Symantec Email Security.cloud

Integration version: 2.0

Configure Symantec Email Security.cloud integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
IOC API Root String https://iocapi.emailsecurity.symantec.com Yes IOC API root of the Symantec Email Security.Cloud instance.
Username String N/A Yes Username of the Symantec Email Security.Cloud instance.
Password Secret N/A Yes Password of the Symantec Email Security.Cloud instance.
Verify SSL Checkbox Unchecked Yes If enabled, verifies that the SSL certificate for the connection to the Symantec Email Security.Cloud server is valid.

Use Cases

Block entities.

Actions

Ping

Description

Test connectivity to the Symantec Email Security.Cloud integration with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
N/A
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Symantec Email Security.Cloud server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the Symantec Email Security.Cloud server! Error is {0}".format(exception.stacktrace)"

General

Block Entities

Description

Block entities in Symantec Email Security.Cloud. Supported entities: Hostname, IP Address, URL, Filehash, Email Subject, Email Address (user entity that matches email regex).

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Remediation Action DDL

Block and Delete

Possible values:

  • Block and Delete
  • Quarantine
  • Redirect
  • Tag Subject
  • Append Header
No Specify the remediation action for the entities.
Description String Blocked by PRODUCT_NAME Yes Specify a description that should be added to the blocked entities.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • URL
  • Filehash
  • Email Subject
  • Email Address (user entity that matches email regex)

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
        "status": "Failure",
        "reason": "Invalid MD5 value"
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success=true): "Successfully blocked the following entities in Symantec Email Security.Cloud: {entity.identifier}."

If data is not available for one entity (is_success=true): "Action wasn't able to block the following entities in Symantec Email Security.Cloud: {entity.identifier}."

If data is not available for all entities (is_success=false): "None of the provided entities were blocked."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Block Entities". Reason: {0}''.format(error.Stacktrace)"

General