Symantec Endpoint Protection v2
Use the Symantec Endpoint Protection integration to manage your organization’s endpoints.
Use Cases
- Scan/Quarantine/content-update an endpoint.
- Assign policy to an endpoint.
- Move client to different group.
Unsupported use cases in the API:
- Get scan results
- Get reports/logs
- Receive system alerts
Required Permissions
The following role is required to use the Symantec Endpoint Protection API:
- sysadmin
Configure Symantec Endpoint Protection V2 on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for Symantec Endpoint Protection V2.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Click Test to validate the new instance.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get endpoint information: sep-endpoints-info
- Get group information: sep-groups-info
- Get system information: sep-system-info
- Get the status of a comment: sep-command-status
- Get a client's content: sep-client-content
- Get a list of all policies: sep-list-policies
- Assign a policy: sep-assign-policy
- Get a list of location IDs for a group: sep-list-locations
- Quarantine an endpoint: sep-endpoint-quarantine
- Scan an endpoint: sep-scan-endpoint
- Update an endpoint's content: sep-update-endpoint-content
- Move a client to a group: sep-move-client-to-group
- Get endpoints for a running version: sep-identify-old-clients
1. Get endpoint information
Returns information about endpoints.
Base Command
sep-endpoints-info
Input
| Argument Name | Description | Required |
|---|---|---|
| columns | A CSV list of the displayed columns. | Optional |
| computerName | Filters by the host name of the computer. A wild card search can be done using '*' at the end of the query. | Optional |
| lastUpdate | Indicates when a computer's status was last updated. The default is "0", which returns all results. | Optional |
| os | The operating system by which to filter. | Optional |
| pageSize | The number of results to include on each page. The default is 20. | Optional |
| groupName | The name of the group to which the endpoint belongs. A wild card search can be done using '*' at the end of the query. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SEPM.Endpoint.Hostname | String | The hostname of the endpoint. |
| SEPM.Endpoint.Domain | String | The domain of the endpoint. |
| SEPM.Endpoint.IPAddresses | String | The IP addresses of the endpoint. |
| SEPM.Endpoint.OS | String | The OS information of the endpoint. |
| SEPM.Endpoint.Description | String | The description of the endpoint. |
| SEPM.Endpoint.MACAddresses | String | The MAC address of the endpoint. |
| SEPM.Endpoint.BIOSVersion | String | The BIOS version of the endpoint. |
| SEPM.Endpoint.DHCPServer | String | The DHCP server address of the endpoint. |
| SEPM.Endpoint.HardwareKey | String | The hardware key of the client to be moved. |
| SEPM.Endpoint.LastScanTime | String | The last scan time of the endpoint. |
| SEPM.Endpoint.RunningVersion | String | The running version of the endpoint. |
| SEPM.Endpoint.TargetVersion | String | The target version of the endpoint. |
| IP.Address | String | The IP address of the endpoint. |
| IP.Host | String | The IP host of the endpoint. |
| Endpoint.Hostname | Unknown | The hostname of the endpoint. |
| Endpoint.MACAddress | Unknown | The MAC address of the endpoint. |
| Endpoint.Domain | Unknown | The domain of the endpoint. |
| Endpoint.IPAddress | Unknown | The IP address of the endpoint. |
| Endpoint.DHCPServer | Unknown | The DHCP server of the endpoint. |
| Endpoint.OS | String | The OS of the endpoint. |
| Endpoint.OSVersion | String | The OS version of the endpoint. |
| Endpoint.BIOSVersion | String | The BIOS version of the endpoint. |
| Endpoint.Memory | String | The memory of the endpoint. |
| Endpoint.Processors | String | The processors that the endpoint uses. |
| IP.Hostname | String | The hostname that is mapped to this IP address. |
| SEPM.Endpoint.Group | String | The group of the endpoint. |
| SEPM.Endpoint.PatternIdx | String | The PatternIdx of the endpoint. |
| SEPM.Endpoint.OnlineStatus | String | The online status of the endpoint. |
| SEPM.Endpoint.UpdateTime | String | The update time of the endpoint. |
Command Example
!sep-endpoints-info
Human Readable Output
2. Get group information
Returns information about groups.
