
Symantec Messaging Gateway

Symantec Messaging Gateway v1.1.1


About the connector

Symantec Messaging Gateway (SMG) delivers inbound and outbound messaging security, real-time antispam and antivirus protection, advanced content filtering, threat detection and sandboxing, and data loss prevention to your enterprise. Its features include detection of spam, denial-of-service attacks, and other inbound email threats; policy-based filtering of email to remove unwanted content; compliance with regulations; protection against loss of intellectual property and data over email; and integration with Symantec Content Analysis to provide advanced threat detection and virtual sandboxing.

This document provides information about the Symantec Messaging Gateway connector, which facilitates automated interactions with Symantec Messaging Gateway using FortiSOAR™ playbooks. Add the Symantec Messaging Gateway connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking IP addresses, domains, or emails.

Version information

Connector Version: 1.1.1

Authored By: Fortinet

Release Notes for version 1.1.1

The following enhancements have been made to the Symantec Messaging Gateway Connector in version 1.1.1:

  • Fixed the code to accommodate changes from Symantec Messaging Gateway related to the action Advanced Audit Log Search.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-symantec-messaging-gateway

Prerequisites to configuring the connector

  • You must have the URL of the Symantec Messaging Gateway server on which you will perform the automated operations and the username and password configured for your account to access that Symantec Messaging Gateway server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Symantec Messaging Gateway server.

Minimum Permissions Required

  • Not Applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Symantec Messaging Gateway connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

| Parameter | Description |
|---|---|
| Server URL | URL of the Symantec Messaging Gateway server to which you will connect and perform automated operations. |
| Username | Username for accessing Symantec Messaging Gateway to which you will connect and perform the automated operations. |
| Password | Password for accessing Symantec Messaging Gateway to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. Defaults to True. |

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

| Function | Description | Annotation and Category |
|---|---|---|
| Block Email | Adds an email address you have specified to the list of bad senders on Symantec Messaging Gateway. | block_email, Containment |
| Unblock Email | Removes an email address you have specified from the list of bad senders on Symantec Messaging Gateway. | unblock_email, Remediation |
| Block Domain | Adds a domain you have specified to the list of bad senders on Symantec Messaging Gateway. | block_domain, Containment |
| Unblock Domain | Removes a domain you have specified from the list of bad senders on Symantec Messaging Gateway. | unblock_domain, Remediation |
| Block IP | Adds an IP address you have specified to the list of bad senders on Symantec Messaging Gateway. | block_ip, Containment |
| Unblock IP | Removes an IP address you have specified from the list of bad senders on Symantec Messaging Gateway. | unblock_ip, Remediation |
| Quick Audit Log Search | Searches for audit logs in Symantec Messaging Gateway based on the filter criteria you have specified. This operation returns the main event fields. | audit_logs_search, Investigation |
| Advanced Audit Log Search | Searches for audit logs in Symantec Messaging Gateway based on the filter criteria you have specified. This operation returns all available event fields. | advanced_audit_logs_search, Investigation |

operation: Block Email

Input parameters

| Parameter | Description |
|---|---|
| Email Address | Specify the email address that you want to block, i.e., add to the list of bad senders on Symantec Messaging Gateway. |

Output

The JSON output returns a Success message if the email address that you have specified is successfully added to the list of bad senders on Symantec Messaging Gateway.

The output contains the following populated JSON schema:
{
"data": "",
"status": "",
"message": "",
"operation": "",
"execution_time": ""
}

operation: Unblock Email

Input parameters

| Parameter | Description |
|---|---|
| Email Address | Specify the email address that you want to unblock, i.e., remove from the list of bad senders on Symantec Messaging Gateway. |

Output

The JSON output returns a Success message if the email address that you have specified is successfully removed from the list of bad senders on Symantec Messaging Gateway.

The output contains the following populated JSON schema:
{
"data": "",
"status": "",
"message": "",
"operation": "",
"execution_time": ""
}

operation: Block Domain

Input parameters

| Parameter | Description |
|---|---|
| Domain | Specify the name of the domain that you want to block, i.e., add to the list of bad senders on Symantec Messaging Gateway. |

Output

The JSON output returns a Success message if the domain name that you have specified is successfully added to the list of bad senders on Symantec Messaging Gateway.

The output contains the following populated JSON schema:
{
"data": "",
"status": "",
"message": "",
"operation": "",
"execution_time": ""
}

operation: Unblock Domain

Input parameters

| Parameter | Description |
|---|---|
| Domain | Specify the name of the domain that you want to unblock, i.e., remove from the list of bad senders on Symantec Messaging Gateway. |

Output

The JSON output returns a Success message if the domain name that you have specified is successfully removed from the list of bad senders on Symantec Messaging Gateway.

The output contains the following populated JSON schema:
{
"data": "",
"status": "",
"message": "",
"operation": "",
"execution_time": ""
}

operation: Block IP

Input parameters

| Parameter | Description |
|---|---|
| IP Address | Specify the IP address that you want to block, i.e., add to the list of bad senders on Symantec Messaging Gateway. |

Output

The JSON output returns a Success message if the IP address that you have specified is successfully added to the list of bad senders on Symantec Messaging Gateway.

The output contains the following populated JSON schema:
{
"data": "",
"status": "",
"message": "",
"operation": "",
"execution_time": ""
}

operation: Unblock IP

Input parameters

| Parameter | Description |
|---|---|
| IP Address | Specify the IP address that you want to unblock, i.e., remove from the list of bad senders on Symantec Messaging Gateway. |

Output

The JSON output returns a Success message if the IP address that you have specified is successfully removed from the list of bad senders on Symantec Messaging Gateway.

The output contains the following populated JSON schema:
{
"data": "",
"status": "",
"message": "",
"operation": "",
"execution_time": ""
}

operation: Quick Audit Log Search

Input parameters

| Parameter | Description |
|---|---|
| Search By | Select the search filter based on which you want to search the audit logs in Symantec Messaging Gateway. You can choose from the following options: Sender, Recipient, Subject, Audit ID, Connection IP, or Logical IP. |
| Search Value | Specify the value using which you want to search the audit logs in Symantec Messaging Gateway, based on the filter selected in the 'Search By' drop-down list. For example, enter baduser@badomain.com if you have selected 'Sender' in the 'Search By' drop-down list. |
| Start Time | (Optional) Select the DateTime using which you want to filter the result set to include only those items that have been created after the specified timestamp. |
| End Time | (Optional) Select the DateTime using which you want to filter the result set to include only those items that have been created before the specified timestamp. |
| Limit | (Optional) Specify the maximum number of results, per page, that this operation should return. By default, this option is set as 10. |
| Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful for pagination and for getting a subset of items. By default, this is set as 1. |

Output

The output contains the following populated JSON schema:
{
"Time": "",
"From": "",
"auditUID": "",
"To": "",
"Original Subject": "",
"Verdict(s)": "",
"Action(s)": ""
}
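The sketch below is an added example, not code from the connector or from Fortinet. It shows one way to turn Quick Audit Log Search rows into validated, de-duplicated requests for the block_email, block_domain and block_ip annotations while refusing to block your own domains or internal relay ranges. The protected domains, internal networks, the "Malware" verdict string, the comma-separated verdict format and the sample rows are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions for this sketch: your own mail domains and internal relay ranges.
PROTECTED_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify_indicator(value):
    """Return (annotation, parameter label, normalized value) or raise ValueError."""
    value = value.strip().strip("<>").lower()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # Blocking an internal relay would cut off legitimate mail flow.
        if any(ip in net for net in INTERNAL_NETS):
            raise ValueError(f"refusing internal IP {ip}")
        return "block_ip", "IP Address", str(ip)
    local, at, domain = value.rpartition("@")
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"not an email address, domain or IP: {value!r}")
    # A spoofed internal sender must not put your own domain on the bad senders list.
    if any(domain == d or domain.endswith("." + d) for d in PROTECTED_DOMAINS):
        raise ValueError(f"refusing protected domain {domain}")
    if not at:
        return "block_domain", "Domain", domain
    if not local or "@" in local or any(c.isspace() for c in local):
        raise ValueError(f"malformed local part in {value!r}")
    return "block_email", "Email Address", f"{local}@{domain}"


def plan_blocks(rows, bad_verdicts=frozenset({"malware"})):
    """Build de-duplicated block requests from Quick Audit Log Search rows."""
    plan, skipped, seen = [], [], set()
    for row in rows:
        verdicts = {v.strip().lower() for v in row.get("Verdict(s)", "").split(",")}
        if not verdicts & bad_verdicts:
            continue  # no actionable verdict on this message
        try:
            annotation, label, value = classify_indicator(row.get("From", ""))
        except ValueError as exc:
            skipped.append((row.get("auditUID", ""), str(exc)))
            continue
        if (annotation, value) not in seen:
            seen.add((annotation, value))
            plan.append({"operation": annotation, "params": {label: value}})
    return plan, skipped


def _row(uid, sender, verdict):
    """Constructed sample row using the Quick Audit Log Search output keys."""
    return {"Time": "", "From": sender, "auditUID": uid, "To": "alice@example.com",
            "Original Subject": "Invoice", "Verdict(s)": verdict, "Action(s)": ""}


SAMPLE_ROWS = [  # constructed data, not real SMG output
    _row("audit-0001", "BadUser@badomain.com", "Malware"),
    _row("audit-0002", "<baduser@badomain.com>", "Spam, Malware"),
    _row("audit-0003", "ceo@example.com", "Malware"),   # spoofed internal sender
    _row("audit-0004", "news@lists.example.org", "None"),
]

if __name__ == "__main__":
    print(plan_blocks(SAMPLE_ROWS))
```

Rows that land in the skipped list are the ones worth sending to an analyst rather than to an automated block step.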

operation: Advanced Audit Log Search

Input parameters

| Parameter | Description |
|---|---|
| Search By | Select the search filter based on which you want to search the audit logs in Symantec Messaging Gateway. You can choose from the following available options: Sender, Recipient, Subject, Audit ID, Connection IP, or Logical IP. |
| Search Value | Specify the value using which you want to search the audit logs in Symantec Messaging Gateway, based on the filter selected in the 'Search By' drop-down list. For example, enter baduser@badomain.com if you have selected 'Sender' in the 'Search By' drop-down list. |
| Start Time | Select the DateTime using which you want to filter the result set to include only those items that have been created after the specified timestamp. |
| End Time | Select the DateTime using which you want to filter the result set to include only those items that have been created before the specified timestamp. |
| Remove None ASCII characters | Select this option to remove non-ASCII characters from the search results. |

Output

The output contains the following populated JSON schema:
{
"Audit ID": "",
"Hosts": "",
"Accept From": "",
"Accept Time": "",
"Source": "",
"Message ID": "",
"Sender": "",
"Recipient": "",
"Original Recipients": "",
"Intended Recipients": "",
"Subject": "",
"Filter Policy": "",
"Policy Group": "",
"Verdict": "",
"Details": "",
"Viruses": "",
"Attachments": "",
"Suspect Attachments": "",
"Scanner Actions": "",
"Quarantine Actions": "",
"Day Zero Actions": "",
"Content Incident Folder Actions": "",
"Deliver To": "",
"Deliver Time": "",
"Untested Verdicts": ""
}

Included playbooks

The Sample - Symantec Messaging Gateway - 1.1.1 playbook collection comes bundled with the Symantec Messaging Gateway connector. The playbooks in this collection contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec Messaging Gateway connector.

  • Advanced Audit Log Search
  • Block Domain
  • Block Email
  • Block IP
  • Quick Audit Log Search
  • Unblock Domain
  • Unblock Email
  • Unblock IP

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
