# Symantec Endpoint Security (ICDM)

This Integration is part of the SymantecICDM Pack.

#### Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Query the Symantec Endpoint Security Cloud Portal (ICDM). This integration was integrated and tested with version 1 of SymantecICDM.
## Configure Symantec Endpoint Security (ICDM) in Cortex

Parameter | Description | Required |
---|---|---|
Source Reliability | Reliability of the source providing the intelligence data. | True |
Server URL (e.g. https://api.sep.securitycloud.symantec.com) | | True |
Fetch incidents | | False |
Incident type | | False |
Maximum number of incidents per fetch | | False |
API Key | | True |
First fetch time | | False |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |
Incidents Fetch Interval | | False |
Ignore Domains (e.g. domain.local) | Comma-separated list of domains that are skipped during URL and (sub-)domain reputation lookups. | False |
Ignore Private IPs (e.g. 192.168.0.1) | | False |
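The two "Ignore" parameters decide which `url`, `domain` and `ip` arguments are never sent to ICDM. The helper below is an added example, not the pack's own code: it shows the matching semantics such a filter needs (suffix matching so subdomains of an ignored domain are skipped too, host extraction for URLs, and RFC 1918, loopback and link-local detection via the standard library). All function and parameter names are assumptions; the real integration may implement this differently.

```python
# Added example (not the SymantecICDM pack's code): filtering modelled on the
# "Ignore Domains" and "Ignore Private IPs" integration parameters. Function and
# parameter names are assumptions.
import ipaddress
from urllib.parse import urlsplit


def parse_ignore_domains(raw):
    """Turn the comma-separated parameter value into a set of bare lowercase names."""
    return {d.strip().lower().rstrip(".") for d in raw.split(",") if d.strip()}


def host_of(indicator):
    """Host part of a URL; a bare domain or IP (optionally with :port) is returned as-is."""
    if "://" in indicator:
        return (urlsplit(indicator).hostname or "").lower()
    return indicator.split("/")[0].split(":")[0].lower()


def is_ignored_domain(host, ignore):
    """True when host equals an ignored domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ignore)


def is_private_ip(value):
    """True for RFC 1918, loopback and link-local addresses; False for non-IP strings."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def filter_indicators(indicators, ignore_domains_raw, ignore_private_ips=True):
    """Split a url/domain/ip command argument list into (to_lookup, skipped)."""
    ignore = parse_ignore_domains(ignore_domains_raw)
    to_lookup, skipped = [], []
    for ind in indicators:
        host = host_of(ind)
        if is_ignored_domain(host, ignore) or (ignore_private_ips and is_private_ip(host)):
            skipped.append(ind)
        else:
            to_lookup.append(ind)
    return to_lookup, skipped


if __name__ == "__main__":
    # Constructed sample input: two internal indicators that should never reach ICDM.
    keep, skip = filter_indicators(
        ["https://intranet.domain.local/login", "10.0.0.5", "http://8.8.8.8/x", "example.com"],
        "domain.local, corp.example")
    print("lookup:", keep, "skipped:", skip)
```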
## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### file

Get file reputation for a given SHA256.

#### Base Command

`file`

#### Input

Argument Name | Description | Required |
---|---|---|
file | List of files. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
File.SHA256 | String | The SHA256 hash of the file. |
### ip

Get IP reputation.

#### Base Command

`ip`

#### Input

Argument Name | Description | Required |
---|---|---|
ip | List of IPs. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
IP.Address | String | IP address. |
### url

Get reputation for a given URL.

#### Base Command

`url`

#### Input

Argument Name | Description | Required |
---|---|---|
url | List of URLs. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
URL.Data | String | The URL. |
### domain

Get reputation for a given domain.

#### Base Command

`domain`

#### Input

Argument Name | Description | Required |
---|---|---|
domain | List of domains. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Domain.Name | String | The domain name. |
### symantec-protection-file

Get information on whether a given file has been blocked by any Symantec technologies.

#### Base Command

`symantec-protection-file`

#### Input

Argument Name | Description | Required |
---|---|---|
file | Comma-separated list of file SHA256 hashes. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Symantec.Protection.File.file | String | The input file SHA256. |
Symantec.Protection.File.state.technology | String | Symantec technology providing protection. |
Symantec.Protection.File.state.firstDefsetVersion | String | The first definition version with protection. |
Symantec.Protection.File.state.threatName | String | The name of the threat the file is detected as. |
### symantec-protection-network

Get information on whether a given domain or IP has been blocked by any Symantec technologies.

#### Base Command

`symantec-protection-network`

#### Input

Argument Name | Description | Required |
---|---|---|
network | Comma-separated list of domains or IPs. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Symantec.Protection.Network.network | String | The input domain or IP. |
Symantec.Protection.Network.state.technology | String | Symantec technology providing protection. |
Symantec.Protection.Network.state.firstDefsetVersion | String | The first definition version with protection. |
Symantec.Protection.Network.state.threatName | String | The name of the threat the domain or IP is detected as. |
### symantec-protection-cve

Get information on whether a given CVE has been blocked by any Symantec technologies.

#### Base Command

`symantec-protection-cve`

#### Input

Argument Name | Description | Required |
---|---|---|
cve | Comma-separated list of CVEs. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Symantec.Protection.CVE.cve | String | The input CVE. |
Symantec.Protection.CVE.state.technology | String | Symantec technology providing protection. |
Symantec.Protection.CVE.state.firstDefsetVersion | String | The first definition version with protection. |
Symantec.Protection.CVE.state.threatName | String | The name of the threat the CVE is detected as. |
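The three `symantec-protection-*` commands share the same `state` sub-structure, and the actionable question for a playbook is usually which inputs have no Symantec coverage at all. The code below is an added example, not the pack's own code: it summarises context entries shaped like the tables above and separates covered inputs from uncovered ones. It assumes `state` holds a list (or a single object) of `technology`/`firstDefsetVersion`/`threatName` records and that an input without protection has an empty `state`; the sample context and its CVE ids are constructed placeholders.

```python
# Added example (not the SymantecICDM pack's code): summarise what the
# symantec-protection-file / -network / -cve commands return. Assumes `state`
# is a list of {technology, firstDefsetVersion, threatName} objects and that an
# input with no coverage has an empty `state` (an assumption about the API).

# Constructed sample shaped like Symantec.Protection.CVE entries (placeholder CVE ids).
SAMPLE_CVE_CONTEXT = [
    {"cve": "CVE-0000-0001", "state": [
        {"technology": "IPS", "firstDefsetVersion": "20240101.001",
         "threatName": "Web Attack: Example"},
        {"technology": "AV", "firstDefsetVersion": "20240102.003",
         "threatName": "Trojan.Example"},
    ]},
    {"cve": "CVE-0000-0002", "state": []},
]


def summarise_protection(entries, key):
    """Return (protected, unprotected) for one command's context entries.

    protected maps each input to 'technology (since defset): threat' lines;
    unprotected lists inputs for which no technology reported a detection.
    key is the input field name: "file", "network" or "cve".
    """
    protected, unprotected = {}, []
    for entry in entries:
        name = entry.get(key)
        states = entry.get("state") or []
        if isinstance(states, dict):  # tolerate a single state object
            states = [states]
        if not states:
            unprotected.append(name)
            continue
        protected[name] = [
            "%s (since %s): %s" % (s.get("technology", "?"),
                                   s.get("firstDefsetVersion", "?"),
                                   s.get("threatName", "?"))
            for s in states
        ]
    return protected, unprotected


if __name__ == "__main__":
    covered, gaps = summarise_protection(SAMPLE_CVE_CONTEXT, "cve")
    for cve, lines in covered.items():
        print(cve, "->", "; ".join(lines))
    print("no Symantec coverage reported for:", gaps)
```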