Skip to main content

Symantec Endpoint Protection v2

This Integration is part of the Symantec Endpoint Protection Pack.#

Query the Symantec Endpoint Protection Manager using the official REST API.

Use Cases#

  • Scan/Quarantine/content-update an endpoint.
  • Assign policy to an endpoint.
  • Move client to different group.

Unsupported use cases in the API:

  • Get scan results
  • Get reports/logs
  • Receive system alerts

Required Permissions#

The following role is required to use the Symantec Endpoint Protection API:

  • sysadmin

Configure Symantec Endpoint Protection V2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Symantec Endpoint Protection V2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Server (e.g., https://1.2.3.4:8446)True
    AuthenticationTrue
    PasswordTrue
    SEPM domain for the userFalse
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    Local time zone (e.g., +02:30,-06:00)False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

sep-endpoints-info#


Returns information about endpoints.

Base Command#

sep-endpoints-info

Input#

Argument NameDescriptionRequired
columnsA CSV list of the displayed columns.Optional
computerNameFilters by the host name of the computer. A wild card search can be done using '*' at the end of the query.Optional
lastUpdateIndicates when a computer's status was last updated. The default is "0", which returns all results. Default is 0.Optional
osThe operating system by which to filter. Possible values are: CentOs, Debian, Fedora, MacOSX, Oracle, OSX, RedHat, SUSE, Ubuntu, Win10, Win2K, Win7, Win8, WinEmb7, WinEmb8, WinEmb81, WinFundamental, WinNT, Win2K3, Win2K8, Win2K8R2, WinVista, WinXP, WinXPEmb, WinXPProf64.Optional
pageSizeThe number of results to include on each page. The default is 20.Optional
groupNameThe name of the group to which the endpoint belongs. A wild card search can be done using '*' at the end of the query.Optional

Context Output#

PathTypeDescription
SEPM.Endpoint.HostnameStringThe hostname of the endpoint.
SEPM.Endpoint.DomainStringThe domain of the endpoint.
SEPM.Endpoint.IPAddressesStringThe IP addresses of the endpoint.
SEPM.Endpoint.OSStringThe OS information of the endpoint.
SEPM.Endpoint.DescriptionStringThe description of the endpoint.
SEPM.Endpoint.MACAddressesStringThe MAC address of the endpoint.
SEPM.Endpoint.BIOSVersionStringThe BIOS version of the endpoint.
SEPM.Endpoint.DHCPServerStringThe DHCP server address of the endpoint.
SEPM.Endpoint.HardwareKeyStringThe hardware key of the client to be moved.
SEPM.Endpoint.LastScanTimeStringThe last scan time of the endpoint.
SEPM.Endpoint.RunningVersionStringThe running version of the endpoint.
SEPM.Endpoint.TargetVersionStringThe target version of the endpoint.
IP.AddressStringThe IP address of the endpoint.
IP.HostStringThe IP host of the endpoint.
Endpoint.HostnameUnknownThe hostname of the endpoint.
Endpoint.MACAddressUnknownThe MAC address of the endpoint.
Endpoint.DomainUnknownThe domain of the endpoint.
Endpoint.IPAddressUnknownThe IP address of the endpoint.
Endpoint.DHCPServerUnknownThe DHCP server of the endpoint.
Endpoint.OSStringThe OS of the endpoint.
Endpoint.OSVersionStringThe OS version of the endpoint.
Endpoint.BIOSVersionStringThe BIOS version of the endpoint.
Endpoint.MemoryStringThe memory of the endpoint.
Endpoint.ProcessorsStringThe processors that the endpoint uses.
IP.HostnameStringThe hostname that is mapped to this IP address.
SEPM.Endpoint.GroupStringThe group of the endpoint.
SEPM.Endpoint.PatternIdxStringThe PatternIdx of the endpoint.
SEPM.Endpoint.OnlineStatusStringThe online status of the endpoint.
SEPM.Endpoint.UpdateTimeStringThe update time of the endpoint.

Command Example#

!sep-endpoints-info

Human Readable Output#

Human_Readable_Output_1

sep-groups-info#


Returns information about groups.

