Symantec EDR v2.0.0

About the connector

Symantec Endpoint Detection and Response (EDR) performs the critical security tasks that detect, protect, and respond to threats to your network.

This document provides information about the Symantec EDR connector, which facilitates automated interactions, with a Symantec EDR server using FortiSOAR™ playbooks. Add the Symantec EDR connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving events, incidents, and files from the Symantec EDR server and isolating or rejoining an endpoint.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 5.1.0-464

Symantec EDR Version Tested on: 4.2.1-8

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the Symantec EDR connector in version 2.0.0:

• Renamed the connector from Symantec ATP to Symantec EDR.
• Added support for configuring Symantec EDR data ingestion using the FortiSOAR™ Data Ingestion Wizard. For information on the Data Ingestion Wizard, see the FortiSOAR™ Product Documentation.
  The following new playbooks have been added to support data ingestion:
  • > Symantec EDR > Create Alert
  • > Symantec EDR > Fetch
  • Symantec EDR > Ingest
  • >> Symantec EDR > Init Macros
• Renamed the following operations:
  • Delete Endpoint File renamed to Delete File from Endpoint
• Added the following new operations and playbooks:
  • Get Incident Comments
  • Add Comment to Incident
  • Search Artifact on Endpoint
  • Search EOC on Endpoint
  • Close Incident
  • Get File from Endpoint
  • Get Entities
  • Get Domain Entities
  • Get Domain Instances
  • Get Domain Instance by Domain Name
  • Get Endpoint Entities
  • Get Endpoint Instances
  • Get Specific Endpoint Instances
  • Get File Entities
  • Get File Instances
  • Get File Entity by SHA256
  • Create Blacklist Policy
  • Get Blacklist Policies
  • Update Blacklist Policy Comment
  • Delete Blacklist Policy
  • Execute Sandbox Commands
  • Get Sandbox Commands Status
  • Cancel Command
  • Get Command Result
• Removed the following operations and playbooks
  • Get Blacklist
  • Get Whitelist
  • Add To Blacklist
  • Add To Whitelist
  • Remove From Blacklist
  • Remove From Whitelist
  • Get File Details

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-symantec-EDR

Prerequisites to configuring the connector

• You must have the URL of the Symantec EDR server to which you will connect and perform the automated operations.
• You must have the Client ID and the Client Secret pair that is used to access the Symantec EDR endpoint.
• To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec EDR connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.

