the newly created domain on the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"enable": "",
"contactInfo": "",
"bannerText": "",
"allowUsersToSaveCredentials": "",
"companyName": "",
"createdTime": "",
"description": "",
"deleteOldClients": "",
"administratorCount": "",
"deleteOldVDIClients": "",
"showBanner": "",
"bannerTitle": "",
"deleteOldClientsDays": "",
"id": "",
"allowNeverExpiresPasswords": "",
"name": "",
"deleteOldVDIClientsDays": ""
}
operation: Get Domain Name
Input parameters
| Parameter |
Description |
| Domain ID |
The ID of the domain whose name you want to retrieve from the Symantec EPM (SEPM) server. |
Output
The JSON output contains the domain name based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"name": "",
"value": ""
}
operation: Get Domain Information
Input parameters
| Parameter |
Description |
| Domain ID |
The ID of the domain for which you want to retrieve details from the Symantec EPM (SEPM) server. |
Output
The JSON output contains detailed information about the domain based on the domain ID that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"enable": "",
"contactInfo": "",
"bannerText": "",
"allowUsersToSaveCredentials": "",
"companyName": "",
"createdTime": "",
"description": "",
"deleteOldClients": "",
"administratorCount": "",
"deleteOldVDIClients": "",
"showBanner": "",
"bannerTitle": "",
"deleteOldClientsDays": "",
"id": "",
"allowNeverExpiresPasswords": "",
"name": "",
"deleteOldVDIClientsDays": ""
}
operation: Update Domain
Input parameters
| Parameter |
Description |
| Domain ID |
The ID of the domain that you want to update on the Symantec EPM (SEPM) server. |
| Domain Name |
Name of the domain that you want to update on the Symantec EPM (SEPM) server. |
| Max Client Idle Time In Days |
(Optional) The number of days after which Symantec EPM (SEPM) deletes clients that have not connected.
The minimum value is set as 1. |
| Max Npvdi Client Idle Time In Days |
(Optional) The number of days after which Symantec EPM (SEPM) deletes virtual desktop infrastructure (VDI) clients that have not connected.
The minimum value is set as 1. |
| Delete Idle Clients |
(Optional) Select this option to delete clients that have not connected to Symantec EPM (SEPM) for a specified number of days.
By default, this is set to False. |
| Delete Idle Npvdi Clients |
(Optional) Select this option to delete virtual desktop infrastructure (VDI) clients that have not connected to Symantec EPM (SEPM) for a specified number of days.
By default, this is set to False. |
| Allow Saving Credentials |
(Optional) Select this option to allow users to save credentials when logging on to Symantec EPM (SEPM).
By default, this is set to False. |
| Allow Never Expiring Passwords |
(Optional) Select this option to allow passwords in the Symantec EPM (SEPM) domain to never expire.
By default, this is set to False. |
| Display Logon Banner |
(Optional) Select this option to display a logon banner when an administrator logs on to this domain on Symantec EPM (SEPM).
By default, this is set to False. |
Output
The JSON output contains the updated domain information, based on the domain ID and domain name you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"enable": "",
"contactInfo": "",
"bannerText": "",
"allowUsersToSaveCredentials": "",
"companyName": "",
"createdTime": "",
"description": "",
"deleteOldClients": "",
"administratorCount": "",
"deleteOldVDIClients": "",
"showBanner": "",
"bannerTitle": "",
"deleteOldClientsDays": "",
"id": "",
"allowNeverExpiresPasswords": "",
"name": "",
"deleteOldVDIClientsDays": ""
}
operation: Delete Domain
Input parameters
| Parameter |
Description |
| Domain ID |
The ID of the domain that you want to delete from the Symantec EPM (SEPM) server. |
Output
The JSON output contains a Success message if the specified domain is successfully deleted from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"response": ""
}
operation: Get Critical Events Information
Input parameters
None.
Output
The JSON output contains details associated with critical events retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"criticalEventsInfoList": [],
"totalUnacknowledgedMessages": "",
"lastUpdated": ""
}
operation: Get Client Groups By Content Source
Input parameters
None.
Output
The JSON output contains a list and count of client groups, filtered by content download sources, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"downloadSources": [
{
"clientCount": "",
"sourceName": "",
"sourceKey": ""
}
],
"lastUpdated": ""
}
operation: List Client For Group By Content Version
Input parameters
None.