Base Command#

sep-groups-info

Input#

Argument NameDescriptionRequired
columnsThe column by which the results are sorted.Optional

Context Output#

PathTypeDescription
SEPM.GroupsUnknownThe list of groups.
SEPM.Groups.creatednumberThe time of creation time (in Epoch).
SEPM.Groups.fullPathNamestringThe name of the group.
SEPM.Groups.idstringThe ID of the group.
SEPM.Groups.numberOfPhysicalComputersnumberThe number of physical computers in the group.
SEPM.Groups.numberOfRegisteredUsersnumberThe number of registered users in the group.
SEPM.Groups.policyDatenumberThe date of the policy (in Epoch).
SEPM.Groups.policySerialNumbernumberThe serial number of the policy.

Command Example#

!sep-groups-info

Human Readable Output#

Human_Readable_Output_2

sep-system-info#


Returns information about the system, such as version or AV definition.

Base Command#

sep-system-info

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
SEPM.ServerAVDefVersionstringThe version of the AV definition.

Command Example#

!sep-system-info

Human Readable Output#

Human_Readable_Output_3

sep-command-status#


Retrieves the status of a command.

Base Command#

sep-command-status

Input#

Argument NameDescriptionRequired
commandIdThe ID of the command.Required

Context Output#

PathTypeDescription
SEPM.LastCommand.CommandDetailsstringThe details of the command.
SEPM.LastCommand.CommandIdstringThe ID of the command.

Command Example#

!sep-command-status commandId=04A68CA5952B4726AAFEB421E0EB436C

Human Readable Output#

Human_Readable_Output_4

sep-client-content#


Retrieves the content of the client.

Base Command#

sep-client-content

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
SEPM.ClientContentVersionsstringDisplays the versions for each client.
SEPM.LastUpdatedstringThe last update of a date.

Command Example#

!sep-client-content

Human Readable Output#

Human_Readable_Output_5

sep-list-policies#


Retrieves a list of existing policies.

Base Command#

sep-list-policies

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
SEPM.PoliciesList.PolicyNamestringThe name of the policy.
SEPM.PoliciesList.TypestringThe type of the policy.
SEPM.PoliciesList.IDstringThe ID of the policy.
SEPM.PoliciesList.DescriptionstringThe description of the policy.
SEPM.PoliciesList.EnabledbooleanWhether the list of polices is enabled. Enabled if "True".
SEPM.PoliciesList.AssignedLocations.GroupIDstringThe ID of the group of the locations assigned to this policy.
SEPM.PoliciesList.AssignedLocations.LocationsstringThe list of location IDs assigned to this policy.
SEPM.PoliciesList.AssignedCloudGroups.GroupIDstringThe ID of the cloud group of the locations assigned to this policy.
SEPM.PoliciesList.AssignedCloudGroups.LocationsstringThe list of location IDs belonging to a cloud group assigned to this policy.

Command Example#

!sep-list-policies

Human Readable Output#

Human_Readable_Output_6

sep-assign-policy#


Assigns an existing policy to a specified location.

Base Command#

sep-assign-policy

Input#

Argument NameDescriptionRequired
groupIDThe ID of the group to which the endpoint belongs.Required
locationIDThe ID of the location of the endpoint.Required
policyTypeThe type of policy to be assigned.Required
policyIDThe ID of the policy to be assigned.Required

Context Output#

There is no context output for this command.

Command Example#

!sep-assign-policy groupID=44BE96AFC0A8010B0CFACB30929326C2 locationID=50FEEA3FC0A8010B739E49CB0C321A7E policyID=A00ADE188AA148D7AD319CBCA1FA2F23 policyType=hi

Human Readable Output#

Human_Readable_Output_7

sep-list-locations#


Retrieves a list of location IDs for a specified group.

Base Command#

sep-list-locations

Input#

Argument NameDescriptionRequired
groupIDThe group ID for which to list locations.Required

Context Output#

PathTypeDescription
SEPM.Locations.IDUnknownThe ID of the location.

