Fortinet Document Library

Version:


Table of Contents

2.0.0
Copy Link

About the connector

Symantec Endpoint Detection and Response (EDR) performs the critical security tasks that detect, protect, and respond to threats to your network.

This document provides information about the Symantec EDR connector, which facilitates automated interactions, with a Symantec EDR server using FortiSOAR™ playbooks. Add the Symantec EDR connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving events, incidents, and files from the Symantec EDR server and isolating or rejoining an endpoint.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 5.1.0-464

Symantec EDR Version Tested on: 4.2.1-8

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the Symantec EDR connector in version 2.0.0:

  • Renamed the connector from Symantec ATP to Symantec EDR.
  • Added support for configuring Symantec EDR data ingestion using the FortiSOAR™ Data Ingestion Wizard. For information on the Data Ingestion Wizard, see the FortiSOAR™ Product Documentation.
    The following new playbooks have been added to support data ingestion:
    • > Symantec EDR > Create Alert
    • > Symantec EDR > Fetch
    • Symantec EDR > Ingest
    • >> Symantec EDR > Init Macros
  • Renamed the following operations:
    • Delete Endpoint File renamed to Delete File from Endpoint
  • Added the following new operations and playbooks:
    • Get Incident Comments
    • Add Comment to Incident
    • Search Artifact on Endpoint
    • Search EOC on Endpoint
    • Close Incident
    • Get File from Endpoint
    • Get Entities 
    • Get Domain Entities 
    • Get Domain Instances 
    • Get Domain Instance by Domain Name 
    • Get Endpoint Entities 
    • Get Endpoint Instances 
    • Get Specific Endpoint Instances
    • Get File Entities 
    • Get File Instances
    • Get File Entity by SHA256
    • Create Blacklist Policy
    • Get Blacklist Policies
    • Update Blacklist Policy Comment
    • Delete Blacklist Policy
    • Execute Sandbox Commands
    • Get Sandbox Commands Status
    • Cancel Command
    • Get Command Result
  • Removed the following operations and playbooks
    • Get Blacklist
    • Get Whitelist
    • Add To Blacklist
    • Add To Whitelist
    • Remove From Blacklist
    • Remove From Whitelist
    • Get File Details

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors: 

yum install cyops-connector-symantec-EDR

Prerequisites to configuring the connector

  • You must have the URL of the Symantec EDR server to which you will connect and perform the automated operations.
  • You must have the Client ID and the Client Secret pair that is used to access the Symantec EDR endpoint.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec EDR connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details. 

Parameter Description
Server URL URL of the Symantec EDR server to which you will connect and perform the automated operations.
Port Port of the Symantec EDR server.
Client ID Client ID that is used to access the Symantec EDR endpoint.
You can retrieve the client_id and client_secret pair from the EDR Manager after you have created an OAuth2 client.
Client Secret Client Secret that is used to access the Symantec EDR endpoint.
You can retrieve the client_id and client_secret pair from the EDR Manager after you have created an OAuth2 client.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Appliance Information Retrieves information about all appliances from the Symantec EDR server. get_information
Investigation
Get Events Retrieves information about all events, or events based on the input parameters that you have specified, from the Symantec EDR server. get_events
Investigation
Get Incidents Retrieves information about all incidents, or incidents based on the input parameters that you have specified, from the Symantec EDR server. get_incidents
Investigation
Get Incident Related Events Retrieves events information related to particular incident based on the input parameters that you have specified, from the Symantec EDR server. get_events
Investigation
Get Command State Retrieves state of the command based on the command ID that you have specified, from the Symantec EDR server. get_status
Investigation
Isolate Endpoint Isolates endpoints by cutting connections that the endpoint(s) has to internal networks and external networks, based on the endpoint IDs (in a list or CSV format) that you have specified.
Isolating an endpoint keeps that computer(s) from infecting other computers. EDR supports isolating endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later.
isolate_endpoint
Containment
Rejoin Endpoint Rejoins endpoints by re-establishing connections that the endpoint(s) has to internal networks and external networks, based on the endpoint IDs (in a list or CSV format) that you have specified.
You can rejoin only those endpoints that have been isolated. EDR supports rejoining endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later.
unisolate_endpoint
Investigation
Delete File from Endpoint Deletes all instances of the file for which you have specified the hash value, from the specified device based on its device UUID.
EDR supports deleting files on Symantec Endpoint Protection 12.1 RU6 MP3 and later.
delete_file
Remediation
Get Incident Comments Retrieves all comments related to a specific incident UUID that you have specified, from the Symantec EDR server. get_incident_comments
Investigation
Add Comment to Incident Adds a comment to specific incident UUID that you have specified on the Symantec EDR server. add_comments
Containment
Close Incident Closes a particular incident, based on the incident UUID that you have specified on the Symantec EDR server. close_incident
Containment
Get File from Endpoint Retrieves details of a file, based on its hash value, from the specified device, based on its device UUID, from the Symantec EDR server. get_file
Investigation
Search Artifact on Endpoint Searches for an artifact on the endpoint data recorder on the Symantec EDR server, based on the parameters such as the device UUID that you have specified. search_artifact
Investigation
Search EOC on Endpoint Searches for an EOC on the endpoint data recorder on the Symantec EDR server, based on the parameters such as the device UUID that you have specified. search_eoc
Investigation
Get Entities Retrieves information about the entities, such as file, domain, endpoint, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_entities
Investigation
Get Domain Entities Retrieves information about all domain entities from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_entities
Investigation
Get Domain Instances Retrieves information about all domain instances from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_instance
Investigation
Get Domain Instance by Domain Name Retrieves information about a specific domain instance, based on the domain name that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_instance
Investigation
Get Endpoint Entities Retrieves information about all endpoint entities from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_entities
Investigation
Get Endpoint Instances Retrieves information about all endpoint instances from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_instance
Investigation
Get Specific Endpoint Instances Retrieves information about a specific endpoint instance, based on the device UUID that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_instance
Investigation
Get File Entities Retrieves information about all the file entities from the Symantec EDR database. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. get_entities
Investigation
Get File Instances Retrieves information about all the file instances from the Symantec EDR database. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. get_instance
Investigation
Get File Entity by SHA256 Retrieves information about a specific file entity, based on the SHA256 value that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_entities
Investigation
Create Blacklist Policy Creates a blacklist policy, based on the Target Type and Target Value that you have specified, on the Symantec EDR server. You can also add a comment if required. create_policy
Investigation
Get Blacklist Policies Retrieves information about the blacklist policies, based on the Target Type and Target Value that you have specified, from the Symantec EDR server. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_policy
Investigation
Update Blacklist Policy Comment Updates a comment for a blacklist policy, based on the policy ID that you have specified, on the Symantec EDR server. update_policy
Investigation
Delete Blacklist Policy Deletes a blacklist policy, based on the policy ID that you have specified, from the Symantec EDR server. delete_policy
Investigation
Execute Sandbox Commands Executes sandbox commands for a specified file, based on its SHA256 value, on the Symantec EDR server. execute_command
Investigation
Get Sandbox Commands Status Retrieves the status of the executed sandbox commands based on the sandbox command ID that you have specified, from the Symantec EDR server. get_command_status
Investigation
Cancel Command Cancels the command execution triggered on the Symantec EDR server, based on the sandbox command ID that you have specified. cancel_command
Investigation
Get Command Result Retrieves the result of the executed command based on the command ID that you have specified, from the Symantec EDR server. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. get_result
Investigation

