Symantec Email Security.cloud v2.0.0


About the connector

Symantec Email Security.cloud stops targeted spear-phishing and other email threats by blocking sender IPs, domains, URLs, email addresses, and other indicators.

This document provides information about the Symantec Email Security.cloud connector, which facilitates automated interactions with a Symantec Email Security.cloud server using FortiSOAR™ playbooks. Add the Symantec Email Security.cloud connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blacklisting email addresses, domains, URLs, IP addresses, and other IOCs, and downloading IOCs from Symantec Email Security.cloud.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 5.1.0-464

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

  • Renamed the connector from Symantec Cloud to Symantec Email Security.cloud.
  • Renamed the following operation and playbooks: Blacklist IP renamed to Blacklist IP Address.
  • Updated the following operations to include new input parameters:
    • Blacklist IP Address
    • Blacklist Domain
    • Blacklist Email Address
  • Removed the following operations and playbooks:
    • Whitelist IP
    • Whitelist Domain
    • Whitelist Email Address
    • Get Threat Intelligence Feed
  • Added the following new operations and playbooks:
    • Blacklist URL
    • Block Subject Text
    • Blacklist MD5
    • Blacklist SHA-2
    • Merge IOCs In Blacklist
    • Replace All IOCs In Blacklist
    • Remove IOC In Blacklist
    • Download IOCs

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-symantec-cloud

Prerequisites to configuring the connector

  • You must have the URL of the Symantec Email Security.cloud server to which you will connect and perform automated operations, and credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Symantec Email Security.cloud connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Server URL: URL of the Symantec Email Security.cloud server to which you will connect and perform automated operations.
Username: Username for accessing Symantec Email Security.cloud to which you will connect and perform the automated operations.
Password: Password (stored encrypted) for accessing Symantec Email Security.cloud to which you will connect and perform the automated operations.
Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Blacklist IP Address (annotation: block_ip, category: Containment): Blocks all emails containing the IP address or IP range that you have specified as an IOC on Symantec Email Security.cloud, based on the IP address or IP range and other input parameters you have specified.
Blacklist Domain (annotation: block_domain, category: Containment): Blocks all emails containing the domain(s) that you have specified as an IOC on Symantec Email Security.cloud, based on the Domain IOC type, IOC value, and other input parameters you have specified.
Blacklist Email Address (annotation: block_email, category: Containment): Blocks all emails containing the email address(es) that you have specified as an IOC on Symantec Email Security.cloud, based on the Email IOC type, IOC value, and other input parameters you have specified.
Blacklist URL (annotation: block_url, category: Containment): Blocks all emails containing the URL(s) that you have specified as an IOC on Symantec Email Security.cloud, based on the URL(s) and other input parameters you have specified.
Block Subject Text (annotation: block_subject, category: Containment): Blocks all emails containing the subject(s) that you have specified as an IOC on Symantec Email Security.cloud, based on the subject(s) and other input parameters you have specified.
Blacklist MD5 (annotation: block_md5, category: Containment): Blocks all emails containing the MD5 value(s) that you have specified as an IOC on Symantec Email Security.cloud, based on the MD5 value(s) and other input parameters you have specified.
Blacklist SHA-2 (annotation: block_sha2, category: Containment): Blocks all emails containing the SHA-2 value(s) that you have specified as an IOC on Symantec Email Security.cloud, based on the SHA-2 value(s) and other input parameters you have specified.
Merge IOCs In Blacklist (annotation: merge_iocs, category: Containment): Adds or updates multiple IOCs of any type in a blacklist on Symantec Email Security.cloud, based on the type and value of the IOCs and other input parameters you have specified.
Replace All IOCs In Blacklist (annotation: replace_iocs, category: Containment): Replaces multiple IOCs of any type in a blacklist on Symantec Email Security.cloud, based on the type and value of the IOCs and other input parameters you have specified.
Remove IOC from Blacklist (annotation: delete_ioc, category: Remediation): Removes an IOC of any type from a blacklist on Symantec Email Security.cloud, based on the type and value of the IOC, the IOC Blacklist ID, and other input parameters you have specified.
Download IOCs (annotation: download_iocs, category: Investigation): Downloads a list of all IOCs, or of the IOCs specific to a particular domain, from Symantec Email Security.cloud in JSON or CSV format.

operation: Blacklist IP Address

Input parameters

Parameter Description
Operation Operation that you want to perform for blacklisting IP address(es), i.e., you can either Add New IOCs or Update an IOC for the IP address.
  • If you choose Add New IOCs, then in the IP Address field, enter one or more IP addresses and/or IP address ranges that you want to specify as IOCs and block on Symantec Email Security.cloud, in the CSV or List format. Each IP address must be in the form xxx.xxx.xxx.xxx, where xxx is a number from 0-255, and each IP range must be a valid IP range. For example: xx.x.xx.xx, yy.yy.yy.y, zz.zz.zz.z/zz
  • If you choose Update an IOC, then you must specify the following parameters:
    • IOC Blacklist ID: Enter a unique GUID for the IOC blacklist that you want to update on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
    • IP Address: Enter the IP address that you want to specify as an IOC and block on Symantec Email Security.cloud.
Email Direction Select the direction in which you want to block emails that contain the IP address or IP range that is specified as an IOC on Symantec Email Security.cloud. You can choose between Inbound, Outbound, or Both.
Description Description of the IOC(s), in the string format, that you are adding or updating on Symantec Email Security.cloud.
Note: The maximum length of the description is 255 characters.
Remediation Action Remediation action that you want to perform on the email on Symantec Email Security.cloud, which contains the specified IOCs in its IP address. You can choose from the following actions:
  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header

Output

The output contains the following populated JSON schema:
{
"failure_response": [],
"blacklisted_iocs": []
}

operation: Blacklist Domain

Input parameters

Parameter Description
Domain IOC Type Type of domain IOC that you want to block on Symantec Email Security.cloud. You can choose from the following types:
  • Body Sender Domain
  • Body Sender Toplevel Domain
  • Envelope Sender Domain
  • Envelope Sender Toplevel Domain
  • Recipient Domain
Operation Operation that you want to perform for blacklisting domain(s), i.e., you can either Add New IOCs or Update an IOC for the domain.
  • If you choose Add New IOCs, then in the IOC Value field, enter the actual IOC value, as per the type of domain you have selected, that you want to block on Symantec Email Security.cloud, in the CSV or List format.
    Note: The maximum length of an IOC value is 255 characters.
  • If you choose Update an IOC, then you must specify the following parameters:
    • IOC Blacklist ID: Enter a unique GUID for the IOC blacklist that you want to update on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
    • IOC Value: Actual IOC values as per the type of domain you have specified.
      Note: The maximum length of an IOC value is 255 characters.
Email Direction Select the direction in which you want to block emails that contain the domain(s) that are specified as an IOC on Symantec Email Security.cloud. You can choose between Inbound, Outbound, or Both.
Description Description of the IOC(s), in the string format, that you are adding or updating on Symantec Email Security.cloud.
Note: The maximum length of the description is 255 characters.
Remediation Action Remediation action that you want to perform on the email on Symantec Email Security.cloud, which contains the specified IOCs in its domain. You can choose from the following actions:
  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header

Output

The output contains the following populated JSON schema:
{
"failure_response": [],
"blacklisted_iocs": []
}

operation: Blacklist Email Address

Input parameters

Parameter Description
Email IOC Type Type of Email IOC that you want to block on Symantec Email Security.cloud. You can choose from the following types:
  • Body Sender Email
  • Envelope Sender Email
  • Recipient Email
Operation Operation that you want to perform for blacklisting email address(es), i.e., you can either Add New IOCs or Update an IOC for the email address.
  • If you choose Add New IOCs, then in the IOC Value field, enter the actual IOC value, as per the type of email address you have selected, that you want to block on Symantec Email Security.cloud, in the CSV or List format.
    Note: The maximum length of an IOC value is 255 characters.
  • If you choose Update an IOC, then you must specify the following parameters:
    • IOC Blacklist ID: Enter a unique GUID for the IOC blacklist that you want to update on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
    • IOC Value: Actual IOC values as per the type of email address you have specified.
      Note: The maximum length of an IOC value is 255 characters.
Email Direction Select the direction in which you want to block emails that contain the email address(es) that are specified as an IOC on Symantec Email Security.cloud. You can choose between Inbound, Outbound, or Both.
Description Description of the IOC(s), in the string format, that you are adding or updating on Symantec Email Security.cloud.
Note: The maximum length of the description is 255 characters.
Remediation Action Remediation action that you want to perform on the email on Symantec Email Security.cloud, which contains the specified IOCs in its email address. You can choose from the following actions:
  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header

Output

The output contains the following populated JSON schema:
{
"failure_response": [],
"blacklisted_iocs": []
}

operation: Blacklist URL

Input parameters

Parameter Description
Operation Operation that you want to perform for blacklisting URL(s), i.e., you can either Add New IOCs or Update an IOC for the URL.
  • If you choose Add New IOCs, then in the URL field, enter URL(s) that you want to specify as an IOC and block on Symantec Email Security.cloud, in the CSV or List format.
    Note: The maximum length of a URL is 720 characters. You can use the standard wildcard characters "*" and "?". Use "\" (backslash) as the escape character.
  • If you choose Update an IOC, then you must specify the following parameters:
    • IOC Blacklist ID: Enter a unique GUID for the IOC blacklist that you want to update on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
    • URL: Enter the URL that you want to specify as an IOC and block on Symantec Email Security.cloud.
      Note: The maximum length of a URL is 720 characters. You can use the standard wildcard characters "*" and "?". Use "\" (backslash) as the escape character.
Email Direction Select the direction in which you want to block emails that contain the URL(s) that are specified as an IOC on Symantec Email Security.cloud. You can choose between Inbound, Outbound, or Both.
Description Description of the IOC(s), in the string format, that you are adding or updating on Symantec Email Security.cloud.
Note: The maximum length of the description is 255 characters.
Remediation Action Remediation action that you want to perform on the email on Symantec Email Security.cloud, which contains the specified IOCs in its URL. You can choose from the following actions:
  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header

Output

The output contains the following populated JSON schema:
{
"failure_response": [],
"blacklisted_iocs": []
}

operation: Block Subject Text

Input parameters

Parameter Description
Operation Operation that you want to perform for blocking the subject(s), i.e., you can either Add New IOCs or Update an IOC for the subject text.
  • If you choose Add New IOCs, then in the Subject field, enter the subject that you want to specify as an IOC and block on Symantec Email Security.cloud, in the CSV or List format.
    Note: The maximum length of a subject is 1024 characters. You can use the standard wildcard characters "*" and "?". Use "\" (backslash) as the escape character.
  • If you choose Update an IOC, then you must specify the following parameters:
    • IOC Blacklist ID: Enter a unique GUID for the IOC blacklist that you want to update on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
    • Subject: Enter the subject that you want to specify as an IOC and block on Symantec Email Security.cloud.
      Note: The maximum length of a subject is 1024 characters.
Email Direction Select the direction in which you want to block emails that contain the subject that is specified as an IOC on Symantec Email Security.cloud. You can choose between Inbound, Outbound, or Both.
Description Description of the IOC(s), in the string format, that you are adding or updating on Symantec Email Security.cloud.
Note: The maximum length of the description is 255 characters.
Remediation Action Remediation action that you want to perform on the email on Symantec Email Security.cloud, which contains the specified IOCs in its subject. You can choose from the following actions:
  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header

Output

The output contains the following populated JSON schema:
{
"failure_response": [],
"blacklisted_iocs": []
}

operation: Blacklist MD5

Input parameters

Parameter Description
Operation Operation that you want to perform for blacklisting the MD5(s), i.e., you can either Add New IOCs or Update an IOC for the MD5.
  • If you choose Add New IOCs, then in the MD5 field, enter the hash value of the MD5 that you want to specify as an IOC and block on Symantec Email Security.cloud, in the CSV or List format.
    Note: The maximum length of the hash value of an MD5 is 32 characters.
  • If you choose Update an IOC, then you must specify the following parameters:
    • IOC Blacklist ID: Enter a unique GUID for the IOC blacklist that you want to update on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
    • MD5: Enter the hash value of the MD5 that you want to specify as an IOC and block on Symantec Email Security.cloud.
      Note: The maximum length of the hash value of an MD5 is 32 characters.
Email Direction Select the direction in which you want to block emails that contain the MD5 value that is specified as an IOC on Symantec Email Security.cloud. You can choose between Inbound, Outbound, or Both.
Description Description of the IOC(s), in the string format, that you are adding or updating on Symantec Email Security.cloud.
Note: The maximum length of the description is 255 characters.
Remediation Action Remediation action that you want to perform on the email on Symantec Email Security.cloud, which contains the specified MD5 values. You can choose from the following actions:
  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header

Output

The output contains the following populated JSON schema:
{
"failure_response": [],
"blacklisted_iocs": []
}

operation: Blacklist SHA-2

Input parameters

Parameter Description
Operation Operation that you want to perform for blacklisting the SHA-2(s), i.e., you can either Add New IOCs or Update an IOC for the SHA-2.
  • If you choose Add New IOCs, then in the SHA-2 field, enter the value of SHA-2 that you want to specify as an IOC and block on Symantec Email Security.cloud, in the CSV or List format.
    Note: The maximum length of the value of an SHA-2 is 64 characters.
  • If you choose Update an IOC, then you must specify the following parameters:
    • IOC Blacklist ID: Enter a unique GUID for the IOC blacklist that you want to update on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
    • SHA-2: Enter the value of SHA-2 that you want to specify as an IOC and block on Symantec Email Security.cloud.
      Note: The maximum length of the value of an SHA-2 is 64 characters.
Email Direction Select the direction in which you want to block emails that contain the SHA-2 value that is specified as an IOC on Symantec Email Security.cloud. You can choose between Inbound, Outbound, or Both.
Description Description of the IOC(s), in the string format, that you are adding or updating on Symantec Email Security.cloud.
Note: The maximum length of the description is 255 characters.
Remediation Action Remediation action that you want to perform on the email on Symantec Email Security.cloud, which contains the specified SHA-2 values. You can choose from the following actions:
  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header

Output

The output contains the following populated JSON schema:
{
"failure_response": [],
"blacklisted_iocs": []
}

operation: Merge IOCs In Blacklist

Input parameters

Parameter Description
IOC Type IOC type that describes the IOC Value, which you want to add or update in a blacklist on Symantec Email Security.cloud. You can choose from the following options: IP Address, Domain, Email, URL, Subject Text, MD5, or SHA-2.
  • If you choose IP Address, then in the IP Address field, enter either a single IP address or an IP address range that you want to specify as an IOC and add or update in a blacklist on Symantec Email Security.cloud, in the CSV or List format.
  • If you choose Domain, then you must specify the following parameters:
    • In the Domain IOC Type field, select the type of Domain IOC that you want to add or update in a blacklist on Symantec Email Security.cloud. You can choose from the following types:
      • Body Sender Domain
      • Body Sender Toplevel Domain
      • Envelope Sender Domain
      • Envelope Sender Toplevel Domain
      • Recipient Domain
    • In the Domain field, enter either a single domain or multiple domains, in the CSV or List format, that you want to specify as an IOC and add or update in a blacklist on Symantec Email Security.cloud.
  • If you choose Email, then you must specify the following parameters:
    • In the Email IOC Type field, select the type of Email IOC that you want to add or update in a blacklist on Symantec Email Security.cloud. You can choose from the following types:
      • Body Sender Email
      • Envelope Sender Email
      • Recipient Email
    • In the Email field, enter either a single email or multiple emails, in the CSV or List format, that you want to specify as an IOC and add or update in a blacklist on Symantec Email Security.cloud.
  • If you choose URL, then in the URL field, enter either a single URL or multiple URLs, in the CSV or List format, that you want to specify as an IOC and add or update in a blacklist on Symantec Email Security.cloud.
  • If you choose Subject, then in the Subject field, enter either a single subject text or multiple subject texts, in the CSV or List format, that you want to specify as an IOC and add or update in a blacklist on Symantec Email Security.cloud.
  • If you choose MD5, then in the MD5 field, enter either a single MD5 or multiple MD5s, in the CSV or List format, that you want to specify as an IOC and add or update in a blacklist on Symantec Email Security.cloud.
  • If you choose SHA-2, then in the SHA-2 field, enter either a single SHA-2 or multiple SHA-2s, in the CSV or List format, that you want to specify as an IOC and add or update in a blacklist on Symantec Email Security.cloud.
Email Direction Select the direction in which you want to block emails that contain the specified IOC on Symantec Email Security.cloud. You can choose between Inbound, Outbound, or Both.
Description Description of the IOC(s), in the string format, that you are adding or updating on Symantec Email Security.cloud.
Note: The maximum length of the description is 255 characters.
Remediation Action Remediation action that you want to perform on the email on Symantec Email Security.cloud, which contains the specified IOCs. You can choose from the following actions:
  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header

Output

The output contains the following populated JSON schema:
{
"failure_response": [],
"blacklisted_iocs": []
}
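The blacklist operations above (Blacklist IP Address through Merge IOCs In Blacklist) share the same per-type input limits, the same Email Direction and Remediation Action choices, and the same output shape. The following Python is an added example, not the connector's or Symantec's own code: a local pre-validation step a playbook could run before handing values to the connector, so that malformed entries are caught on the FortiSOAR side instead of being rejected by the service. The IOC type names, the keys inside each result entry, and all sample values are assumptions made for the example.

```python
import ipaddress
import re
from typing import Iterable, Union

# Limits stated on this page for each IOC type (characters).
MAX_LEN = {"Domain": 255, "Email": 255, "URL": 720, "Subject Text": 1024}
MAX_DESCRIPTION = 255
HEX_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
HEX_SHA2 = re.compile(r"^[0-9a-fA-F]{64}$")
WILDCARD_TYPES = {"URL", "Subject Text"}  # accept "*" and "?" wildcards, "\" as escape
VALID_DIRECTIONS = {"Inbound", "Outbound", "Both"}
VALID_ACTIONS = {"Block and Delete", "Quarantine", "Redirect", "Tag Subject", "Append Header"}


def split_values(raw: Union[str, Iterable[str]]) -> list:
    """Accept the 'CSV or List' input form the operations describe and return clean items."""
    items = raw.split(",") if isinstance(raw, str) else list(raw)
    return [str(v).strip() for v in items if str(v).strip()]


def check_ip(value: str):
    """Dotted-quad IPv4 address, or an IPv4 range in CIDR notation; returns None when valid."""
    try:
        if "/" in value:
            ipaddress.IPv4Network(value, strict=False)  # tolerate host bits set in the range
        else:
            ipaddress.IPv4Address(value)
        return None
    except ValueError:
        return "not a valid IPv4 address or IP range"


def check_escapes(value: str):
    """'\\' escapes the following character, so a value cannot end with a bare backslash."""
    i = 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 >= len(value):
                return 'trailing "\\" has nothing to escape'
            i += 2  # skip the escaped character (a literal "*", "?" or "\")
        else:
            i += 1
    return None


def check_value(ioc_type: str, value: str):
    """Return an error string if the value violates the page's limits for its type, else None."""
    if ioc_type == "IP Address":
        return check_ip(value)
    if ioc_type == "MD5":
        return None if HEX_MD5.match(value) else "MD5 must be 32 hexadecimal characters"
    if ioc_type == "SHA-2":
        return None if HEX_SHA2.match(value) else "SHA-2 must be 64 hexadecimal characters"
    if ioc_type in MAX_LEN:
        if len(value) > MAX_LEN[ioc_type]:
            return f"longer than {MAX_LEN[ioc_type]} characters"
        return check_escapes(value) if ioc_type in WILDCARD_TYPES else None
    return f"unknown IOC type {ioc_type!r}"


def prepare_blacklist(ioc_type, raw_values, direction="Both",
                      action="Quarantine", description=""):
    """Pre-validate one blacklist request before a playbook passes it to the connector.

    Returns the same shape as the operation output: entries that fail local checks go to
    "failure_response", the rest to "blacklisted_iocs". The real connector output reflects
    what the Symantec service accepted; this function only reports local validation.
    """
    if direction not in VALID_DIRECTIONS:
        raise ValueError(f"Email Direction must be one of {sorted(VALID_DIRECTIONS)}")
    if action not in VALID_ACTIONS:
        raise ValueError(f"Remediation Action must be one of {sorted(VALID_ACTIONS)}")
    if len(description) > MAX_DESCRIPTION:
        raise ValueError(f"Description longer than {MAX_DESCRIPTION} characters")
    result = {"failure_response": [], "blacklisted_iocs": []}
    seen = set()
    for value in split_values(raw_values):
        if value in seen:  # a value repeated in the CSV/list input is submitted once
            continue
        seen.add(value)
        error = check_value(ioc_type, value)
        if error:
            result["failure_response"].append({"ioc_value": value, "reason": error})
        else:
            result["blacklisted_iocs"].append({
                "ioc_type": ioc_type, "ioc_value": value,
                "email_direction": direction, "remediation_action": action,
                "description": description,
            })
    return result


if __name__ == "__main__":
    # Constructed sample: two valid entries and one with an out-of-range octet.
    print(prepare_blacklist("IP Address", "198.51.100.7, 203.0.113.0/24, 300.1.1.1",
                            direction="Inbound", action="Block and Delete",
                            description="constructed example"))
```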

operation: Replace All IOCs In Blacklist

Input parameters

Parameter Description
IOC Type IOC type that describes the IOC Value, which you want to replace in a blacklist on Symantec Email Security.cloud. You can choose from the following options: IP Address, Domain, Email, URL, Subject, MD5, or SHA-2.
  • If you choose IP Address, then in the IP Address field, enter either a single IP address or an IP address range that you want to specify as an IOC and replace in a blacklist on Symantec Email Security.cloud, in the CSV or List format.
  • If you choose Domain, then you must specify the following parameters:
    • In the Domain IOC Type field, select the type of Domain IOC that you want to replace in a blacklist on Symantec Email Security.cloud. You can choose from the following types:
      • Body Sender Domain
      • Body Sender Toplevel Domain
      • Envelope Sender Domain
      • Envelope Sender Toplevel Domain
      • Recipient Domain
    • In the Domain field, enter either a single domain or multiple domains, in the CSV or List format, that you want to specify as an IOC and replace in a blacklist on Symantec Email Security.cloud.
  • If you choose Email, then you must specify the following parameters:
    • In the Email IOC Type field, select the type of Email IOC that you want to replace in a blacklist on Symantec Email Security.cloud. You can choose from the following types:
      • Body Sender Email
      • Envelope Sender Email
      • Recipient Email
    • In the Email field, enter either a single email or multiple emails, in the CSV or List format, that you want to specify as an IOC and replace in a blacklist on Symantec Email Security.cloud.
  • If you choose URL, then in the URL field, enter either a URL or multiple URLs, in the CSV or List format, that you want to specify as an IOC and replace in a blacklist on Symantec Email Security.cloud.
  • If you choose Subject, then in the Subject field, enter either a subject or multiple subjects, in the CSV or List format, that you want to specify as an IOC and replace in a blacklist on Symantec Email Security.cloud.
  • If you choose MD5, then in the MD5 field, enter either a single MD5 hash value or multiple MD5 hash values, in the CSV or List format, that you want to specify as an IOC and replace in a blacklist on Symantec Email Security.cloud.
  • If you choose SHA-2, then in the SHA-2 field, enter either a single SHA-2 hash value or multiple SHA-2 hash values, in the CSV or List format, that you want to specify as an IOC and replace in a blacklist on Symantec Email Security.cloud.
Email Direction Select the direction in which you want to block emails that contain the specified IOC on Symantec Email Security.cloud. You can choose between Inbound, Outbound, or Both.
Description Description of the IOC(s), in the string format, that you are adding or updating on Symantec Email Security.cloud.
Note: The maximum length of the description is 255 characters.
Remediation Action Remediation action that you want to perform on the email on Symantec Email Security.cloud, which contains the specified IOCs. You can choose from the following actions:
  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header

Output

The output contains the following populated JSON schema:
{
"failure_response": [],
"blacklisted_iocs": []
}

operation: Remove IOC from Blacklist

Input parameters

Parameter Description
IOC Type IOC type that describes the IOC Value, which you want to remove from a blacklist on Symantec Email Security.cloud. You can choose from the following options: IP Address, Domain, Email, URL, Subject, MD5, or SHA-2.
  • If you choose IP Address, then you must specify the following parameters:
    • In the IOC Value field, enter the value of the IP Address IOC that you want to remove from a blacklist on Symantec Email Security.cloud.
    • In the IOC Blacklist ID field, enter the unique GUID for the IOC blacklist from which you want to remove the specified IOC on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
  • If you choose Domain, then you must specify the following parameters:
    • In the Domain IOC Type field, select the type of Domain IOC that you want to remove from a blacklist on Symantec Email Security.cloud. You can choose from the following types:
      • Body Sender Domain
      • Body Sender Toplevel Domain
      • Envelope Sender Domain
      • Envelope Sender Toplevel Domain
      • Recipient Domain
    • In the IOC Value field, enter the value of the Domain IOC that you want to remove from a blacklist on Symantec Email Security.cloud.
    • In the IOC Blacklist ID field, enter the unique GUID for the IOC Blacklist from which you want to remove the specified IOC on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
  • If you choose Email, then you must specify the following parameters:
    • In the Email IOC Type field, select the type of Email IOC that you want to remove from a blacklist on Symantec Email Security.cloud. You can choose from the following types:
      • Body Sender Email
      • Envelope Sender Email
      • Recipient Email
    • In the IOC Value field, enter the value of the Email IOC that you want to remove from a blacklist on Symantec Email Security.cloud.
    • In the IOC Blacklist ID field, enter the unique GUID for the IOC Blacklist from which you want to remove the specified IOC on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
  • If you choose URL, then you must specify the following parameters:
    • In the IOC Value field, enter the value of the URL IOC that you want to remove from a blacklist on Symantec Email Security.cloud.
    • In the IOC Blacklist ID field, enter the unique GUID for the IOC blacklist from which you want to remove the specified IOC on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
  • If you choose Subject, then you must specify the following parameters:
    • In the IOC Value field, enter the value of the Subject IOC that you want to remove from a blacklist on Symantec Email Security.cloud.
    • In the IOC Blacklist ID field, enter the unique GUID for the IOC blacklist from which you want to remove the specified IOC on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
  • If you choose MD5, then you must specify the following parameters:
    • In the IOC Value field, enter the value of the MD5 IOC that you want to remove from a blacklist on Symantec Email Security.cloud.
    • In the IOC Blacklist ID field, enter the unique GUID for the IOC blacklist from which you want to remove the specified IOC on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
  • If you choose SHA-2, then you must specify the following parameters:
    • In the IOC Value field, enter the value of the SHA-2 IOC that you want to remove from a blacklist on Symantec Email Security.cloud.
    • In the IOC Blacklist ID field, enter the unique GUID for the IOC blacklist from which you want to remove the specified IOC on Symantec Email Security.cloud.
      Note: You can get the IOC Blacklist ID using the Download IOCs action.
Email Direction Select the direction in which you want to block emails that contain the specified IOC on Symantec Email Security.cloud. You can choose between Inbound, Outbound, or Both.
Description Description of the IOC(s), in the string format, that you are adding or updating on Symantec Email Security.cloud.
Note: The maximum length of the description is 255 characters.
Remediation Action Remediation action that you want to perform on the email on Symantec Email Security.cloud, which contains the specified IOCs. You can choose from the following actions:
  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header

Output

The output contains the following populated JSON schema:
{
"failure_response": [],
"blacklisted_iocs": []
}

operation: Download IOCs

Input parameters

Parameter Description
Response Format Select the format in which you want to download the IOCs from Symantec Email Security.cloud. You can choose between the CSV or JSON formats.
Domain Name Specify the name of the domain whose associated IOCs you want to download from Symantec Email Security.cloud, or specify global to download the IOCs for all domains.

Output

The output contains the following populated JSON schema:
{
"attachments_iri": "",
"file_iri": ""
}

Included playbooks

The Sample - Symantec Cloud Email Security.cloud - 2.0.0 playbook collection comes bundled with the Symantec Email Security.cloud connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec Email Security.cloud connector.

  • Blacklist Domain
  • Blacklist Email Address
  • Blacklist IP Address
  • Blacklist MD5
  • Blacklist SHA-2
  • Blacklist URL
  • Block Subject Text
  • Download IOCs
  • Merge IOCs In Blacklist
  • Replace All IOCs In Blacklist
  • Remove IOC from Blacklist

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

