Symantec™ Endpoint Detection and Response (EDR) Cloud delivers in-depth endpoint visibility, automated threat hunting and breach response across the entire enterprise. Symantec EDR Cloud enhances investigator productivity with extensive rules and user behavior analytics that brings the skills and best practices of the most experienced security analysts to any organization, resulting in significantly lower costs.
This document provides information about the Symantec EDR Cloud Connector, which facilitates automated interactions with your Symantec EDR Cloud using FortiSOAR™ playbooks. Add the Symantec EDR Cloud Connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving alerts and reports from Symantec EDR Cloud and adding a whitelist entry to Symantec EDR Cloud.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 5.1.0-464
Symantec EDR Cloud Version Tested on: v3.2.0.84
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Symantec EDR Cloud Connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
```sh
yum install cyops-connector-symantec-edr-cloud
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Symantec EDR Cloud connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Symantec EDR Cloud API to which you will connect and perform the automated operations. |
API Key | API key used to access the Symantec EDR Cloud to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Alerts | Retrieves a list and details of all alerts from the Symantec EDR Cloud, based on the category of alert and other parameters that you have specified. | get_alerts Investigation |
Get Alert Details | Retrieves details for an alert from the Symantec EDR Cloud, based on the alert ID that you have specified. | get_alert_details Investigation |
Add SHA256 to Whitelist | Adds a whitelist entry to Symantec EDR Cloud, based on the value of the sha256 hash that you have specified. | add_whitelist Remediation |
Get Whitelist | Retrieves a list and details of all whitelisted sha256s from the Symantec EDR Cloud. | list_whitelist Investigation |
Delete SHA256 from Whitelist | Removes a whitelisted entry from Symantec EDR Cloud, based on the value of the sha256 hash that you have specified. | delete_whitelist Containment |
Important: Every action returns “Id” and “RequestId” along with the data from Symantec EDR Cloud API, where “Id” contains a unique ID and “RequestId” contains “00000000-0000-0000-0000-000000000000”.
Input parameters for the Get Alerts operation. Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and an unfiltered list is returned.
Parameter | Description |
---|---|
Fetch Count | Number of alerts that you want to fetch from EDR Cloud. |
Duration | Duration or time range for which you want to retrieve alerts from EDR Cloud. You can choose from the following options: Today, Yesterday, Last 7 days, or Last 30 days. |
Remediation Status | Remediation status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Remediated, Not Remediated, or Both. |
Alert Status | Alert status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Alerted, Not Alerted, or Both. |
Read Status | Read status of the alerts that you want to retrieve from EDR Cloud. You can choose from the following options: Read, Unread, or Both. |
Sort | Criterion by which the alerts you retrieve from EDR Cloud are sorted. You can choose from the following options: Created Date, Name, or Score. |
Category | Category of the alert based on which you want to retrieve alerts from EDR Cloud. You can choose from the following options: EScribe Recording, Commercial Blacklist, Persistence, Temporal Analysis, Open Source Intelligence, Estate Statistics, Lateral Movement, Memory Injection, Machine Reasoning, Rootkit, or User Behavior. |
Sorting Order | Order in which the alerts are sorted once they are retrieved from EDR Cloud. You can choose from the following options: Ascending or Descending. |
The JSON output contains a list and details of alerts retrieved from Symantec EDR Cloud, based on the alert category and other parameters that you have specified.
The output contains the following populated JSON schema:
```json
{
  "Start": 0,
  "Count": 0,
  "Errors": [],
  "TotalCount": 0,
  "Id": "",
  "RequestId": "",
  "Warnings": [],
  "Items": [
    {
      "Origin": "",
      "RecommendedAction": "",
      "Enrichments": "",
      "Priority": "",
      "NetworkScanner": "",
      "Created": "",
      "AskExpertHistory": "",
      "ApplianceName": "",
      "Name": "",
      "Conclusions": "",
      "IncidentLastUpdated": "",
      "LastSeen": "",
      "ApplianceId": "",
      "SuspectedBreach": "",
      "DeviceTime": "",
      "Score": "",
      "Version": "",
      "Guid": "",
      "Read": "",
      "State": "",
      "IsTargetedAttack": "",
      "Severity": "",
      "Resolution": "",
      "Description": "",
      "DetectionTypes": "",
      "IncidentId": "",
      "Actor": "",
      "AssociatedKM": "",
      "Updated": "",
      "FirstSeen": ""
    }
  ]
}
```
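The Get Alerts response is a paged envelope (`Start`, `Count`, `TotalCount`) wrapping the alert list, and the schema shows the flag fields as strings. The following helper, added here as an example and not part of the connector, validates the envelope, works out whether another page must be fetched, and orders open alerts for triage by `SuspectedBreach`, `IsTargetedAttack` and `Score`. The sample response is constructed for illustration.

```python
import json

# Constructed sample shaped like the Get Alerts output schema above
# (values are made up for illustration, not real EDR Cloud data).
SAMPLE_GET_ALERTS = json.dumps({
    "Start": 0, "Count": 3, "TotalCount": 5,
    "Errors": [], "Warnings": ["constructed warning"],
    "Id": "constructed-id",
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "Items": [
        {"Guid": "a1", "Name": "Memory Injection", "Score": "85",
         "Severity": "High", "SuspectedBreach": "true",
         "IsTargetedAttack": "false", "Resolution": "", "Read": "false"},
        {"Guid": "a2", "Name": "Commercial Blacklist", "Score": "40",
         "Severity": "Medium", "SuspectedBreach": "false",
         "IsTargetedAttack": "false", "Resolution": "Remediated", "Read": "true"},
        {"Guid": "a3", "Name": "Lateral Movement", "Score": "70",
         "Severity": "High", "SuspectedBreach": "false",
         "IsTargetedAttack": "true", "Resolution": "", "Read": "false"},
    ],
})


def _flag(value):
    """The schema shows flags as strings; accept "true"/"false" or real booleans."""
    return str(value).strip().lower() == "true"


def parse_alert_page(raw):
    """Validate the response envelope and report whether more pages remain.

    Returns (items, has_more, next_start). Raises if the API reported errors,
    so a playbook never treats a failed call as "no alerts".
    """
    data = json.loads(raw)
    if data.get("Errors"):
        raise ValueError("EDR Cloud returned errors: %s" % data["Errors"])
    items = data.get("Items") or []
    next_start = int(data.get("Start", 0)) + int(data.get("Count", len(items)))
    has_more = next_start < int(data.get("TotalCount", 0))
    return items, has_more, next_start


def triage_score(alert):
    """Sort key: suspected breach first, then targeted attack, then numeric score."""
    try:
        score = float(alert.get("Score") or 0)
    except ValueError:
        score = 0.0  # non-numeric score: rank on the flags alone
    return (_flag(alert.get("SuspectedBreach")),
            _flag(alert.get("IsTargetedAttack")), score)


def prioritize(items, skip_remediated=True):
    """Return alert GUIDs in the order an analyst should look at them.

    Alerts with a non-empty Resolution are treated as already remediated.
    """
    open_alerts = [a for a in items
                   if not (skip_remediated and a.get("Resolution"))]
    return [a["Guid"] for a in sorted(open_alerts, key=triage_score, reverse=True)]
```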
Input parameters for the Get Alert Details operation:
Parameter | Description |
---|---|
Alert ID | ID of the alert whose details you want to retrieve from Symantec EDR Cloud. |
The JSON output contains the detailed report for the specified alert retrieved from Symantec EDR Cloud, based on the alert ID that you have specified.
The output contains the following populated JSON schema:
```json
{
  "Item": {
    "graphCustom": {},
    "MachineId": "",
    "Created": "",
    "CustomerId": "",
    "AskExpertHistory": [],
    "ApplianceName": "",
    "Name": "",
    "Alerted": "",
    "IncidentLastUpdated": "",
    "graphComments": [],
    "SuspectedBreach": "",
    "DeviceTime": "",
    "Score": "",
    "graphTags": [],
    "Priority": "",
    "Read": "",
    "graphTemplates": [
      {
        "InboundUpperValue": "",
        "Focus": "",
        "FocusValue": "",
        "OutboundTimelineSprout": "",
        "Initiator": "",
        "InboundTimelineValue": "",
        "FocusLabel": "",
        "InboundTimelineIcon": "",
        "InboundLowerLabel": "",
        "InboundLowerSprout": "",
        "InitiatorSprout": "",
        "Score": "",
        "InboundLowerIcon": "",
        "InboundLower": "",
        "InitiatorValue": "",
        "Title": "",
        "FocusSubValue": "",
        "OutboundTimelineLabel": "",
        "Categories": [],
        "InboundLowerValue": "",
        "InitiatorLabel": "",
        "OutboundTimelineValue": "",
        "OutboundLowerValue": "",
        "OutboundUpperIcon": "",
        "OutboundTimelineIcon": "",
        "OutboundUpperSprout": "",
        "FocusSprout": "",
        "OutboundUpperValue": "",
        "OutboundUpperLabel": "",
        "OutboundLowerIcon": "",
        "OutboundLowerLabel": "",
        "OutboundUpper": "",
        "InitiatorIcon": "",
        "InboundUpperLabel": "",
        "OutboundLower": "",
        "FocusIcon": "",
        "InboundTimelineSprout": "",
        "OutboundLowerSprout": "",
        "InboundUpper": "",
        "InboundUpperIcon": "",
        "OutboundTimeline": "",
        "InboundTimelineLabel": "",
        "InboundUpperSprout": "",
        "InboundTimeline": "",
        "EntityGroups": [
          {
            "RootEntity": "",
            "FlavorText": "",
            "Entities": [
              {
                "EntryType": "",
                "Value": ""
              }
            ],
            "RootEntityType": "",
            "Comments": [],
            "Name": ""
          }
        ]
      }
    ],
    "Remediated": "",
    "State": "",
    "IncidentRuleId": "",
    "Severity": "",
    "Resolution": "",
    "DetectionTypes": [],
    "graphFlavorText": [],
    "IncidentId": "",
    "reportTemplates": [],
    "Actor": "",
    "AssociatedKM": "",
    "Updated": "",
    "Origin": "",
    "graphNodes": [
      {
        "Id": "",
        "NodeLabels": [],
        "Properties": {
          "Path": "",
          "Guid": "",
          "NodeUpdated": "",
          "InstanceId": "",
          "Created": "",
          "Modified": "",
          "CustomerId": "",
          "Name": "",
          "ResultId": "",
          "AssociatedJob": "",
          "Size": "",
          "AssociatedKM": "",
          "NodeCreated": "",
          "CollectionId": "",
          "HashsweepResultId": "",
          "WontGrow": "",
          "CollectedDate": "",
          "Hash": "",
          "Accessed": ""
        },
        "Source": ""
      }
    ],
    "Guid": "",
    "graphEdges": [
      {
        "GlobalEndNodeId": "",
        "IsHidden": "",
        "NativeEndNodeId": "",
        "Source": "",
        "NativeStartNodeId": "",
        "Properties": {
          "ResultId": ""
        },
        "GlobalStartNodeId": "",
        "Type": "",
        "Id": ""
      }
    ],
    "RecommendedAction": "",
    "LastSeen": "",
    "ApplianceId": "",
    "NetworkScanner": "",
    "Version": "",
    "graphCategories": [],
    "Enrichments": [],
    "DefaultIcon": "",
    "Conclusions": [],
    "AssociatedJob": "",
    "Description": "",
    "IsTargetedAttack": "",
    "FirstSeen": ""
  },
  "Errors": [],
  "Status": "",
  "Id": "",
  "RequestId": "",
  "Warnings": []
}
```
Input parameters for the Add SHA256 to Whitelist operation:
Parameter | Description |
---|---|
SHA256 | Value of the SHA256 hash that you want to add as a whitelist entry in Symantec EDR Cloud. |
Description | Brief description of the SHA256 that you want to add as a whitelist entry in Symantec EDR Cloud. |
The JSON output contains a Success message if the specified sha256 value is successfully added as a whitelist entry in Symantec EDR Cloud.
The output contains the following populated JSON schema:
```json
{
  "Id": "",
  "RequestId": "",
  "Warnings": [],
  "Errors": []
}
```
Input parameters for the Get Whitelist operation: None.
The JSON output contains a list and details of all whitelisted sha256s retrieved from the Symantec EDR Cloud.
The output contains the following populated JSON schema:
```json
{
  "Id": "",
  "RequestId": "",
  "Warnings": [],
  "Errors": [],
  "Items": [
    {
      "DateCreated": "",
      "Id": "",
      "CreatedBy": "",
      "CustomerId": "",
      "Hash": "",
      "Description": ""
    }
  ]
}
```
Input parameters for the Delete SHA256 from Whitelist operation:
Parameter | Description |
---|---|
SHA256 | Value of the SHA256 hash that you want to remove as a whitelist entry from Symantec EDR Cloud. |
ID | ID of the hash entry that you want to remove as a whitelist entry from Symantec EDR Cloud. |
Note: You can specify either the sha256 or ID as the input parameter.
The JSON output contains a Success message if the specified sha256 value is successfully removed as a whitelist entry from Symantec EDR Cloud.
The output contains the following populated JSON schema:
```json
{
  "Id": "",
  "RequestId": "",
  "Warnings": [],
  "Errors": []
}
```
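Whitelisting is a Remediation action with a wide blast radius: an entry created from a mistyped or truncated hash either matches nothing or silences the wrong file. The helper below, added here as an example and not part of the connector, prepares inputs for the Add SHA256 to Whitelist, Get Whitelist and Delete SHA256 from Whitelist operations described above: it normalizes and validates the SHA256, requires a description for later audit, enforces the either-SHA256-or-ID rule of the delete operation, and checks a Get Whitelist response for an existing entry before a duplicate is added. The dictionary keys `sha256`, `description` and `id` are assumed names, not the connector's documented parameter names.

```python
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample shaped like the Get Whitelist output schema above.
SAMPLE_GET_WHITELIST = {
    "Id": "constructed-id", "RequestId": "00000000-0000-0000-0000-000000000000",
    "Warnings": [], "Errors": [],
    "Items": [
        {"DateCreated": "2020-01-01T00:00:00Z", "Id": "wl-1",
         "CreatedBy": "analyst", "CustomerId": "c1",
         "Hash": "AB" * 32,  # constructed, stored upper-case on purpose
         "Description": "internal build tool (constructed)"},
    ],
}


def normalize_sha256(value):
    """Return a lower-case SHA256 hex digest, or raise for anything else.

    Rejects MD5/SHA1 lengths, whitespace-only input and non-hex characters.
    """
    if not isinstance(value, str):
        raise ValueError("sha256 must be a string")
    digest = value.strip().lower()
    if not SHA256_RE.match(digest):
        raise ValueError("not a SHA256 hex digest: %r" % value)
    return digest


def build_add_whitelist_params(sha256, description):
    """Parameters for Add SHA256 to Whitelist; key names are assumed."""
    if not description or not description.strip():
        raise ValueError("a description is required so the entry can be audited")
    return {"sha256": normalize_sha256(sha256), "description": description.strip()}


def build_delete_whitelist_params(sha256=None, entry_id=None):
    """Delete SHA256 from Whitelist takes either the hash or the ID: exactly one."""
    if bool(sha256) == bool(entry_id):
        raise ValueError("specify exactly one of sha256 or ID")
    if sha256:
        return {"sha256": normalize_sha256(sha256)}
    return {"id": str(entry_id)}


def is_whitelisted(list_whitelist_response, sha256):
    """Check a Get Whitelist response for a hash before adding a duplicate."""
    if list_whitelist_response.get("Errors"):
        raise ValueError("EDR Cloud returned errors: %s"
                         % list_whitelist_response["Errors"])
    target = normalize_sha256(sha256)
    for item in list_whitelist_response.get("Items") or []:
        if (item.get("Hash") or "").strip().lower() == target:
            return True
    return False
```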
The Sample - Symantec EDR Cloud - 2.0.0 playbook collection comes bundled with the Symantec EDR Cloud connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EDR Cloud connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.