operation: Get Appliance Information

Input parameters

None.

Output

The JSON output contains information about all appliances retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "appliance_list": [
         {
             "role": [],
             "appliance_name": "",
             "software_version": "",
             "appliance_id": "",
             "appliance_time": ""
         }
     ]
}

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Time DateTime from when you want to retrieve information about events from the Symantec EDR server.
End Time DateTime till when you want to retrieve information about events from the Symantec EDR server.
Open Query Query using which you want to retrieve information about events from the Symantec EDR server.
For example, \"atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\"
Number of Events Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about all events or events based on the input parameters that you have specified, retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "next": "",
     "total": "",
     "result": [
         {
             "log_name": "",
             "user_name": "",
             "device_uid": "",
             "device_os_name": "",
             "device_ip": "",
             "uuid": "",
             "device_time": "",
             "device_name": "",
             "enriched_data": {},
             "device_domain": "",
             "operation": "",
             "severity_id": "",
             "process": {},
             "log_time": "",
             "type_id": "",
             "event_actor": {}
         }
     ]
}

operation: Get Incidents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Time DateTime from when you want to retrieve information about incidents from the Symantec EDR server.
End Time DateTime till when you want to retrieve information about incidents from the Symantec EDR server.
Open Query Query using which you want to retrieve information about incidents from the Symantec EDR server.
For example, "atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\"
Number of Events Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about all incidents or incidents based on the input parameters that you have specified, retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "next": "",
     "total": 1,
     "result": [
         {
             "log_name": "",
             "domainId": [],
             "time": "",
             "updated": "",
             "state": "",
             "uuid": "",
             "first_event_seen": "",
             "deviceUid": [],
             "device_time": "",
             "priority_level": "",
             "last_event_seen": "",
             "scanners": [],
             "summary": "",
             "recommended_action": ""
         }
     ]
}

operation: Get Incident Related Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Time DateTime from when you want to retrieve information about events related to a particular incident from the Symantec EDR server.
End Time DateTime till when you want to retrieve information about events related to a particular incident from the Symantec EDR server.
Incident UUID UUID of the Incident whose related events you want to retrieve from the Symantec EDR server.
Open Query Query using which you want to retrieve information about events related to a particular incident from the Symantec EDR server.
\"atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\"
Number of Incident Related Events Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about events related to a particular incident ID, retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "next": "",
     "total": "",
     "result": [
         {
             "user_name": "",
             "incident": "",
             "uuid": "",
             "source": "",
             "sep_installed": "",
             "actual_action": "",
             "local_host_mac": "",
             "log_time": "",
             "virus_def": "",
             "type_id": "",
             "external_ip": "",
             "file": {},
             "log_name": "",
             "host_name": "",
             "agent_version": "",
             "no_of_viruses": "",
             "threat": {},
             "device_time": "",
             "device_uid": "",
             "actual_action_idx": "",
             "data_source_url_domain": "",
             "device_ip": "",
             "domain_name": "",
             "virus_name": "",
             "device_name": "",
             "internal_ip": ""
         }
     ]
}

operation: Get Command State

Input parameters

Parameter Description
Command ID ID of the command whose state you want to retrieve from the Symantec EDR server.
Number of Incident Related Events Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about the state of the command based on the command ID that you have specified retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "command_id": "",
     "action": "",
     "status": [
         {
             "state": "",
             "message": "",
             "target": {
                 "device_uid": "",
                 "hash": ""
             },
             "error_code": ""
         }
     ]
}

operation: Isolate Endpoint

Input parameters

Parameter Description
Endpoint ID (In CSV or List Format) ID(s) of the endpoint(s) that you want to isolate from the network.
You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8".

