Symantec Advanced Threat Protection
App Vendor: Symantec
App Category: Forensics & Malware Analysis
Connector Version: 1.0.0
API Version: 2.0.0
About App
Symantec Advanced Threat Protection is a single unified solution that uncovers, prioritizes, and remediates advanced attacks. The Symantec Advanced Threat Protection app enables security teams to integrate with the Symantec Advanced Threat Protection enterprise application to uncover, prioritize, investigate, and remediate advanced threats across endpoint, network, email, and web traffic.
The Symantec Advanced Threat Protection app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Cancel a Command | This action cancels a previously issued command. |
Fetch Appliances | This action retrieves the list of configured appliances and their versions. |
Fetch a Command State | This action retrieves the current state of a command. |
Fetch Events | This action retrieves a list of events. |
Fetch File Content | This action retrieves the details of a file based on the given hash. |
Fetch Incident Events | This action retrieves a list of events that are related to incidents. |
Run a Query for an Incident | This action runs a query for an incident. |
Send a Command | This action issues a command to the endpoints. |
Configuration Parameters
The following configuration parameters are required for the Symantec Advanced Threat Protection app to communicate with the Symantec Advanced Threat Protection enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL. Example: "sample base url" | Text | Required | |
Username | Enter the username. | Text | Required | |
Password | Enter the password. | Password | Required | |
TLS verification | Optional preference to either verify or skip the TLS certificate verification. Example: true | Boolean | Optional | Allowed values: true, false. Default value: false |
Action: Cancel a Command
This action cancels a command.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Target | Enter the target details to cancel the command. Example: {"hash":"8692251329fef60490be1c26281710b7e88250fd82b3f679f87d6785db854ed5", "device_uid":"cb46d251-151d-4583-a8fb-ebff7c42cfd8"} | Text | Required | |
Example Request
```json
[
  {
    "target": {
      "hash": "8692251329fef60490be1c26281710b7e88250fd82b3f679f87d6785db854ed5",
      "device_uid": "cb46d251-151d-4583-a8fb-ebff7c42cfd8"
    }
  }
]
```
Action: Fetch Appliances
This action retrieves the list of configured appliances and their versions.
Action Input Parameters
This action does not require any input parameter.
Action: Fetch a Command State
This action retrieves the state of a command.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Command ID | Enter the command ID to retrieve the state. Example: "de9a10b993ec4980a774a268f55ed1c0-2018-02-20" | Text | Required | |
Example Request
```json
[
  {
    "cmdId": "de9a10b993ec4980a774a268f55ed1c0-2018-02-20"
  }
]
```
Action: Fetch Events
This action retrieves a list of events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start Time | Enter the start time from which the events are to be fetched. Example: "2018-03-13t03:06:24.800z" | Text | Required | |
End Time | Enter the end time until which the events are to be fetched. Example: "2018-03-13t03:06:24.800z" | Text | Required | |
Query | Enter the query parameters. Example: "log_time:[2016-06-08t15:39:55.616z to *] and (type_id:(4096 or 4098 or 4123))" | Text | Required | |
Example Request
```json
[
  {
    "start_time": "2018-03-13t03:06:24.800z",
    "end_time": "2018-03-13t03:06:24.800z",
    "query": "<Sample query>"
  }
]
```
Action: Fetch File Content
This action retrieves the details of a file based on the given hash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash | Enter the hash value. Example: "4cbaa39e03c088b7e44d31722f099fb8030753bad30ba09edcb27490f7802cd9" | Text | Required | |
Device ID | Enter the device ID. Example: "c2937757-3968-4eb2-a1f3-4f7efbfdaafd" | Text | Required | |
Example Request
```json
[
  {
    "hash": "4cbaa39e03c088b7e44d31722f099fb8030753bad30ba09edcb27490f7802cd9",
    "deviceId": "c2937757-3968-4eb2-a1f3-4f7efbfdaafd"
  }
]
```
Action: Fetch Incident Events
This action retrieves a list of events that are related to incidents.
Action Input Parameters
This action does not require any input parameter.
Action: Run a Query for an Incident
This action executes a query for an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query to run. Example: {"uuid": "83b78a00-266b-11e8-f1ac-000000000a95"} | Text | Required | |
Example Request
```json
[
  {
    "query": {
      "uuid": "83b78a00-266b-11e8-f1ac-000000000a95"
    }
  }
]
```
Action: Send a Command
This action issues a command to the endpoints.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action | Enter the action. Example: "send" | Text | Required | Allowed values: |
Target | Enter the targets. Example: {"hash": "8692251329fef60490be1c26281710b7e88250fd82b3f679f87d6785db854ed5", "device_uid":"cb46d251-151d-4583-a8fb-ebff7c42cfd8"} | Any | Required | |
Example Request
```json
[
  {
    "action": "send",
    "target": {
      "hash": "8692251329fef60490be1c26281710b7e88250fd82b3f679f87d6785db854ed5",
      "device_uid": "cb46d251-151d-4583-a8fb-ebff7c42cfd8"
    }
  }
]
```
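The request bodies above are hand-written JSON, and the Send a Command and Cancel a Command targets share one shape, so a playbook author usually wants the inputs checked before the app instance is invoked. The following is an added example, not part of this connector's code: it builds the bodies for Send a Command, Cancel a Command and Fetch Events with input validation, and flags an instance configuration that leaves TLS verification at its default of false (the hash and UUID formats are assumed from the examples in the tables; the Action allowed values are not listed on the page, so they are not checked).

```python
import re
from datetime import datetime

# Shapes taken from the parameter tables above; the patterns themselves are assumptions.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def validate_target(target: dict) -> dict:
    """Check the {"hash", "device_uid"} object used by Send a Command and Cancel a Command."""
    if set(target) != {"hash", "device_uid"}:
        raise ValueError(f"target must have exactly hash and device_uid, got {sorted(target)}")
    h, d = str(target["hash"]).lower(), str(target["device_uid"]).lower()
    if not SHA256_RE.match(h):
        raise ValueError("hash is not a 64-hex-digit SHA-256")
    if not UUID_RE.match(d):
        raise ValueError("device_uid is not a UUID")
    return {"hash": h, "device_uid": d}

def build_send_command(action: str, target: dict) -> list:
    """Body for Send a Command: a list with one object, as in the Example Request above."""
    return [{"action": action, "target": validate_target(target)}]

def build_cancel_command(target: dict) -> list:
    """Body for Cancel a Command."""
    return [{"target": validate_target(target)}]

def parse_atp_time(value: str) -> datetime:
    """The page writes timestamps as 2018-03-13t03:06:24.800z; accept lower- or upper-case T/Z."""
    return datetime.fromisoformat(value.upper().replace("Z", "+00:00"))

def build_fetch_events(start_time: str, end_time: str, query: str) -> list:
    """Body for Fetch Events; rejects an end time earlier than the start time."""
    if parse_atp_time(end_time) < parse_atp_time(start_time):
        raise ValueError("end_time precedes start_time")
    return [{"start_time": start_time, "end_time": end_time, "query": query}]

def check_instance_config(config: dict) -> list:
    """Warnings for an app instance; 'TLS verification' defaults to false per the table above."""
    warnings = []
    if not config.get("TLS verification", False):
        warnings.append("TLS verification is off: the Base URL host's certificate is not validated")
    if not str(config.get("Base URL", "")).lower().startswith("https://"):
        warnings.append("Base URL is not https: credentials would be sent in clear text")
    return warnings
```

Run `check_instance_config` against the instance before enabling it; an empty list means the certificate is verified and the credentials travel over HTTPS.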