Output
The JSON output contains a list of clients for a group, filtered by content version, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"lastUpdated": "",
"clientDefStatusList": [
{
"clientsCount": "",
"version": ""
}
]
}
operation: List Infected Client
Input parameters
| Parameter |
Description |
| Report Type |
The type of report based on which you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server.
You can choose from the following options: Hour, Day, Week, or Month.
By default, this is set as Day. |
| From |
The DateTime from when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
| To |
The DateTime till when you want to retrieve a list of infected clients from the Symantec EPM (SEPM) server. |
Output
The JSON output contains a list and count of infected clients, based on the time range and report type that you have specified, from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"infectedClientStats": [
{
"epochTime": "",
"clientsCount": ""
}
],
"lastUpdated": ""
}
operation: Get Malware Reporting Clients
Input parameters
| Parameter |
Description |
| Report Type |
The type of report based on which you want to retrieve a list of clients which have reported malware events from the Symantec EPM (SEPM) server.
You can choose from the following options: Hour, Day, Week, or Month.
By default, this is set as Day. |
| From |
The DateTime from when you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. |
| To |
The DateTime till when you want to retrieve a list of clients that have reported malware events from the Symantec EPM (SEPM) server. |
Output
The JSON output contains a list of clients reporting malware events, based on the time range that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"malwareClientStats": [
{
"epochTime": "",
"clientsCount": ""
}
],
"lastUpdated": ""
}
operation: Get Threat Status
Input parameters
None.
Output
The JSON output contains details for all threat statistics retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"Stats": {
"lastUpdated": "",
"infectedClients": ""
}
}
operation: Scan Endpoint
Input parameters
| Parameter |
Description |
| Scan Groups or Computers |
Choose whether you want to perform the scan action on Groups or Computers.
By default, this is set as Computers. |
| IDs |
The list of Computer IDs or Group IDs that you want to scan. |
| Body |
The evidence of compromise command in XML. |
Output
The JSON output contains detailed information about the scan operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains a non-dictionary value.
operation: Quarantine Endpoints
Input parameters
| Parameter |
Description |
| Apply Quarantine |
Choose whether you want to perform the quarantine action on Groups or Computers.
By default, this is set as Computers. |
| IDs |
The list of Computer IDs or Group IDs that you want to quarantine. |
Output
The JSON output contains detailed information about the quarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"commandID_computer": ""
}
operation: Unquarantine Endpoints
Input parameters
| Parameter |
Description |
| Apply Unquarantine |
Choose whether you want to perform the unquarantine action on Groups or Computers.
By default, this is set as Computers. |
| IDs |
The list of Computer IDs or Group IDs that you want to unquarantine. |
Output
The JSON output contains detailed information about the unquarantine operation performed on groups or computers that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"commandID_computer": ""
}
operation: Get Command Status
Input parameters
| Parameter |
Description |
| Command ID |
The ID of the command whose status you want to retrieve from the Symantec EPM (SEPM) server. |
Output
The JSON output contains information about the status of the command based on the command ID that you have specified retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"size": "",
"sort": [
{
"property": "",
"direction": "",
"ascending": ""
}
],
"firstPage": "",
"totalElements": "",
"totalPages": "",
"numberOfElements": "",
"number": "",
"lastPage": "",
"content": [
{
"stateId": "",
"beginTime": "",
"computerId": "",
"currentLoginUserName": "",
"computerIp": "",
"binaryFileId": "",
"computerName": "",
"resultInXML": "",
"lastUpdateTime": "",
"domainName": "",
"subStateDesc": "",
"hardwareKey": "",
"subStateId": ""
}
]
}
operation: Get Fingerprint List Information
Input parameters
| Parameter |
Description |
| Name |
The ID of the file fingerprint based on which you want to retrieve the file fingerprint list from the Symantec EPM (SEPM) server. |
Output
The JSON output contains the file fingerprint list as a set of hash values, based on the file fingerprint name that you have specified, retrieved from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"hashType": "",
"source": "",
"description": "",
"data": [],
"groupIds": []
}
operation: Assign Fingerprint List To Group
Input parameters
| Parameter |
Description |
| Fingerprint ID |
The ID of the file fingerprint list that you want to assign to a group on the Symantec EPM (SEPM) server. |
| Group ID |
The ID of the group to which you want to assign the file fingerprint list on the Symantec EPM (SEPM) server. |
Output
The JSON output contains a Success message if the specified file fingerprint list is successfully assigned to the specified group on the Symantec EPM (SEPM) server.