Parameter	Description
Server URL	URL of the Symantec EDR server to which you will connect and perform the automated operations.
Port	Port of the Symantec EDR server.
Client ID	Client ID that is used to access the Symantec EDR endpoint. You can retrieve the client_id and client_secret pair from the EDR Manager after you have created an OAuth2 client.
Client Secret	Client Secret that is used to access the Symantec EDR endpoint. You can retrieve the client_id and client_secret pair from the EDR Manager after you have created an OAuth2 client.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function	Description	Annotation and Category
Get Appliance Information	Retrieves information about all appliances from the Symantec EDR server.	get_information Investigation
Get Events	Retrieves information about all events, or events based on the input parameters that you have specified, from the Symantec EDR server.	get_events Investigation
Get Incidents	Retrieves information about all incidents, or incidents based on the input parameters that you have specified, from the Symantec EDR server.	get_incidents Investigation
Get Incident Related Events	Retrieves events information related to particular incident based on the input parameters that you have specified, from the Symantec EDR server.	get_events Investigation
Get Command State	Retrieves state of the command based on the command ID that you have specified, from the Symantec EDR server.	get_status Investigation
Isolate Endpoint	Isolates endpoints by cutting connections that the endpoint(s) has to internal networks and external networks, based on the endpoint IDs (in a list or CSV format) that you have specified. Isolating an endpoint keeps that computer(s) from infecting other computers. EDR supports isolating endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later.	isolate_endpoint Containment
Rejoin Endpoint	Rejoins endpoints by re-establishing connections that the endpoint(s) has to internal networks and external networks, based on the endpoint IDs (in a list or CSV format) that you have specified. You can rejoin only those endpoints that have been isolated. EDR supports rejoining endpoints on Symantec Endpoint Protection 12.1 RU6 MP3 and later.	unisolate_endpoint Investigation
Delete File from Endpoint	Deletes all instances of the file for which you have specified the hash value, from the specified device based on its device UUID. EDR supports deleting files on Symantec Endpoint Protection 12.1 RU6 MP3 and later.	delete_file Remediation
Get Incident Comments	Retrieves all comments related to a specific incident UUID that you have specified, from the Symantec EDR server.	get_incident_comments Investigation
Add Comment to Incident	Adds a comment to specific incident UUID that you have specified on the Symantec EDR server.	add_comments Containment
Close Incident	Closes a particular incident, based on the incident UUID that you have specified on the Symantec EDR server.	close_incident Containment
Get File from Endpoint	Retrieves details of a file, based on its hash value, from the specified device, based on its device UUID, from the Symantec EDR server.	get_file Investigation
Search Artifact on Endpoint	Searches for an artifact on the endpoint data recorder on the Symantec EDR server, based on the parameters such as the device UUID that you have specified.	search_artifact Investigation
Search EOC on Endpoint	Searches for an EOC on the endpoint data recorder on the Symantec EDR server, based on the parameters such as the device UUID that you have specified.	search_eoc Investigation
Get Entities	Retrieves information about the entities, such as file, domain, endpoint, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation.	get_entities Investigation
Get Domain Entities	Retrieves information about all domain entities from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation.	get_entities Investigation
Get Domain Instances	Retrieves information about all domain instances from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation.	get_instance Investigation
Get Domain Instance by Domain Name	Retrieves information about a specific domain instance, based on the domain name that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation.	get_instance Investigation
Get Endpoint Entities	Retrieves information about all endpoint entities from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation.	get_entities Investigation
Get Endpoint Instances	Retrieves information about all endpoint instances from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation.	get_instance Investigation
Get Specific Endpoint Instances	Retrieves information about a specific endpoint instance, based on the device UUID that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation.	get_instance Investigation
Get File Entities	Retrieves information about all the file entities from the Symantec EDR database. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation.	get_entities Investigation
Get File Instances	Retrieves information about all the file instances from the Symantec EDR database. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation.	get_instance Investigation
Get File Entity by SHA256	Retrieves information about a specific file entity, based on the SHA256 value that you have specified, from the Symantec EDR database. You can provide the number of records to be displayed per page, and the link to the next page for navigation.	get_entities Investigation
Create Blacklist Policy	Creates a blacklist policy, based on the Target Type and Target Value that you have specified, on the Symantec EDR server. You can also add a comment if required.	create_policy Investigation
Get Blacklist Policies	Retrieves information about the blacklist policies, based on the Target Type and Target Value that you have specified, from the Symantec EDR server. You can provide the number of records to be displayed per page, and the link to the next page for navigation.	get_policy Investigation
Update Blacklist Policy Comment	Updates a comment for a blacklist policy, based on the policy ID that you have specified, on the Symantec EDR server.	update_policy Investigation
Delete Blacklist Policy	Deletes a blacklist policy, based on the policy ID that you have specified, from the Symantec EDR server.	delete_policy Investigation
Execute Sandbox Commands	Executes sandbox commands for a specified file, based on its SHA256 value, on the Symantec EDR server.	execute_command Investigation
Get Sandbox Commands Status	Retrieves the status of the executed sandbox commands based on the sandbox command ID that you have specified, from the Symantec EDR server.	get_command_status Investigation
Cancel Command	Cancels the command execution triggered on the Symantec EDR server, based on the sandbox command ID that you have specified.	cancel_command Investigation
Get Command Result	Retrieves the result of the executed command based on the command ID that you have specified, from the Symantec EDR server. You can specify a query to be applied on the search result. You can also provide the number of records to be displayed per page, and the link to the next page for navigation.	get_result Investigation

operation: Get Appliance Information

Input parameters

None.

