Symantec Endpoint Detection and Response (EDR) performs the critical security tasks that detect, protect, and respond to threats to your network.
This document provides information about the Symantec EDR connector, which facilitates automated interactions with a Symantec EDR server using FortiSOAR™ playbooks. Add the Symantec EDR connector as a step in FortiSOAR™ playbooks to perform automated operations, such as retrieving events, incidents, and files from the Symantec EDR server and isolating or rejoining an endpoint.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 5.1.0-464
Symantec EDR Version Tested on: 4.2.1-8
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Symantec EDR connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, refer to the FortiSOAR™ connectors documentation.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-symantec-EDR
For the procedure to configure a connector, refer to the FortiSOAR™ connectors documentation.
In FortiSOAR™, on the Connectors page, select the Symantec EDR connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Symantec EDR server to which you will connect and perform the automated operations. |
Port | Port of the Symantec EDR server. |
Client ID | Client ID that is used to access the Symantec EDR endpoint. You can retrieve the client_id and client_secret pair from the EDR Manager after you have created an OAuth2 client. |
Client Secret | Client Secret that is used to access the Symantec EDR endpoint. You can retrieve the client_id and client_secret pair from the EDR Manager after you have created an OAuth2 client. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. Leave it enabled: with verification off, the connector cannot tell the EDR appliance from anything else answering on that host and port, and the Client ID and Client Secret it sends are exposed to interception. If the appliance uses a certificate issued by a private CA, trust that CA on the FortiSOAR™ node instead of turning verification off. |
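As an added example, not part of the connector or Fortinet's code, this shows what the configuration table above amounts to on the wire: the Client ID and Client Secret become an OAuth2 client-credentials request, and the Verify SSL flag becomes a TLS context. It is stdlib-only and sends nothing. The token endpoint path `/atpapi/oauth2/tokens`, the `grant_type=client_credentials` form body, and HTTP Basic authentication of the client are assumptions, not stated on this page.

```python
"""Added example (not the connector's code): how the Server URL, Port,
Client ID, Client Secret and Verify SSL settings are used. Assumptions:
the token path, the form body and Basic auth of the client are not
documented on this page and are taken from the standard OAuth2
client-credentials grant."""
import base64
import ssl
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

TOKEN_PATH = "/atpapi/oauth2/tokens"  # assumed path


def token_request(server_url: str, port: int, client_id: str,
                  client_secret: str) -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, body) for the client-credentials grant.

    The secret travels only in the Authorization header, never in the URL,
    so it does not end up in proxy or web-server access logs.
    """
    if "://" not in server_url:
        server_url = "https://" + server_url
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Server URL must be an https:// URL with a host name")
    url = urlunsplit(("https", f"{parts.hostname}:{port}", TOKEN_PATH, "", ""))
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, urlencode({"grant_type": "client_credentials"})


def tls_context(verify_ssl: bool = True, ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build the TLS context the Verify SSL setting implies.

    verify_ssl=False disables both chain validation and host-name checking,
    so anyone on the path can impersonate the appliance and capture the
    Basic-auth header above. For a private CA, keep verification on and
    pass the CA bundle instead.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

`token_request` refuses a plain `http://` Server URL outright rather than downgrading silently; a mistyped scheme would otherwise send the client secret in clear text.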
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Appliance Information | Retrieves information about all appliances from the Symantec EDR server. | get_information Investigation |
Get Events | Retrieves information about all events, or events based on the input parameters that you have specified, from the Symantec EDR server. | get_events Investigation |
Get Incidents | Retrieves information about all incidents, or incidents based on the input parameters that you have specified, from the Symantec EDR server. | get_incidents Investigation |
Get Incident Related Events | Retrieves information about events related to a particular incident, based on the input parameters that you have specified, from the Symantec EDR server. | get_events Investigation |
Get Command State | Retrieves the state of the command, based on the command ID that you have specified, from the Symantec EDR server. | get_status Investigation |
Isolate Endpoint | Isolates endpoints by cutting the connections that the endpoint(s) have to internal and external networks, based on the endpoint IDs (in list or CSV format) that you have specified. Isolating an endpoint keeps that computer from infecting other computers. EDR supports isolating endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later. | isolate_endpoint Containment |
Rejoin Endpoint | Rejoins endpoints by re-establishing the connections that the endpoint(s) have to internal and external networks, based on the endpoint IDs (in list or CSV format) that you have specified. You can rejoin only those endpoints that have been isolated. EDR supports rejoining endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later. | unisolate_endpoint Investigation |
Delete File from Endpoint | Deletes all instances of the file for which you have specified the hash value from the specified device, based on its device UUID. EDR supports deleting files on Symantec Endpoint Protection 12.1 RU6 MP3 and later. | delete_file Remediation |
Get Incident Comments | Retrieves all comments related to a specific incident UUID that you have specified, from the Symantec EDR server. | get_incident_comments Investigation |
Add Comment to Incident | Adds a comment to specific incident UUID that you have specified on the Symantec EDR server. | add_comments Containment |
Close Incident | Closes a particular incident, based on the incident UUID that you have specified on the Symantec EDR server. | close_incident Containment |
Get File from Endpoint | Retrieves details of a file, based on its hash value, from the specified device, based on its device UUID, from the Symantec EDR server. | get_file Investigation |
Search Artifact on Endpoint | Searches for an artifact on the endpoint data recorder on the Symantec EDR server, based on the parameters such as the device UUID that you have specified. | search_artifact Investigation |
Search EOC on Endpoint | Searches for an EOC on the endpoint data recorder on the Symantec EDR server, based on the parameters such as the device UUID that you have specified. | search_eoc Investigation |
Get Entities | Retrieves information about the entities, such as file, domain, endpoint, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_entities Investigation |
Get Domain Entities | Retrieves information about all domain entities from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_entities Investigation |
Get Domain Instances | Retrieves information about all domain instances from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_instance Investigation |
Get Domain Instance by Domain Name | Retrieves information about a specific domain instance, based on the domain name that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_instance Investigation |
Get Endpoint Entities | Retrieves information about all endpoint entities from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_entities Investigation |
Get Endpoint Instances | Retrieves information about all endpoint instances from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_instance Investigation |
Get Specific Endpoint Instances | Retrieves information about a specific endpoint instance, based on the device UUID that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_instance Investigation |
Get File Entities | Retrieves information about all the file entities from the Symantec EDR database. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. | get_entities Investigation |
Get File Instances | Retrieves information about all the file instances from the Symantec EDR database. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. | get_instance Investigation |
Get File Entity by SHA256 | Retrieves information about a specific file entity, based on the SHA256 value that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_entities Investigation |
Create Blacklist Policy | Creates a blacklist policy, based on the Target Type and Target Value that you have specified, on the Symantec EDR server. You can also add a comment if required. | create_policy Investigation |
Get Blacklist Policies | Retrieves information about the blacklist policies, based on the Target Type and Target Value that you have specified, from the Symantec EDR server. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_policy Investigation |
Update Blacklist Policy Comment | Updates a comment for a blacklist policy, based on the policy ID that you have specified, on the Symantec EDR server. | update_policy Investigation |
Delete Blacklist Policy | Deletes a blacklist policy, based on the policy ID that you have specified, from the Symantec EDR server. | delete_policy Investigation |
Execute Sandbox Commands | Executes sandbox commands for a specified file, based on its SHA256 value, on the Symantec EDR server. | execute_command Investigation |
Get Sandbox Commands Status | Retrieves the status of the executed sandbox commands based on the sandbox command ID that you have specified, from the Symantec EDR server. | get_command_status Investigation |
Cancel Command | Cancels the command execution triggered on the Symantec EDR server, based on the sandbox command ID that you have specified. | cancel_command Investigation |
Get Command Result | Retrieves the result of the executed command based on the command ID that you have specified, from the Symantec EDR server. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. | get_result Investigation |
The Get Appliance Information operation takes no input parameters.
The JSON output contains information about all appliances retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"appliance_list": [
{
"role": [],
"appliance_name": "",
"software_version": "",
"appliance_id": "",
"appliance_time": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Start Time | DateTime from when you want to retrieve information about events from the Symantec EDR server. |
End Time | DateTime till when you want to retrieve information about events from the Symantec EDR server. |
Open Query | Query using which you want to retrieve information about events from the Symantec EDR server. For example, "atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]" |
Number of Events Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The JSON output contains information about all events or events based on the input parameters that you have specified, retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"next": "",
"total": "",
"result": [
{
"log_name": "",
"user_name": "",
"device_uid": "",
"device_os_name": "",
"device_ip": "",
"uuid": "",
"device_time": "",
"device_name": "",
"enriched_data": {},
"device_domain": "",
"operation": "",
"severity_id": "",
"process": {},
"log_time": "",
"type_id": "",
"event_actor": {}
}
]
}
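Two things recur across the operations on this page: the Open Query string (Get Events, Get Incidents, Get Incident Related Events) and the `Number of ... Limit` / `Next` pagination pair. The following is an added example, not the connector's own code, of building a query from playbook inputs so that an analyst-typed value cannot change the query's meaning, and of walking `next` links with a hard cap. It assumes the query grammar is Lucene-style, as the page's example suggests (explicit parentheses for grouping are also an assumption; the page's example relies on precedence), that a follow-up request carries the same query plus the `next` value, and that responses have the `{"next", "total", "result"}` shape shown above. The sample pages are constructed.

```python
"""Added example (not the connector's code): safe Open Query construction
and bounded paging over `next`. Grammar, follow-up request shape and the
sample pages are assumptions or constructed data, not from this page."""
import re
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional

# Fields a playbook is allowed to filter on; an analyst-supplied field name
# outside this set is rejected rather than spliced into the query.
ALLOWED_FIELDS = {"atp_incident_id", "state", "time", "device_uid", "type_id", "severity_id"}
_SAFE_TOKEN = re.compile(r"[A-Za-z0-9_.\-]+")


def iso_z(ts: datetime) -> str:
    """Format a timestamp as the page's example does: UTC, millisecond precision, 'Z'."""
    if ts.tzinfo is None:
        raise ValueError("naive datetime; pass a timezone-aware value")
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def term(field: str, value) -> str:
    """field:value, with the value quoted and escaped unless it is a plain token."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed in an Open Query: {field!r}")
    s = str(value)
    if _SAFE_TOKEN.fullmatch(s):
        return f"{field}:{s}"
    # Inside a quoted phrase only backslash and double quote are special, so
    # '||', '&&', ':' and '*' typed by an analyst stay literal data.
    s = s.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{s}"'


def time_range(start: Optional[datetime], end: Optional[datetime]) -> str:
    """time:[start TO end]; an open bound is written as '*' as in the page's example."""
    return f"time:[{iso_z(start) if start else '*'} TO {iso_z(end) if end else '*'}]"


def all_of(*clauses: str) -> str:
    return " && ".join(clauses)


def any_of(*clauses: str) -> str:
    return "(" + " || ".join(clauses) + ")"  # explicit grouping (assumed supported)


Fetch = Callable[[Dict[str, object]], Dict[str, object]]


def iter_results(fetch: Fetch, query: str, limit: int = 100, max_pages: int = 50) -> Iterator[dict]:
    """Yield rows across pages, following `next` until it is empty.

    max_pages caps the loop so a server that keeps returning a non-empty
    `next` cannot pin the playbook forever.
    """
    params: Dict[str, object] = {"query": query, "limit": limit}
    for _ in range(max_pages):
        page = fetch(params)
        for row in page.get("result", []):
            yield row
        nxt = page.get("next")
        if not nxt:
            return
        params = dict(params, next=nxt)  # assumed follow-up request shape
    raise RuntimeError(f"gave up after {max_pages} pages; `next` never became empty")


# Constructed sample pages so the example runs offline; not real EDR output.
_SAMPLE_PAGES = {
    None: {"next": "p2", "total": 3, "result": [{"uuid": "e1", "type_id": 8000}, {"uuid": "e2", "type_id": 8001}]},
    "p2": {"next": "", "total": 3, "result": [{"uuid": "e3", "type_id": 8000}]},
}


def sample_fetch(params: Dict[str, object]) -> Dict[str, object]:
    """Stand-in for the Get Events call."""
    return _SAMPLE_PAGES[params.get("next")]


def example_query() -> str:
    """The page's example query, rebuilt from typed inputs."""
    since = datetime(2019, 9, 18, 5, 24, 25, 914000, tzinfo=timezone.utc)
    return all_of(any_of(term("atp_incident_id", 100602), term("state", 1)), time_range(since, None))


def demo() -> List[str]:
    return [row["uuid"] for row in iter_results(sample_fetch, example_query(), limit=2)]
```

Use `term()` for every value that originates in an incident record or an analyst prompt; a raw f-string would let a crafted file name containing `|| state:1` widen the result set.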
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Start Time | DateTime from when you want to retrieve information about incidents from the Symantec EDR server. |
End Time | DateTime till when you want to retrieve information about incidents from the Symantec EDR server. |
Open Query | Query using which you want to retrieve information about incidents from the Symantec EDR server. For example, "atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]" |
Number of Events Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The JSON output contains information about all incidents or incidents based on the input parameters that you have specified, retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"next": "",
"total": 1,
"result": [
{
"log_name": "",
"domainId": [],
"time": "",
"updated": "",
"state": "",
"uuid": "",
"first_event_seen": "",
"deviceUid": [],
"device_time": "",
"priority_level": "",
"last_event_seen": "",
"scanners": [],
"summary": "",
"recommended_action": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Start Time | DateTime from when you want to retrieve information about events related to a particular incident from the Symantec EDR server. |
End Time | DateTime till when you want to retrieve information about events related to a particular incident from the Symantec EDR server. |
Incident UUID | UUID of the Incident whose related events you want to retrieve from the Symantec EDR server. |
Open Query | Query using which you want to retrieve information about events related to a particular incident from the Symantec EDR server. For example, "atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]" |
Number of Incident Related Events Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The JSON output contains information about events related to a particular incident ID, retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"next": "",
"total": "",
"result": [
{
"user_name": "",
"incident": "",
"uuid": "",
"source": "",
"sep_installed": "",
"actual_action": "",
"local_host_mac": "",
"log_time": "",
"virus_def": "",
"type_id": "",
"external_ip": "",
"file": {},
"log_name": "",
"host_name": "",
"agent_version": "",
"no_of_viruses": "",
"threat": {},
"device_time": "",
"device_uid": "",
"actual_action_idx": "",
"data_source_url_domain": "",
"device_ip": "",
"domain_name": "",
"virus_name": "",
"device_name": "",
"internal_ip": ""
}
]
}
Parameter | Description |
---|---|
Command ID | ID of the command whose state you want to retrieve from the Symantec EDR server. |
Number of Records Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The JSON output contains information about the state of the command based on the command ID that you have specified retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"command_id": "",
"action": "",
"status": [
{
"state": "",
"message": "",
"target": {
"device_uid": "",
"hash": ""
},
"error_code": ""
}
]
}
Parameter | Description |
---|---|
Endpoint ID (In CSV or List Format) | ID(s) of the endpoint(s) that you want to isolate from the network. You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, ["cb46d251-151d-4583-a8fb-ebff7c42cfd8", "cb46d251-151d-4583-a8fb-ebff7c42cfd8"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8". |
The JSON output contains the ID of the command used to isolate the endpoint(s) retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"command_id": ""
}
Parameter | Description |
---|---|
Endpoint ID (In CSV or List Format) | ID(s) of the endpoint(s) that you want to rejoin to the network. You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, ["cb46d251-151d-4583-a8fb-ebff7c42cfd8", "cb46d251-151d-4583-a8fb-ebff7c42cfd8"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8". |
The JSON output contains the ID of the command used to rejoin the endpoint(s) retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"command_id": ""
}
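Isolate Endpoint and Rejoin Endpoint share the same "CSV or list" input and both return only a `command_id`, which a playbook then has to track through Get Command State. The following added example, which is not the connector's code, normalises that input (accepting either form, trimming, de-duplicating the repeated UUID from the page's own example, and rejecting anything that is not a UUID before a containment action runs), builds the command, and polls the command state with a bound on attempts. The request body shape `{"action", "targets"}` is an assumption, and because this page does not document the numeric `state` values the caller supplies the set it treats as terminal. The polled responses are constructed.

```python
"""Added example (not the connector's code): endpoint-ID normalisation for
Isolate/Rejoin Endpoint, command construction, and bounded polling of Get
Command State. The body shape and the meaning of `state` are assumptions;
the responses are constructed."""
import uuid
from typing import Callable, Dict, Iterable, List, Sequence, Set, Union

ACTIONS = {"isolate": "isolate_endpoint", "rejoin": "rejoin_endpoint"}


def parse_endpoint_ids(raw: Union[str, Sequence[str]]) -> List[str]:
    """Accept a CSV string or a list; trim, drop duplicates, validate UUIDs.

    Rejecting non-UUIDs up front means a stray host name or an injected
    string in a playbook variable never reaches a containment action.
    """
    items = raw.split(",") if isinstance(raw, str) else list(raw)
    seen: Set[str] = set()
    out: List[str] = []
    for item in items:
        s = str(item).strip().strip('"')
        if not s:
            continue
        try:
            canon = str(uuid.UUID(s))
        except ValueError:
            raise ValueError(f"not a device UUID: {s!r}") from None
        if canon not in seen:
            seen.add(canon)
            out.append(canon)
    if not out:
        raise ValueError("no endpoint IDs supplied")
    return out


def build_command(action: str, endpoint_ids: Union[str, Sequence[str]]) -> Dict[str, object]:
    """Assumed request body for the isolate/rejoin command."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return {"action": ACTIONS[action], "targets": parse_endpoint_ids(endpoint_ids)}


def wait_for_command(fetch_state: Callable[[str], dict], command_id: str,
                     terminal_states: Iterable[object], max_polls: int = 30) -> Dict[str, List[str]]:
    """Poll Get Command State until every target is terminal.

    Returns device UUIDs grouped by "state=.. error_code=..". The loop ends
    after max_polls whatever the EDR reports, so a stuck command cannot
    hang the playbook.
    """
    terminal = set(terminal_states)
    for _ in range(max_polls):
        status = fetch_state(command_id).get("status", [])
        if status and all(s.get("state") in terminal for s in status):
            buckets: Dict[str, List[str]] = {}
            for s in status:
                key = f"state={s.get('state')} error_code={s.get('error_code')}"
                buckets.setdefault(key, []).append(s["target"]["device_uid"])
            return buckets
    raise TimeoutError(f"command {command_id} not complete after {max_polls} polls")


# Constructed Get Command State responses: still running, then finished.
_DEV = "cb46d251-151d-4583-a8fb-ebff7c42cfd8"
_POLLS = [
    {"command_id": "cmd-1", "action": "isolate_endpoint", "status": [
        {"state": 1, "message": "in progress", "target": {"device_uid": _DEV, "hash": ""}, "error_code": 0}]},
    {"command_id": "cmd-1", "action": "isolate_endpoint", "status": [
        {"state": 0, "message": "done", "target": {"device_uid": _DEV, "hash": ""}, "error_code": 0}]},
]


def make_sample_fetch_state(responses: Sequence[dict]) -> Callable[[str], dict]:
    """Stand-in for Get Command State: serves the constructed responses in order."""
    calls = {"n": 0}

    def fetch(_command_id: str) -> dict:
        r = responses[min(calls["n"], len(responses) - 1)]
        calls["n"] += 1
        return r
    return fetch


def demo() -> Dict[str, List[str]]:
    cmd = build_command("isolate", f'"{_DEV}", {_DEV}')  # CSV form with a duplicate
    assert cmd["targets"] == [_DEV]
    return wait_for_command(make_sample_fetch_state(_POLLS), "cmd-1", terminal_states={0}, max_polls=5)
```

In a playbook, pair the polling step with a rejoin path: an isolation that reports a non-zero `error_code` for some targets should be surfaced to the analyst rather than treated as contained.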
Parameter | Description |
---|---|
File Hash | SHA-256 value of the file that you want to delete from the specified device. |
Device UUID | UUID of the device from which you want to delete the specified file. |
The JSON output contains the ID of the command used to delete the endpoint file retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"error_code": "",
"message": "",
"command_id": ""
}
Parameter | Description |
---|---|
Incident UUID | UUID of the Incident whose related comments you want to retrieve from the Symantec EDR server. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"user_id": "",
"time": "",
"comment": ""
}
]
}
Parameter | Description |
---|---|
Incident UUID | UUID of the Incident to which you want to add the comment on the Symantec EDR server. |
Comment | Comment that you want to add to the specified incident. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Incident UUID | UUID of the incident that you want to close on the Symantec EDR server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
File Hash (SHA256) | SHA-256 value of the file that you want to fetch from the specified device. |
Device UUID | UUID of the device from which you want to retrieve details of the file from the Symantec EDR server. |
The output contains the following populated JSON schema:
{
"message": "",
"error_code": "",
"command_id": ""
}
Parameter | Description |
---|---|
Device UUID | UUID of the device on the Symantec EDR server in which you want to search for the artifact. You can enter one or more Device UUIDs. |
Device Hostname | Hostname of the device on the Symantec EDR server in which you want to search for the artifact. You can enter one or more Device Hostnames. |
SEPM Group | SEPM group on the Symantec EDR server in which you want to search for the artifact. You can enter one or more SEPM Groups. |
IPv4 Address | IPv4 address of the device(s) on which you want to search for the artifact. You can enter one or more IPv4 addresses. |
Start Time | (Optional) Start DateTime of the search recorder on the Symantec EDR server from when you want to search for the artifact. |
End Time | (Optional) End DateTime of the search recorder on the Symantec EDR server till when you want to search for the artifact. |
Query | (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve the artifacts from the Symantec EDR server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Device UUID | UUID of the device on the Symantec EDR server in which you want to search for the EOC. You can enter one or more Device UUIDs. |
Device Hostname | Hostname of the device on the Symantec EDR server in which you want to search for the EOC. You can enter one or more Device Hostnames. |
SEPM Group | SEPM group on the Symantec EDR server in which you want to search for the EOC. You can enter more than one SEPM group. |
IPv4 Address | IPv4 address of the device(s) on which you want to search for the EOC. You can enter one or more IPv4 addresses. |
Query | (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve EOCs from the Symantec EDR server. |
The output contains a non-dictionary value.
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"agent_version": "",
"first_seen": "",
"mac_addresses": [
""
],
"last_seen": "",
"disposition_endpoint": "",
"ip_addresses": [
""
],
"operating_system": {
"is_64_bit": "",
"osfullname": ""
},
"managed_sepm_version": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"type": "",
"user_name": "",
"managed_sepm_ip": "",
"sep_group_summary": {
"name": "",
"sep_domain_summary": {
"name": ""
}
}
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"disposition": "",
"first_seen": "",
"external_ip": "",
"data_source_url": "",
"data_source_url_domain": "",
"last_seen": "",
"domain_threat_data": {
"confidence": "",
"behavior": "",
"reputation_band": "",
"hostility": "",
"urls": [
"",
""
],
"ips_domain_hosted": [
{
"address": "",
"ip_version": "",
"country": "",
"state": "",
"city": "",
"organization": ""
}
]
},
"type": ""
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"data_source_url_domain": "",
"last_seen": "",
"disposition": "",
"first_seen": ""
}
]
}
Parameter | Description |
---|---|
Domain Name | Name of the domain whose instance information you want to retrieve from the Symantec EDR database. |
Number of Records Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"data_source_url_domain": "",
"last_seen": "",
"disposition": "",
"first_seen": ""
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"agent_version": "",
"first_seen": "",
"mac_addresses": [
""
],
"last_seen": "",
"disposition_endpoint": "",
"ip_addresses": [
""
],
"operating_system": {
"is_64_bit": "",
"osfullname": ""
},
"managed_sepm_version": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"type": "",
"user_name": "",
"managed_sepm_ip": "",
"sep_group_summary": {
"name": "",
"sep_domain_summary": {
"name": ""
}
}
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"time": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"ip_addresses": [
""
]
}
]
}
Parameter | Description |
---|---|
Device UUID | UUID of the device whose instance information you want to retrieve from the Symantec EDR database. |
Number of Records Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"time": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"ip_addresses": [
""
]
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Query | Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve file entities from the Symantec EDR server. |
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"first_seen": "",
"global_first_seen": "",
"sha2": "",
"last_seen": "",
"file_health": "",
"type": "",
"size": "",
"threat_name": "",
"name": "",
"prevalence_band": "",
"md5": ""
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Query | Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve file instances from the Symantec EDR server. |
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"last_seen": "",
"folder": "",
"first_seen": "",
"name": "",
"sha2": ""
}
]
}
Parameter | Description |
---|---|
File SHA256 | SHA256 value of the file whose entity information you want to retrieve from the Symantec EDR database. |
Number of Records Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"first_seen": "",
"global_first_seen": "",
"sha2": "",
"last_seen": "",
"file_health": "",
"type": "",
"size": "",
"threat_name": "",
"name": "",
"prevalence_band": "",
"md5": ""
}
Parameter | Description |
---|---|
Target Type | Type of the blacklist policy that you want to create on the Symantec EDR server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
Target Value | Value(s) of the blacklist elements that you want to add to the blacklist policy, in the format matching the type you have selected. For example, if you have selected IP, specify IP addresses, such as "1.1.1.1", "2.2.2.2"; if you have selected SHA256, specify 64-character hexadecimal hashes. |
Comment | Comment about the blacklist policy that you want to create on the Symantec EDR server. |
The output contains the following populated JSON schema:
{
"ids": []
}
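A blacklist policy applies fleet-wide, so a value that does not match its Target Type (an IP pasted under Domain, a truncated hash, a wildcard) is worth catching before Create Blacklist Policy is called. The following is an added example, not the connector's or Fortinet's code, that checks a Target Value against each of the five types listed above and splits a CSV of values (the CSV form is assumed from the page's `"1.1.1.1", "2.2.2.2"` example) into accepted and rejected entries. It is stdlib-only.

```python
"""Added example (not the connector's code): validating Target Value
against Target Type before creating a blacklist policy. The CSV input
form is assumed from the page's example."""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

_HEX_LEN = {"SHA256": 64, "MD5": 32}
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _valid_domain(d: str) -> bool:
    """Fully-qualified host name: two or more labels, no wildcard, not all-numeric TLD."""
    d = d.rstrip(".")
    labels = d.split(".")
    return (1 < len(labels) <= 127 and len(d) <= 253
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit())


def _valid_host(h: str) -> bool:
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return _valid_domain(h)


def validate_target(target_type: str, value: str) -> str:
    """Return the canonical value, or raise ValueError saying why it was rejected."""
    t = target_type.upper()
    v = value.strip()
    if t == "IP":
        ip = ipaddress.ip_address(v)  # ValueError on junk, CIDR ranges, or host:port
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            raise ValueError(f"refusing to blacklist {v}: not a routable host address")
        return str(ip)
    if t == "DOMAIN":
        if "*" in v or not _valid_domain(v):
            raise ValueError(f"not a fully-qualified domain name: {v!r}")
        return v.rstrip(".").lower()
    if t == "URL":
        parts = urlsplit(v)
        if parts.scheme not in ("http", "https") or not parts.hostname or not _valid_host(parts.hostname):
            raise ValueError(f"not an http(s) URL with a valid host: {v!r}")
        return v
    if t in _HEX_LEN:
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % _HEX_LEN[t], v):
            raise ValueError(f"{t} must be exactly {_HEX_LEN[t]} hex characters: {v!r}")
        return v.lower()
    raise ValueError(f"unknown target type {target_type!r}")


def split_targets(target_type: str, raw: str) -> Tuple[List[str], List[str]]:
    """Split a CSV Target Value into (accepted, rejected-with-reason) lists."""
    accepted: List[str] = []
    rejected: List[str] = []
    for item in raw.split(","):
        item = item.strip().strip('"')
        if not item:
            continue
        try:
            accepted.append(validate_target(target_type, item))
        except ValueError as exc:
            rejected.append(f"{item}: {exc}")
    return accepted, rejected
```

Feed only the accepted list to Create Blacklist Policy and route the rejected list back to the analyst; silently dropping a malformed hash is how an indicator goes unblocked without anyone noticing.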
Parameter | Description |
---|---|
Target Type | Type of the blacklist policy whose information you want to retrieve from the Symantec EDR server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
Target Value | Value of the type based on which you want to retrieve the blacklist policy information from the Symantec EDR server. For example, if you have selected MD5, then you must enter an MD5 value in this field. |
Number of Records Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"result": [
{
"comment": "",
"id": "",
"target_type": "",
"target_value": ""
}
]
}
Parameter | Description |
---|---|
Policy ID | ID of the blacklist policy in which you want to add/update a comment on the Symantec EDR server. |
Comment | Comment that you want to add to the specified blacklist policy on the Symantec EDR server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Policy ID | ID of the blacklist policy which you want to delete from the Symantec EDR server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
File SHA256 | SHA256 value of the file on which you want to execute the sandbox commands on the Symantec EDR server. |
The output contains the following populated JSON schema:
{
"command_id": ""
}
Parameter | Description |
---|---|
Sandbox Command ID | ID of the sandbox command whose state you want to retrieve from the Symantec EDR server. |
The output contains the following populated JSON schema:
{
"status": [
{
"error_code": "",
"message": "",
"state": "",
"target": ""
}
]
}
Parameter | Description |
---|---|
Command ID | ID of the triggered command that you want to cancel on the Symantec EDR server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Command ID | ID of the command whose result you want to retrieve from the Symantec EDR server. |
Query | (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve the command results from the Symantec EDR server. |
Number of Records Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains a non-dictionary value.
The Sample - Symantec EDR - 2.0.0 playbook collection comes bundled with the Symantec EDR connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EDR connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Isolate Endpoint | Isolates endpoints by cutting connections that the endpoint(s) has to internal networks and external networks, based on the endpoint IDs (in a list or CSV format) that you have specified. Isolating an endpoint keeps that computer(s) from infecting other computers. EDR supports isolating endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later. |
isolate_endpoint Containment |
Rejoin Endpoint | Rejoins endpoints by re-establishing connections that the endpoint(s) has to internal networks and external networks, based on the endpoint IDs (in a list or CSV format) that you have specified. You can rejoin only those endpoints that have been isolated. EDR supports rejoining endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later. |
unisolate_endpoint Investigation |
Delete File from Endpoint | Deletes all instances of the file for which you have specified the hash value, from the specified device based on its device UUID. EDR supports deleting files on Symantec Endpoint Protection 12.1 RU6 MP3 and later. |
delete_file Remediation |
Get Incident Comments | Retrieves all comments related to a specific incident UUID that you have specified, from the Symantec EDR server. | get_incident_comments Investigation |
Add Comment to Incident | Adds a comment to specific incident UUID that you have specified on the Symantec EDR server. | add_comments Containment |
Close Incident | Closes a particular incident, based on the incident UUID that you have specified on the Symantec EDR server. | close_incident Containment |
Get File from Endpoint | Retrieves details of a file, based on its hash value, from the specified device, based on its device UUID, from the Symantec EDR server. | get_file Investigation |
Search Artifact on Endpoint | Searches for an artifact on the endpoint data recorder on the Symantec EDR server, based on the parameters such as the device UUID that you have specified. | search_artifact Investigation |
Search EOC on Endpoint | Searches for an EOC on the endpoint data recorder on the Symantec EDR server, based on the parameters such as the device UUID that you have specified. | search_eoc Investigation |
Get Entities | Retrieves information about the entities, such as file, domain, endpoint, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_entities Investigation |
Get Domain Entities | Retrieves information about all domain entities from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_entities Investigation |
Get Domain Instances | Retrieves information about all domain instances from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_instance Investigation |
Get Domain Instance by Domain Name | Retrieves information about a specific domain instance, based on the domain name that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_instance Investigation |
Get Endpoint Entities | Retrieves information about all endpoint entities from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_entities Investigation |
Get Endpoint Instances | Retrieves information about all endpoint instances from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_instance Investigation |
Get Specific Endpoint Instances | Retrieves information about a specific endpoint instance, based on the device UUID that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_instance Investigation |
Get File Entities | Retrieves information about all the file entities from the Symantec EDR database. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. | get_entities Investigation |
Get File Instances | Retrieves information about all the file instances from the Symantec EDR database. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. | get_instance Investigation |
Get File Entity by SHA256 | Retrieves information about a specific file entity, based on the SHA256 value that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_entities Investigation |
Create Blacklist Policy | Creates a blacklist policy, based on the Target Type and Target Value that you have specified, on the Symantec EDR server. You can also add a comment if required. | create_policy Investigation |
Get Blacklist Policies | Retrieves information about the blacklist policies, based on the Target Type and Target Value that you have specified, from the Symantec EDR server. You can provide the number of records to be displayed per page, and the link to the next page for navigation. | get_policy Investigation |
Update Blacklist Policy Comment | Updates a comment for a blacklist policy, based on the policy ID that you have specified, on the Symantec EDR server. | update_policy Investigation |
Delete Blacklist Policy | Deletes a blacklist policy, based on the policy ID that you have specified, from the Symantec EDR server. | delete_policy Investigation |
Execute Sandbox Commands | Executes sandbox commands for a specified file, based on its SHA256 value, on the Symantec EDR server. | execute_command Investigation |
Get Sandbox Commands Status | Retrieves the status of the executed sandbox commands based on the sandbox command ID that you have specified, from the Symantec EDR server. | get_command_status Investigation |
Cancel Command | Cancels the command execution triggered on the Symantec EDR server, based on the sandbox command ID that you have specified. | cancel_command Investigation |
Get Command Result | Retrieves the result of the executed command based on the command ID that you have specified, from the Symantec EDR server. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. | get_result Investigation |
None.
The JSON output contains information about all appliances retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"appliance_list": [
{
"role": [],
"appliance_name": "",
"software_version": "",
"appliance_id": "",
"appliance_time": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Start Time | DateTime from when you want to retrieve information about events from the Symantec EDR server. |
End Time | DateTime till when you want to retrieve information about events from the Symantec EDR server. |
Open Query | Query using which you want to retrieve information about events from the Symantec EDR server. For example, \"atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\" |
Number of Events Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The JSON output contains information about all events or events based on the input parameters that you have specified, retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"next": "",
"total": "",
"result": [
{
"log_name": "",
"user_name": "",
"device_uid": "",
"device_os_name": "",
"device_ip": "",
"uuid": "",
"device_time": "",
"device_name": "",
"enriched_data": {},
"device_domain": "",
"operation": "",
"severity_id": "",
"process": {},
"log_time": "",
"type_id": "",
"event_actor": {}
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Start Time | DateTime from when you want to retrieve information about incidents from the Symantec EDR server. |
End Time | DateTime till when you want to retrieve information about incidents from the Symantec EDR server. |
Open Query | Query using which you want to retrieve information about incidents from the Symantec EDR server. For example, "atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\" |
Number of Events Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The JSON output contains information about all incidents or incidents based on the input parameters that you have specified, retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"next": "",
"total": 1,
"result": [
{
"log_name": "",
"domainId": [],
"time": "",
"updated": "",
"state": "",
"uuid": "",
"first_event_seen": "",
"deviceUid": [],
"device_time": "",
"priority_level": "",
"last_event_seen": "",
"scanners": [],
"summary": "",
"recommended_action": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Start Time | DateTime from when you want to retrieve information about events related to a particular incident from the Symantec EDR server. |
End Time | DateTime till when you want to retrieve information about events related to a particular incident from the Symantec EDR server. |
Incident UUID | UUID of the Incident whose related events you want to retrieve from the Symantec EDR server. |
Open Query | Query using which you want to retrieve information about events related to a particular incident from the Symantec EDR server.\"atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\" |
Number of Incident Related Events Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The JSON output contains information about events related to a particular incident ID, retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"next": "",
"total": "",
"result": [
{
"user_name": "",
"incident": "",
"uuid": "",
"source": "",
"sep_installed": "",
"actual_action": "",
"local_host_mac": "",
"log_time": "",
"virus_def": "",
"type_id": "",
"external_ip": "",
"file": {},
"log_name": "",
"host_name": "",
"agent_version": "",
"no_of_viruses": "",
"threat": {},
"device_time": "",
"device_uid": "",
"actual_action_idx": "",
"data_source_url_domain": "",
"device_ip": "",
"domain_name": "",
"virus_name": "",
"device_name": "",
"internal_ip": ""
}
]
}
Parameter | Description |
---|---|
Command ID | ID of the command whose state you want to retrieve from the Symantec EDR server. |
Number of Incident Related Events Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The JSON output contains information about the state of the command based on the command ID that you have specified retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"command_id": "",
"action": "",
"status": [
{
"state": "",
"message": "",
"target": {
"device_uid": "",
"hash": ""
},
"error_code": ""
}
]
}
Parameter | Description |
---|---|
Endpoint ID (In CSV or List Format) | ID(s) of the endpoint(s) that you want to isolate from the network. You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8" . |
The JSON output contains the ID of the command used to isolate the endpoint(s) retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"command_id": ""
}
Parameter | Description |
---|---|
Endpoint ID (In CSV or List Format) | ID(s) of the endpoint(s) that you want to rejoin to the network. You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8" . |
The JSON output contains the ID of the command used to rejoin the endpoint(s) retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"command_id": ""
}
Parameter | Description |
---|---|
File Hash | SHA-256 value of the file that you want to delete from the specified device. |
Device UUID | UUID of the device from which you want to delete the specified file. |
The JSON output contains the ID of the command used to delete the endpoint file retrieved from the Symantec EDR server.
The output contains the following populated JSON schema:
{
"error_code": "",
"message": "",
"command_id": ""
}
Parameter | Description |
---|---|
Incident UUID | UUID of the Incident whose related comments you want to retrieve from the Symantec EDR server. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"user_id": "",
"time": "",
"comment": ""
}
]
}
Parameter | Description |
---|---|
Incident UUID | UUID of the Incident to which you want to add the comment on the Symantec EDR server. |
Comment | Comment that you want to add to the specified incident. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Incident UUID | UUID of the incident that you want to close on the Symantec EDR server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
File Hash (SHA256) | SHA-256 value of the file that you want to fetch from the specified device. |
Device UUID | UUID of the device from which you want to retrieve details of the file from the Symantec EDR server. |
The output contains the following populated JSON schema:
{
"message": "",
"error_code": "",
"command_id": ""
}
Parameter | Description |
---|---|
Device UUID | UUID of the device on the Symantec EDR server in which you want to search for the artifact. You can enter one or more Device UUIDs. |
Device Hostname | Hostname of the device on the Symantec EDR server in which you want to search for the artifact. You can enter one or more Device Hostnames. |
SEPM Group | SEPM group on the Symantec EDR server in which you want to search for the artifact. You can enter one or more SEPM Groups. |
IPv4 Address | IPv4 address on the Symantec EDR server in which you want to search for the artifact. You can enter one or more IPv4 Addresses. |
Start Time | (Optional) Start DateTime of the search recorder on the Symantec EDR server from when you want to search for the artifact. |
End Time | (Optional) End DateTime of the search recorder on the Symantec EDR server till when you want to search for the artifact. |
Query | (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve the artifacts from the Symantec EDR server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Device UUID | UUID of the device on the Symantec EDR server in which you want to search for the EOC. You can enter one or more Device UUIDs. |
Device Hostname | Hostname of the device on the Symantec EDR server in which you want to search for the EOC. You can enter one or more Device Hostnames. |
SEPM Group | SEPM group on the Symantec EDR server in which you want to search for the EOC. You can enter more than one SEPM group. |
IPv4 Address | IPv4 Address on the Symantec EDR server in which you want to search for the EOC. You can enter one or more IPv4 Addresses. |
Query | (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve EOCs from the Symantec EDR server. |
The output contains a non-dictionary value.
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"agent_version": "",
"first_seen": "",
"mac_addresses": [
""
],
"last_seen": "",
"disposition_endpoint": "",
"ip_addresses": [
""
],
"operating_system": {
"is_64_bit": "",
"osfullname": ""
},
"managed_sepm_version": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"type": "",
"user_name": "",
"managed_sepm_ip": "",
"sep_group_summary": {
"name": "",
"sep_domain_summary": {
"name": ""
}
}
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"disposition": "",
"first_seen": "",
"external_ip": "",
"data_source_url": "",
"data_source_url_domain": "",
"last_seen": "",
"domain_threat_data": {
"confidence": "",
"behavior": "",
"reputation_band": "",
"hostility": "",
"urls": [
"",
""
],
"ips_domain_hosted": [
{
"address": "",
"ip_version": "",
"country": "",
"state": "",
"city": "",
"organization": ""
}
]
},
"type": ""
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"data_source_url_domain": "",
"last_seen": "",
"disposition": "",
"first_seen": ""
}
]
}
Parameter | Description |
---|---|
Domain Name | Name of the domain whose instance information you want to retrieve from the Symantec EDR database. |
Number of Records Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"data_source_url_domain": "",
"last_seen": "",
"disposition": "",
"first_seen": ""
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"agent_version": "",
"first_seen": "",
"mac_addresses": [
""
],
"last_seen": "",
"disposition_endpoint": "",
"ip_addresses": [
""
],
"operating_system": {
"is_64_bit": "",
"osfullname": ""
},
"managed_sepm_version": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"type": "",
"user_name": "",
"managed_sepm_ip": "",
"sep_group_summary": {
"name": "",
"sep_domain_summary": {
"name": ""
}
}
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"time": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"ip_addresses": [
""
]
}
]
}
Parameter | Description |
---|---|
Device UUID | UUID of the device whose instance information you want to retrieve from the Symantec EDR database. |
Number of Records Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"time": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"ip_addresses": [
""
]
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Query | Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve file entities from the Symantec EDR server. |
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"first_seen": "",
"global_first_seen": "",
"sha2": "",
"last_seen": "",
"file_health": "",
"type": "",
"size": "",
"threat_name": "",
"name": "",
"prevalence_band": "",
"md5": ""
}
]
}
Note: All the input parameters are optional.
Parameter | Description |
---|---|
Query | Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve file entities from the Symantec EDR server. |
Number of Records Limit | Number of records to be displayed per page. |
Next | Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"last_seen": "",
"folder": "",
"first_seen": "",
"name": "",
"sha2": ""
}
]
}
Parameter | Description |
---|---|
File SHA256 | SHA256 value of the file whose entity information you want to retrieve from the Symantec EDR database. |
Number of Records Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"first_seen": "",
"global_first_seen": "",
"sha2": "",
"last_seen": "",
"file_health": "",
"type": "",
"size": "",
"threat_name": "",
"name": "",
"prevalence_band": "",
"md5": ""
}
Parameter | Description |
---|---|
Target Type | Type of the blacklist policy that you want to create on the Symantec EDR server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
Target Value | Value of the blacklist elements that you want to add the blacklist policy that you want to create on the Symantec EDR server, based on the type you have selected. For example, if you have selected URL, then you must add the value of the blacklist elements in the URL format, such as "1.1.1.1", "2.2.2.2". |
Comment | Comment about the blacklist policy that you want to create on the Symantec EDR server. |
The output contains the following populated JSON schema:
{
"ids": []
}
Parameter | Description |
---|---|
Target Type | Type of the blacklist policy whose information you want to retrieve from the Symantec EDR server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5. |
Target Value | Value of the type based on which you want to retrieve the blacklist policy information from the Symantec EDR server. For example, if you have selected MD5, then you must enter an MD5 value in this field |
Number of Records Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains the following populated JSON schema:
{
"result": [
{
"comment": "",
"id": "",
"target_type": "",
"target_value": ""
}
]
}
Parameter | Description |
---|---|
Policy ID | ID of the blacklist policy in which you want to add/update a comment on the Symantec EDR server. |
Comment | Comment that you want to add to the specified blacklist policy on the Symantec EDR server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Policy ID | ID of the blacklist policy which you want to delete from the Symantec EDR server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
File sha256 | SHA256 value of the file on which you want to execute the sandbox commands on the Symantec EDR server. |
The output contains the following populated JSON schema:
{
"command_id": ""
}
Parameter | Description |
---|---|
Sandbox Command ID | ID of the sandbox command whose state you want to retrieve from the Symantec EDR server. |
The output contains the following populated JSON schema:
{
"status": [
{
"error_code": "",
"message": "",
"state": "",
"target": ""
}
]
}
Parameter | Description |
---|---|
Command ID | ID of the triggered command that you want to cancel on the Symantec EDR server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Command ID | ID of the command whose result you want to retrieve from the Symantec EDR server. |
Query | (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve the command results from the Symantec EDR server. |
Number of Incident Related Events Limit | (Optional) Number of records to be displayed per page. |
Next | (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page. |
The output contains a non-dictionary value.
The Sample - Symantec EDR - 2.0.0
playbook collection comes bundled with the Symantec EDR connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EDR connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.