Output

The JSON output contains the ID of the command used to isolate the endpoint(s) retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "command_id": ""
}

operation: Rejoin Endpoint

Input parameters

Parameter Description
Endpoint ID (In CSV or List Format) ID(s) of the endpoint(s) that you want to rejoin to the network.
You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8".

Output

The JSON output contains the ID of the command used to rejoin the endpoint(s) retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "command_id": ""
}

operation: Delete File from Endpoint

Input parameters

Parameter Description
File Hash SHA-256 value of the file that you want to delete from the specified device.
Device UUID UUID of the device from which you want to delete the specified file.

Output

The JSON output contains the ID of the command used to delete the endpoint file retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "error_code": "",
     "message": "",
     "command_id": ""
}

operation: Get Incident Comments

Input parameters

Parameter Description
Incident UUID UUID of the Incident whose related comments you want to retrieve from the Symantec EDR server.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "user_id": "",
             "time": "",
             "comment": ""
         }
     ]
}

operation: Add Comment to Incident

Input parameters

Parameter Description
Incident UUID UUID of the Incident to which you want to add the comment on the Symantec EDR server.
Comment Comment that you want to add to the specified incident.

Output

The output contains a non-dictionary value.

operation: Close Incident

Input parameters

Parameter Description
Incident UUID UUID of the incident that you want to close on the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Get File from Endpoint

Input parameters

Parameter Description
File Hash (SHA256) SHA-256 value of the file that you want to fetch from the specified device.
Device UUID UUID of the device from which you want to retrieve details of the file from the Symantec EDR server.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "error_code": "",
     "command_id": ""
}

operation: Search Artifact on Endpoint

Input parameters

Parameter Description
Device UUID UUID of the device on the Symantec EDR server in which you want to search for the artifact.
You can enter one or more Device UUIDs.
Device Hostname Hostname of the device on the Symantec EDR server in which you want to search for the artifact.
You can enter one or more Device Hostnames.
SEPM Group SEPM group on the Symantec EDR server in which you want to search for the artifact.
You can enter one or more SEPM Groups.
IPv4 Address IPv4 address on the Symantec EDR server in which you want to search for the artifact.
You can enter one or more IPv4 Addresses.
Start Time (Optional) Start DateTime of the search recorder on the Symantec EDR server from when you want to search for the artifact.
End Time (Optional) End DateTime of the search recorder on the Symantec EDR server till when you want to search for the artifact.
Query (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve the artifacts from the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Search EOC on Endpoint

Input parameters

Parameter Description
Device UUID UUID of the device on the Symantec EDR server in which you want to search for the EOC.
You can enter one or more Device UUIDs.
Device Hostname Hostname of the device on the Symantec EDR server in which you want to search for the EOC.
You can enter one or more Device Hostnames.
SEPM Group SEPM group on the Symantec EDR server in which you want to search for the EOC.
You can enter more than one SEPM group.
IPv4 Address IPv4 Address on the Symantec EDR server in which you want to search for the EOC.
You can enter one or more IPv4 Addresses.
Query (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve EOCs from the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Get Entities

Input parameters

Note: All the input parameters are optional.

Parameter Description
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "domain_or_workgroup": "",
             "agent_version": "",
             "first_seen": "",
             "mac_addresses": [
                 ""
             ],
             "last_seen": "",
             "disposition_endpoint": "",
             "ip_addresses": [
                 ""
             ],
             "operating_system": {
                 "is_64_bit": "",
                 "osfullname": ""
             },
             "managed_sepm_version": "",
             "device_ip": "",
             "device_name": "",
             "device_uid": "",
             "type": "",
             "user_name": "",
             "managed_sepm_ip": "",
             "sep_group_summary": {
                 "name": "",
                 "sep_domain_summary": {
                     "name": ""
                 }
             }
         }
     ]
}

operation: Get Domain Entities

Input parameters

Note: All the input parameters are optional.

Parameter Description
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "disposition": "",
             "first_seen": "",
             "external_ip": "",
             "data_source_url": "",
             "data_source_url_domain": "",
             "last_seen": "",
             "domain_threat_data": {
                 "confidence": "",
                 "behavior": "",
                 "reputation_band": "",
                 "hostility": "",
                 "urls": [
                     "",
                     ""
                 ],
                 "ips_domain_hosted": [
                     {
                         "address": "",
                         "ip_version": "",
                         "country": "",
                         "state": "",
                         "city": "",
                         "organization": ""
                     }
                 ]
             },
             "type": ""
         }
     ]
}

operation: Get Domain Instances

Input parameters

Note: All the input parameters are optional.