Output

The JSON output contains information about all appliances retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
"appliance_list": [
{
"role": [],
"appliance_name": "",
"software_version": "",
"appliance_id": "",
"appliance_time": ""
}
]
}

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
Start Time	DateTime from when you want to retrieve information about events from the Symantec EDR server.
End Time	DateTime till when you want to retrieve information about events from the Symantec EDR server.
Open Query	Query using which you want to retrieve information about events from the Symantec EDR server. For example, \"atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\"
Number of Events Limit	Number of records to be displayed per page.
Next	Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about all events or events based on the input parameters that you have specified, retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
"next": "",
"total": "",
"result": [
{
"log_name": "",
"user_name": "",
"device_uid": "",
"device_os_name": "",
"device_ip": "",
"uuid": "",
"device_time": "",
"device_name": "",
"enriched_data": {},
"device_domain": "",
"operation": "",
"severity_id": "",
"process": {},
"log_time": "",
"type_id": "",
"event_actor": {}
}
]
}

operation: Get Incidents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
Start Time	DateTime from when you want to retrieve information about incidents from the Symantec EDR server.
End Time	DateTime till when you want to retrieve information about incidents from the Symantec EDR server.
Open Query	Query using which you want to retrieve information about incidents from the Symantec EDR server. For example, "atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\"
Number of Events Limit	Number of records to be displayed per page.
Next	Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about all incidents or incidents based on the input parameters that you have specified, retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
"next": "",
"total": 1,
"result": [
{
"log_name": "",
"domainId": [],
"time": "",
"updated": "",
"state": "",
"uuid": "",
"first_event_seen": "",
"deviceUid": [],
"device_time": "",
"priority_level": "",
"last_event_seen": "",
"scanners": [],
"summary": "",
"recommended_action": ""
}
]
}

operation: Get Incident Related Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
Start Time	DateTime from when you want to retrieve information about events related to a particular incident from the Symantec EDR server.
End Time	DateTime till when you want to retrieve information about events related to a particular incident from the Symantec EDR server.
Incident UUID	UUID of the Incident whose related events you want to retrieve from the Symantec EDR server.
Open Query	Query using which you want to retrieve information about events related to a particular incident from the Symantec EDR server. \"atp_incident_id:100602 || state:1 && time:[2019-09-18T05:24:25.914Z TO *]\"
Number of Incident Related Events Limit	Number of records to be displayed per page.
Next	Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about events related to a particular incident ID, retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
"next": "",
"total": "",
"result": [
{
"user_name": "",
"incident": "",
"uuid": "",
"source": "",
"sep_installed": "",
"actual_action": "",
"local_host_mac": "",
"log_time": "",
"virus_def": "",
"type_id": "",
"external_ip": "",
"file": {},
"log_name": "",
"host_name": "",
"agent_version": "",
"no_of_viruses": "",
"threat": {},
"device_time": "",
"device_uid": "",
"actual_action_idx": "",
"data_source_url_domain": "",
"device_ip": "",
"domain_name": "",
"virus_name": "",
"device_name": "",
"internal_ip": ""
}
]
}

operation: Get Command State

Input parameters

Parameter	Description
Command ID	ID of the command whose state you want to retrieve from the Symantec EDR server.
Number of Incident Related Events Limit	(Optional) Number of records to be displayed per page.
Next	(Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The JSON output contains information about the state of the command based on the command ID that you have specified retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
"command_id": "",
"action": "",
"status": [
{
"state": "",
"message": "",
"target": {
"device_uid": "",
"hash": ""
},
"error_code": ""
}
]
}

operation: Isolate Endpoint

Input parameters

Parameter	Description
Endpoint ID (In CSV or List Format)	ID(s) of the endpoint(s) that you want to isolate from the network. You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8".

