Symantec Managed Security Services
This Integration is part of the Symantec Managed Security Services Pack.
Use the Symantec Managed Security Services (Symantec MSS) integration to create Cortex XSOAR incidents from Symantec incidents.
Prerequisites
- Export a production certificate, in .p12 format, that enables you to access your organization's information in SWS ( https://api.monitoredsecurity.com/SWS/ ).
- Use any "File to Base64" converter to encode the .p12 file into a base64 string.
- If you are not authorized, make sure that the exported .p12 certificate is for the production API and not the test API.
- Verify that you can make HTTPS requests from your machine.
- Make sure you use the correct proxy, and enable it in the configuration.
Configure the Symantec MSS Integration on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for Symantec MSS.
- Click Add instance to create and configure a new integration instance.
- Name : A textual name for the integration instance.
- Server URL : URL of the Symantec MSS server.
- Certificate : The base64 representation of the exported production certificate.
- Certificate Passphrase : The passphrase used to create the .p12 certificate.
- Use system proxy settings
- Fetch Incidents
- Incident type : Incident type to trigger incident creation.
- Cortex XSOAR engine
- Click Test to validate that the certificate is authenticated and the SWS server is responsive.
Fetched Incidents Data
Incidents with the severities of "Emergency" or "Critical" will be fetched. When importing events for the first time, incidents from the last 10 minutes are imported. A maximum of 500 incidents will be created in one import.
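The fetch rules above (Emergency/Critical only, a 10-minute window on the first run, at most 500 incidents per run) applied to records shaped like the symantec-mss-incidents-list raw output. This is an added illustration, not the integration's own code; the sample records, the severity-number mapping and the function names are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records, shaped like the symantec-mss-incidents-list raw output.
SAMPLE_INCIDENTS = [
    {"IncidentNumber": "565656", "Severity": "Warning", "Classification": "Scan for Web Servers",
     "SourceIPString": "127.0.0.1", "TimeCreated": "2017-12-20T10:04:35.4355923+00:00"},
    {"IncidentNumber": "565657", "Severity": "Critical", "Classification": "Scan for Web Servers",
     "SourceIPString": "127.0.0.1", "TimeCreated": "2017-12-20T10:03:35.4355923+00:00"},
    {"IncidentNumber": "565658", "Severity": "Emergency", "Classification": "Symantec AV Alert",
     "SourceIPString": "10.0.0.5", "TimeCreated": "2017-12-20T09:50:00.0000000+00:00"},
]

FETCH_SEVERITIES = {"Emergency", "Critical"}   # only these are fetched
MAX_INCIDENTS = 500                             # cap per import
FIRST_RUN_LOOKBACK = timedelta(minutes=10)      # window used when there is no last run
# Assumed mapping to Cortex XSOAR numeric severities (4 = critical, 3 = high).
XSOAR_SEVERITY = {"Emergency": 4, "Critical": 3}


def parse_mss_time(value):
    """MSS timestamps carry 7 fractional-second digits; Python accepts at most 6, so trim."""
    trimmed = re.sub(r"(\.\d{1,6})\d*", r"\1", value)
    return datetime.fromisoformat(trimmed)


def select_incidents(raw, last_run=None, now=None):
    """Filter by severity and time window, oldest first, capped at MAX_INCIDENTS."""
    now = now or datetime.now(timezone.utc)
    since = last_run or (now - FIRST_RUN_LOOKBACK)
    picked = [inc for inc in raw
              if inc.get("Severity") in FETCH_SEVERITIES
              and parse_mss_time(inc["TimeCreated"]) > since]
    picked.sort(key=lambda inc: parse_mss_time(inc["TimeCreated"]))
    return picked[:MAX_INCIDENTS]


def to_xsoar_incident(inc):
    """Shape one MSS record as an XSOAR incident dict (field names assumed)."""
    return {
        "name": f"Symantec MSS {inc['IncidentNumber']}: {inc['Classification']}",
        "occurred": inc["TimeCreated"],
        "severity": XSOAR_SEVERITY.get(inc["Severity"], 0),
        "rawJSON": json.dumps(inc),
    }


if __name__ == "__main__":
    run_at = datetime(2017, 12, 20, 10, 5, tzinfo=timezone.utc)
    for inc in select_incidents(SAMPLE_INCIDENTS, now=run_at):
        print(to_xsoar_incident(inc)["name"])
```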
Use Cases
- Close an incident, change its resolution to "Resolved" and assign it to a person named "John".
  Example: "!symantec-mss-update-incident number=123 resolution=Resolved status=Closed assignPerson=John"
- Query for a specific incident (incident number 1 in this example).
  Example: "!symantec-mss-get-incident number=1"
- Retrieve a list of alerts and import them as incidents into Cortex XSOAR.
  Check "Import events as incidents" when configuring the integration.
- Get a list of incidents from the War Room, since 2017, with a severity of "Informational" or "Warning", from the source IP "127.0.0.1", with a maximum of 20 entries.
  Example: "!symantec-mss-incidents-list time=2017-01-01T00:00:00.000Z severities=Informational,Warning max=20 sourceIp=127.0.0.1"
Commands
- List all incidents: symantec-mss-incidents-list
- Get incident information: symantec-mss-get-incident
- Update an incident: symantec-mss-update-incident
1. List all incidents
Gets a list of incidents. You can filter the results by time, source IP, severity, and maximum number of incidents. If no time is specified, incidents from the last 24 hours are returned.
Base Command
symantec-mss-incidents-list
Input
| Parameter | Description |
| --- | --- |
| time | List timestamp |
| severities | Informational, Warning |
| max | Maximum number of incidents to return |
| sourceIp | Source IP address of the listed incidents |
Raw Output
```json
[
  {
    "Category": "No Category",
    "Severity": "Warning",
    "DaysSeenGlobally": "0",
    "HostNameList": null,
    "GlobalLookbackDays": "2",
    "CustomerSeverity": null,
    "CountryCode": "CC0",
    "DaysSeenInLast30Days": "0",
    "DestOrganizationName": "Org0",
    "SourceOrganizationName": "Org1",
    "UserList": null,
    "IncidentNumber": "565656",
    "CountryOfOrigin": null,
    "SourceIPString": "127.0.0.1",
    "Correlation": "No",
    "IsInternalExternal": null,
    "LatestKeyEvent": "2017-12-20T10:04:35.4355923+00:00",
    "Classification": "Scan for Web Servers",
    "TimeCreated": "2017-12-20T10:04:35.4355923+00:00",
    "FirstSeenInLast30Days": "2017-12-20T10:04:35.4355923+00:00",
    "FirstSeenGlobally": "2017-12-20T10:04:35.4355923+00:00",
    "CountryName": "CName0",
    "UpdateTimestampGMT": "2017-12-20T10:04:35.4355923+00:00",
    "PrevalenceGlobally": "L"
  },
  {
    "Category": "Authorized Activity",
    "Severity": "Warning",
    "DaysSeenGlobally": "0",
    "HostNameList": null,
    "GlobalLookbackDays": "2",
    "CustomerSeverity": null,
    "CountryCode": "CC1",
    "DaysSeenInLast30Days": "0",
    "DestOrganizationName": "Org1",
    "SourceOrganizationName": "Org2",
    "UserList": null,
    "IncidentNumber": "565657",
    "CountryOfOrigin": null,
    "SourceIPString": "127.0.0.1",
    "Correlation": "Yes",
    "IsInternalExternal": null,
    "LatestKeyEvent": "2017-12-20T10:03:35.4355923+00:00",
    "Classification": "Scan for Web Servers",
    "TimeCreated": "2017-12-20T10:03:35.4355923+00:00",
    "FirstSeenInLast30Days": "2017-12-20T10:03:35.4355923+00:00",
    "FirstSeenGlobally": "2017-12-20T10:03:35.4355923+00:00",
    "CountryName": "CName1",
    "UpdateTimestampGMT": "2017-12-20T10:03:35.4355923+00:00",
    "PrevalenceGlobally": "L"
  },
  ...
]
```
War Room Output
2. Get incident information
Query an incident by number.
Base Command
symantec-mss-get-incident
Input
| Parameter | Description |
| --- | --- |
| number | Incident number |
Raw Output
```json
{
  "Signatures": [
    { "NumberBlocked": "0", "SourceIPString": "0.0.0.0", "VendorSignature": null, "NumberNotBlocked": "0", "SignatureName": "Symantec AV Alert" },
    { "NumberBlocked": "0", "SourceIPString": "1.1.1.1", "VendorSignature": null, "NumberNotBlocked": "0", "SignatureName": "Symantec AV Alert" },
    { "NumberBlocked": "0", "SourceIPString": "2.2.2.2", "VendorSignature": null, "NumberNotBlocked": "0", "SignatureName": "Symantec AV Alert" },
    { "NumberBlocked": "0", "SourceIPString": "3.3.3.3", "VendorSignature": null, "NumberNotBlocked": "0", "SignatureName": "Symantec AV Alert" },
    { "NumberBlocked": "0", "SourceIPString": "4.4.4.4", "VendorSignature": null, "NumberNotBlocked": "0", "SignatureName": "Symantec AV Alert" },
    { "NumberBlocked": "0", "SourceIPString": "5.5.5.5", "VendorSignature": null, "NumberNotBlocked": "0", "SignatureName": "Symantec AV Alert" }
  ],
  "Incident Number": "565656",
  "Number of Analyzed Signatures": "5",
  "Analyst Assessment": "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.",
  "Status": "",
  "Description": "Scans for Web Servers have been detected",
  "Classification": "Activity Summary - Scans for Web Servers",
  "Assigned Person": "",
  "Time Created": "2017-12-20T09:53:18.1855923+00:00",
  "Related Incidents": ["1235", "123456", "123457"],
  "Comment": "CommentTest"
}
```
War Room Output
3. Update an incident
Updates the workflow of the incident specified by number. Optional parameters that are not specified are taken from the incident's current workflow. If the current workflow has no value for such a parameter, an error is thrown and you must supply a value for it.
Base Command
symantec-mss-update-incident
Input
| Parameter | Description |
| --- | --- |
| number | Incident number |
| resolution | Resolved status, for example, Closed |
| assignPerson | User assigned to the incident |
Raw Output
Update status: Updated successfully
War Room Output