Parameter Description
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "data_source_url_domain": "",
             "last_seen": "",
             "disposition": "",
             "first_seen": ""
         }
     ]
}

operation: Get Domain Instance by Domain Name

Input parameters

Parameter Description
Domain Name Name of the domain whose instance information you want to retrieve from the Symantec EDR database.
Number of Records Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "data_source_url_domain": "",
             "last_seen": "",
             "disposition": "",
             "first_seen": ""
         }
     ]
}

operation: Get Endpoint Entities

Input parameters

Note: All the input parameters are optional.

Parameter Description
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "domain_or_workgroup": "",
             "agent_version": "",
             "first_seen": "",
             "mac_addresses": [
                 ""
             ],
             "last_seen": "",
             "disposition_endpoint": "",
             "ip_addresses": [
                 ""
             ],
             "operating_system": {
                 "is_64_bit": "",
                 "osfullname": ""
             },
             "managed_sepm_version": "",
             "device_ip": "",
             "device_name": "",
             "device_uid": "",
             "type": "",
             "user_name": "",
             "managed_sepm_ip": "",
             "sep_group_summary": {
                 "name": "",
                 "sep_domain_summary": {
                     "name": ""
                 }
             }
         }
     ]
}

operation: Get Endpoint Instances

Input parameters

Note: All the input parameters are optional.

Parameter Description
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "domain_or_workgroup": "",
             "time": "",
             "device_ip": "",
             "device_name": "",
             "device_uid": "",
             "ip_addresses": [
                 ""
             ]
         }
     ]
}

operation: Get Specific Endpoint Instances

Input parameters

Parameter Description
Device UUID UUID of the device whose instance information you want to retrieve from the Symantec EDR database.
Number of Records Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "domain_or_workgroup": "",
             "time": "",
             "device_ip": "",
             "device_name": "",
             "device_uid": "",
             "ip_addresses": [
                 ""
             ]
         }
     ]
}

operation: Get File Entities

Input parameters

Note: All the input parameters are optional.

Parameter Description
Query Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve file entities from the Symantec EDR server.
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "first_seen": "",
             "global_first_seen": "",
             "sha2": "",
             "last_seen": "",
             "file_health": "",
             "type": "",
             "size": "",
             "threat_name": "",
             "name": "",
             "prevalence_band": "",
             "md5": ""
         }
     ]
}

operation: Get File Instances

Input parameters

Note: All the input parameters are optional.

Parameter Description
Query Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve file entities from the Symantec EDR server.
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "last_seen": "",
             "folder": "",
             "first_seen": "",
             "name": "",
             "sha2": ""
         }
     ]
}

operation: Get File Entity by SHA256

Input parameters

Parameter Description
File SHA256 SHA256 value of the file whose entity information you want to retrieve from the Symantec EDR database.
Number of Records Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "first_seen": "",
     "global_first_seen": "",
     "sha2": "",
     "last_seen": "",
     "file_health": "",
     "type": "",
     "size": "",
     "threat_name": "",
     "name": "",
     "prevalence_band": "",
     "md5": ""
}

operation: Create Blacklist Policy

Input parameters

Parameter Description
Target Type Type of the blacklist policy that you want to create on the Symantec EDR server.
You can choose from the following values: IP, Domain, URL, SHA256, or MD5.
Target Value Value of the blacklist elements that you want to add the blacklist policy that you want to create on the Symantec EDR server, based on the type you have selected.
For example, if you have selected URL, then you must add the value of the blacklist elements in the URL format, such as "1.1.1.1", "2.2.2.2".
Comment Comment about the blacklist policy that you want to create on the Symantec EDR server. 

Output

The output contains the following populated JSON schema:
{
     "ids": []
}

operation: Get Blacklist Policies

Input parameters

Parameter Description
Target Type Type of the blacklist policy whose information you want to retrieve from the Symantec EDR server.
You can choose from the following values: IP, Domain, URL, SHA256, or MD5.
Target Value Value of the type based on which you want to retrieve the blacklist policy information from the Symantec EDR server.
For example, if you have selected MD5, then you must enter an MD5 value in this field
Number of Records Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "result": [
         {
             "comment": "",
             "id": "",
             "target_type": "",
             "target_value": ""
         }
     ]
}

operation: Update Blacklist Policy Comment

Input parameters

Parameter Description
Policy ID ID of the blacklist policy in which you want to add/update a comment on the Symantec EDR server.
Comment Comment that you want to add to the specified blacklist policy on the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Delete Blacklist Policy

Input parameters

Parameter Description
Policy ID ID of the blacklist policy which you want to delete from the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Execute Sandbox Commands

Input parameters

Parameter Description
File sha256 SHA256 value of the file on which you want to execute the sandbox commands on the Symantec EDR server.

Output

The output contains the following populated JSON schema:
{
     "command_id": ""
}

operation: Get Sandbox Commands Status

Input parameters

Parameter Description
Sandbox Command ID ID of the sandbox command whose state you want to retrieve from the Symantec EDR server.

Output

The output contains the following populated JSON schema:


     "status": [
         {
             "error_code": "",
             "message": "",
             "state": "",
             "target": ""
         }
     ]
}

operation: Cancel Command

Input parameters

Parameter Description
Command ID ID of the triggered command that you want to cancel on the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Get Command Result

Input parameters

Parameter Description
Command ID ID of the command whose result you want to retrieve from the Symantec EDR server.
Query (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve the command results from the Symantec EDR server.
Number of Incident Related Events Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Symantec EDR - 2.0.0 playbook collection comes bundled with the Symantec EDR connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EDR connector.