Output

The JSON output contains the ID of the command used to isolate the endpoint(s) retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
"command_id": ""
}

operation: Rejoin Endpoint

Input parameters

Parameter	Description
Endpoint ID (In CSV or List Format)	ID(s) of the endpoint(s) that you want to rejoin to the network. You can specify multiple endpoint IDs using the list or CSV format or a single endpoint ID in this field. For example, [\"cb46d251-151d-4583-a8fb-ebff7c42cfd8\", \"cb46d251-151d-4583-a8fb-ebff7c42cfd8\"] or "cb46d251-151d-4583-a8fb-ebff7c42cfd8".

Output

The JSON output contains the ID of the command used to rejoin the endpoint(s) retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
"command_id": ""
}

operation: Delete File from Endpoint

Input parameters

Parameter	Description
File Hash	SHA-256 value of the file that you want to delete from the specified device.
Device UUID	UUID of the device from which you want to delete the specified file.

Output

The JSON output contains the ID of the command used to delete the endpoint file retrieved from the Symantec EDR server.

The output contains the following populated JSON schema:
{
"error_code": "",
"message": "",
"command_id": ""
}

operation: Get Incident Comments

Input parameters

Parameter	Description
Incident UUID	UUID of the Incident whose related comments you want to retrieve from the Symantec EDR server.

Output

The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"user_id": "",
"time": "",
"comment": ""
}
]
}

operation: Add Comment to Incident

Input parameters

Parameter	Description
Incident UUID	UUID of the Incident to which you want to add the comment on the Symantec EDR server.
Comment	Comment that you want to add to the specified incident.

Output

The output contains a non-dictionary value.

operation: Close Incident

Input parameters

Parameter	Description
Incident UUID	UUID of the incident that you want to close on the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Get File from Endpoint

Input parameters

Parameter	Description
File Hash (SHA256)	SHA-256 value of the file that you want to fetch from the specified device.
Device UUID	UUID of the device from which you want to retrieve details of the file from the Symantec EDR server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"error_code": "",
"command_id": ""
}

operation: Search Artifact on Endpoint

Input parameters

Parameter	Description
Device UUID	UUID of the device on the Symantec EDR server in which you want to search for the artifact. You can enter one or more Device UUIDs.
Device Hostname	Hostname of the device on the Symantec EDR server in which you want to search for the artifact. You can enter one or more Device Hostnames.
SEPM Group	SEPM group on the Symantec EDR server in which you want to search for the artifact. You can enter one or more SEPM Groups.
IPv4 Address	IPv4 address on the Symantec EDR server in which you want to search for the artifact. You can enter one or more IPv4 Addresses.
Start Time	(Optional) Start DateTime of the search recorder on the Symantec EDR server from when you want to search for the artifact.
End Time	(Optional) End DateTime of the search recorder on the Symantec EDR server till when you want to search for the artifact.
Query	(Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve the artifacts from the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Search EOC on Endpoint

Input parameters

Parameter	Description
Device UUID	UUID of the device on the Symantec EDR server in which you want to search for the EOC. You can enter one or more Device UUIDs.
Device Hostname	Hostname of the device on the Symantec EDR server in which you want to search for the EOC. You can enter one or more Device Hostnames.
SEPM Group	SEPM group on the Symantec EDR server in which you want to search for the EOC. You can enter more than one SEPM group.
IPv4 Address	IPv4 Address on the Symantec EDR server in which you want to search for the EOC. You can enter one or more IPv4 Addresses.
Query	(Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve EOCs from the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Get Entities

Input parameters

Note: All the input parameters are optional.

Parameter	Description
Number of Records Limit	Number of records to be displayed per page.
Next	Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"agent_version": "",
"first_seen": "",
"mac_addresses": [
""
],
"last_seen": "",
"disposition_endpoint": "",
"ip_addresses": [
""
],
"operating_system": {
"is_64_bit": "",
"osfullname": ""
},
"managed_sepm_version": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"type": "",
"user_name": "",
"managed_sepm_ip": "",
"sep_group_summary": {
"name": "",
"sep_domain_summary": {
"name": ""
}
}
}
]
}

operation: Get Domain Entities

Input parameters

Note: All the input parameters are optional.

