Symantec EDR Cloud v2.0.0

About the connector

Symantec™ Endpoint Detection and Response (EDR) Cloud delivers in-depth endpoint visibility, automated threat hunting, and breach response across the entire enterprise. Symantec EDR Cloud enhances investigator productivity with extensive rules and user behavior analytics that bring the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.

This document provides information about the Symantec EDR Cloud Connector, which facilitates automated interactions with your Symantec EDR Cloud using FortiSOAR™ playbooks. Add the Symantec EDR Cloud Connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving alerts and alert details from Symantec EDR Cloud and adding a whitelist entry to Symantec EDR Cloud.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 5.1.0-464

Symantec EDR Cloud Version Tested on: v3.2.0.84

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

The following enhancements have been made to the Symantec EDR Cloud Connector in version 2.0.0:

  • Added support for configuring Symantec EDR Cloud data ingestion using the FortiSOAR™ Data Ingestion Wizard, a new feature in FortiSOAR™ 5.0.0. The following new playbooks have been added to support data ingestion:
    • > Symantec EDR Cloud > Create Alert
    • > Symantec EDR Cloud > Fetch
    • >> Symantec EDR Cloud > Fetch Alert Details
    • >> Symantec EDR Cloud > Handle Update Alert
    • Symantec EDR Cloud > Ingest
    • > Symantec EDR Cloud > Post Create Alert
  • Added Fetch Count as an optional input parameter in the Get Alerts action.
  • Renamed the Get Report action to Get Alert Details.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, refer to the FortiSOAR™ connectors documentation.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-symantec-edr-cloud

Prerequisites to configuring the connector

  • You must have the URL of the Symantec EDR Cloud to which you will connect and perform automated operations and the API key to access that Symantec EDR Cloud.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, refer to the FortiSOAR™ connectors documentation.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Symantec EDR Cloud connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Server URL
    URL of the Symantec EDR Cloud API to which you will connect and perform the automated operations.

API Key
    API key used to access the Symantec EDR Cloud to which you will connect and perform the automated operations. Treat it as a credential: it authorizes every action listed below, including changes to the whitelist.

Verify SSL
    Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. Leave it set to True in production: with verification disabled, anyone who can intercept the connection can read the API key and tamper with the alert data the connector ingests.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Get Alerts (annotation: get_alerts; category: Investigation)
    Retrieves a list and details of all alerts from the Symantec EDR Cloud, based on the category of alert and other parameters that you have specified.

Get Alert Details (annotation: get_alert_details; category: Investigation)
    Retrieves details for an alert from the Symantec EDR Cloud, based on the alert ID that you have specified.

Add SHA256 to Whitelist (annotation: add_whitelist; category: Remediation)
    Adds a whitelist entry to Symantec EDR Cloud, based on the value of the sha256 hash that you have specified.

Get Whitelist (annotation: list_whitelist; category: Investigation)
    Retrieves a list and details of all whitelisted sha256s from the Symantec EDR Cloud.

Delete SHA256 from Whitelist (annotation: delete_whitelist; category: Containment)
    Removes a whitelisted entry from Symantec EDR Cloud, based on the value of the sha256 hash that you have specified.

Important: Every action returns “Id” and “RequestId” along with the data from Symantec EDR Cloud API, where “Id” contains a unique ID and “RequestId” contains “00000000-0000-0000-0000-000000000000”.

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied and an unfiltered list is returned.

Fetch Count
    Number of alerts that you want to fetch from EDR Cloud.

Duration
    Time range for which you want to retrieve alerts from EDR Cloud. You can choose from the following options: Today, Yesterday, Last 7 days, or Last 30 days.

Remediation Status
    Remediation status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Remediated, Not Remediated, or Both.

Alert Status
    Alert status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Alerted, Not Alerted, or Both.

Read Status
    Read status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Read, Unread, or Both.

Sort
    Field by which the retrieved alerts are sorted. You can choose from the following options: Created Date, Name, or Score.

Category
    Category of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: EScribe Recording, Commercial Blacklist, Persistence, Temporal Analysis, Open Source Intelligence, Estate Statistics, Lateral Movement, Memory Injection, Machine Reasoning, Rootkit, or User Behavior.

Sorting Order
    Order in which the alerts are sorted once they are retrieved from EDR Cloud. You can choose from the following options: Ascending or Descending.

Output

The JSON output contains a list and details of alerts retrieved from Symantec EDR Cloud, based on the alert category and other parameters that you have specified.

The output contains the following populated JSON schema:
{
  "Start": 0,
  "Count": 0,
  "Errors": [],
  "TotalCount": 0,
  "Id": "",
  "RequestId": "",
  "Warnings": [],
  "Items": [
    {
      "Origin": "",
      "RecommendedAction": "",
      "Enrichments": "",
      "Priority": "",
      "NetworkScanner": "",
      "Created": "",
      "AskExpertHistory": "",
      "ApplianceName": "",
      "Name": "",
      "Conclusions": "",
      "IncidentLastUpdated": "",
      "LastSeen": "",
      "ApplianceId": "",
      "SuspectedBreach": "",
      "DeviceTime": "",
      "Score": "",
      "Version": "",
      "Guid": "",
      "Read": "",
      "State": "",
      "IsTargetedAttack": "",
      "Severity": "",
      "Resolution": "",
      "Description": "",
      "DetectionTypes": "",
      "IncidentId": "",
      "Actor": "",
      "AssociatedKM": "",
      "Updated": "",
      "FirstSeen": ""
    }
  ]
}
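The Get Alerts output above is what a playbook step receives, and the fields that matter for triage are Errors (the call failed, regardless of what Items holds), Score, SuspectedBreach and IsTargetedAttack. The following Python is an added example, not code from the connector or from Symantec: it fails closed on a non-empty Errors array, keeps alerts whose Score reaches a threshold or that Symantec flagged as a suspected breach or targeted attack even when the score is low, and orders them for escalation. The sample response is constructed to match the schema; the flag values arriving as the strings "true"/"false" and the Start/Count/TotalCount paging interpretation in has_more are assumptions, since the page does not state the field types.

```python
from typing import Any, Dict, List


class ConnectorError(Exception):
    """Raised when the connector response carries entries in its Errors array."""


# Constructed sample response in the shape of the Get Alerts schema above.
# GUIDs, names and values are illustrative, not real Symantec data.
SAMPLE_GET_ALERTS: Dict[str, Any] = {
    "Start": 0,
    "Count": 3,
    "Errors": [],
    "TotalCount": 7,
    "Id": "sample-id",
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "Warnings": [],
    "Items": [
        {"Guid": "a1", "Name": "Memory injection into lsass", "Score": "85",
         "Severity": "High", "SuspectedBreach": "true", "IsTargetedAttack": "false",
         "State": "open", "Read": "false", "Created": "2020-01-02T03:04:05Z"},
        {"Guid": "a2", "Name": "Commercial blacklist match", "Score": "40",
         "Severity": "Medium", "SuspectedBreach": "false", "IsTargetedAttack": "false",
         "State": "open", "Read": "true", "Created": "2020-01-02T03:00:00Z"},
        {"Guid": "a3", "Name": "Lateral movement over SMB", "Score": "30",
         "Severity": "Low", "SuspectedBreach": "false", "IsTargetedAttack": "true",
         "State": "open", "Read": "false", "Created": "2020-01-01T00:00:00Z"},
    ],
}


def _as_bool(value: Any) -> bool:
    # Assumption: the schema shows flags as strings, so accept "true"/"false" as well as bools.
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


def _as_int(value: Any, default: int = 0) -> int:
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return default


def check_response(resp: Dict[str, Any]) -> Dict[str, Any]:
    """Fail closed: a non-empty Errors array means Items cannot be trusted."""
    errors = resp.get("Errors") or []
    if errors:
        raise ConnectorError("Symantec EDR Cloud returned errors: %r" % (errors,))
    return resp


def has_more(resp: Dict[str, Any]) -> bool:
    """Assumes Start/Count/TotalCount describe a page window (not stated on the page)."""
    return _as_int(resp.get("Start")) + _as_int(resp.get("Count")) < _as_int(resp.get("TotalCount"))


def triage_alerts(resp: Dict[str, Any], min_score: int = 50) -> List[Dict[str, Any]]:
    """Return alerts worth escalating, highest priority first.

    An alert is kept when its Score reaches min_score, or regardless of score when
    Symantec flagged it as a suspected breach or a targeted attack.
    """
    check_response(resp)
    picked = []
    for item in resp.get("Items", []):
        score = _as_int(item.get("Score"))
        breach = _as_bool(item.get("SuspectedBreach"))
        targeted = _as_bool(item.get("IsTargetedAttack"))
        if score < min_score and not (breach or targeted):
            continue
        picked.append({
            "guid": item.get("Guid"),
            "name": item.get("Name"),
            "severity": item.get("Severity"),
            "score": score,
            "breach": breach,
            "targeted": targeted,
            "unread": not _as_bool(item.get("Read")),
        })
    # Suspected breaches first, then targeted attacks, then by descending score.
    picked.sort(key=lambda a: (a["breach"], a["targeted"], a["score"]), reverse=True)
    return picked


if __name__ == "__main__":
    for alert in triage_alerts(SAMPLE_GET_ALERTS):
        print(alert["guid"], alert["severity"], alert["score"], alert["name"])
    print("more pages:", has_more(SAMPLE_GET_ALERTS))
```

In a playbook, the equivalent of check_response belongs before any step that creates FortiSOAR alerts from Items; an empty Items list next to a populated Errors array is a failed call, not a quiet day.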

operation: Get Alert Details

Input parameters

Alert ID
    ID of the alert whose details you want to retrieve from Symantec EDR Cloud.

Output

The JSON output contains the detailed report for the specified alert retrieved from Symantec EDR Cloud, based on the alert ID that you have specified.

The output contains the following populated JSON schema:
{
  "Item": {
    "graphCustom": {},
    "MachineId": "",
    "Created": "",
    "CustomerId": "",
    "AskExpertHistory": [],
    "ApplianceName": "",
    "Name": "",
    "Alerted": "",
    "IncidentLastUpdated": "",
    "graphComments": [],
    "SuspectedBreach": "",
    "DeviceTime": "",
    "Score": "",
    "graphTags": [],
    "Priority": "",
    "Read": "",
    "graphTemplates": [
      {
        "InboundUpperValue": "",
        "Focus": "",
        "FocusValue": "",
        "OutboundTimelineSprout": "",
        "Initiator": "",
        "InboundTimelineValue": "",
        "FocusLabel": "",
        "InboundTimelineIcon": "",
        "InboundLowerLabel": "",
        "InboundLowerSprout": "",
        "InitiatorSprout": "",
        "Score": "",
        "InboundLowerIcon": "",
        "InboundLower": "",
        "InitiatorValue": "",
        "Title": "",
        "FocusSubValue": "",
        "OutboundTimelineLabel": "",
        "Categories": [],
        "InboundLowerValue": "",
        "InitiatorLabel": "",
        "OutboundTimelineValue": "",
        "OutboundLowerValue": "",
        "OutboundUpperIcon": "",
        "OutboundTimelineIcon": "",
        "OutboundUpperSprout": "",
        "FocusSprout": "",
        "OutboundUpperValue": "",
        "OutboundUpperLabel": "",
        "OutboundLowerIcon": "",
        "OutboundLowerLabel": "",
        "OutboundUpper": "",
        "InitiatorIcon": "",
        "InboundUpperLabel": "",
        "OutboundLower": "",
        "FocusIcon": "",
        "InboundTimelineSprout": "",
        "OutboundLowerSprout": "",
        "InboundUpper": "",
        "InboundUpperIcon": "",
        "OutboundTimeline": "",
        "InboundTimelineLabel": "",
        "InboundUpperSprout": "",
        "InboundTimeline": "",
        "EntityGroups": [
          {
            "RootEntity": "",
            "FlavorText": "",
            "Entities": [
              {
                "EntryType": "",
                "Value": ""
              }
            ],
            "RootEntityType": "",
            "Comments": [],
            "Name": ""
          }
        ]
      }
    ],
    "Remediated": "",
    "State": "",
    "IncidentRuleId": "",
    "Severity": "",
    "Resolution": "",
    "DetectionTypes": [],
    "graphFlavorText": [],
    "IncidentId": "",
    "reportTemplates": [],
    "Actor": "",
    "AssociatedKM": "",
    "Updated": "",
    "Origin": "",
    "graphNodes": [
      {
        "Id": "",
        "NodeLabels": [],
        "Properties": {
          "Path": "",
          "Guid": "",
          "NodeUpdated": "",
          "InstanceId": "",
          "Created": "",
          "Modified": "",
          "CustomerId": "",
          "Name": "",
          "ResultId": "",
          "AssociatedJob": "",
          "Size": "",
          "AssociatedKM": "",
          "NodeCreated": "",
          "CollectionId": "",
          "HashsweepResultId": "",
          "WontGrow": "",
          "CollectedDate": "",
          "Hash": "",
          "Accessed": ""
        },
        "Source": ""
      }
    ],
    "Guid": "",
    "graphEdges": [
      {
        "GlobalEndNodeId": "",
        "IsHidden": "",
        "NativeEndNodeId": "",
        "Source": "",
        "NativeStartNodeId": "",
        "Properties": {
          "ResultId": ""
        },
        "GlobalStartNodeId": "",
        "Type": "",
        "Id": ""
      }
    ],
    "RecommendedAction": "",
    "LastSeen": "",
    "ApplianceId": "",
    "NetworkScanner": "",
    "Version": "",
    "graphCategories": [],
    "Enrichments": [],
    "DefaultIcon": "",
    "Conclusions": [],
    "AssociatedJob": "",
    "Description": "",
    "IsTargetedAttack": "",
    "FirstSeen": ""
  },
  "Errors": [],
  "Status": "",
  "Id": "",
  "RequestId": "",
  "Warnings": []
}

operation: Add SHA256 to Whitelist

Input parameters

SHA256
    Value of the SHA256 hash that you want to add as a whitelist entry in Symantec EDR Cloud.

Description
    Brief description of the SHA256 that you want to add as a whitelist entry in Symantec EDR Cloud.

Output

The JSON output reports success if the specified sha256 value is added as a whitelist entry in Symantec EDR Cloud; any failure is reported in the Errors array.

The output contains the following populated JSON schema:
{
  "Id": "",
  "RequestId": "",
  "Warnings": [],
  "Errors": []
}

operation: Get Whitelist

Input parameters

None.

Output

The JSON output contains a list and details of all whitelisted sha256s retrieved from the Symantec EDR Cloud.

The output contains the following populated JSON schema:
{
  "Id": "",
  "RequestId": "",
  "Warnings": [],
  "Errors": [],
  "Items": [
    {
      "DateCreated": "",
      "Id": "",
      "CreatedBy": "",
      "CustomerId": "",
      "Hash": "",
      "Description": ""
    }
  ]
}

operation: Delete SHA256 from Whitelist

Input parameters

SHA256
    Value of the SHA256 hash that you want to remove as a whitelist entry from Symantec EDR Cloud.

ID
    ID of the hash entry that you want to remove as a whitelist entry from Symantec EDR Cloud.

Note: You can specify either the sha256 or the ID as the input parameter.

Output

The JSON output reports success if the specified sha256 value is removed as a whitelist entry from Symantec EDR Cloud; any failure is reported in the Errors array.

The output contains the following populated JSON schema:
{
  "Id": "",
  "RequestId": "",
  "Warnings": [],
  "Errors": []
}
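A whitelist entry silences detections for that hash, so the three whitelist operations above (Add SHA256 to Whitelist, Get Whitelist, Delete SHA256 from Whitelist) deserve input checks before a playbook calls them. The following Python is an added example, not connector or Symantec code: it rejects anything that is not a 64-character hex SHA256 digest before it reaches add_whitelist, uses a Get Whitelist response to skip duplicates, and resolves either a hash or an entry ID to the ID used for delete_whitelist, refusing to delete what is not listed. The sample Get Whitelist response is constructed to match the schema; the dictionary keys SHA256, Description and ID mirror the documented input parameter names rather than the connector's internal JSON names, and requiring a non-empty description is this example's policy, not the connector's.

```python
import re
from typing import Any, Dict, Optional

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

# Constructed sample in the shape of the Get Whitelist schema above; hashes,
# Ids and descriptions are illustrative, not real whitelist data.
SAMPLE_GET_WHITELIST: Dict[str, Any] = {
    "Id": "sample-id",
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "Warnings": [],
    "Errors": [],
    "Items": [
        {"DateCreated": "2020-01-01T00:00:00Z", "Id": "wl-1", "CreatedBy": "analyst",
         "CustomerId": "c1", "Hash": "A" * 64, "Description": "Signed internal build tool"},
        {"DateCreated": "2020-01-02T00:00:00Z", "Id": "wl-2", "CreatedBy": "analyst",
         "CustomerId": "c1", "Hash": "b" * 64, "Description": "Vendor agent, ticket 1234"},
    ],
}


def normalize_sha256(value: str) -> str:
    """Validate a SHA256 hex digest before it is sent to add_whitelist.

    Rejects anything that is not exactly 64 hex characters: a partial hash, an MD5
    or a stray path would otherwise become a useless or misleading whitelist entry.
    """
    candidate = value.strip()
    if not SHA256_RE.fullmatch(candidate):
        raise ValueError("not a SHA256 hex digest: %r" % (value,))
    return candidate.lower()


def index_whitelist(resp: Dict[str, Any]) -> Dict[str, str]:
    """Map lower-cased Hash -> entry Id from a Get Whitelist response."""
    if resp.get("Errors"):
        raise RuntimeError("Get Whitelist returned errors: %r" % (resp["Errors"],))
    return {normalize_sha256(item["Hash"]): item["Id"] for item in resp.get("Items", [])}


def plan_add(sha256: str, description: str, index: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Build the inputs for Add SHA256 to Whitelist, or None if the hash is already listed."""
    digest = normalize_sha256(sha256)
    # Policy of this example: an entry that suppresses detections must carry a justification.
    if not description.strip():
        raise ValueError("a whitelist entry needs a justification in its description")
    if digest in index:
        return None
    # Keys mirror the documented input parameter names (assumed, see lead-in).
    return {"SHA256": digest, "Description": description.strip()}


def plan_delete(target: str, index: Dict[str, str]) -> Dict[str, str]:
    """Resolve a SHA256 or an entry ID to the ID input of Delete SHA256 from Whitelist.

    The page allows either input; deleting by ID is unambiguous, so the hash form is
    resolved through the Get Whitelist index and unknown targets are refused.
    """
    if SHA256_RE.fullmatch(target.strip()):
        digest = normalize_sha256(target)
        if digest not in index:
            raise LookupError("hash is not whitelisted: %s" % digest)
        return {"ID": index[digest]}
    if target not in index.values():
        raise LookupError("no whitelist entry with ID %r" % (target,))
    return {"ID": target}


if __name__ == "__main__":
    idx = index_whitelist(SAMPLE_GET_WHITELIST)
    print(plan_add("c" * 64, "Approved by SOC, ticket 5678", idx))
    print(plan_add("a" * 64, "duplicate", idx))
    print(plan_delete("B" * 64, idx))
```

Case-folding the hash matters in both directions: Symantec's stored Hash may use either case, and comparing without normalizing would let the same binary be whitelisted twice or survive a delete by hash.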

Included playbooks

The Sample - Symantec EDR Cloud - 2.0.0 playbook collection comes bundled with the Symantec EDR Cloud connector. This collection contains playbooks that exercise every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EDR Cloud connector.

  • Add SHA256 to Whitelist
  • Delete SHA256 from Whitelist
  • Get Alert Details
  • Get Alerts
  • Get Whitelist
  • > Symantec EDR Cloud > Create Alert
  • > Symantec EDR Cloud > Fetch
  • >> Symantec EDR Cloud > Fetch Alert Details
  • >> Symantec EDR Cloud > Handle Update Alert
  • Symantec EDR Cloud > Ingest
  • > Symantec EDR Cloud > Post Create Alert

Note: If you are planning to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or removed.