  • Add Comment to Incident
  • Cancel Command
  • Close Incident
  • Create Blacklist Policy
  • Delete Blacklist Policy
  • Delete File from Endpoint
  • Execute Sandbox Commands
  • Get Appliance Information
  • Get Blacklist Policies
  • Get Command Result
  • Get Command State
  • Get Domain Entities
  • Get Domain Instance by Domain Name 
  • Get Domain Instances
  • Get Endpoint Entities
  • Get Endpoint Instances
  • Get Entities
  • Get Events
  • Get File Entities
  • Get File Entity by SHA256
  • Get File from Endpoint
  • Get File Instances
  • Get Incident Comments
  • Get Incident Related Events
  • Get Incidents
  • Get Sandbox Commands Status
  • Get Specific Endpoint Instances
  • Isolate Endpoint
  • Rejoin Endpoint
  • Search Artifact on Endpoint
  • Search EOC on Endpoint
  • > Symantec EDR > Create Alert
  • > Symantec EDR > Fetch
  • Symantec EDR > Ingest
  • >> Symantec EDR > Init Macros 
  • Update Blacklist Policy Comment

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

 

About the connector

Symantec Endpoint Detection and Response (EDR) performs the critical security tasks that detect, protect, and respond to threats to your network.

This document provides information about the Symantec EDR connector, which facilitates automated interactions, with a Symantec EDR server using FortiSOAR™ playbooks. Add the Symantec EDR connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving events, incidents, and files from the Symantec EDR server and isolating or rejoining an endpoint.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 5.1.0-464

Symantec EDR Version Tested on: 4.2.1-8

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the Symantec EDR connector in version 2.0.0:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors: 

yum install cyops-connector-symantec-EDR

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec EDR connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details. 

Parameter Description
Server URL URL of the Symantec EDR server to which you will connect and perform the automated operations.
Port Port of the Symantec EDR server.
Client ID Client ID that is used to access the Symantec EDR endpoint.
You can retrieve the client_id and client_secret pair from the EDR Manager after you have created an OAuth2 client.
Client Secret Client Secret that is used to access the Symantec EDR endpoint.
You can retrieve the client_id and client_secret pair from the EDR Manager after you have created an OAuth2 client.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Appliance Information Retrieves information about all appliances from the Symantec EDR server. get_information
Investigation
Get Events Retrieves information about all events, or events based on the input parameters that you have specified, from the Symantec EDR server. get_events
Investigation
Get Incidents Retrieves information about all incidents, or incidents based on the input parameters that you have specified, from the Symantec EDR server. get_incidents
Investigation
Get Incident Related Events Retrieves events information related to particular incident based on the input parameters that you have specified, from the Symantec EDR server. get_events
Investigation
Get Command State Retrieves state of the command based on the command ID that you have specified, from the Symantec EDR server. get_status
Investigation
Isolate Endpoint Isolates endpoints by cutting connections that the endpoint(s) has to internal networks and external networks, based on the endpoint IDs (in a list or CSV format) that you have specified.
Isolating an endpoint keeps that computer(s) from infecting other computers. EDR supports isolating endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later.
isolate_endpoint
Containment
Rejoin Endpoint Rejoins endpoints by re-establishing connections that the endpoint(s) has to internal networks and external networks, based on the endpoint IDs (in a list or CSV format) that you have specified.
You can rejoin only those endpoints that have been isolated. EDR supports rejoining endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later.
unisolate_endpoint
Investigation
Delete File from Endpoint Deletes all instances of the file for which you have specified the hash value, from the specified device based on its device UUID.
EDR supports deleting files on Symantec Endpoint Protection 12.1 RU6 MP3 and later.
delete_file
Remediation
Get Incident Comments Retrieves all comments related to a specific incident UUID that you have specified, from the Symantec EDR server. get_incident_comments
Investigation
Add Comment to Incident Adds a comment to specific incident UUID that you have specified on the Symantec EDR server. add_comments
Containment
Close Incident Closes a particular incident, based on the incident UUID that you have specified on the Symantec EDR server. close_incident
Containment
Get File from Endpoint Retrieves details of a file, based on its hash value, from the specified device, based on its device UUID, from the Symantec EDR server. get_file
Investigation
Search Artifact on Endpoint Searches for an artifact on the endpoint data recorder on the Symantec EDR server, based on the parameters such as the device UUID that you have specified. search_artifact
Investigation
Search EOC on Endpoint Searches for an EOC on the endpoint data recorder on the Symantec EDR server, based on the parameters such as the device UUID that you have specified. search_eoc
Investigation
Get Entities Retrieves information about the entities, such as file, domain, endpoint, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_entities
Investigation
Get Domain Entities Retrieves information about all domain entities from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_entities
Investigation
Get Domain Instances Retrieves information about all domain instances from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_instance
Investigation
Get Domain Instance by Domain Name Retrieves information about a specific domain instance, based on the domain name that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_instance
Investigation
Get Endpoint Entities Retrieves information about all endpoint entities from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_entities
Investigation
Get Endpoint Instances Retrieves information about all endpoint instances from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_instance
Investigation
Get Specific Endpoint Instances Retrieves information about a specific endpoint instance, based on the device UUID that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_instance
Investigation
Get File Entities Retrieves information about all the file entities from the Symantec EDR database. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. get_entities
Investigation
Get File Instances Retrieves information about all the file instances from the Symantec EDR database. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. get_instance
Investigation
Get File Entity by SHA256 Retrieves information about a specific file entity, based on the SHA256 value that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_entities
Investigation
Create Blacklist Policy Creates a blacklist policy, based on the Target Type and Target Value that you have specified, on the Symantec EDR server. You can also add a comment if required. create_policy
Investigation
Get Blacklist Policies Retrieves information about the blacklist policies, based on the Target Type and Target Value that you have specified, from the Symantec EDR server. You can provide the number of records to be displayed per page, and the link to the next page for navigation. get_policy
Investigation
Update Blacklist Policy Comment Updates a comment for a blacklist policy, based on the policy ID that you have specified, on the Symantec EDR server. update_policy
Investigation
Delete Blacklist Policy Deletes a blacklist policy, based on the policy ID that you have specified, from the Symantec EDR server. delete_policy
Investigation
Execute Sandbox Commands Executes sandbox commands for a specified file, based on its SHA256 value, on the Symantec EDR server. execute_command
Investigation
Get Sandbox Commands Status Retrieves the status of the executed sandbox commands based on the sandbox command ID that you have specified, from the Symantec EDR server. get_command_status
Investigation
Cancel Command Cancels the command execution triggered on the Symantec EDR server, based on the sandbox command ID that you have specified. cancel_command
Investigation
Get Command Result Retrieves the result of the executed command based on the command ID that you have specified, from the Symantec EDR server. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation. get_result
Investigation