The output contains a non-dictionary value.
operation: Add Blacklist
Input parameters
| Parameter |
Description |
| Blacklist Name |
The name of the blacklist that you want to add to the Symantec EPM (SEPM) server. |
| Hash Type |
The hash type of the blacklist file that you want to add to the Symantec EPM (SEPM) server. You can choose between MD5 or SHA256
By default, this is set as MD5. |
| Hash Value |
The file hashes that you want to add to the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
| Domain ID |
The domain ID to which the blacklist file will be applied on the Symantec EPM (SEPM) server. |
| Description |
The description of the blacklist file that you want to add to the Symantec EPM (SEPM) server. |
Output
The JSON output contains details of the blacklist file added on the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"id": ""
}
operation: Update Blacklist
Input parameters
| Parameter |
Description |
| Fingerprint ID |
The ID of the file fingerprint list that you want to update on the Symantec EPM (SEPM) server. |
| Blacklist Name |
The name of the blacklist whose details you want to update in the Symantec EPM (SEPM) server. |
| Hash Type |
The hash type of the blacklist file that you want to update in the Symantec EPM (SEPM) server. You can choose between MD5 or SHA256
By default, this is set as MD5. |
| Hash Value |
The file hashes that you want to update to the blacklist as a file fingerprint list on the Symantec EPM (SEPM) server. |
| Domain ID |
The domain ID to which the blacklist file will be applied on the Symantec EPM (SEPM) server. |
| Description |
The description of the blacklist file that you want to add to the Symantec EPM (SEPM) server. |
OUTPUT
The JSON output contains details of the updated blacklist from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"response": ""
}
operation: Delete Blacklist
Input parameters
| Parameter |
Description |
| Fingerprint ID |
The ID of the file fingerprint list that you want to delete from the Symantec EPM (SEPM) server. |
Output
The JSON output contains a Success message if the specified blacklist file is successfully deleted from the Symantec EPM (SEPM) server.
The output contains the following populated JSON schema:
{
"response": ""
}
operation: Full Scan Endpoint
Input parameters
| Parameter |
Description |
| Endpoint ID Type |
Select the type of endpoint ID on whose associated endpoints you want to perform a full scan. You can choose between Group IDs or Computer IDs.
- If you select Group IDs, then in the Group IDs field specify the Group IDs on whose associated endpoints you want to perform a full scan.
- If you select Computer IDs, then in the Computer IDs field specify the Computer IDs on whose associated endpoints you want to perform a full scan.
|
Output
The output contains a non-dictionary value.
operation: Active Scan Endpoint
Input parameters
| Parameter |
Description |
| Endpoint ID Type |
Select the type of endpoint ID on whose associated endpoints you want to perform an active scan. You can choose between Group IDs or Computer IDs.
- If you select Group IDs, then in the Group IDs field specify the Group IDs on whose associated endpoints you want to perform an active scan.
- If you select Computer IDs, then in the Computer IDs field specify the Computer IDs on whose associated endpoints you want to perform an active scan.
|
Output
The output contains a non-dictionary value.
Included playbooks
The Sample - Symantec-EPM (SEPM) - 1.1.1 playbook collection comes bundled with the Symantec EPM (SEPM) connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EPM (SEPM) connector.
- Active Scan Endpoint
- Add Blacklist
- Assign Fingerprint List To Group
- Create Domain
- Delete Blacklist
- Delete Domain
- Full Scan Endpoint
- Get Client Groups By Content Source
- Get Command Status
- Get Critical Events Information
- Get Domain Information
- Get Domain Name
- Get Fingerprint List Information
- Get Group Information
- Get Malware Reporting Clients
- Get Threat Status
- List Client For Group By Content Version
- List Domains
- List Endpoints
- List Infected Client
- List Groups
- Scan Endpoint
- Quarantine Endpoints
- Unquarantine Endpoints
- Update Blacklist
- Update Domain
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