Command Example#

!sep-list-locations groupID=44BE96AFC0A8010B0CFACB30929326C2

Human Readable Output#

Human_Readable_Output_8

sep-endpoint-quarantine#


Quarantines an endpoint according to its policy.

Base Command#

sep-endpoint-quarantine

Input#

Argument NameDescriptionRequired
endpointThe IP or hostname of the endpoint.Required
actionTypeAdds or removes an endpoint from quarantine. Possible values are: Add, Remove.Required

Context Output#

PathTypeDescription
SEPM.Quarantine.CommandIDstringThe ID of the command that was run.
SEPM.Quarantine.ActionstringThe type of the action type. Can be "Add" or "Remove".
SEPM.Quarantine.EndpointstringThe IP or hostname of the identifier of the endpoint.

Command Example#

!sep-endpoint-quarantine actionType=add endpoint=demisto-PC

Human Readable Output#

Human_Readable_Output_9

sep-scan-endpoint#


Scans an endpoint.

Base Command#

sep-scan-endpoint

Input#

Argument NameDescriptionRequired
endpointThe IP address or hostname of the endpoint.Required
scanTypeThe scan type of the endpoint. Can be "ScanNow_Quick", "ScanNow_Full", or "ScanNow_Custom". Possible values are: ScanNow_Quick, ScanNow_Full, ScanNow_Custom.Required

Context Output#

PathTypeDescription
SEPM.Scan.CommandIDstringThe ID of the command that was run.
SEPM.Scan.TypestringThe type of the scan. Can be "ScanNow_Quick", "ScanNow_Full", or "ScanNow_Custom".
SEPM.Scan.EndpointUnknownThe IP or hostname of the identifier of the endpoint.

Command Example#

!sep-scan-endpoint endpoint=demisto-PC scanType=ScanNow_Quick

Human Readable Output#

Human_Readable_Output_10

sep-update-endpoint-content#


Updates the content of a specified client.

Base Command#

sep-update-endpoint-content

Input#

Argument NameDescriptionRequired
endpointThe IP address or hostname of the endpoint.Required

Context Output#

PathTypeDescription
SEPM.Update.EndpointStringThe endpoint that is being updated.
SEPM.Update.CommandIDStringThe ID of the command for which to check the status.

Command Example#

!sep-update-endpoint-content endpoint=demisto-PC

Human Readable Output#

Human_Readable_Output_11

sep-move-client-to-group#


Moves a client to a group.

Base Command#

sep-move-client-to-group

Input#

Argument NameDescriptionRequired
groupIDThe ID of the group to which to move the client.Required
hardwareKeyThe hardware key of the client to be moved.Required

Context Output#

There is no context output for this command.

Command Example#

!sep-move-client-to-group groupID=AA51516BC0A8010B3BFBBE37F7B71214 hardwareKey=269CE816FDB1BA25A2505D0A5A59294C

Human Readable Output#

Human_Readable_Output_12

sep-identify-old-clients#


Get endpoints for a running version that is different than the target version or the desired version (if specified).

Base Command#

sep-identify-old-clients

Input#

Argument NameDescriptionRequired
columnsSets which columns will be displayed.Optional
computerNameFilters by the host name of the computer. A wild card search can be done using '*' at the end of the query.Optional
lastUpdateIndicates when a computer's status was last updated. The default is "0", which returns all results.Optional
osThe operating system by which to filter.Optional
pageSizeThe number of results to include on each page. The default is 20.Optional
groupNameThe name of the group to which the endpoint belongs. A wild card search can be done using '*'at the end of the query.Optional
desiredVersiondesiredVersion.Optional

Context Output#

There is no context output for this command.

Command Example#

!sep-identify-old-clients desiredVersion=10

Human Readable Output#

Human_Readable_Output_13

Known Limitations#

  • SEPM REST- API currently exposes statistics, but does not expose extended information about Risks, Application and Device control, and Network logs.
  • SEPM REST- API currently does not support an operation to get Host Names or IP addresses of clients who don’t have an update content version.
  • SEPM REST- API currently does not support an operation to create or download reports.