operation: Get Appliance Information

Input parameters

None.

Output

The JSON output contains information about all appliances retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "appliance_list": [
         {
             "role": [],
             "appliance_name": "",
             "software_version": "",
             "appliance_id": "",
             "appliance_time": ""
         }
     ]
}

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Time DateTime from when you want to retrieve information about events from the Symantec EDR server.
End Time DateTime till when you want to retrieve information about events from the Symantec EDR server.
Open Query Query using which you want to retrieve information about events from the Symantec EDR server.
For example, \"atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\"
Number of Events Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about all events or events based on the input parameters that you have specified, retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "next": "",
     "total": "",
     "result": [
         {
             "log_name": "",
             "user_name": "",
             "device_uid": "",
             "device_os_name": "",
             "device_ip": "",
             "uuid": "",
             "device_time": "",
             "device_name": "",
             "enriched_data": {},
             "device_domain": "",
             "operation": "",
             "severity_id": "",
             "process": {},
             "log_time": "",
             "type_id": "",
             "event_actor": {}
         }
     ]
}

operation: Get Incidents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Time DateTime from when you want to retrieve information about incidents from the Symantec EDR server.
End Time DateTime till when you want to retrieve information about incidents from the Symantec EDR server.
Open Query Query using which you want to retrieve information about incidents from the Symantec EDR server.
For example, "atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\"
Number of Events Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about all incidents or incidents based on the input parameters that you have specified, retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "next": "",
     "total": 1,
     "result": [
         {
             "log_name": "",
             "domainId": [],
             "time": "",
             "updated": "",
             "state": "",
             "uuid": "",
             "first_event_seen": "",
             "deviceUid": [],
             "device_time": "",
             "priority_level": "",
             "last_event_seen": "",
             "scanners": [],
             "summary": "",
             "recommended_action": ""
         }
     ]
}

operation: Get Incident Related Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Time DateTime from when you want to retrieve information about events related to a particular incident from the Symantec EDR server.
End Time DateTime till when you want to retrieve information about events related to a particular incident from the Symantec EDR server.
Incident UUID UUID of the Incident whose related events you want to retrieve from the Symantec EDR server.
Open Query Query using which you want to retrieve information about events related to a particular incident from the Symantec EDR server.
\"atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\"
Number of Incident Related Events Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about events related to a particular incident ID, retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "next": "",
     "total": "",
     "result": [
         {
             "user_name": "",
             "incident": "",
             "uuid": "",
             "source": "",
             "sep_installed": "",
             "actual_action": "",
             "local_host_mac": "",
             "log_time": "",
             "virus_def": "",
             "type_id": "",
             "external_ip": "",
             "file": {},
             "log_name": "",
             "host_name": "",
             "agent_version": "",
             "no_of_viruses": "",
             "threat": {},
             "device_time": "",
             "device_uid": "",
             "actual_action_idx": "",
             "data_source_url_domain": "",
             "device_ip": "",
             "domain_name": "",
             "virus_name": "",
             "device_name": "",
             "internal_ip": ""
         }
     ]
}

operation: Get Command State

Input parameters

Parameter Description
Command ID ID of the command whose state you want to retrieve from the Symantec EDR server.
Number of Incident Related Events Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about the state of the command based on the command ID that you have specified retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "command_id": "",
     "action": "",
     "status": [
         {
             "state": "",
             "message": "",
             "target": {
                 "device_uid": "",
                 "hash": ""
             },
             "error_code": ""
         }
     ]
}

operation: Isolate Endpoint

Input parameters

Parameter Description
Endpoint ID (In CSV or List Format) ID(s) of the endpoint(s) that you want to isolate from the network.
You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8".