Base Command
sep-groups-info
Input
| Argument Name | Description | Required |
|---|---|---|
| columns | The column by which the results are sorted. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SEPM.Groups | Unknown | The list of groups. |
| SEPM.Groups.created | number | The time of creation time (in Epoch). |
| SEPM.Groups.fullPathName | string | The name of the group. |
| SEPM.Groups.id | string | The ID of the group. |
| SEPM.Groups.numberOfPhysicalComputers | number | The number of physical computers in the group. |
| SEPM.Groups.numberOfRegisteredUsers | number | The number of registered users in the group. |
| SEPM.Groups.policyDate | number | The date of the policy (in Epoch). |
| SEPM.Groups.policySerialNumber | number | The serial number of the policy. |
Command Example
!sep-groups-info
Human Readable Output
3. Get system information
Returns information about the system, such as version or AV definition.
Base Command
sep-system-info
Context Output
| Path | Type | Description |
|---|---|---|
| SEPM.ServerAVDefVersion | string |
The version or anti-virus definition of the server
.
|
Command Example
!sep-system-info
Human Readable Output
4. Get the status of a command
Retrieves the status of a command.
Base Command
sep-command-status
Input
| Argument Name | Description | Required |
|---|---|---|
| commandId | The ID of the command. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SEPM.LastCommand.CommandDetails | string | The details of the command. |
| SEPM.LastCommand.CommandId | string | The ID of the command. |
Command Example
!sep-command-status commandId=04A68CA5952B4726AAFEB421E0EB436C
Human Readable Output
5. Get a client's content
Retrieves the content of the client.
Base Command
sep-client-content
Context Output
| Path | Type | Description |
|---|---|---|
| SEPM.ClientContentVersions | string | Displays the versions for each client. |
| SEPM.LastUpdated | string |
The last time that the client's content was updated.
|
Command Example
!sep-client-content
Human Readable Output
6. Get a list of all policies
Retrieves a list of existing policies.
Base Command
sep-list-policies
Context Output
| Path | Type | Description |
|---|---|---|
| SEPM.PoliciesList.PolicyName | string | The name of the policy. |
| SEPM.PoliciesList.Type | string | The type of the policy. |
| SEPM.PoliciesList.ID | string | The ID of the policy. |
| SEPM.PoliciesList.Description | string | The description of the policy. |
| SEPM.PoliciesList.Enabled | boolean | Whether the list of polices is enabled. Enabled if "True". |
| SEPM.PoliciesList.AssignedLocations.GroupID | string | The ID of the group of the locations assigned to this policy. |
| SEPM.PoliciesList.AssignedLocations.Locations | string | The list of location IDs assigned to this policy. |
| SEPM.PoliciesList.AssignedCloudGroups.GroupID | string | The ID of the cloud group of the locations assigned to this policy. |
| SEPM.PoliciesList.AssignedCloudGroups.Locations | string | The list of location IDs belonging to a cloud group assigned to this policy. |
Command Example
!sep-list-policies
Human Readable Output
7. Assign a policy
Assigns an existing policy to a specified location.
Base Command
sep-assign-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| groupID | The ID of the group to which the endpoint belongs. | Required |
| locationID | The ID of the location of the endpoint. | Required |
| policyType | The type of policy to be assigned. | Required |
| policyID | The ID of the policy to be assigned. | Required |
Command Example
!sep-assign-policy groupID=44BE96AFC0A8010B0CFACB30929326C2 locationID=50FEEA3FC0A8010B739E49CB0C321A7E policyID=A00ADE188AA148D7AD319CBCA1FA2F23 policyType=hi
Human Readable Output
8. Get a list of location IDs for a group
Retrieves a list of location IDs for a specified group.
