
Symantec Advanced Threat Protection

This integration is part of the Symantec Advanced Threat Protection Pack.

Advanced protection capabilities from Symantec

Configure Symantec Advanced Threat Protection on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Symantec Advanced Threat Protection.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL (i.e. https://host:port) | | True |
    | Client ID as generated in the ATP console | | True |
    | Password | | True |
    | Trust any certificate (not secure) | Trust any certificate (not secure). | False |
    | Use system proxy settings | Use system proxy settings. | False |
    | Incident data source | | False |
    | Maximum number of events per fetch. | | False |
    | Fetch incidents | | False |
    | Incident type | | False |
    | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days). Maximum is 30 days. | | False |
    | Query string for fetch incidents. For example - "updated>='2020-06-06T15:39:55.616Z' and updated<'2020-08-07T00:00:00.000Z'" | | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

satp-appliances

Retrieve the configured appliances and their versions.

Base Command

satp-appliances

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ATPAppliance.appliance_id | unknown | ID of the ATP appliance |
| ATPAppliance.appliance_name | unknown | Name of the ATP appliance |
| ATPAppliance.software_version | unknown | Version of the ATP appliance |
| ATPAppliance.appliance_time | unknown | Current time on the appliance in UTC |
| ATPAppliance.role | unknown | The roles of the appliance |

Command Example

!satp-appliances

Human Readable Output

| appliance_id | appliance_name | appliance_time | software_version | role |
| --- | --- | --- | --- | --- |
| 56123234-132F-123344-C8EF-1234 | test-atd | 2021-11-11T05:52:20.063Z | 3.0.0-123 | endpoint, network scanner, management |

satp-command

Issue commands to endpoints managed by Symantec Endpoint Protection.

Base Command

satp-command

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| action | The action to perform on the endpoints. Possible values are: isolate_endpoint, rejoin_endpoint, delete_endpoint_file. | Required |
| targets | For isolate and rejoin, a list of endpoint IDs (array or comma-separated). For delete, an array of objects, each with hash and device_uid attributes (comma-delimited hash:uid,hash:uid is also supported). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ATPCommand.ID | unknown | The ID of the executing command |
| ATPCommand.Action | unknown | The requested action for the command |

Command Example

!satp-command action=isolate_endpoint targets="123e4567-e89b-12d3-a456-426614174000"

Human Readable Output

| ID | Action |
| --- | --- |
| 56123234-132F-123344-C8EF-1234 | isolate_endpoint |
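
The following is an added example, not part of the integration's own code: a pre-flight check a playbook author could run on the `targets` argument before issuing a containment action, covering both documented forms (endpoint ID lists, and `hash:uid` pairs or objects for delete). The function names are hypothetical, and the hash check assumes hex MD5 or SHA256 values.

```python
import re

# Actions and target shapes come from the satp-command argument table.
ENDPOINT_ACTIONS = {"isolate_endpoint", "rejoin_endpoint"}
FILE_ACTIONS = {"delete_endpoint_file"}

# Assumption: file hashes are hex MD5 (32 chars) or SHA256 (64 chars).
HASH_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{64}")


def _endpoint_id(item):
    """Return a trimmed endpoint ID or raise if it is empty or not a string."""
    if not isinstance(item, str) or not item.strip():
        raise ValueError(f"endpoint id must be a non-empty string: {item!r}")
    return item.strip()


def _file_target(item):
    """Accept {'hash': ..., 'device_uid': ...} or the 'hash:uid' string form."""
    if isinstance(item, dict):
        file_hash, device_uid = item.get("hash"), item.get("device_uid")
    elif isinstance(item, str):
        # The hash never contains ':', so split on the first one only.
        file_hash, _, device_uid = item.strip().partition(":")
    else:
        raise ValueError(f"unsupported target type: {type(item).__name__}")
    if not isinstance(file_hash, str) or not HASH_RE.fullmatch(file_hash.strip()):
        raise ValueError(f"not an MD5/SHA256 hex digest: {file_hash!r}")
    if not isinstance(device_uid, str) or not device_uid.strip():
        raise ValueError(f"missing device_uid for hash {file_hash!r}")
    return {"hash": file_hash.strip(), "device_uid": device_uid.strip()}


def build_targets(action, targets):
    """Normalize `targets` for satp-command; raise ValueError on bad input."""
    if action not in ENDPOINT_ACTIONS | FILE_ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    if isinstance(targets, str):
        raw = targets.split(",")
    elif isinstance(targets, dict):
        raw = [targets]
    else:
        raw = list(targets)
    if not raw:
        raise ValueError("targets must not be empty")

    seen, normalized = set(), []
    for item in raw:
        if action in ENDPOINT_ACTIONS:
            parsed = _endpoint_id(item)
            key = parsed
        else:
            parsed = _file_target(item)
            key = (parsed["hash"].lower(), parsed["device_uid"])
        if key not in seen:  # drop duplicates so one endpoint is not acted on twice
            seen.add(key)
            normalized.append(parsed)
    return normalized


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    uid = "123e4567-e89b-12d3-a456-426614174000"
    md5 = "d41d8cd98f00b204e9800998ecf8427e"
    print(build_targets("isolate_endpoint", f"{uid}, {uid}"))
    print(build_targets("delete_endpoint_file", f"{md5}:{uid}"))
```
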

satp-command-state

Retrieve the command state.

Base Command

satp-command-state

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| command | The command ID to retrieve state for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ATPCommand.ID | unknown | The ID of the executing command |
| ATPCommand.Action | unknown | The requested action for the command |
| ATPCommand.Status.target | unknown | The target for the state |
| ATPCommand.Status.state | unknown | The state of the command |
| ATPCommand.Status.error_code | unknown | Error code for the target |
| ATPCommand.Status.message | unknown | Message for the target |

Command Example

!satp-command-state command="command_id"

Human Readable Output

Symantec ATP Command ID: command_id

| ID | Action |
| --- | --- |
| command_id | command_name |

satp-command-cancel

Cancel the given command.

Base Command

satp-command-cancel

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| command | The command ID to cancel. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ATPCommand.ID | unknown | The ID of the executing command |
| ATPCommand.ErrorCode | unknown | Error code for cancelling - 0 if successful |
| ATPCommand.Message | unknown | Message for the cancellation |

Command Example

!satp-command-cancel command=command_id

Symantec ATP Command Cancel

Symantec ATP Command ID: command_id

| ID | Action | ErrorCode | Message |
| --- | --- | --- | --- |
| command_id | command_name | 0 | Message for the cancellation |

satp-events

Accepts search requests over a specified time range and returns events that match the search condition. You must specify the time range using the start_time parameter and the end_time parameter (the maximum time range is 7 days). The time in the result schema is typically the event creation time. This API supports search conditions (such as logical operators and special characters) to narrow the events to be retrieved. See examples at https://help.symantec.com/api-doc/atp_2.2/EN_US/#_events_query_api_example.

Base Command

satp-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Specifies a search condition. See full details at https://help.symantec.com/api-doc/atp_2.2/EN_US/#_eventqueryrequest. | Optional |
| start_time | ISO8601 date format - 2017-01-01T00:00:00.000Z. Also accepts milliseconds since epoch. | Optional |
| end_time | ISO8601 date format - 2017-01-01T00:00:00.000Z. Also accepts milliseconds since epoch. | Optional |
| limit | Maximum number of events to return. Default is 100 and max is 1000. | Optional |
| next | Used for events cursoring. Retrieve the next batch of events. | Optional |
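
The following is an added example, not part of the integration's own code: it splits an investigation period longer than the 7-day maximum into consecutive satp-events windows, accepts both documented time formats, and follows the `next` cursor within each window. `run_command` is a hypothetical callable that executes the command and returns the ATPEvents context (`Total`, `Next`, `Result`); sending the original arguments together with `next` is an assumption.

```python
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(days=7)  # maximum satp-events time range per the description
MAX_LIMIT = 1000                # maximum `limit` per the argument table


def parse_time(value):
    """Parse ISO 8601 (2017-01-01T00:00:00.000Z) or milliseconds since epoch."""
    text = str(value).strip()
    if text.isdigit():
        return datetime.fromtimestamp(int(text) / 1000, tz=timezone.utc)
    parsed = datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def format_time(dt):
    """Render a UTC datetime in the millisecond ISO 8601 form the arguments use."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def event_windows(start, end, limit=100):
    """Yield satp-events argument dicts, each covering at most seven days."""
    lo, hi = parse_time(start), parse_time(end)
    if hi <= lo:
        raise ValueError("end_time must be later than start_time")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    while lo < hi:
        step = min(lo + MAX_WINDOW, hi)
        yield {"start_time": format_time(lo), "end_time": format_time(step),
               "limit": limit}
        lo = step


def fetch_all(run_command, start, end, query=None, limit=100):
    """Collect events across all windows and cursor pages, de-duplicated by uuid."""
    events, seen_ids = [], set()
    for window in event_windows(start, end, limit):
        args = dict(window, query=query) if query else dict(window)
        seen_cursors = set()
        while True:
            page = run_command("satp-events", args) or {}
            for event in page.get("Result") or []:
                uid = event.get("uuid")
                # Adjacent windows share a boundary timestamp, so an event on
                # the boundary can be returned twice; keep the first copy only.
                if uid is not None:
                    if uid in seen_ids:
                        continue
                    seen_ids.add(uid)
                events.append(event)
            cursor = page.get("Next")
            # Stop on the last page, or if the same cursor comes back again.
            if not cursor or cursor in seen_cursors:
                break
            seen_cursors.add(cursor)
            args = dict(args, next=cursor)
    return events


if __name__ == "__main__":
    # Constructed range: 19 days, given once as ISO 8601 and once as epoch ms.
    for w in event_windows("2021-11-01T00:00:00.000Z", 1637366400000):
        print(w)
```
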

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ATPEvents.Total | unknown | Total number of results |
| ATPEvents.Next | unknown | Next batch ID |
| ATPEvents.Result.type_id | unknown | The unique identifier for an event type. |
| ATPEvents.Result.uuid | unknown | The unique id for this event |
| ATPEvents.Result.message | unknown | Human-readable event message or description of the event |
| ATPEvents.Result.severity_id | unknown | Severity between 1 (info) and 6 (fatal). |
| ATPEvents.Result.device_time | unknown | The timestamp (in ISO 8601 format) that specifies the time at which the event occurred. |
| ATPEvents.Result.device_uid | unknown | Unique ID of the device that originated the event. |
| ATPEvents.Result.device_name | unknown | The device name (i.e., the name of the endpoint or appliance associated with an event). |
| ATPEvents.Result.device_ip | unknown | The IPv6 or IPv4 address of the device that originated the event. |
| ATPEvents.Result.device_type | unknown | The type of the device that originated the event. |
| ATPEvents.Result.device_os_name | unknown | The operating system running on the device_type that originated the event. |
| ATPEvents.Result.device_os_ver | unknown | The version of the operating system that is running on the device_type that originated the event. |
| ATPEvents.Result.user_uid | unknown | Unique ID of the user that originated the event or the user on whose behalf the event occurred. |
| ATPEvents.Result.user_name | unknown | The user name or ID that originated or caused the event. |
| ATPEvents.Result.action_id | unknown | Action taken with respect to the underlying cause of the event. Possible values are: 0 = BLOCK, 1 = MONITOR |
| ATPEvents.Result.internal_hostname | unknown | The host name of the internal device/machine for the connection |
| ATPEvents.Result.scanner_name | unknown | The name of the ATP scanner that generated this event |
| ATPEvents.Result.internal_ip | unknown | The IP address of the internal device/machine for the connection |
| ATPEvents.Result.internal_port | unknown | The port number identified as the source port in traffic sent to the target device |
| ATPEvents.Result.external_ip | unknown | The IP address of the device/machine that accepted the connection |
| ATPEvents.Result.external_port | unknown | The port number identified as the target port in traffic sent to the target device |
| ATPEvents.Result.data_source_url | unknown | The URL that the traffic came from |
| ATPEvents.Result.data_source_url_domain | unknown | The domain from which the file was downloaded. The domain is extracted from the URL for the query performance. |
| ATPEvents.Result.data_source_url_referer | unknown | The referer URL used in the download |
| ATPEvents.Result.sep_installed | unknown | Indicates whether SEP was installed when the event was generated |
| ATPEvents.Result.data_direction | unknown | The direction of the data source. Possible values are: 1 = Inbound (traffic flow from WAN to LAN), 2 = Outbound (traffic flow from LAN to WAN). |
| ATPEvents.Result.network_scanner_type | unknown | The type of network scanner that detected the event. Possible values are: 0 = ATP-N Scanner (default), 1 = WSS .cloud Scanner |
| ATPEvents.Result.vlan_id | unknown | Indicates the VLAN ID (between 0 and 4095) on which the endpoint is deployed. If the value is 0 or missing, the endpoint is deployed in a non-VLAN setup |
| ATPEvents.Result.device_end_time | unknown | The end time of an event (in format yyyy-MM-dd'T'HH:mm:ss.SSSZ). This is used with the aggregation count field. |
| ATPEvents.Result.host_name | unknown | The host name of the client computer |
| ATPEvents.Result.domain_name | unknown | The domain name of the client computer |
| ATPEvents.Result.data_source_ip | unknown | The source IP address that the file came from (either IPv4 or IPv6). |
| ATPEvents.Result.target_ip | unknown | The local (victim) IP address (IPv4 or IPv6) |
| ATPEvents.Result.target_port | unknown | The local (victim) port number |
| ATPEvents.Result.source_ip | unknown | The remote IP address (IPv4 or IPv6). |
| ATPEvents.Result.source_port | unknown | The remote port number |
| ATPEvents.Result.parent_file_sha2 | unknown | The SHA256 of the parent file |
| ATPEvents.Result.reason | unknown | This field is overloaded and has the following possible interpretations (depending on the corresponding type_id). For type_id 4118, it specifies the Blacklist hash function that was used to identify the file. Possible values are: 0 = BY_FILE_BLACKLIST_SHA2, 1 = BY_FILE_BLACKLIST_MD5. For type_id 4112, it specifies the Blacklist criteria that identify the traffic. Possible values are: 0 = BY_SOURCE_IP, 1 = BY_DEST_IP, 2 = BY_DEST_URL |
| ATPEvents.Result.manual_submit | unknown | Indicates whether the file was manually submitted for analysis |
| ATPEvents.Result.signature_id | unknown | The NDC signature ID. |
| ATPEvents.Result.signature_name | unknown | The name of the signature |
| ATPEvents.Result.categories | unknown | A list of categories an intrusion event may belong to |
| ATPEvents.Result.intrusion_url | unknown | The URL from where a malicious script was loaded |
| ATPEvents.Result.infected | unknown | Indicates whether the customer machine is infected |
| ATPEvents.Result.count | unknown | Event aggregation count |
| ATPEvents.Result.severity | unknown | The seriousness of the event. 0 indicates most serious. |
| ATPEvents.Result.local_host_mac | unknown | The MAC address of the local computer |
| ATPEvents.Result.remote_host_mac | unknown | The MAC address of the remote computer |
| ATPEvents.Result.app_name | unknown | The full path of the application involved |
| ATPEvents.Result.event_desc | unknown | A description of the event. Usually, the first line of the description is treated as summary |
| ATPEvents.Result.network_protocol | unknown | Network protocol as reported by SEP. Possible values are: 1 = Other, 2 = TCP, 3 = UDP, 4 = ICMP |
| ATPEvents.Result.source | unknown | This field is overloaded and has possible interpretations (depending on the corresponding type_id). |
| ATPEvents.Result.no_of_viruses | unknown | The number of events for the aggregated event record. This number can be due to client-side aggregation, server-side compression, or both |
| ATPEvents.Result.actual_action_idx | unknown | This is the ID of action taken on the risk |
| ATPEvents.Result.actual_action | unknown | This is the string version of the action taken on the risk (in actual_action_idx). |
| ATPEvents.Result.virus_name | unknown | Name of the virus |
| ATPEvents.Result.virus_def | unknown | The virus definition version number |
| ATPEvents.Result.agent_version | unknown | The version of the client software |
| ATPEvents.Result.MessageId | unknown | The unique ID of the email message |
| ATPEvents.Result.OrigMessageHeaderId | unknown | The message header ID |
| ATPEvents.Result.EmailReceivedDate | unknown | The time when the mail transfer agent received the email. The format is: yyyy-MM-dd'T'HH:mm:ss.SSSZ |
| ATPEvents.Result.EmailSubject | unknown | Email subject |
| ATPEvents.Result.EmailAction | unknown | The action executed on the email. Possible values are: blocked, delivered, released |
| ATPEvents.Result.Direction | unknown | Indication direction of the email. Possible values are: 0 = Outbound, 1 = Inbound |
| ATPEvents.Result.incident | unknown | The unique ID of the incident that is related to this event |
| ATPEvents.Result.event_id | unknown | The event ID as reported by Symantec Endpoint Protection security log |
| ATPEvents.Result.file | unknown | The file object |
| ATPEvents.Result.threat | unknown | The threat object |
| ATPEvents.Result.av | unknown | The AV object |
| ATPEvents.Result.cynic | unknown | Cynic object |
| ATPEvents.Result.scan | unknown | Scan object |
| ATPEvents.Result.bash | unknown | Bash object |
| ATPEvents.Result.Sender | unknown | Email sender object |
| ATPEvents.Result.Receivers | unknown | Email receivers array of objects |
| ATPEvents.Result.intrusion | unknown | Intrusion object |

Command Example

!satp-events

Human Readable Output

satp-files

Retrieve details about a file based on the given hash.

Base Command

satp-files

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Hash of the file. Supports either SHA256 or MD5. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | unknown | File MD5 |
| File.SHA256 | unknown | File SHA256 |
| File.Instances.name | unknown | Name of file |
| File.Instances.path | unknown | Path of file |
| File.Type | unknown | MIME type of the file |
| File.Size | unknown | Size of file in bytes |
| File.SignatureCompany | unknown | The company that signed the file |
| File.SignatureIssuer | unknown | The signature issuer |
| File.Age | unknown | A code between 1 and 4 representing the file’s global age defined by the time the file was first reported to Symantec. This data is collected from telemetry sent to Symantec by in-field endpoint clients like Symantec Endpoint Protection and Norton. Possible values are: 1 = Years ago, 2 = Months ago, 3 = Weeks ago, 4 = Days ago |
| File.Threat | unknown | Name of the threat if the file is determined to be a malware |
| File.Cynic | unknown | A code between 0 and 2 representing the verdict given by Symantec’s Cynic sandbox analysis. Possible values are: 0 = Malware, 1 = Good, 2 = Unknown |
| File.TargetedAttack | unknown | A flag that indicates whether this file is a part of targeted attack launched against an organization |
| File.ReputationBand | unknown | A code between 1 and 6 representing the file’s reputation. This data is generated by Symantec’s analysis engines based on the telemetry sent to Symantec by in-field endpoint clients like Symantec Endpoint Protection and Norton. Possible values are: 1 = Symantec-trusted, 2 = Good, 3 = Trending Good, 4 = Unproven, 5 = Poor, 6 = Untrusted |
| File.PrevalenceBand | unknown | A code between 1 and 8 representing the file’s prevalence. This data is collected from telemetry sent to Symantec by in-field endpoint clients like Symantec Endpoint Protection and Norton. Possible values are: 1 = Fewer than 5 users, 2 = Fewer than 50 users, 3 = Fewer than 100 users, 4 = Hundreds of users, 5 = Thousands of users, 6 = Tens of thousands of users, 7 = Hundreds of thousands of users, 8 = Millions of users |
| File.Health | unknown | A code between 0 and 3 representing the file’s health. Possible values are: 0 = Good, 1 = Neutral, 2 = Suspicious, 3 = Bad, 4 = Analyzing |

Command Example

!satp-events

Human Readable Output

Symantec ATP Events

data_directiondata_source_ipdata_source_urldata_source_url_domaindevice_ipdevice_namedevice_timedevice_uidexternal_ipfilelog_namelog_timesep_installedtype_iduuid
inbound62.324.344.170path_to_sourcetest.1231234.1234.1234.12341234.1234.1234.12342021-11-10T23:42:15.779Z712da396-2dc6-44a9-bb8f-e12341241234.1234.1234.1234{"sha2":"b75aa777","md5":"4c2e3","name":"AM_Delta.exe","folder":"CSIDL_WINDOWS\","size":2413000,"signature_company_name":"test","signature_issuer":"test","signature_serial_number":"1234","reputation_band":1344,"prevalence_band":04354}test2021-11-10T23:42:16.706Ztrue4096345345-427f-11ec-345345-4t4554

satp-incident-events

Get events that are related to incidents.

Base Command

satp-incident-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Specifies a search condition. | Optional |
| start_time | ISO8601 date format - 2017-01-01T00:00:00.000Z. Also accepts milliseconds since epoch. | Optional |
| end_time | ISO8601 date format - 2017-01-01T00:00:00.000Z. Also accepts milliseconds since epoch. | Optional |
| limit | Maximum number of events to return. Default is 20 and max is 1000. | Optional |
| next | Used for events cursoring. Retrieve the next batch of events. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ATPIncidentEvents.Total | unknown | Total number of results |
| ATPIncidentEvents.Next | unknown | Next batch ID |
| ATPIncidentEvents.Result.type_id | unknown | The unique identifier for an event type. |
| ATPIncidentEvents.Result.uuid | unknown | The unique id for this event |
| ATPIncidentEvents.Result.message | unknown | Human-readable event message or description of the event |
| ATPIncidentEvents.Result.severity_id | unknown | Severity between 1 (info) and 6 (fatal). |
| ATPIncidentEvents.Result.device_time | unknown | The timestamp (in ISO 8601 format) that specifies the time at which the event occurred. |
| ATPIncidentEvents.Result.device_uid | unknown | Unique ID of the device that originated the event. |
| ATPIncidentEvents.Result.device_name | unknown | The device name (i.e., the name of the endpoint or appliance associated with an event). |
| ATPIncidentEvents.Result.device_ip | unknown | The IPv6 or IPv4 address of the device that originated the event. |
| ATPIncidentEvents.Result.device_type | unknown | The type of the device that originated the event. |
| ATPIncidentEvents.Result.device_os_name | unknown | The operating system running on the device_type that originated the event. |
| ATPIncidentEvents.Result.device_os_ver | unknown | The version of the operating system that is running on the device_type that originated the event. |
| ATPIncidentEvents.Result.user_uid | unknown | Unique ID of the user that originated the event or the user on whose behalf the event occurred. |
| ATPIncidentEvents.Result.user_name | unknown | The user name or ID that originated or caused the event. |
| ATPIncidentEvents.Result.action_id | unknown | Action taken with respect to the underlying cause of the event. Possible values are: 0 = BLOCK, 1 = MONITOR |
| ATPIncidentEvents.Result.internal_hostname | unknown | The host name of the internal device/machine for the connection |
| ATPIncidentEvents.Result.scanner_name | unknown | The name of the ATP scanner that generated this event |
| ATPIncidentEvents.Result.internal_ip | unknown | The IP address of the internal device/machine for the connection |
| ATPIncidentEvents.Result.internal_port | unknown | The port number identified as the source port in traffic sent to the target device |
| ATPIncidentEvents.Result.external_ip | unknown | The IP address of the device/machine that accepted the connection |
| ATPIncidentEvents.Result.external_port | unknown | The port number identified as the target port in traffic sent to the target device |
| ATPIncidentEvents.Result.data_source_url | unknown | The URL that the traffic came from |
| ATPIncidentEvents.Result.data_source_url_domain | unknown | The domain from which the file was downloaded. The domain is extracted from the URL for the query performance. |
| ATPIncidentEvents.Result.data_source_url_referer | unknown | The referer URL used in the download |
| ATPIncidentEvents.Result.sep_installed | unknown | Indicates whether SEP was installed when the event was generated |
| ATPIncidentEvents.Result.data_direction | unknown | The direction of the data source. Possible values are: 1 = Inbound (traffic flow from WAN to LAN), 2 = Outbound (traffic flow from LAN to WAN). |
| ATPIncidentEvents.Result.network_scanner_type | unknown | The type of network scanner that detected the event. Possible values are: 0 = ATP-N Scanner (default), 1 = WSS .cloud Scanner |
| ATPIncidentEvents.Result.vlan_id | unknown | Indicates the VLAN ID (between 0 and 4095) on which the endpoint is deployed. If the value is 0 or missing, the endpoint is deployed in a non-VLAN setup |
| ATPIncidentEvents.Result.device_end_time | unknown | The end time of an event (in format yyyy-MM-dd'T'HH:mm:ss.SSSZ). This is used with the aggregation count field. |
| ATPIncidentEvents.Result.host_name | unknown | The host name of the client computer |
| ATPIncidentEvents.Result.domain_name | unknown | The domain name of the client computer |
| ATPIncidentEvents.Result.data_source_ip | unknown | The source IP address that the file came from (either IPv4 or IPv6). |
| ATPIncidentEvents.Result.target_ip | unknown | The local (victim) IP address (IPv4 or IPv6) |
| ATPIncidentEvents.Result.target_port | unknown | The local (victim) port number |
| ATPIncidentEvents.Result.source_ip | unknown | The remote IP address (IPv4 or IPv6). |
| ATPIncidentEvents.Result.source_port | unknown | The remote port number |
| ATPIncidentEvents.Result.parent_file_sha2 | unknown | The SHA256 of the parent file |
| ATPIncidentEvents.Result.reason | unknown | This field is overloaded and has the following possible interpretations (depending on the corresponding type_id). For type_id 4118, it specifies the Blacklist hash function that was used to identify the file. Possible values are: 0 = BY_FILE_BLACKLIST_SHA2, 1 = BY_FILE_BLACKLIST_MD5. For type_id 4112, it specifies the Blacklist criteria that identify the traffic. Possible values are: 0 = BY_SOURCE_IP, 1 = BY_DEST_IP, 2 = BY_DEST_URL |
| ATPIncidentEvents.Result.manual_submit | unknown | Indicates whether the file was manually submitted for analysis |
| ATPIncidentEvents.Result.signature_id | unknown | The NDC signature ID. |
| ATPIncidentEvents.Result.signature_name | unknown | The name of the signature |
| ATPIncidentEvents.Result.categories | unknown | A list of categories an intrusion event may belong to |
| ATPIncidentEvents.Result.intrusion_url | unknown | The URL from where a malicious script was loaded |
| ATPIncidentEvents.Result.infected | unknown | Indicates whether the customer machine is infected |
| ATPIncidentEvents.Result.count | unknown | Event aggregation count |
| ATPIncidentEvents.Result.severity | unknown | The seriousness of the event. 0 indicates most serious. |
| ATPIncidentEvents.Result.local_host_mac | unknown | The MAC address of the local computer |
| ATPIncidentEvents.Result.remote_host_mac | unknown | The MAC address of the remote computer |
| ATPIncidentEvents.Result.app_name | unknown | The full path of the application involved |
| ATPIncidentEvents.Result.event_desc | unknown | A description of the event. Usually, the first line of the description is treated as summary |
| ATPIncidentEvents.Result.network_protocol | unknown | Network protocol as reported by SEP. Possible values are: 1 = Other, 2 = TCP, 3 = UDP, 4 = ICMP |
| ATPIncidentEvents.Result.source | unknown | This field is overloaded and has possible interpretations (depending on the corresponding type_id). |
| ATPIncidentEvents.Result.no_of_viruses | unknown | The number of events for the aggregated event record. This number can be due to client-side aggregation, server-side compression, or both |
| ATPIncidentEvents.Result.actual_action_idx | unknown | This is the ID of action taken on the risk |
| ATPIncidentEvents.Result.actual_action | unknown | This is the string version of the action taken on the risk (in actual_action_idx). |
| ATPIncidentEvents.Result.virus_name | unknown | Name of the virus |
| ATPIncidentEvents.Result.virus_def | unknown | The virus definition version number |
| ATPIncidentEvents.Result.agent_version | unknown | The version of the client software |
| ATPIncidentEvents.Result.MessageId | unknown | The unique ID of the email message |
| ATPIncidentEvents.Result.OrigMessageHeaderId | unknown | The message header ID |
| ATPIncidentEvents.Result.EmailReceivedDate | unknown | The time when the mail transfer agent received the email. The format is: yyyy-MM-dd'T'HH:mm:ss.SSSZ |
| ATPIncidentEvents.Result.EmailSubject | unknown | Email subject |
| ATPIncidentEvents.Result.EmailAction | unknown | The action executed on the email. Possible values are: blocked, delivered, released |
| ATPIncidentEvents.Result.Direction | unknown | Indication direction of the email. Possible values are: 0 = Outbound, 1 = Inbound |
| ATPIncidentEvents.Result.incident | unknown | The unique ID of the incident that is related to this event |
| ATPIncidentEvents.Result.event_id | unknown | The event ID as reported by Symantec Endpoint Protection security log |
| ATPIncidentEvents.Result.file | unknown | The file object |
| ATPIncidentEvents.Result.threat | unknown | The threat object |
| ATPIncidentEvents.Result.av | unknown | The AV object |
| ATPIncidentEvents.Result.cynic | unknown | Cynic object |
| ATPIncidentEvents.Result.scan | unknown | Scan object |
| ATPIncidentEvents.Result.bash | unknown | Bash object |
| ATPIncidentEvents.Result.Sender | unknown | Email sender object |
| ATPIncidentEvents.Result.Receivers | unknown | Email receivers array of objects |
| ATPIncidentEvents.Result.intrusion | unknown | Intrusion object |

Command Example

!satp-incident-events

satp-incidents

Query incidents from ATP.

Base Command

satp-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Specifies a search condition. | Optional |
| start_time | ISO8601 date format - 2017-01-01T00:00:00.000Z. Also accepts milliseconds since epoch. | Optional |
| end_time | ISO8601 date format - 2017-01-01T00:00:00.000Z. Also accepts milliseconds since epoch. | Optional |
| limit | Maximum number of events to return. Default is 20 and max is 1000. | Optional |
| next | Used for events cursoring. Retrieve the next batch of events. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ATPIncidents.Result.atp_incident_id | unknown | A unique identifier for this incident |
| ATPIncidents.Result.priority_level | unknown | Priority level of the incident. 1 = LOW, 2 = MED, 3 = HIGH |
| ATPIncidents.Result.state | unknown | The state of the incident. 1 = OPEN, 2 = WAITING, 3 = IN_WORK, 4 = CLOSED |
| ATPIncidents.Result.recommended_action | unknown | Recommended action for this incident |
| ATPIncidents.Result.first_event_seen | unknown | When the first event associated with the incident was created |
| ATPIncidents.Result.last_event_seen | unknown | When the last event associated with the incident was created |
| ATPIncidents.Result.event_count | unknown | The number of events associated with the incident |
| ATPIncidents.Result.device_time | unknown | The timestamp that specifies the time at which the event occurred |
| ATPIncidents.Result.deviceUid | unknown | A list of ATP endpoint devices UID on which the events occurred |
| ATPIncidents.Result.scanners | unknown | A list of ATP scanners that discovered the threat |
| ATPIncidents.Result.filehash | unknown | A list of SHA256 hashes associated with this incident |
| ATPIncidents.Result.domainid | unknown | A list of domains associated with this incident |
| ATPIncidents.Result.summary | unknown | Summary information about the incident |
| ATPIncidents.Result.time | unknown | The creation time (in ISO 8601 format) of the incident |
| ATPIncidents.Result.updated | unknown | The time (in ISO 8601 format) of last modification |
| ATPIncidents.Result.log_name | unknown | The index/type of the originating event |
| ATPIncidents.Result.uuid | unknown | The GUID assigned for this incident |

Command Example

!satp-incidents