Output

The JSON output contains the ID of the command used to isolate the endpoint(s) retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "command_id": ""
}

operation: Rejoin Endpoint

Input parameters

Parameter Description
Endpoint ID (In CSV or List Format) ID(s) of the endpoint(s) that you want to rejoin to the network.
You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8".

Output

The JSON output contains the ID of the command used to rejoin the endpoint(s) retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "command_id": ""
}

operation: Delete File from Endpoint

Input parameters

Parameter Description
File Hash SHA-256 value of the file that you want to delete from the specified device.
Device UUID UUID of the device from which you want to delete the specified file.

Output

The JSON output contains the ID of the command used to delete the endpoint file retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
     "error_code": "",
     "message": "",
     "command_id": ""
}

operation: Get Incident Comments

Input parameters

Parameter Description
Incident UUID UUID of the Incident whose related comments you want to retrieve from the Symantec EDR server.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "user_id": "",
             "time": "",
             "comment": ""
         }
     ]
}

operation: Add Comment to Incident

Input parameters

Parameter Description
Incident UUID UUID of the Incident to which you want to add the comment on the Symantec EDR server.
Comment Comment that you want to add to the specified incident.

Output

The output contains a non-dictionary value.

operation: Close Incident

Input parameters

Parameter Description
Incident UUID UUID of the incident that you want to close on the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Get File from Endpoint

Input parameters

Parameter Description
File Hash (SHA256) SHA-256 value of the file that you want to fetch from the specified device.
Device UUID UUID of the device from which you want to retrieve details of the file from the Symantec EDR server.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "error_code": "",
     "command_id": ""
}

operation: Search Artifact on Endpoint

Input parameters

Parameter Description
Device UUID UUID of the device on the Symantec EDR server in which you want to search for the artifact.
You can enter one or more Device UUIDs.
Device Hostname Hostname of the device on the Symantec EDR server in which you want to search for the artifact.
You can enter one or more Device Hostnames.
SEPM Group SEPM group on the Symantec EDR server in which you want to search for the artifact.
You can enter one or more SEPM Groups.
IPv4 Address IPv4 address on the Symantec EDR server in which you want to search for the artifact.
You can enter one or more IPv4 Addresses.
Start Time (Optional) Start DateTime of the search recorder on the Symantec EDR server from when you want to search for the artifact.
End Time (Optional) End DateTime of the search recorder on the Symantec EDR server till when you want to search for the artifact.
Query (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve the artifacts from the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Search EOC on Endpoint

Input parameters

Parameter Description
Device UUID UUID of the device on the Symantec EDR server in which you want to search for the EOC.
You can enter one or more Device UUIDs.
Device Hostname Hostname of the device on the Symantec EDR server in which you want to search for the EOC.
You can enter one or more Device Hostnames.
SEPM Group SEPM group on the Symantec EDR server in which you want to search for the EOC.
You can enter more than one SEPM group.
IPv4 Address IPv4 Address on the Symantec EDR server in which you want to search for the EOC.
You can enter one or more IPv4 Addresses.
Query (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve EOCs from the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Get Entities

Input parameters

Note: All the input parameters are optional.

Parameter Description
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "domain_or_workgroup": "",
             "agent_version": "",
             "first_seen": "",
             "mac_addresses": [
                 ""
             ],
             "last_seen": "",
             "disposition_endpoint": "",
             "ip_addresses": [
                 ""
             ],
             "operating_system": {
                 "is_64_bit": "",
                 "osfullname": ""
             },
             "managed_sepm_version": "",
             "device_ip": "",
             "device_name": "",
             "device_uid": "",
             "type": "",
             "user_name": "",
             "managed_sepm_ip": "",
             "sep_group_summary": {
                 "name": "",
                 "sep_domain_summary": {
                     "name": ""
                 }
             }
         }
     ]
}

operation: Get Domain Entities

Input parameters

Note: All the input parameters are optional.

Parameter Description
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "disposition": "",
             "first_seen": "",
             "external_ip": "",
             "data_source_url": "",
             "data_source_url_domain": "",
             "last_seen": "",
             "domain_threat_data": {
                 "confidence": "",
                 "behavior": "",
                 "reputation_band": "",
                 "hostility": "",
                 "urls": [
                     "",
                     ""
                 ],
                 "ips_domain_hosted": [
                     {
                         "address": "",
                         "ip_version": "",
                         "country": "",
                         "state": "",
                         "city": "",
                         "organization": ""
                     }
                 ]
             },
             "type": ""
         }
     ]
}

operation: Get Domain Instances

Input parameters

Note: All the input parameters are optional.

Parameter Description
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "data_source_url_domain": "",
             "last_seen": "",
             "disposition": "",
             "first_seen": ""
         }
     ]
}

operation: Get Domain Instance by Domain Name

Input parameters

Parameter Description
Domain Name Name of the domain whose instance information you want to retrieve from the Symantec EDR database.
Number of Records Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "data_source_url_domain": "",
             "last_seen": "",
             "disposition": "",
             "first_seen": ""
         }
     ]
}

operation: Get Endpoint Entities

Input parameters

Note: All the input parameters are optional.

