Fortinet Document Library

Symantec Security Analytics

Version: 2.0.0

About the connector

The Symantec Security Analytics connector provides automated operations for advanced network forensics and real-time content inspection of all network traffic.

This document provides information about the Symantec Security Analytics connector, which facilitates automated interactions with a Symantec Security Analytics server using FortiSOAR™ playbooks. Add the Symantec Security Analytics connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of sensors or alerts from Symantec Security Analytics based on the input parameters you have specified, or initiating artifact extraction from Symantec Security Analytics based on the extraction type and other input parameters you have specified.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 4.12.0-746

Authored By: Fortinet 

Certified: Yes

Release Notes for version 2.0.0

The following enhancements have been made to the Symantec Security Analytics connector in version 2.0.0:

  • CyberSponse has certified this connector. The earlier release of the Symantec Security Analytics connector was uncertified.
  • Added the Advanced Filter parameter to all the operations, except the Get Sensor List and List All Enrichment Providers operations.

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-symantec-security-analytics

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of the Symantec Security Analytics server to which you will connect and perform automated operations, and the username to access that server.
  • You must have the API key to access the Symantec Security Analytics CMC API.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the connectors page, select the Symantec Security Analytics connector row, and in the Configure tab enter the required configuration details.

Server URL: URL of the Symantec Security Analytics CMC server to which you will connect and perform automated operations.
Port: Port number to connect to the Symantec Security Analytics CMC server.
Username: Username to access the Symantec Security Analytics CMC server.
Symantec CMC API Key: API key to access the Symantec Security Analytics CMC API.
Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Get Sensor List: Retrieves a list of sensors from Symantec Security Analytics, based on the input parameters you have specified. Annotation: get_sensor; Category: Investigation
Get Alerts: Retrieves a list of alerts from Symantec Security Analytics, based on the time range and other input parameters you have specified. Annotation: get_alerts; Category: Investigation
Get Alerts Timeline Data: Retrieves the histogram of alerts from Symantec Security Analytics, based on the time range and other input parameters you have specified. Annotation: get_alerts; Category: Investigation
Start Artifact Extractions: Initiates artifact extraction from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. Annotation: start_extractions; Category: Investigation
Start Extractions for MD5: Initiates artifact extraction on the MD5 hash from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. Annotation: start_extractions; Category: Investigation
Start Extractions for SHA1: Initiates artifact extraction on the SHA1 from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. Annotation: start_extractions; Category: Investigation
Start Extractions for SHA256: Initiates artifact extraction on the SHA256 from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. Annotation: start_extractions; Category: Investigation
Start Extractions for IP Address: Initiates artifact extraction on the IP address from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. Annotation: start_extractions; Category: Investigation
Start Extractions for Port: Initiates artifact extraction on the port number from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. Annotation: start_extractions; Category: Investigation
Start Extractions for Protocol: Initiates artifact extraction on the protocol from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. Annotation: start_extractions; Category: Investigation
Search for Artifacts in Extraction: Retrieves details about an artifact from Symantec Security Analytics, based on the artifact ID, search ID, and other input parameters you have specified. Annotation: get_sensor; Category: Investigation
Get Artifact Reputation: Retrieves the reputation of an artifact from a specified provider, from Symantec Security Analytics, based on the artifact ID and other input parameters you have specified. Annotation: get_artifact_reputation; Category: Investigation
Get Sensors Status: Retrieves the status of all sensors or specific sensors from Symantec Security Analytics, based on the sensor or appliance ID you have specified. Annotation: get_sensor_status; Category: Investigation
Get Artifact Rootcause: Retrieves the referrer chain of an artifact from Symantec Security Analytics, based on the artifact ID, artifact search ID, and other input parameters you have specified. Annotation: get_artifact_rootcause; Category: Investigation
List All Enrichment Providers: Retrieves a list of all enrichment providers from Symantec Security Analytics. Annotation: get_providers; Category: Investigation

operation: Get Sensor List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criteria are applied and an unfiltered list is returned.

Sort: Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. You can use one of the following keys: "Name", "Model", "Connected", "Capturing", or "Last Selected".
Sort By: Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either the Ascending or Descending order.
Page Number: Page number from which you want to request data from Symantec Security Analytics.
Max Number of Records Per Page: Maximum number of records that the operation should fetch per page from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": [
         {
             "Appliance": {
                 "name": "",
                 "cmc_proxy_key": "",
                 "connected": "",
                 "meta_data": {
                     "deepsee": {
                         "licensed": ""
                     },
                     "version": "",
                     "licensed": "",
                     "eval": "",
                     "appliance_box": "",
                     "capture": {
                         "licensed": ""
                     },
                     "manager_box": "",
                     "cmc_management": {
                         "licensed": ""
                     },
                     "build": "",
                     "model": ""
                 },
                 "capturing": false,
                 "api": "",
                 "last_selected": "",
                 "id": "",
                 "model": "",
                 "host": "",
                 "cmc_proxy_key_hash": ""
             },
             "ApplianceAuth": [
                 {
                     "User": {
                         "name": "",
                         "api_key": "",
                         "unit_network": "",
                         "accept_eula": "",
                         "email": "",
                         "role": "",
                         "local": "",
                         "failed_auth_attempts": "",
                         "eula_date": "",
                         "pagination_limit": "",
                         "id": "",
                         "username": "",
                         "account_disabled": ""
                     },
                     "remote_username": "",
                     "user_id": "",
                     "auto_assigned": "",
                     "id": "",
                     "updated": "",
                     "role": "",
                     "appliance_id": ""
                 }
             ],
             "GroupAppliance": [
                 {
                     "id": "",
                     "group_id": "",
                     "Group": {
                         "description": "",
                         "deepsee": "",
                         "groupname": "",
                         "id": "",
                         "remote": "",
                         "default": "",
                         "outside_groups": ""
                     },
                     "appliance_id": ""
                 }
             ],
             "Label": []
         }
     ],
     "validationErrors": {
         "Appliance": [],
         "User": [],
         "UserRemoteGroup": [],
         "Label": [],
         "Group": [],
         "ApplianceAuth": [],
         "GroupAppliance": [],
         "Meta": []
     },
     "paging": {
         "Appliance": {
             "nextPage": "",
             "count": "",
             "prevPage": "",
             "order": {
                 "Appliance.name": ""
             },
             "options": {
                 "page": "",
                 "order": {
                     "Appliance.name": ""
                 }
             },
             "current": "",
             "page": "",
             "paramType": "",
             "limit": "",
             "pageCount": ""
         }
     },
     "messages": []
}

operation: Get Alerts

Input parameters

Filter Key (Optional): Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional): Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value (Optional): Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Sensor ID (Appliance ID) (Optional): Sensor ID or Appliance ID based on which you want to pull alerts from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Start Date: Start date and time from which you want to pull alerts from Symantec Security Analytics.
End Date: End date and time up to which you want to pull alerts from Symantec Security Analytics.
Sort By (Optional): Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either the Ascending or Descending order.
Page Number (Optional): Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional): Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Advanced Filter (Optional): Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "rows": [],
         "pageCount": ""
     },
     "validationErrors": {
         "Meta": [],
         "NotificationAlert": [],
         "res": [],
         "NotificationAlertHit": []
     },
     "paging": {
         "NotificationAlert": {
             "nextPage": "",
             "count": "",
             "prevPage": "",
             "order": {
                 "NotificationAlert.modified_date": ""
             },
             "options": {
                 "order": {
                     "NotificationAlert.modified_date": ""
                 }
             },
             "current": "",
             "page": "",
             "paramType": "",
             "limit": "",
             "pageCount": ""
         }
     },
     "messages": []
}

operation: Get Alerts Timeline Data

Input parameters

Filter Key (Optional): Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional): Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value (Optional): Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date: Start date and time from which you want to pull alerts from Symantec Security Analytics.
End Date: End date and time up to which you want to pull alerts from Symantec Security Analytics.
Sensor ID (Appliance ID) (Optional): Sensor ID or Appliance ID based on which you want to pull alerts from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Advanced Filter (Optional): Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "rows": []
     },
     "validationErrors": {
         "Meta": [],
         "NotificationAlert": [],
         "res": []
     },
     "paging": [],
     "messages": []
}

operation: Start Artifact Extractions

Input parameters

Sensor ID (Appliance ID) (Optional): Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Select Extraction Type: Extraction type based on which you want to pull records from Symantec Security Analytics. You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional): Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional): Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value (Optional): Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional): Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional): End date and time up to which you want to pull records from Symantec Security Analytics.
Page Number (Optional): Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional): Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional): Maximum number of times the connector checks whether the action has completed.
Sort By (Optional): Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size. For "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional): Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations". Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either the Ascending or Descending order.
Advanced Filter (Optional): Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}
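Added example (not the connector's own code, nor Symantec's): helper logic for preparing the Start Artifact Extractions inputs described in the table above and for polling the extraction result up to the Check Action Finish Count, using fields from the output schema. The `poll` callable, and the completion criteria on `percentcomplete` and `killed`, are assumptions; the operator, extraction-type and sort-key lists come from this page.

```python
"""Added example (not part of the Fortinet connector or Symantec code): input
preparation for Start Artifact Extractions and polling of its result."""
from typing import Any, Callable, Dict, List, Optional, Sequence, Tuple, Union

# Operators the Filter Operator parameter accepts, as listed on this page.
FILTER_OPERATORS = ("=", "!=", "~", "!~", ">", ">=", "<", "<=")

# Sort keys per extraction type; Sort By / Direction apply only to these two.
SORT_KEYS = {
    "Artifacts Timeline": ("Date", "Source", "Type", "Size"),
    "IM Conversations": ("Date", "Source", "Type", "Size",
                         "Sender", "Recipient", "Subject"),
}


def normalize_sensor_ids(value: Union[None, str, Sequence[Any]]) -> List[str]:
    """Accept Sensor ID(Appliance ID) as CSV text or as a list.

    An empty value means the documented default, All Sensors, returned as [].
    """
    if value is None:
        return []
    items = value.split(",") if isinstance(value, str) else list(value)
    return [str(item).strip() for item in items if str(item).strip()]


def build_filter(key: Optional[str], operator: Optional[str],
                 value: Optional[str]) -> Optional[Dict[str, str]]:
    """Combine Filter Key / Filter Operator / Filter Value into one filter.

    Each part is optional, but they only make sense together: returns None when
    none is given, and rejects a partial triple or an operator not on the list.
    """
    parts = (key, operator, value)
    if all(p in (None, "") for p in parts):
        return None
    if any(p in (None, "") for p in parts):
        raise ValueError("Filter Key, Filter Operator and Filter Value "
                         "must be given together")
    if operator not in FILTER_OPERATORS:
        raise ValueError(f"unsupported Filter Operator {operator!r}")
    return {"key": key, "operator": operator, "value": value}


def validate_sort(extraction_type: str, sort_by: Optional[str],
                  direction: Optional[str]) -> Optional[Dict[str, str]]:
    """Check Sort By / Direction against the keys allowed for the extraction type.

    For "Artifacts" the page says these parameters do not apply, so they are
    dropped (None) rather than sent.
    """
    keys = SORT_KEYS.get(extraction_type)
    if keys is None or not sort_by:
        return None
    if sort_by not in keys:
        raise ValueError(f"Sort By {sort_by!r} is not valid for {extraction_type!r}")
    if direction not in ("Ascending", "Descending"):
        raise ValueError("Direction must be Ascending or Descending")
    return {"sort_by": sort_by, "direction": direction}


def _percent(raw: Any) -> float:
    """percentcomplete is text in the output schema; treat blanks as 0."""
    try:
        return float(raw)
    except (TypeError, ValueError):
        return 0.0


def wait_for_extraction(poll: Callable[[], Dict[str, Any]],
                        check_count: int) -> Tuple[bool, Dict[str, Any]]:
    """Poll an extraction at most check_count times (Check Action Finish Count).

    poll() stands in for re-reading the extraction result and returns a dict in
    the shape of the output schema above. Assumptions not stated on the page:
    the extraction is finished when result.percentcomplete reaches 100, and a
    truthy result.killed means it was aborted. Returns (finished, last_result).
    """
    last: Dict[str, Any] = {}
    for _ in range(max(1, check_count)):
        last = poll()
        result = last.get("result") or {}
        if result.get("killed"):
            return False, last
        if _percent(result.get("percentcomplete")) >= 100:
            return True, last
    return False, last
```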

operation: Start Extractions for MD5

Input parameters

Sensor ID (Appliance ID) (Optional): Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Select Extraction Type: Extraction type based on which you want to pull records from Symantec Security Analytics. You can use one of the following extraction types: "Artifacts" or "Artifacts Timeline".
Filter Key (Optional): Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional): Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value (Optional): Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional): Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional): End date and time up to which you want to pull records from Symantec Security Analytics.
Page Number (Optional): Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional): Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional): Maximum number of times the connector checks whether the action has completed.
Sort By (Optional): Only applicable if your extraction type is "Artifacts Timeline". Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
Direction (Optional): Only applicable if your extraction type is "Artifacts Timeline". Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either the Ascending or Descending order.
Advanced Filter (Optional): Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for SHA1

Input parameters

Sensor ID (Appliance ID) (Optional): Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Select Extraction Type: Extraction type based on which you want to pull records from Symantec Security Analytics. You can use one of the following extraction types: "Artifacts" or "Artifacts Timeline".
Filter Key (Optional): Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional): Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value (Optional): Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional): Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional): End date and time up to which you want to pull records from Symantec Security Analytics.
Page Number (Optional): Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional): Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional): Maximum number of times the connector checks whether the action has completed.
Sort By (Optional): Only applicable if your extraction type is "Artifacts Timeline". Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
Direction (Optional): Only applicable if your extraction type is "Artifacts Timeline". Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either the Ascending or Descending order.
Advanced Filter (Optional): Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                  "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for SHA256

Input parameters

Sensor ID (Appliance ID) (Optional): Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors. Note: You can specify IDs in CSV or list format.
Select Extraction Type: Extraction type based on which you want to pull records from Symantec Security Analytics. You can use one of the following extraction types: "Artifacts" or "Artifacts Timeline".
Filter Key (Optional): Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional): Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics. You can use one of the following operators: "=", "!=", "~", "!~", ">", ">=", "<", "<=".
Filter Value (Optional): Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional): Start date and time from which you want to pull records from Symantec Security Analytics.
End Date (Optional): End date and time up to which you want to pull records from Symantec Security Analytics.
Page Number (Optional): Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional): Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional): Maximum number of times the connector checks whether the action has completed.
Sort By (Optional): Only applicable if your extraction type is "Artifacts Timeline". Sort key that you can apply to the result that is retrieved from Symantec Security Analytics. For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
Direction (Optional): Only applicable if your extraction type is "Artifacts Timeline". Sort order that you can apply to the result that is retrieved from Symantec Security Analytics. You can choose either the Ascending or Descending order.
Advanced Filter (Optional): Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for IP Address

Input parameters

Parameter Description
Sensor ID (Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort key to apply to the result that is retrieved from Symantec Security Analytics.
For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
For "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order to apply to the result that is retrieved from Symantec Security Analytics.
You can choose either Ascending or Descending order.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for Port

Input parameters

Parameter Description
Sensor ID (Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort key to apply to the result that is retrieved from Symantec Security Analytics.
For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
For "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order to apply to the result that is retrieved from Symantec Security Analytics.
You can choose either Ascending or Descending order.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for Protocol

Input parameters

Parameter Description
Sensor ID (Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time until which you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort key to apply to the result that is retrieved from Symantec Security Analytics.
For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
For "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order to apply to the result that is retrieved from Symantec Security Analytics.
You can choose either Ascending or Descending order.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.
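The Start Extractions operations on this page (IP Address, Port, Protocol and the earlier one) share the Check Action Finish Count parameter and the Filter Key / Filter Operator / Filter Value triple. The Python below is an added example, not the connector's own code: it bounds status polling by a finish count and applies the eight listed operators to rows shaped like result.sorted_artifacts from the output schema. The regex meaning of "~" and "!~", the percentcomplete == 100 completion test, the dotted-key syntax and every sample value are assumptions, not facts from the page.

```python
"""Added example (not the connector's code): client-side handling of Check Action Finish
Count and the Filter Key / Operator / Value parameters over result.sorted_artifacts rows.
Assumed: "~" / "!~" are regex match / no match; percentcomplete == 100 means finished."""
import operator
import re
from typing import Any, Callable, Dict, List, Optional

# The eight operators the page lists for Filter Operator.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "=": operator.eq,
    "!=": operator.ne,
    "~": lambda actual, pat: re.search(str(pat), str(actual)) is not None,  # assumed regex match
    "!~": lambda actual, pat: re.search(str(pat), str(actual)) is None,     # assumed no match
    ">": operator.gt,
    ">=": operator.ge,
    "<": operator.lt,
    "<=": operator.le,
}


def _coerce(value: Any) -> Any:
    """Schema fields such as filesize arrive as strings; compare numerically when they parse."""
    if not isinstance(value, str):
        return value
    for cast in (int, float):
        try:
            return cast(value)
        except ValueError:
            continue
    return value


def _lookup(record: Dict[str, Any], dotted_key: str) -> Any:
    """Resolve an assumed dotted key such as 'Artifact.meta_info.response_code' in one row."""
    node: Any = record
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def apply_advanced_filter(rows: List[Dict[str, Any]], key: str, op: str, value: Any) -> List[Dict[str, Any]]:
    """Keep only rows whose `key` satisfies `<key> <op> <value>`; unknown operators are rejected."""
    if op not in OPERATORS:
        raise ValueError(f"unsupported filter operator {op!r}; expected one of {sorted(OPERATORS)}")
    compare = OPERATORS[op]
    kept: List[Dict[str, Any]] = []
    for row in rows:
        actual = _lookup(row, key)
        if actual is None:
            continue  # a missing key never matches, so a mistyped key cannot pass everything through
        try:
            if compare(_coerce(actual), _coerce(value)):
                kept.append(row)
        except TypeError:
            continue  # e.g. ">" between a string and a number counts as no match
    return kept


def wait_for_extraction(poll: Callable[[], Dict[str, Any]], finish_count: int) -> Optional[Dict[str, Any]]:
    """Call `poll` at most `finish_count` times, the bound Check Action Finish Count places on
    status checks, and return the result once it reports completion or a kill; else None."""
    for _ in range(finish_count):
        result = poll()
        if str(result.get("killed", "")).lower() in ("1", "true"):
            return result  # search killed on the appliance: stop polling and let the caller inspect it
        if _coerce(result.get("percentcomplete")) == 100:
            return result
    return None


# Constructed sample rows in the shape of result.sorted_artifacts; every value is made up.
SAMPLE_SORTED_ARTIFACTS: List[Dict[str, Any]] = [
    {"Artifact": {"id": "11", "filename": "logo.png", "mime_type": "image/png", "filesize": "2048",
                  "protocol": "http", "meta_info": {"method": "GET", "response_code": "200"}}},
    {"Artifact": {"id": "12", "filename": "update.exe", "mime_type": "application/x-dosexec",
                  "filesize": "512000", "protocol": "http",
                  "meta_info": {"method": "GET", "response_code": "200"}}},
    {"Artifact": {"id": "13", "filename": "page.html", "mime_type": "text/html", "filesize": "900",
                  "protocol": "http", "meta_info": {"method": "POST", "response_code": "404"}}},
]


if __name__ == "__main__":
    # A constructed status sequence standing in for repeated calls to the extraction endpoint.
    polls = iter([{"percentcomplete": "35"},
                  {"percentcomplete": "100", "sorted_artifacts": SAMPLE_SORTED_ARTIFACTS}])
    done = wait_for_extraction(lambda: next(polls), finish_count=5)
    rows = done["sorted_artifacts"] if done else []
    for key, op, value in (("Artifact.filesize", ">", "1000"),
                           ("Artifact.mime_type", "!~", "^image/"),
                           ("Artifact.meta_info.response_code", "=", 404)):
        ids = [r["Artifact"]["id"] for r in apply_advanced_filter(rows, key, op, value)]
        print(f"{key} {op} {value!r}: {ids}")
```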

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Search for Artifacts in Extraction

Input parameters

Parameter Description
Sensor ID (Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose details you want to retrieve from Symantec Security Analytics. Defaults to 1.
Search ID Search ID that is generated from the extraction based on which you want to retrieve artifact details from Symantec Security Analytics. Defaults to 1.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "artifacts": [
             {
                 "Artifact": {
                     "capture_end_nanoseconds": "",
                     "source_port": "",
                     "pcap_path": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "referer": "",
                     "filesize": "",
                     "meta_info": [],
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "protocol": "",
                     "title": "",
                     "destination_port": "",
                     "sha1": "",
                     "filename": "",
                     "icon": "",
                     "md5": "",
                     "fuzzy": "",
                     "capture_start_nanoseconds": "",
                     "source_ip": "",
                     "session_id": "",
                     "height": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 },
                 "PresentedFilename": {
                     "value": ""
                 }
             }
         ]
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "res": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "MetaInfo": []
     },
     "paging": [],
     "messages": []
}

operation: Get Artifact Reputation

Input parameters

Parameter Description
Sensor ID (Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose reputation you want to retrieve from Symantec Security Analytics. Defaults to 1.
Provider UUID (Optional) UUID of the provider whose artifact reputation you want to retrieve from Symantec Security Analytics.
Artifact Field (Optional) Artifact field based on which you want to retrieve the reputation of the artifact from Symantec Security Analytics.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "reputation_results": {
             "provider_responses": [
                 {
                     "name": "",
                     "value": "",
                     "success": "",
                     "response": {
                         "flags": [],
                         "responses": {
                             "Anti Virus Engine Count": "",
                             "Artifact": "",
                             "SHA256 Hash": "",
                             "First Seen Date": "",
                             "GIN Blacklist": "",
                             "SHA1 Hash": "",
                             "Whitelist Lookup": "",
                             "Anti Virus Engines": "",
                             "MD5 Hash": "",
                             "score": ""
                         },
                         "result": "",
                         "score": "",
                         "status": "",
                         "value": ""
                     },
                     "score": "",
                     "integration_provider": {
                         "name": "",
                         "licensed": "",
                         "uuid": "",
                         "integration_provider_tonic_actions": [],
                         "last_modified_date": "",
                         "integration_provider_category_uuid": "",
                         "integration_provider_type": {
                             "name": "",
                             "creatable": "",
                             "last_modified_date": "",
                             "bigfile": "",
                             "deletable": "",
                             "internal_name": "",
                             "league": "",
                             "edit_type": "",
                             "pivot_only": "",
                             "abyssal": "",
                             "associate_with_action": "",
                             "user_initiated": ""
                         },
                         "integration_provider_category": {
                             "name": ""
                         },
                         "data": {
                             "type": "",
                             "integration_provider_uuid": "",
                             "category": ""
                         },
                         "active": "",
                         "integration_provider_type_field_set": {
                             "name": ""
                         },
                         "pivot_url": "",
                         "description": "",
                         "integration_provider_type_uuid": "",
                         "ordinal": "",
                         "class_type": "",
                         "appliance_id": ""
                     },
                     "request_id": ""
                 }
             ],
             "cacheIds": [],
             "score": "",
             "flags": [],
             "result": "",
             "artifact": {
                 "capture_end_nanoseconds": "",
                 "source_port": "",
                 "flow_id": "",
                 "hw_ratio": "",
                 "derived_type": "",
                 "magic_type": "",
                 "width": "",
                 "host": "",
                 "height": "",
                 "meta_info": {
                     "method": "",
                     "filename": "",
                     "response_code": "",
                     "request_headers": "",
                     "response_headers": ""
                 },
                 "filesize": "",
                 "wh_ratio": "",
                 "capture_start_nanoseconds": "",
                 "pcap_path": "",
                 "id": "",
                 "capture_start_time": "",
                 "extension": "",
                 "capture_end_time": "",
                 "original_filename": "",
                 "sha256": "",
                 "mime_type": "",
                 "destination_ip": "",
                 "protocol": "",
                 "title": "",
                 "destination_port": "",
                 "icon": "",
                 "filename": "",
                 "md5": "",
                 "fuzzy": "",
                 "sha1": "",
                 "source_ip": "",
                 "session_id": "",
                 "referer": "",
                 "artifact_search_id": ""
             },
             "status": "",
             "responses": []
         }
     },
     "validationErrors": {
         "Artifact": [],
         "ipt": [],
         "res": [],
         "Reputation": [],
         "ip": [],
         "Meta": [],
         "MetaInfo": []
     },
     "paging": [],
     "messages": []
}

operation: Get Sensors Status

Input parameters

Parameter Description
Sensor ID (Appliance ID) (Optional) Sensor ID or Appliance ID whose status you want to retrieve from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "applianceStatuses": {}
     },
     "validationErrors": {
         "Appliance": [],
         "LocalRepository": [],
         "UserRemoteGroup": [],
         "Label": [],
         "ApplianceAuth": [],
         "Meta": [],
         "User": []
     },
     "paging": [],
     "messages": ""
}

operation: Get Artifact Rootcause

Input parameters

Parameter Description
Sensor ID (Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull the artifact rootcause from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose rootcause you want to retrieve from Symantec Security Analytics. Defaults to 1.
Artifact Search ID Artifact Search ID that is generated from the extraction based on which you want to retrieve the artifact rootcause from Symantec Security Analytics.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "referer": [],
         "ims": "",
         "applianceArtifactSearches": [],
         "emails": ""
     },
     "validationErrors": {
         "Appliance": [],
         "ApplianceAuth": [],
         "Artifact": [],
         "UserRemoteGroup": [],
         "ArtifactSearch": [],
         "Label": [],
         "Meta": [],
         "User": [],
         "ApplianceArtifactSearch": []
     },
     "paging": [],
     "messages": []
}

operation: List All Enrichment Providers

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "pageCount": "",
         "rows": [
             {
                 "name": "",
                 "licensed": "",
                 "uuid": "",
                 "integration_provider_tonic_actions": [],
                 "last_modified_date": "",
                 "integration_provider_category_uuid": "",
                 "integration_provider_type": {
                     "name": "",
                     "creatable": "",
                     "last_modified_date": "",
                     "pivot_only": "",
                     "deletable": "",
                     "associate_with_action": "",
                     "league": "",
                     "edit_type": "",
                     "bigfile": "",
                     "abyssal": "",
                     "internal_name": "",
                     "user_initiated": ""
                 },
                 "description": "",
                 "data": "",
                 "active": "",
                 "integration_provider_type_field_set": {
                     "name": ""
                 },
                 "pivot_url": "",
                 "integration_provider_category": {
                     "name": ""
                 },
                 "integration_provider_type_uuid": "",
                 "ordinal": "",
                 "class_type": "",
                 "appliance_id": ""
             }
         ]
     },
     "validationErrors": {
         "User": [],
         "Appliance": [],
         "UserRemoteGroup": [],
         "Label": [],
         "ApplianceAuth": [],
         "ip": [],
         "Meta": [],
         "ipt": []
     },
     "paging": [],
     "messages": []
}
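The two output schemas above (Get Artifact Rootcause and List All Enrichment Providers) share the connector's response envelope: a top-level "errors" list, a "validationErrors" object keyed by model name, and the payload under "result". The following Python is an added example, not code from the Fortinet documentation or from the connector itself, showing how a playbook post-processing step can reject a response whose envelope reports problems, pick out the enrichment providers that are both licensed and active, and read the referrer chain from a root-cause result. Everything in the sample responses is constructed; the function names, the assumption that flags such as "licensed" and "active" arrive as booleans or as strings like "1"/"true", and the assumption that "result.referer" is a list of URL strings are mine, not documented on this page.

```python
# Added example: helpers for the JSON envelope returned by the Symantec Security
# Analytics connector operations. Not part of the connector or the Fortinet docs.
# Assumptions (not stated on the page): "licensed"/"active" are booleans or strings
# such as "1"/"true"; "result.referer" is an ordered list of URL strings.
import json
from typing import Any, Dict, List


class ConnectorResponseError(Exception):
    """Raised when the response envelope reports errors or validation errors."""


def parse_response(text: str) -> Dict[str, Any]:
    """Decode the raw JSON text of a connector response into a dict."""
    return json.loads(text)


def envelope_problems(resp: Dict[str, Any]) -> List[str]:
    """Describe every problem the envelope reports; an empty list means success.

    "errors" is a flat list; "validationErrors" maps a model name (Artifact,
    ArtifactSearch, ...) to a list that is non-empty when input for that model
    was rejected, so each non-empty bucket is reported separately.
    """
    problems: List[str] = []
    for err in resp.get("errors") or []:
        problems.append(f"errors: {err}")
    for model, errs in (resp.get("validationErrors") or {}).items():
        if errs:
            problems.append(f"validationErrors.{model}: {errs}")
    return problems


def result_or_raise(resp: Dict[str, Any]) -> Any:
    """Return resp["result"], raising ConnectorResponseError on any envelope problem."""
    problems = envelope_problems(resp)
    if problems:
        raise ConnectorResponseError("; ".join(problems))
    return resp.get("result")


def _flag(value: Any) -> bool:
    """Interpret a flag that may arrive as bool, number, or string ("1", "true", "yes")."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    return str(value).strip().lower() in {"1", "true", "yes"}


def active_licensed_providers(resp: Dict[str, Any]) -> List[str]:
    """Names (sorted) of providers in a List All Enrichment Providers result that are
    both licensed and active; rows failing either flag are dropped."""
    result = result_or_raise(resp)
    rows = result.get("rows") or [] if isinstance(result, dict) else []
    return sorted(
        row["name"] for row in rows
        if _flag(row.get("licensed")) and _flag(row.get("active"))
    )


def referer_chain(resp: Dict[str, Any]) -> List[str]:
    """Referrer chain (result.referer) from a Get Artifact Rootcause result, in order."""
    result = result_or_raise(resp)
    if not isinstance(result, dict):
        return []
    return [str(r) for r in result.get("referer") or []]


# Constructed sample responses: values are illustrative, not captured from a server.
SAMPLE_PROVIDERS = json.dumps({
    "errors": [], "resultCode": "OK",
    "result": {"pageCount": 1, "rows": [
        {"name": "Example Reputation Service", "licensed": True, "active": "1",
         "uuid": "00000000-0000-0000-0000-000000000001"},
        {"name": "Example Sandbox", "licensed": False, "active": True,
         "uuid": "00000000-0000-0000-0000-000000000002"},
        {"name": "Example Archive", "licensed": True, "active": "0",
         "uuid": "00000000-0000-0000-0000-000000000003"},
    ]},
    "validationErrors": {"User": [], "Appliance": [], "Meta": []},
    "paging": [], "messages": [],
})
SAMPLE_ROOTCAUSE = json.dumps({
    "errors": [], "resultCode": "OK",
    "result": {"referer": ["http://landing.example/index.html",
                           "http://landing.example/download.php",
                           "http://landing.example/report.pdf"],
               "ims": "", "applianceArtifactSearches": [], "emails": ""},
    "validationErrors": {"Artifact": [], "ArtifactSearch": []},
    "paging": [], "messages": [],
})
SAMPLE_REJECTED = json.dumps({
    "errors": [], "resultCode": "",
    "result": {"referer": [], "ims": "", "applianceArtifactSearches": [], "emails": ""},
    "validationErrors": {"Artifact": [], "ArtifactSearch": ["artifact_search_id not found"]},
    "paging": [], "messages": [],
})

if __name__ == "__main__":
    print(active_licensed_providers(parse_response(SAMPLE_PROVIDERS)))
    print(referer_chain(parse_response(SAMPLE_ROOTCAUSE)))
    print(envelope_problems(parse_response(SAMPLE_REJECTED)))
```

The point of checking "validationErrors" bucket by bucket is that the connector returns an envelope even when the server rejected the input, with "result" mostly empty; a playbook that reads "result" without inspecting the envelope would silently continue on empty data.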

Included playbooks

The Sample - Symantec Security Analytics - 2.0.0 playbook collection comes bundled with the Symantec Security Analytics connector. These playbooks contain steps that show how to perform each supported action. After you import the Symantec Security Analytics connector, the bundled playbooks are listed in the Automation > Playbooks section of FortiSOAR™.

  • Get Alerts
  • Get Alerts Timeline Data
  • Get Artifact Reputation
  • Get Artifact Rootcause
  • Get Sensor List
  • Get Sensors Status
  • List All Enrichment Providers
  • Search for Artifacts in Extraction
  • Start Artifact Extractions
  • Start Extractions for IP Address
  • Start Extractions for MD5
  • Start Extractions for Port
  • Start Extractions for Protocol
  • Start Extractions for SHA1
  • Start Extractions for SHA256

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.


Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the connectors page, select the Symantec Security Analytics connector row, and in the Configure tab enter the required configuration details.

Parameter Description
Server URL URL of the Symantec Security Analytics CMC server to which you will connect and perform automated operations.
Port Port number to connect Symantec Security Analytics CMC server.
Username Username to access the Symantec Security Analytics CMC server.
Symantec CMC API Key API key to access Symantec Security Analytics CMC API.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get Sensor List Retrieves a list of sensors from Symantec Security Analytics, based on the input parameters you have specified. get_sensor
Investigation
Get Alerts Retrieves a list of alerts from Symantec Security Analytics, based on the time range and other input parameters you have specified. get_alerts
Investigation
Get Alerts Timeline Data Retrieve the histogram of alerts from Symantec Security Analytics, based on the time range and other input parameters you have specified. get_alerts
Investigation
Start Artifact Extractions Initiates artifact extraction from Symantec Security Analytics, based on the extraction type and other input parameters you have specified. start_extractions
Investigation
Start Extractions for MD5 Initiates artifact extraction on the MD5 hash from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Start Extractions for SHA1 Initiates artifact extraction on the SHA1 from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Start Extractions for SHA256 Initiates artifact extraction on the SHA256 from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Start Extractions for IP Address Initiates artifact extraction on the IP address from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Start Extractions for Port Initiates artifact extraction on the port number from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Start Extractions for Protocol Initiates artifact extraction on the protocol from Symantec Security Analytics, based on the extraction type, and other input parameters you have specified. start_extractions
Investigation
Search for Artifacts in Extraction Retrieves details about an artifact from Symantec Security Analytics, based on the artifact ID, search ID, and other input parameters you have specified. get_sensor
Investigation
Get Artifact Reputation Retrieves the reputation of an artifact from a specified provider, from Symantec Security Analytics based on the artifact ID and other input parameters you have specified. get_artifact_reputation
Investigation
Get Sensors Status Retrieves the status of all sensors or specific sensors from Symantec Security Analytics based on the sensor or appliance ID you have specified. get_sensor_status
Investigation
Get Artifact Rootcause Retrieves the referrer chain of an artifact from Symantec Security Analytics based on the artifact ID, artifact search ID, and other input parameters you have specified. get_artifact_rootcause
Investigation
List All Enrichment Providers Retrieves a list of all enrichment providers from Symantec Security Analytics get_providers
Investigation

operation: Get Sensor List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied, and an unfiltered list is returned.

Parameter Description
Sort Sort keys that you can apply to the result that is retrieved from Symantec Security Analytics.
You can use one of the following keys: "Name","Model","Connected","Capturing", or "Last Selected".
Sort By Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Page Number Page number from which you want to request for data from Symantec Security Analytics.
Max Number of Records Per Page Maximum number of records that the operation should fetch per page from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": [
         {
             "Appliance": {
                 "name": "",
                 "cmc_proxy_key": "",
                 "connected": "",
                 "meta_data": {
                     "deepsee": {
                         "licensed": ""
                     },
                     "version": "",
                     "licensed": "",
                     "eval": "",
                     "appliance_box": "",
                     "capture": {
                         "licensed": ""
                     },
                     "manager_box": "",
                     "cmc_management": {
                         "licensed": ""
                     },
                     "build": "",
                     "model": ""
                 },
                 "capturing": false,
                 "api": "",
                 "last_selected": "",
                 "id": "",
                 "model": "",
                 "host": "",
                 "cmc_proxy_key_hash": ""
             },
             "ApplianceAuth": [
                 {
                     "User": {
                         "name": "",
                         "api_key": "",
                         "unit_network": "",
                         "accept_eula": "",
                         "email": "",
                         "role": "",
                         "local": "",
                         "failed_auth_attempts": "",
                         "eula_date": "",
                         "pagination_limit": "",
                         "id": "",
                         "username": "",
                         "account_disabled": ""
                     },
                     "remote_username": "",
                     "user_id": "",
                     "auto_assigned": "",
                     "id": "",
                     "updated": "",
                     "role": "",
                     "appliance_id": ""
                 }
             ],
             "GroupAppliance": [
                 {
                     "id": "",
                     "group_id": "",
                     "Group": {
                         "description": "",
                         "deepsee": "",
                         "groupname": "",
                         "id": "",
                         "remote": "",
                         "default": "",
                         "outside_groups": ""
                     },
                     "appliance_id": ""
                 }
             ],
             "Label": []
         }
     ],
     "validationErrors": {
         "Appliance": [],
         "User": [],
         "UserRemoteGroup": [],
         "Label": [],
         "Group": [],
         "ApplianceAuth": [],
         "GroupAppliance": [],
         "Meta": []
     },
     "paging": {
         "Appliance": {
             "nextPage": "",
             "count": "",
             "prevPage": "",
             "order": {
                 "Appliance.name": ""
             },
             "options": {
                 "page": "",
                 "order": {
                     "Appliance.name": ""
                 }
             },
             "current": "",
             "page": "",
             "paramType": "",
             "limit": "",
             "pageCount": ""
         }
     },
     "messages": []
}

operation: Get Alerts

Input parameters

Parameter Description
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull alerts from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Start Date Start date and time from when you want to pull alerts from Symantec Security Analytics.
End Date End date and time till when you want to pull alerts from Symantec Security Analytics.
Sort By (Optional) Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Page Number (Optional) Page number from which you want to request for data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "rows": [],
         "pageCount": ""
     },
     "validationErrors": {
         "Meta": [],
         "NotificationAlert": [],
         "res": [],
         "NotificationAlertHit": []
     },
     "paging": {
         "NotificationAlert": {
             "nextPage": "",
             "count": "",
             "prevPage": "",
             "order": {
                 "NotificationAlert.modified_date": ""
             },
             "options": {
                 "order": {
                     "NotificationAlert.modified_date": ""
                 }
             },
             "current": "",
             "page": "",
             "paramType": "",
             "limit": "",
             "pageCount": ""
         }
     },
     "messages": []
}

operation: Get Alerts Timeline Data

Input parameters

Parameter Description
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date Start date and time from when you want to pull alerts from Symantec Security Analytics.
End Date End date and time till when you want to pull alerts from Symantec Security Analytics.
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull alerts from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "rows": []
     },
     "validationErrors": {
         "Meta": [],
         "NotificationAlert": [],
         "res": []
     },
     "paging": [],
     "messages": []
}

operation: Start Artifact Extractions

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time till when you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request for data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Specify the count up to which the connector will check if the action is completed or not.
Sort By (Optional) Only applicable if your extraction type "Artifacts Timeline" or "IM Conversations".
This is the sort keys that you can apply to the result that is retrieved from Symantec Security Analytics.
In case of "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
In case of "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for MD5

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts" or "Artifacts Timeline".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time till when you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request for data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Specify the count up to which the connector will check if the action is completed or not.
Sort By (Optional) Only applicable if your extraction type "Artifacts Timeline".
This is the sort keys that you can apply to the result that is retrieved from Symantec Security Analytics.
For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
Direction (Optional) Only applicable if your extraction type "Artifacts Timeline".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for SHA1

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts" or "Artifacts Timeline".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time till when you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request for data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Specify the count up to which the connector will check if the action is completed or not.
Sort By (Optional) Only applicable if your extraction type "Artifacts Timeline".
This is the sort keys that you can apply to the result that is retrieved from Symantec Security Analytics.
For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
Direction (Optional) Only applicable if your extraction type "Artifacts Timeline".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
       &nbsnbsp;         "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for SHA256

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", or "Artifacts Timeline".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time till when you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline".
Sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for IP Address

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time till when you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
For "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for Port

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time till when you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
For "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}

operation: Start Extractions for Protocol

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Select Extraction Type Extraction type based on which you want to pull records from Symantec Security Analytics.
You can use one of the following extraction types: "Artifacts", "Artifacts Timeline", or "IM Conversations".
Filter Key (Optional) Filter key to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Filter Operator (Optional) Filter operator to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
You can use one of the following operators: "=","!=","~","!~",">",">=","<","<="
Filter Value (Optional) Filter value to apply an advanced filter on the result that is retrieved from Symantec Security Analytics.
Start Date (Optional) Start date and time from when you want to pull records from Symantec Security Analytics.
End Date (Optional) End date and time till when you want to pull records from Symantec Security Analytics.
Page Number (Optional) Page number from which you want to request data from Symantec Security Analytics. Defaults to 1.
Max Number of Records Per Page (Optional) Maximum number of records that the operation should fetch per page from Symantec Security Analytics.
Check Action Finish Count (Optional) Maximum number of times the connector checks whether the action has completed.
Sort By (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort key that you can apply to the result that is retrieved from Symantec Security Analytics.
For "Artifacts Timeline", you can choose one of the following options: Date, Source, Type, or Size.
For "IM Conversations", you can choose one of the following options: Date, Source, Type, Size, Sender, Recipient, or Subject.
Direction (Optional) Only applicable if your extraction type is "Artifacts Timeline" or "IM Conversations".
Sort order that you can apply to the result that is retrieved from Symantec Security Analytics.
You can choose either the Ascending or Descending order.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "percentcomplete": "",
         "numResults": "",
         "numFilteredArtifacts": "",
         "timeDeleted": "",
         "search_status": "",
         "maxpage": "",
         "killed": "",
         "time_place": "",
         "histogram": {
             "total": [],
             "data": [
                 {
                     "columns": [],
                     "extra": {
                         "end_time": ""
                     },
                     "time": ""
                 }
             ],
             "meta": {
                 "columns": [
                     {
                         "type": "",
                         "has_total": "",
                         "text": ""
                     }
                 ],
                 "data_type": {
                     "type": "",
                     "text": ""
                 }
             }
         },
         "background": "",
         "field_counts": {
             "file_type": [],
             "file_extension": []
         },
         "sorted_artifacts": [
             {
                 "Artifact": {
                     "source_port": "",
                     "pcap_path": "",
                     "destination_port": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "height": "",
                     "icon": "",
                     "source_ip": "",
                     "meta_info": {
                         "referer": "",
                         "filename": "",
                         "request_headers": "",
                         "method": "",
                         "response_code": "",
                         "parent_artifact_id": "",
                         "response_headers": ""
                     },
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "remote_artifact_id": "",
                     "appliance_id": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "referer": "",
                     "title": "",
                     "sha1": "",
                     "protocol": "",
                     "filename": "",
                     "capture_end_nanoseconds": "",
                     "md5": "",
                     "fuzzy": "",
                     "children": [],
                     "filesize": "",
                     "capture_start_nanoseconds": "",
                     "session_id": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 }
             }
         ],
         "artifact_search_id": ""
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "ArtifactSearch": [],
         "ReportDaemon": [],
         "ArtifactsSummary": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "res": [],
         "SavedResult": []
     },
     "paging": [],
     "messages": []
}
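After any of the four Start Extractions operations above returns, a playbook has to decide whether the extraction actually completed (Check Action Finish Count bounds the polling) and usually narrows the returned artifacts before enriching them. The following Python is an added example, not the connector's or Fortinet's own code; it assumes the Filter Key / Filter Operator / Filter Value triple is applied client-side to the fields of each "Artifact" object, that "~" and "!~" are regular-expression match / no match, and that "killed" is a 0/1 flag.

```python
"""Added example (mine, not the connector's or Fortinet's code): post-process
the JSON returned by the Start Extractions operations. It decides whether the
extraction finished, applies one Filter Key / Filter Operator / Filter Value
triple (the eight operators listed on the page) to sorted_artifacts, and
collects the matching hashes for a follow-up Get Artifact Reputation step.

Assumptions: the filter is evaluated client-side on "Artifact" fields;
"~" / "!~" are regular-expression match / no match; values that both parse
as numbers compare numerically, otherwise as strings; "killed" is a 0/1 flag.
"""
import operator
import re
from typing import Any, Dict, List

# Constructed sample, shaped like the populated JSON schema above; ids and
# hashes are placeholders, not real indicators.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "errors": [],
    "resultCode": "",
    "result": {
        "percentcomplete": "100",
        "killed": "0",
        "sorted_artifacts": [
            {"Artifact": {"id": "11", "filename": "invoice.exe", "filesize": "73216",
                          "mime_type": "application/x-dosexec", "destination_port": "443",
                          "sha256": "sha256-placeholder-1"}},
            {"Artifact": {"id": "12", "filename": "logo.png", "filesize": "2048",
                          "mime_type": "image/png", "destination_port": "80",
                          "sha256": "sha256-placeholder-2"}},
            {"Artifact": {"id": "13", "filename": "update.bin", "filesize": "1048576",
                          "mime_type": "application/octet-stream", "destination_port": "8080",
                          "sha256": "sha256-placeholder-1"}},
        ],
        "artifact_search_id": "77",
    },
}

_COMPARE = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
            ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def _coerce(lhs: Any, rhs: Any):
    """Numeric pair when both sides parse as numbers, otherwise a string pair."""
    try:
        return float(lhs), float(rhs)
    except (TypeError, ValueError):
        return str(lhs), str(rhs)


def match(value: Any, op: str, wanted: Any) -> bool:
    """Evaluate one Filter Operator from the page's list against a field value."""
    if op == "~":
        return re.search(str(wanted), str(value)) is not None
    if op == "!~":
        return re.search(str(wanted), str(value)) is None
    if op not in _COMPARE:
        raise ValueError(f"unsupported filter operator: {op!r}")
    return _COMPARE[op](*_coerce(value, wanted))


def extraction_finished(resp: Dict[str, Any]) -> bool:
    """True only when the server reports the search ran to completion.

    Check Action Finish Count bounds how many times the connector polls, so a
    response may arrive with percentcomplete below 100 or with killed set;
    both mean 'not finished', which is different from 'no artifacts'."""
    if resp.get("errors"):
        return False
    result = resp.get("result") or {}
    if str(result.get("killed", "0")).lower() not in ("0", "", "false"):
        return False
    try:
        return float(result.get("percentcomplete", 0)) >= 100
    except (TypeError, ValueError):
        return False


def filter_artifacts(resp: Dict[str, Any], key: str, op: str,
                     wanted: Any) -> List[Dict[str, Any]]:
    """Artifact objects whose `key` field satisfies `op wanted`; artifacts
    without that field are dropped rather than silently matched."""
    hits = []
    for entry in (resp.get("result") or {}).get("sorted_artifacts", []):
        art = entry.get("Artifact", {})
        if key in art and match(art[key], op, wanted):
            hits.append(art)
    return hits


def hashes_for_reputation(artifacts: List[Dict[str, Any]],
                          field: str = "sha256") -> List[str]:
    """Deduplicated, order-preserving hashes to hand to Get Artifact Reputation."""
    seen: List[str] = []
    for art in artifacts:
        h = art.get(field)
        if h and h not in seen:
            seen.append(h)
    return seen
```

Use an explicit `extraction_finished` check before filtering in a playbook, so a poll that stopped early is retried rather than read as "no matching artifacts".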

operation: Search for Artifacts in Extraction

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose details you want to retrieve from Symantec Security Analytics. Defaults to 1.
Search ID Search ID that is generated from the extraction based on which you want to retrieve artifact details from Symantec Security Analytics. Defaults to 1.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "artifacts": [
             {
                 "Artifact": {
                     "capture_end_nanoseconds": "",
                     "source_port": "",
                     "pcap_path": "",
                     "hw_ratio": "",
                     "derived_type": "",
                     "magic_type": "",
                     "width": "",
                     "host": "",
                     "referer": "",
                     "filesize": "",
                     "meta_info": [],
                     "flow_id": "",
                     "id": "",
                     "capture_start_time": "",
                     "extension": "",
                     "sha256": "",
                     "mime_type": "",
                     "destination_ip": "",
                     "protocol": "",
                     "title": "",
                     "destination_port": "",
                     "sha1": "",
                     "filename": "",
                     "icon": "",
                     "md5": "",
                     "fuzzy": "",
                     "capture_start_nanoseconds": "",
                     "source_ip": "",
                     "session_id": "",
                     "height": "",
                     "wh_ratio": "",
                     "capture_end_time": "",
                     "artifact_search_id": ""
                 },
                 "PresentedFilename": {
                     "value": ""
                 }
             }
         ]
     },
     "validationErrors": {
         "Artifact": [],
         "UserSetting": [],
         "res": [],
         "DeepseeFavorite": [],
         "Meta": [],
         "MetaInfo": []
     },
     "paging": [],
     "messages": []
}

operation: Get Artifact Reputation

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull records from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose reputation you want to retrieve from Symantec Security Analytics. Defaults to 1.
Provider UUID (Optional) UUID of the provider whose artifact reputation you want to retrieve from Symantec Security Analytics.
Artifact Field (Optional) Artifact field based on which you want to retrieve the reputation of the artifact from Symantec Security Analytics.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "reputation_results": {
             "provider_responses": [
                 {
                     "name": "",
                     "value": "",
                     "success": "",
                     "response": {
                         "flags": [],
                         "responses": {
                             "Anti Virus Engine Count": "",
                             "Artifact": "",
                             "SHA256 Hash": "",
                             "First Seen Date": "",
                             "GIN Blacklist": "",
                             "SHA1 Hash": "",
                             "Whitelist Lookup": "",
                             "Anti Virus Engines": "",
                             "MD5 Hash": "",
                             "score": ""
                         },
                         "result": "",
                         "score": "",
                         "status": "",
                         "value": ""
                     },
                     "score": "",
                     "integration_provider": {
                         "name": "",
                         "licensed": "",
                         "uuid": "",
                         "integration_provider_tonic_actions": [],
                         "last_modified_date": "",
                         "integration_provider_category_uuid": "",
                         "integration_provider_type": {
                             "name": "",
                             "creatable": "",
                             "last_modified_date": "",
                             "bigfile": "",
                             "deletable": "",
                             "internal_name": "",
                             "league": "",
                             "edit_type": "",
                             "pivot_only": "",
                             "abyssal": "",
                             "associate_with_action": "",
                             "user_initiated": ""
                         },
                         "integration_provider_category": {
                             "name": ""
                         },
                         "data": {
                             "type": "",
                             "integration_provider_uuid": "",
                             "category": ""
                         },
                         "active": "",
                         "integration_provider_type_field_set": {
                             "name": ""
                         },
                         "pivot_url": "",
                         "description": "",
                         "integration_provider_type_uuid": "",
                         "ordinal": "",
                         "class_type": "",
                         "appliance_id": ""
                     },
                     "request_id": ""
                 }
             ],
             "cacheIds": [],
             "score": "",
             "flags": [],
             "result": "",
             "artifact": {
                 "capture_end_nanoseconds": "",
                 "source_port": "",
                 "flow_id": "",
                 "hw_ratio": "",
                 "derived_type": "",
                 "magic_type": "",
                 "width": "",
                 "host": "",
                 "height": "",
                 "meta_info": {
                     "method": "",
                     "filename": "",
                     "response_code": "",
                     "request_headers": "",
                     "response_headers": ""
                 },
                 "filesize": "",
                 "wh_ratio": "",
                 "capture_start_nanoseconds": "",
                 "pcap_path": "",
                 "id": "",
                 "capture_start_time": "",
                 "extension": "",
                 "capture_end_time": "",
                 "original_filename": "",
                 "sha256": "",
                 "mime_type": "",
                 "destination_ip": "",
                 "protocol": "",
                 "title": "",
                 "destination_port": "",
                 "icon": "",
                 "filename": "",
                 "md5": "",
                 "fuzzy": "",
                 "sha1": "",
                 "source_ip": "",
                 "session_id": "",
                 "referer": "",
                 "artifact_search_id": ""
             },
             "status": "",
             "responses": []
         }
     },
     "validationErrors": {
         "Artifact": [],
         "ipt": [],
         "res": [],
         "Reputation": [],
         "ip": [],
         "Meta": [],
         "MetaInfo": []
     },
     "paging": [],
     "messages": []
}

operation: Get Sensors Status

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID whose status you want to retrieve from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "applianceStatuses": {}
     },
     "validationErrors": {
         "Appliance": [],
         "LocalRepository": [],
         "UserRemoteGroup": [],
         "Label": [],
         "ApplianceAuth": [],
         "Meta": [],
         "User": []
     },
     "paging": [],
     "messages": ""
}

operation: Get Artifact Rootcause

Input parameters

Parameter Description
Sensor ID(Appliance ID) (Optional) Sensor ID or Appliance ID based on which you want to pull the artifact root cause from Symantec Security Analytics. Defaults to All Sensors.
Note: You can specify IDs in the CSV or list format.
Artifact ID Artifact ID that is generated from the extraction whose root cause you want to retrieve from Symantec Security Analytics. Defaults to 1.
Artifact Search ID Artifact Search ID that is generated from the extraction based on which you want to retrieve the artifact root cause from Symantec Security Analytics.
Advanced Filter (Optional) Advanced filter that you want to apply to the result that is retrieved from Symantec Security Analytics.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "referer": [],
         "ims": "",
         "applianceArtifactSearches": [],
         "emails": ""
     },
     "validationErrors": {
         "Appliance": [],
         "ApplianceAuth": [],
         "Artifact": [],
         "UserRemoteGroup": [],
         "ArtifactSearch": [],
         "Label": [],
         "Meta": [],
         "User": [],
         "ApplianceArtifactSearch": []
     },
     "paging": [],
     "messages": []
}

operation: List All Enrichment Providers

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "errors": [],
     "resultCode": "",
     "result": {
         "pageCount": "",
         "rows": [
             {
                 "name": "",
                 "licensed": "",
                 "uuid": "",
                 "integration_provider_tonic_actions": [],
                 "last_modified_date": "",
                 "integration_provider_category_uuid": "",
                 "integration_provider_type": {
                     "name": "",
                     "creatable": "",
                     "last_modified_date": "",
                     "pivot_only": "",
                     "deletable": "",
                     "associate_with_action": "",
                     "league": "",
                     "edit_type": "",
                     "bigfile": "",
                     "abyssal": "",
                     "internal_name": "",
                     "user_initiated": ""
                 },
                 "description": "",
                 "data": "",
                 "active": "",
                 "integration_provider_type_field_set": {
                     "name": ""
                 },
                 "pivot_url": "",
                 "integration_provider_category": {
                     "name": ""
                 },
                 "integration_provider_type_uuid": "",
                 "ordinal": "",
                 "class_type": "",
                 "appliance_id": ""
             }
         ]
     },
     "validationErrors": {
         "User": [],
         "Appliance": [],
         "UserRemoteGroup": [],
         "Label": [],
         "ApplianceAuth": [],
         "ip": [],
         "Meta": [],
         "ipt": []
     },
     "paging": [],
     "messages": []
}
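Two details recur across these operations: the Sensor ID (Appliance ID) input accepts either CSV or list format, and every output schema carries the same errors/validationErrors envelope. The following Python is an added example for this page, not connector or Fortinet code; it assumes that an empty Sensor ID means All Sensors, that a result is usable only when errors and validationErrors are empty (the page does not document resultCode values), and that licensed/active arrive as booleans.

```python
from typing import Any, Dict, List, Union

def normalize_sensor_ids(value: Union[str, List[Any], None]) -> List[str]:
    """Normalize the Sensor ID (Appliance ID) input, given as CSV or a list.
    Empty input stands for the connector default, All Sensors (assumption)."""
    if value is None:
        return []
    items = value.split(",") if isinstance(value, str) else [str(v) for v in value]
    seen, ordered = set(), []
    for item in items:
        item = item.strip()
        if item and item not in seen:  # drop blanks and duplicates, keep order
            seen.add(item)
            ordered.append(item)
    return ordered

def collect_validation_errors(response: Dict[str, Any]) -> List[str]:
    """Flatten the per-object validationErrors map into 'Object: message' strings."""
    flat = []
    for obj, messages in (response.get("validationErrors") or {}).items():
        flat.extend(f"{obj}: {msg}" for msg in messages or [])
    return flat

def response_ok(response: Dict[str, Any]) -> bool:
    """Assumed success criterion: no errors and no validation errors in the envelope."""
    return not response.get("errors") and not collect_validation_errors(response)

def licensed_active_providers(response: Dict[str, Any]) -> List[str]:
    """Names of List All Enrichment Providers rows that are licensed and active."""
    rows = (response.get("result") or {}).get("rows") or []
    return [row["name"] for row in rows if row.get("licensed") and row.get("active")]

# Constructed sample response shaped like the schema above (not a real capture).
SAMPLE_PROVIDERS = {
    "errors": [], "resultCode": "",
    "result": {"pageCount": 1, "rows": [
        {"name": "ProviderA", "licensed": True, "active": True, "uuid": "uuid-a-constructed"},
        {"name": "ProviderB", "licensed": False, "active": True, "uuid": "uuid-b-constructed"},
    ]},
    "validationErrors": {"User": [], "Appliance": [], "ip": []},
    "paging": [], "messages": [],
}
```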

Included playbooks

The Sample - Symantec Security Analytics - 2.0.0 playbook collection comes bundled with the Symantec Security Analytics connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section of FortiSOAR™ after importing the Symantec Security Analytics connector.

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.