Parameter	Description
Number of Records Limit	Number of records to be displayed per page.
Next	Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"disposition": "",
"first_seen": "",
"external_ip": "",
"data_source_url": "",
"data_source_url_domain": "",
"last_seen": "",
"domain_threat_data": {
"confidence": "",
"behavior": "",
"reputation_band": "",
"hostility": "",
"urls": [
"",
""
],
"ips_domain_hosted": [
{
"address": "",
"ip_version": "",
"country": "",
"state": "",
"city": "",
"organization": ""
}
]
},
"type": ""
}
]
}

operation: Get Domain Instances

Input parameters

Note: All the input parameters are optional.

Parameter	Description
Number of Records Limit	Number of records to be displayed per page.
Next	Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"data_source_url_domain": "",
"last_seen": "",
"disposition": "",
"first_seen": ""
}
]
}

operation: Get Domain Instance by Domain Name

Input parameters

Parameter	Description
Domain Name	Name of the domain whose instance information you want to retrieve from the Symantec EDR database.
Number of Records Limit	(Optional) Number of records to be displayed per page.
Next	(Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"data_source_url_domain": "",
"last_seen": "",
"disposition": "",
"first_seen": ""
}
]
}

operation: Get Endpoint Entities

Input parameters

Note: All the input parameters are optional.

Parameter	Description
Number of Records Limit	Number of records to be displayed per page.
Next	Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"agent_version": "",
"first_seen": "",
"mac_addresses": [
""
],
"last_seen": "",
"disposition_endpoint": "",
"ip_addresses": [
""
],
"operating_system": {
"is_64_bit": "",
"osfullname": ""
},
"managed_sepm_version": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"type": "",
"user_name": "",
"managed_sepm_ip": "",
"sep_group_summary": {
"name": "",
"sep_domain_summary": {
"name": ""
}
}
}
]
}

operation: Get Endpoint Instances

Input parameters

Note: All the input parameters are optional.

Parameter	Description
Number of Records Limit	Number of records to be displayed per page.
Next	Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"time": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"ip_addresses": [
""
]
}
]
}

operation: Get Specific Endpoint Instances

Input parameters

Parameter	Description
Device UUID	UUID of the device whose instance information you want to retrieve from the Symantec EDR database.
Number of Records Limit	(Optional) Number of records to be displayed per page.
Next	(Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"domain_or_workgroup": "",
"time": "",
"device_ip": "",
"device_name": "",
"device_uid": "",
"ip_addresses": [
""
]
}
]
}

operation: Get File Entities

Input parameters

Note: All the input parameters are optional.

Parameter	Description
Query	Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve file entities from the Symantec EDR server.
Number of Records Limit	Number of records to be displayed per page.
Next	Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"first_seen": "",
"global_first_seen": "",
"sha2": "",
"last_seen": "",
"file_health": "",
"type": "",
"size": "",
"threat_name": "",
"name": "",
"prevalence_band": "",
"md5": ""
}
]
}

operation: Get File Instances

Input parameters

Note: All the input parameters are optional.

Parameter	Description
Query	Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve file entities from the Symantec EDR server.
Number of Records Limit	Number of records to be displayed per page.
Next	Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"total": "",
"next": "",
"result": [
{
"last_seen": "",
"folder": "",
"first_seen": "",
"name": "",
"sha2": ""
}
]
}

operation: Get File Entity by SHA256

Input parameters

Parameter	Description
File SHA256	SHA256 value of the file whose entity information you want to retrieve from the Symantec EDR database.
Number of Records Limit	(Optional) Number of records to be displayed per page.
Next	(Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"first_seen": "",
"global_first_seen": "",
"sha2": "",
"last_seen": "",
"file_health": "",
"type": "",
"size": "",
"threat_name": "",
"name": "",
"prevalence_band": "",
"md5": ""
}

operation: Create Blacklist Policy

Input parameters

Parameter	Description
Target Type	Type of the blacklist policy that you want to create on the Symantec EDR server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5.
Target Value	Value of the blacklist elements that you want to add the blacklist policy that you want to create on the Symantec EDR server, based on the type you have selected. For example, if you have selected URL, then you must add the value of the blacklist elements in the URL format, such as "1.1.1.1", "2.2.2.2".
Comment	Comment about the blacklist policy that you want to create on the Symantec EDR server.

