Symantec Endpoint Security Complete Cloud
Integration version: 1.0
Use Cases
Perform enrichment actions.
Configure Symantec Endpoint Security Complete Cloud integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://api.sep.securitycloud.symantec.com | Yes | Symantec Endpoint Security Complete API root |
| Client ID | String | N/A | Yes | Symantec Endpoint Security Complete Client ID |
| Client Secret | Password | Yes | Symantec Endpoint Security Complete Client Secret | |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the Symantec Endpoint Security Complete server is valid. |
Actions
Ping
Description
Test connectivity to Symantec Endpoint Security Complete with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: |
General |
Enrich Entities
Description
Enrich entities using information from Symantec Endpoint Security Complete. Supported entities: Hostname, Hash, URL and IP Address. Only SHA256 hashes are supported.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Device Group | String | Default | Yes | Specify the name of the device group that should be used to retrieve information about endpoints. |
| Create Endpoint Insight | Checkbox | Checked | No | If enabled, action will create an insight containing information about the endpoints. |
| Create IOC Insight | Checkbox | Checked | No | If enabled, action will create an insight containing information about enriched IOCs. |
Run On
This action runs on the following entities:
- Hostname
- Hash
- URL
- IP Address
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result - for Endpoint
{
"id": "x10bQZJsRi6z87se02g3Vw",
"os": {
"ver": "10.0.18363",
"name": "Windows 10 Enterprise Edition",
"type": "WINDOWS_WORKSTATION",
"64_bit": true,
"lang": "en",
"major_ver": 10,
"minor_ver": 0,
"sp": 0,
"tz_offset": -480,
"user": "Admin",
"user_domain": "LocalComputer",
"vol_avail_mb": 5443,
"vol_cap_mb": 30138
},
"name": "DESKTOP-8P0TH6Q",
"host": "DESKTOP-8P0TH6Q",
"domain": "WORKGROUP",
"created": "2020-11-19T12:24:23.422Z",
"modified": "2021-03-05T10:39:03.884Z",
"adapters": [
{
"addr": "00:50:56:A2:A4:4B",
"category": "Public",
"ipv4Address": "172.30.201.182",
"ipv4_gw": "172.30.201.1",
"ipv4_prefix": 24,
"ipv6Address": "fe80::9c8f:dc54:7fd5:ebca",
"ipv6_gw": "172.30.201.1",
"ipv6_prefix": 64,
"mask": "255.255.255.0"
}
],
"device_status": "SECURE",
"parent_device_group_id": "rujWDk9WTcKsnLkCeZKl7A",
"products": [
{
"name": "Symantec Endpoint Protection",
"product_status": "SECURE",
"version": "14.3.3384.1000",
"agent_status": "ONLINE",
"last_connected_time": "2021-03-05T10:39:23.271Z",
"features": [
{
"name": "APP_ISOLATION",
"state": "ENABLED",
"feature_status": "SECURE",
"engine_version": "6.7.0.2033"
},
{
"name": "FIREWALL",
"state": "ENABLED",
"feature_status": "SECURE"
}
]
}
]
}
JSON Result - for IOC's
{
"reputation": "BAD",
"prevalence": "LessThanFifty",
"firstSeen": "2021-04-01",
"lastSeen": "2021-04-03",
"targetOrgs": {
"topCountries": [
"us",
"cm",
"sg"
],
"topIndustries": [
"financial services"
]
},
"state": "blocked",
"process_chain": [
{
"parent": {
"parent": {
"file": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
"processName": "explorer.exe"
},
"file": "f686f2ff41923bb5c106c76d5f3df30146eb37683b81c4a57110dcc63032526a",
"processName": "chrome.exe"
}
}
]
}
Entity Enrichment - for Endpoint
| Enrichment Field Name | Logic - When to apply |
|---|---|
| id | When available in JSON |
| os | When available in JSON |
| hostname | When available in JSON |
| domain | When available in JSON |
| ips | When available in JSON |
| mac | |
| status | When available in JSON |
| link | When available in JSON |
Entity Enrichment - for IOC's
| Enrichment Field Name | Logic - When to apply |
|---|---|
| reputation | When available in JSON |
| prevalence | When available in JSON |
| countries | When available in JSON |
| first_seen | When available in JSON |
| last_seen | When available in JSON |
| industries | When available in JSON |
| state | When available in JSON |
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If didn't enrich some (is_success = true): "Action wasn't able to enrich the following entities using Symantec Endpoint Security Complete:\n".format(entity.identifier) If didn't enrich all (is_success = false): "No entities were enriched". The action should fail and stop a playbook execution: If invalid device group: "Error executing action "Enrich Entities". Reason: the provided device group wasn't found. Please check the spelling.' |
General |
| Entity Table | **** | Entity |
List Device Groups
Description
List available device groups in Symantec Endpoint Security Complete.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Filter Logic | DDL | Equal DDL Equal Contains |
No | Specify what filter logic should be applied. |
| Filter Value | String | N/A | No | Specify what value should be used in the filter. |
| Max Groups To Return | Integer | 50 | No | Specify how many groups to return. Default: 50. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
{
"total": 1,
"device_groups": [
{
"id": "rujWDk9WTcKsnLkCeZKl7A",
"name": "Default",
"created": "2020-11-19T02:17:15.236Z",
"modified": "2020-11-19T02:17:17.482Z",
"parent_id": ""
}
]
}
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If 200 and no data is available (is_success=false) "No device groups were found based on the provided criteria in Symantec Endpoint Security Complete." The action should fail and stop a playbook execution: |
General |
| Case Wall Table | Name: Available Device Groups Columns: ID Name |
General |
Get Related IOCs
Description
Get IOCs related to the entities from Symantec Endpoint Security Complete. Supported entities: Hash, URL and IP Address. Only SHA256 hashes are supported.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Source Filter | CSV | byThreatActor, |
No | Specify the source filter. If nothing is provided, action will return related entities, based on all sources. byThreatActor, byProcessChain, bySignature, bySampleTraits, byNetworkingTrait, bySimilarIncidents |
Run On
This action runs on the following entities:
- Hash
- URL
- IP Address
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
{
"total": 1,
"device_groups": [
{
"id": "rujWDk9WTcKsnLkCeZKl7A",
"name": "Default",
"created": "2020-11-19T02:17:15.236Z",
"modified": "2020-11-19T02:17:17.482Z",
"parent_id": ""
}
]
}
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if no IOCs were found (is_success = false): "No related IOCs were found for the provided entities from Symantec Endpoint Security Complete.". The action should fail and stop a playbook execution: |
General |