
# Symantec Endpoint Security (ICDM)

This integration is part of the SymantecICDM Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Query the Symantec Endpoint Security Cloud Portal (ICDM). This integration was integrated and tested with version 1 of SymantecICDM.

## Configure Symantec Endpoint Security (ICDM) in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Server URL (e.g. https://api.sep.securitycloud.symantec.com) | | True |
| Fetch incidents | | False |
| Incident type | | False |
| Maximum number of incidents per fetch | | False |
| API Key | | True |
| First fetch time | | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Incidents Fetch Interval | | False |
| Ignore Domains (e.g. domain.local) | Comma-separated list of domains that shall be ignored for URL and (sub-)domain reputation lookups. | False |
| Ignore Private IPs (e.g. 192.168.0.1) | | False |
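The two "Ignore" parameters exist so that internal host names and RFC 1918 addresses are never sent to the cloud reputation service. The following is an added example, not the integration's own code, of how such a pre-filter can be applied to a batch of indicators before any lookup. All function names are this example's own, and the matching rule (an ignored domain also covers its subdomains, which is one reading of "(Sub-)Domains" above) is an assumption; sample indicators are constructed.

```python
"""Pre-filter reputation lookups using 'Ignore Domains' / 'Ignore Private IPs'.

Added example: names and matching rules are assumptions, not the
integration's documented behaviour.
"""
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit


def host_of(indicator: str) -> str:
    """Return the lowercase host of a URL, bare domain, IP, or host:port string."""
    if "://" not in indicator:
        # Prefix '//' so urlsplit treats a bare 'host:port/path' as a netloc.
        indicator = "//" + indicator
    # .hostname is already lowercased and strips IPv6 brackets.
    return urlsplit(indicator).hostname or ""


def parse_ignore_domains(raw: str) -> List[str]:
    """Parse the comma-separated 'Ignore Domains' parameter value."""
    return [d.strip().lower().rstrip(".") for d in raw.split(",") if d.strip()]


def is_ignored_domain(host: str, ignore_domains: Iterable[str]) -> bool:
    """True when host equals an ignored domain or is a subdomain of one (assumed rule)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ignore_domains if d)


def is_private_ip(host: str) -> bool:
    """True when host parses as an IP address in a private range (RFC 1918, ULA, loopback...)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # not an IP literal at all


def split_lookups(
    indicators: Iterable[str], ignore_domains: Iterable[str], ignore_private_ips: bool
) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split indicators into (to_lookup, skipped); skipped entries carry a reason."""
    ignore_domains = list(ignore_domains)
    to_lookup: List[str] = []
    skipped: List[Tuple[str, str]] = []
    for ind in indicators:
        host = host_of(ind)
        if ignore_private_ips and is_private_ip(host):
            skipped.append((ind, "private ip"))
        elif is_ignored_domain(host, ignore_domains):
            skipped.append((ind, "ignored domain"))
        else:
            to_lookup.append(ind)
    return to_lookup, skipped


if __name__ == "__main__":
    # Constructed sample input; nothing here is real telemetry.
    ignore = parse_ignore_domains("domain.local, corp.example")
    sample = [
        "https://Intranet.domain.local/login",
        "192.168.0.1",
        "[fd00::1]:8080",
        "8.8.8.8",
        "evil.example.com",
        "notdomain.local",
    ]
    lookup, skipped = split_lookups(sample, ignore, ignore_private_ips=True)
    print("lookup :", lookup)
    print("skipped:", skipped)
```

Only the `lookup` list would be passed on to the `ip`, `url` and `domain` commands; the `skipped` list is worth logging so analysts can see why an internal indicator returned no DBotScore.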

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### file

Get file reputation for the given SHA256 hashes.

#### Base Command

`file`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | List of files. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| File.SHA256 | String | The SHA256 hash of the file. |

### ip

Get IP reputation.

#### Base Command

`ip`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| IP.Address | String | IP address. |

### url

Get reputation for the given URLs.

#### Base Command

`url`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | List of URLs. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| URL.Data | String | The URL. |

### domain

Get reputation for the given domains.

#### Base Command

`domain`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | List of domains. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| Domain.Name | String | The domain name. |

### symantec-protection-file

Get information on whether a given file has been blocked by any Symantec technologies.

#### Base Command

`symantec-protection-file`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | Comma-separated list of file SHA256 hashes. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Symantec.Protection.File.file | String | The input file SHA256. |
| Symantec.Protection.File.state.technology | String | Symantec technology providing protection. |
| Symantec.Protection.File.state.firstDefsetVersion | String | The first definition version with protection. |
| Symantec.Protection.File.state.threatName | String | The name of the threat the file is detected as. |

### symantec-protection-network

Get information on whether a given domain or IP has been blocked by any Symantec technologies.

#### Base Command

`symantec-protection-network`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| network | Comma-separated list of domains or IPs. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Symantec.Protection.Network.network | String | The input domain or IP. |
| Symantec.Protection.Network.state.technology | String | Symantec technology providing protection. |
| Symantec.Protection.Network.state.firstDefsetVersion | String | The first definition version with protection. |
| Symantec.Protection.Network.state.threatName | String | The name of the threat the domain or IP is detected as. |

### symantec-protection-cve

Get information on whether a given CVE has been blocked by any Symantec technologies.

#### Base Command

`symantec-protection-cve`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| cve | Comma-separated list of CVEs. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Symantec.Protection.CVE.cve | String | The input CVE. |
| Symantec.Protection.CVE.state.technology | String | Symantec technology providing protection. |
| Symantec.Protection.CVE.state.firstDefsetVersion | String | The first definition version with protection. |
| Symantec.Protection.CVE.state.threatName | String | The name of the threat the CVE is detected as. |