Base Command
sep-list-locations
Input
| Argument Name | Description | Required |
|---|---|---|
| groupID | The group ID for which to list locations. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SEPM.Locations.ID | Unknown | The ID of the location. |
Command Example
!sep-list-locations groupID=44BE96AFC0A8010B0CFACB30929326C2
Human Readable Output
9. Quarantine an endpoint
Quarantines an endpoint according to its policy.
Base Command
sep-endpoint-quarantine
Input
| Argument Name | Description | Required |
|---|---|---|
| endpoint | The IP or hostname of the endpoint. | Required |
| actionType | Adds or removes an endpoint from quarantine. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SEPM.Quarantine.CommandID | string | The ID of the command that was run. |
| SEPM.Quarantine.Action | string | The type of the action type. Can be "Add" or "Remove". |
| SEPM.Quarantine.Endpoint | string | The IP or hostname of the identifier of the endpoint. |
Command Example
!sep-endpoint-quarantine actionType=add endpoint=demisto-PC
Human Readable Output
10. Scan an endpoint
Scans an endpoint.
Base Command
sep-scan-endpoint
Input
| Argument Name | Description | Required |
|---|---|---|
| endpoint | The IP address or hostname of the endpoint. | Required |
| scanType | The scan type of the endpoint. Can be "ScanNow_Quick", "ScanNow_Full", or "ScanNow_Custom". | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SEPM.Scan.CommandID | string | The ID of the command that was run. |
| SEPM.Scan.Type | string | The type of the scan. Can be "ScanNow_Quick", "ScanNow_Full", or "ScanNow_Custom". |
| SEPM.Scan.Endpoint | Unknown | The IP or hostname of the identifier of the endpoint. |
Command Example
!sep-scan-endpoint endpoint=demisto-PC scanType=ScanNow_Quick
Human Readable Output
11. Update an endpoint's content
Updates the content of a specified client.
Base Command
sep-update-endpoint-content
Input
| Argument Name | Description | Required |
|---|---|---|
| endpoint | The IP address or hostname of the endpoint. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SEPM.Update.Endpoint | String | The endpoint that is being updated. |
| SEPM.Update.CommandID | String | The ID of the command for which to check the status. |
Command Example
!sep-update-endpoint-content endpoint=demisto-PC
Human Readable Output
12. Move a client to a group
Moves a client to a group.
Base Command
sep-move-client-to-group
Input
| Argument Name | Description | Required |
|---|---|---|
| groupID | The ID of the group to which to move the client. | Required |
| hardwareKey | The hardware key of the client to be moved. | Required |
Command Example
!sep-move-client-to-group groupID=AA51516BC0A8010B3BFBBE37F7B71214 hardwareKey=269CE816FDB1BA25A2505D0A5A59294C
Human Readable Output
13. Get endpoints for a running version
Get endpoints for a running version that is different than the target version or the desired version (if specified).
Base Command
sep-identify-old-clients
Input
| Argument Name | Description | Required |
|---|---|---|
| columns | Sets which columns will be displayed. | Optional |
| computerName | Filters by the hostname of the computer. A wild card search can be done using '*' at the end of the query. | Optional |
| lastUpdate | Indicates when a computer's status was last updated. The default is "0", which returns all results. | Optional |
| os | The operating system by which to filter. | Optional |
| pageSize | The number of results to include on each page. The default is 20. | Optional |
| groupName | The name of the group to which the endpoint belongs. A wild card search can be done using '*'at the end of the query. | Optional |
| desiredVersion | desiredVersion | Optional |
Command Example
!sep-identify-old-clients desiredVersion=10
Human Readable Output
Known Limitations
- SEPM REST- API currently exposes statistics, but does not expose extended information about Risks, Application and Device control, and Network logs.
- SEPM REST- API currently does not support an operation to get Host Names or IP addresses of clients who don’t have an update content version.
- SEPM REST- API currently does not support an operation to create or download reports.