Parameter Description
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "domain_or_workgroup": "",
             "agent_version": "",
             "first_seen": "",
             "mac_addresses": [
                 ""
             ],
             "last_seen": "",
             "disposition_endpoint": "",
             "ip_addresses": [
                 ""
             ],
             "operating_system": {
                 "is_64_bit": "",
                 "osfullname": ""
             },
             "managed_sepm_version": "",
             "device_ip": "",
             "device_name": "",
             "device_uid": "",
             "type": "",
             "user_name": "",
             "managed_sepm_ip": "",
             "sep_group_summary": {
                 "name": "",
                 "sep_domain_summary": {
                     "name": ""
                 }
             }
         }
     ]
}

operation: Get Endpoint Instances

Input parameters

Note: All the input parameters are optional.

Parameter Description
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "domain_or_workgroup": "",
             "time": "",
             "device_ip": "",
             "device_name": "",
             "device_uid": "",
             "ip_addresses": [
                 ""
             ]
         }
     ]
}

operation: Get Specific Endpoint Instances

Input parameters

Parameter Description
Device UUID UUID of the device whose instance information you want to retrieve from the Symantec EDR database.
Number of Records Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "domain_or_workgroup": "",
             "time": "",
             "device_ip": "",
             "device_name": "",
             "device_uid": "",
             "ip_addresses": [
                 ""
             ]
         }
     ]
}

operation: Get File Entities

Input parameters

Note: All the input parameters are optional.

Parameter Description
Query Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve file entities from the Symantec EDR server.
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "first_seen": "",
             "global_first_seen": "",
             "sha2": "",
             "last_seen": "",
             "file_health": "",
             "type": "",
             "size": "",
             "threat_name": "",
             "name": "",
             "prevalence_band": "",
             "md5": ""
         }
     ]
}

operation: Get File Instances

Input parameters

Note: All the input parameters are optional.

Parameter Description
Query Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve file entities from the Symantec EDR server.
Number of Records Limit Number of records to be displayed per page.
Next Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "next": "",
     "result": [
         {
             "last_seen": "",
             "folder": "",
             "first_seen": "",
             "name": "",
             "sha2": ""
         }
     ]
}

operation: Get File Entity by SHA256

Input parameters

Parameter Description
File SHA256 SHA256 value of the file whose entity information you want to retrieve from the Symantec EDR database.
Number of Records Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "first_seen": "",
     "global_first_seen": "",
     "sha2": "",
     "last_seen": "",
     "file_health": "",
     "type": "",
     "size": "",
     "threat_name": "",
     "name": "",
     "prevalence_band": "",
     "md5": ""
}

operation: Create Blacklist Policy

Input parameters

Parameter Description
Target Type Type of the blacklist policy that you want to create on the Symantec EDR server.
You can choose from the following values: IP, Domain, URL, SHA256, or MD5.
Target Value Value of the blacklist elements that you want to add the blacklist policy that you want to create on the Symantec EDR server, based on the type you have selected.
For example, if you have selected URL, then you must add the value of the blacklist elements in the URL format, such as "1.1.1.1", "2.2.2.2".
Comment Comment about the blacklist policy that you want to create on the Symantec EDR server. 

Output

The output contains the following populated JSON schema:
{
     "ids": []
}

operation: Get Blacklist Policies

Input parameters

Parameter Description
Target Type Type of the blacklist policy whose information you want to retrieve from the Symantec EDR server.
You can choose from the following values: IP, Domain, URL, SHA256, or MD5.
Target Value Value of the type based on which you want to retrieve the blacklist policy information from the Symantec EDR server.
For example, if you have selected MD5, then you must enter an MD5 value in this field
Number of Records Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
     "result": [
         {
             "comment": "",
             "id": "",
             "target_type": "",
             "target_value": ""
         }
     ]
}

operation: Update Blacklist Policy Comment

Input parameters

Parameter Description
Policy ID ID of the blacklist policy in which you want to add/update a comment on the Symantec EDR server.
Comment Comment that you want to add to the specified blacklist policy on the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Delete Blacklist Policy

Input parameters

Parameter Description
Policy ID ID of the blacklist policy which you want to delete from the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Execute Sandbox Commands

Input parameters

Parameter Description
File sha256 SHA256 value of the file on which you want to execute the sandbox commands on the Symantec EDR server.

Output

The output contains the following populated JSON schema:
{
     "command_id": ""
}

operation: Get Sandbox Commands Status

Input parameters

Parameter Description
Sandbox Command ID ID of the sandbox command whose state you want to retrieve from the Symantec EDR server.

Output

The output contains the following populated JSON schema:


     "status": [
         {
             "error_code": "",
             "message": "",
             "state": "",
             "target": ""
         }
     ]
}

operation: Cancel Command

Input parameters

Parameter Description
Command ID ID of the triggered command that you want to cancel on the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Get Command Result

Input parameters

Parameter Description
Command ID ID of the command whose result you want to retrieve from the Symantec EDR server.
Query (Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve the command results from the Symantec EDR server.
Number of Incident Related Events Limit (Optional) Number of records to be displayed per page.
Next (Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Symantec EDR - 2.0.0 playbook collection comes bundled with the Symantec EDR connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EDR connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.