Symantec ATP

Integration version: 9.0

Configure Symantec ATP to work with Google Security Operations SOAR

To generate an OAuth client:

  1. In Symantec ATP Manager, navigate to Settings, and then Data Sharing.
  2. Click Add Application in the OAuth Clients section.
  3. Please type the name of the application that you intend to register in the App Name field, and then select the API version you will be using (default setting is version 2).
  4. If you select enabling version 2 APIs, a Role option will appear. Select the user role for the app from the drop-down menu.
  5. Click Generate.
  6. The client ID and client secret will appear.
  7. Click Done.

Configure Symantec ATP integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

Add Comment to Incident

Description

Attach a comment to an incident.

  1. For the incident in which you want to make a comment, click on the Comments field.
  2. Type your comment in the New Comment box. Extended ASCII characters do not render properly in .csv format.
  3. Click Add Comments.

Parameters

Parameter Type Default Value Description
Incident UUID String N/A N/A
Comment String N/A N/A

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_added True/False is_added:False
JSON Result
N/A

Add to Blacklist

Description

Create a blacklist policy for an entity. Symantec maintains a worldwide blacklist of external computers and files that is updated regularly and integrated with Symantec Advanced Threat Protection (ATP). You can supplement this list by creating blacklist policies for external computers or the files that you deem untrustworthy. For example, you may want to create a blacklist policy for a file that recently appeared in your cybersecurity intelligence that Symantec has yet to identify as a threat.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

  • Filehash
  • Hostname
  • IP Address
  • URL

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
  N/A

Add to Whitelist

Description

When you whitelist an external computer, ATP considers it trustworthy and does not inspect traffic to or from it from your endpoints (even if it's blacklisted). You can whitelist an external computer based on its IP address, subnet, domain, or URL.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

  • Filehash
  • Hostname
  • IP Address
  • URL

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Close Incident

Description

Change incident status to closed. The outcome of the incident has to be specified in order to close it.

Parameters

Parameter Type Default Value Description
Incident UUID String N/A N/A

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_closed True/False is_closed:False
JSON Result
N/A

Delete File

Description

When a file is selected for deletion in Advanced Threat Protection (ATP), it is not actually deleted, but will be quarantined by the selected endpoint.

Parameters

Parameter Type Default Value Description
Filehash String N/A File hash to delete.

Use cases

N/A

Run On

This action runs on the following entities:

  • Filehash
  • Hostname

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
command_ids N/A N/A
JSON Result
N/A

Delete Whitelist Policy

Description

Delete a whitelist policy for an entity.

Parameters

N/A

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Enrich Filehash

Description

Enrich a file hash entity.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Filehash entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
max_file_health N/A N/A
JSON Result
N/A

Get Events for Entity

Description

Fetch all events for an entity since time.

Parameters

Parameter Type Default Value Description
Minutes Back to Fetch String N/A Fetch the event x minutes back.

Use cases

N/A

Run On

This action runs on the following entities:

  • Hostname
  • IP Address

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
events_amount N/A N/A
JSON Result
N/A

Get Events Free Query

Description

Fetch events by free query.

Parameters

Parameter Type Default Value Description
Query String N/A Free query text.
Limit String N/A Limit of query results.

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
events_amount N/A N/A
JSON Result
N/A

Get Sandbox Commands Status

Description

Get commands status by the ID.

Parameters

Parameter Type Default Value Description
Command IDs String N/A Command ID to fetch the status for.

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Isolate Endpoint

Description

To isolate endpoints from ATP Manager, a quarantine firewall policy and host integrity policy in Symantec Endpoint Protection Manager is required.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

  • Hostname
  • IP Address

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
command_ids N/A N/A
JSON Result
N/A

Ping

Description

Verifies that the user has a connection to Symantec ATP via the user's device.

Parameters

N/A

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Rejoin Endpoints

Description

To rejoin endpoints from ATP Manager, a quarantine firewall policy and host integrity policy in Symantec Endpoint Protection Manager is required.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

  • Hostname
  • IP Address

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
command_ids N/A N/A
JSON Result
N/A

Revoke From Blacklist

Description

Delete a blacklist policy for a given entity.

Parameters

N/A

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Submit Files to Sandbox

Description

Submit file hashes to sandbox.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Filehash entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
command_ids N/A N/A
JSON Result
N/A

Get Incident Comments

Description

Retrieve comments related to the incident.

Parameters

Parameter Display Name Type Default Value Is mandatory Description
Incident UUID String N/A True Specify the UUID of the incident.
Max Comments To Return Integer 20 False

Specify how many comments to return.

Maximum is 1000 comments. This is a Symantec ATP limitation.

Run On

This action doesn't run on entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "next": "MSwyMDIwLTA1LTAzVDEyOjU4OjMwLjc2Mlo=",
    "result": [
        {
            "comment": "TExt",
            "time": "2020-05-03T09:57:10.348Z",
            "user_id": 2,
            "incident_responder_name": "Admin"
        }
    ],
    "total": 3
}

{
    "entity": "{Incident UUID} comments"
    "Entity Results": [
"1": {
            "comment": "TExt",
            "time": "2020-05-03T09:57:10.348Z",
            "user_id": 2,
            "incident_responder_name": "Admin"
        },
"2" : {
 {
            "comment": "TExt",
            "time": "2020-05-03T09:57:10.348Z",
            "user_id": 2,
            "incident_responder_name": "Admin"
        },
"3":
 {
            "comment": "TExt",
            "time": "2020-05-03T09:57:10.348Z",
            "user_id": 2,
            "incident_responder_name": "Admin"
        }

]

           ],
    "total": 3
}

Update Incident Resolution

Description

Update resolution on the incident.

Parameters

Parameter Display Name Type Default Value Is mandatory Description
Incident UUID String N/A True Specify the UUID of the incident.
Resolution Status DDL

INSUFFICIENT DATA

Possible values:

INSUFFICIENT DATA

SECURITY RISK

FALSE POSITIVE

MANAGED EXTERNALLY

NOT SET

BENIGN

TEST

True Specify what resolution status to set on the incident.

Run On

This action doesn't run on entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Delete BlackList Policy

Description

Delete a blacklist policy for a Google Security Operations SOAR entity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Connectors

Symantec ATP - Incidents Connector

Connector Permissions

In order for the connector to work you need the following permissions for your API token:

  • atp_view_incidents

Configure Symantec ATP - Incidents Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is mandatory Description
Product Field Name String Product Name True Enter the source field name in order to retrieve the Product Field name.
Event Field Name String AlertName True Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" False

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* False

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 True Timeout limit for the python process running the current script.
API Root String https://x.x.x.x:port True API root of Symantec ATP server.
Client ID Password N/A True Symantec ATP Client ID
Client Secret Password True Symantec ATP Client Secret
Priority Filter CSV Low, Medium, High True

Priority filter for the incidents.

If you want to ingest all of the incidents specify:
Low,Medium,High.

Fetch Max Hours Backwards Integer 1 False

Amount of hours from where to fetch incidents.

Limit: 30 days. This is a Symantec ATP limitation.

Max Incidents To Fetch Integer 25 False

How many incidents to process per one connector iteration.

Max: 1000.

Use whitelist as a blacklist Boolean Unchecked True If enabled, whitelist will be used as a blacklist.
Use SSL Boolean Checked True Option to enable SSL/TLS connection
Proxy Server Address String False The address of the proxy server to use
Proxy Username String False The proxy username to authenticate with
Proxy Password Password False The proxy password to authenticate with

Connector rules

Proxy support

The connector supports proxy.