Output

The output contains the following populated JSON schema:
{
"ids": []
}

operation: Get Blacklist Policies

Input parameters

Parameter	Description
Target Type	Type of the blacklist policy whose information you want to retrieve from the Symantec EDR server. You can choose from the following values: IP, Domain, URL, SHA256, or MD5.
Target Value	Value of the type based on which you want to retrieve the blacklist policy information from the Symantec EDR server. For example, if you have selected MD5, then you must enter an MD5 value in this field
Number of Records Limit	(Optional) Number of records to be displayed per page.
Next	(Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains the following populated JSON schema:
{
"result": [
{
"comment": "",
"id": "",
"target_type": "",
"target_value": ""
}
]
}

operation: Update Blacklist Policy Comment

Input parameters

Parameter	Description
Policy ID	ID of the blacklist policy in which you want to add/update a comment on the Symantec EDR server.
Comment	Comment that you want to add to the specified blacklist policy on the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Delete Blacklist Policy

Input parameters

Parameter	Description
Policy ID	ID of the blacklist policy which you want to delete from the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Execute Sandbox Commands

Input parameters

Parameter	Description
File sha256	SHA256 value of the file on which you want to execute the sandbox commands on the Symantec EDR server.

Output

The output contains the following populated JSON schema:
{
"command_id": ""
}

operation: Get Sandbox Commands Status

Input parameters

Parameter	Description
Sandbox Command ID	ID of the sandbox command whose state you want to retrieve from the Symantec EDR server.

Output

The output contains the following populated JSON schema:

{
"status": [
{
"error_code": "",
"message": "",
"state": "",
"target": ""
}
]
}

operation: Cancel Command

Input parameters

Parameter	Description
Command ID	ID of the triggered command that you want to cancel on the Symantec EDR server.

Output

The output contains a non-dictionary value.

operation: Get Command Result

Input parameters

Parameter	Description
Command ID	ID of the command whose result you want to retrieve from the Symantec EDR server.
Query	(Optional) Query (or filter) that you can define to specify the search criteria, based on which you want to retrieve the command results from the Symantec EDR server.
Number of Incident Related Events Limit	(Optional) Number of records to be displayed per page.
Next	(Optional) Hyperlink to the next page, in case the search results span across multiple pages. Specify this field only if you want to get results on the next page.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Symantec EDR - 2.0.0 playbook collection comes bundled with the Symantec EDR connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec EDR connector.

• Add Comment to Incident
• Cancel Command
• Close Incident
• Create Blacklist Policy
• Delete Blacklist Policy
• Delete File from Endpoint
• Execute Sandbox Commands
• Get Appliance Information
• Get Blacklist Policies
• Get Command Result
• Get Command State
• Get Domain Entities
• Get Domain Instance by Domain Name
• Get Domain Instances
• Get Endpoint Entities
• Get Endpoint Instances
• Get Entities
• Get Events
• Get File Entities
• Get File Entity by SHA256
• Get File from Endpoint
• Get File Instances
• Get Incident Comments
• Get Incident Related Events
• Get Incidents
• Get Sandbox Commands Status
• Get Specific Endpoint Instances
• Isolate Endpoint
• Rejoin Endpoint
• Search Artifact on Endpoint
• Search EOC on Endpoint
• > Symantec EDR > Create Alert
• > Symantec EDR > Fetch
• Symantec EDR > Ingest
• >> Symantec EDR > Init Macros
• Update Blacklist Policy Comment

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.