Publisher: Splunk
Connector Version: 2.1.9
Product Vendor: Symantec
Product Name: Symantec Endpoint Protection 14
Product Version Supported (regex): "14.*"
Minimum Product Version: 5.1.0
Integrate with Symantec Endpoint Protection 14 to execute investigative, containment, and corrective actions
The configured user's account must be a System Administrator.
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Symantec Endpoint Protection 14 asset in SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| url | required | string | Server URL (e.g. https://10.10.10.10:8446) |
| verify_server_cert | optional | boolean | Verify server certificate |
| username | required | string | System Administrator Username |
| password | required | password | Password |
test connectivity - Validate credentials provided for connectivity
list domains - List all of the administrative domains configured on the device
list groups - List all of the administrative groups configured on the device
list endpoints - List all the endpoints/sensors configured on the device
get system info - Gets the information about the computers in a specified domain
get status - Get command status report
unquarantine device - Unquarantine the endpoint
quarantine device - Quarantine the endpoint
unblock hash - Unblock hashes on endpoints
block hash - Block hashes on endpoints
scan endpoint - Scan an endpoint
full scan - Scan a computer
Validate credentials provided for connectivity
Type: test
Read only: True
No parameters are required for this action
No Output
List all of the administrative domains configured on the device
Type: investigate
Read only: True
No parameters are required for this action
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.data.*.administratorCount | numeric | |
| action_result.data.*.companyName | string | |
| action_result.data.*.contactInfo | string | |
| action_result.data.*.createdTime | numeric | |
| action_result.data.*.description | string | |
| action_result.data.*.enable | boolean | |
| action_result.data.*.id | string | |
| action_result.data.*.name | string | symantec admin domain |
| action_result.summary.total_domains | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
List all of the administrative groups configured on the device
Type: investigate
Read only: True
No parameters are required for this action
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.data.*.childGroups | string | |
| action_result.data.*.created | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.customIpsNumber | string | |
| action_result.data.*.description | string | |
| action_result.data.*.domain.id | string | md5 |
| action_result.data.*.domain.name | string | symantec admin domain |
| action_result.data.*.fullPathName | string | |
| action_result.data.*.id | string | symantec group id |
| action_result.data.*.lastModified | numeric | |
| action_result.data.*.name | string | |
| action_result.data.*.numberOfPhysicalComputers | numeric | |
| action_result.data.*.numberOfRegisteredUsers | numeric | |
| action_result.data.*.policyDate | numeric | |
| action_result.data.*.policyInheritanceEnabled | boolean | |
| action_result.data.*.policySerialNumber | string | |
| action_result.summary.total_groups | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
List all the endpoints/sensors configured on the device
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| admin_domain | required | Administrative domain of the endpoints to query | string | symantec admin domain |
| limit | optional | Maximum number of endpoints to be fetched | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.admin_domain | string | symantec admin domain |
| action_result.parameter.limit | numeric | |
| action_result.data.*.agentId | string | md5 |
| action_result.data.*.agentTimeStamp | numeric | |
| action_result.data.*.agentType | string | |
| action_result.data.*.agentUsn | numeric | |
| action_result.data.*.agentVersion | string | |
| action_result.data.*.apOnOff | numeric | |
| action_result.data.*.atpDeviceId | string | |
| action_result.data.*.atpServer | string | |
| action_result.data.*.attributeExtension | string | |
| action_result.data.*.avEngineOnOff | numeric | |
| action_result.data.*.bashStatus | numeric | |
| action_result.data.*.biosVersion | string | |
| action_result.data.*.bwf | numeric | |
| action_result.data.*.cidsBrowserFfOnOff | numeric | |
| action_result.data.*.cidsBrowserIeOnOff | numeric | |
| action_result.data.*.cidsDefsetVersion | string | |
| action_result.data.*.cidsDrvMulfCode | numeric | |
| action_result.data.*.cidsDrvOnOff | numeric | |
| action_result.data.*.cidsEngineVersion | string | ip |
| action_result.data.*.cidsSilentMode | numeric | |
| action_result.data.*.computerDescription | string | |
| action_result.data.*.computerName | string | host name |
| action_result.data.*.computerTimeStamp | numeric | |
| action_result.data.*.computerUsn | numeric | |
| action_result.data.*.contentUpdate | numeric | |
| action_result.data.*.creationTime | numeric | |
| action_result.data.*.currentClientId | string | md5 |
| action_result.data.*.daOnOff | numeric | |
| action_result.data.*.deleted | numeric | |
| action_result.data.*.department | string | |
| action_result.data.*.deploymentMessage | string | |
| action_result.data.*.deploymentPreVersion | string | |
| action_result.data.*.deploymentRunningVersion | string | |
| action_result.data.*.deploymentStatus | string | |
| action_result.data.*.deploymentTargetVersion | string | |
| action_result.data.*.description | string | |
| action_result.data.*.dhcpServer | string | ip |
| action_result.data.*.diskDrive | string | file path |
| action_result.data.*.dnsServers | string | ip |
| action_result.data.*.domainOrWorkgroup | string | domain |
| action_result.data.*.edrStatus | numeric | |
| action_result.data.*.elamOnOff | numeric | |
| action_result.data.*.email | string | email |
| action_result.data.*.employeeNumber | string | |
| action_result.data.*.employeeStatus | string | |
| action_result.data.*.encryptedDevicePassword | string | |
| action_result.data.*.fbwf | numeric | |
| action_result.data.*.firewallOnOff | numeric | |
| action_result.data.*.freeDisk | numeric | |
| action_result.data.*.freeMem | numeric | |
| action_result.data.*.fullName | string | |
| action_result.data.*.gateways | string | ip |
| action_result.data.*.group.domain.id | string | md5 |
| action_result.data.*.group.domain.name | string | symantec admin domain |
| action_result.data.*.group.externalId | string | |
| action_result.data.*.group.fullPathName | string | |
| action_result.data.*.group.id | string | symantec group id |
| action_result.data.*.group.name | string | |
| action_result.data.*.group.source | string | |
| action_result.data.*.groupUpdateProvider | boolean | |
| action_result.data.*.hardwareKey | string | md5 |
| action_result.data.*.homePhone | string | |
| action_result.data.*.hypervisorVendorId | string | |
| action_result.data.*.idsChecksum | string | |
| action_result.data.*.idsSerialNo | string | |
| action_result.data.*.idsVersion | string | |
| action_result.data.*.infected | numeric | |
| action_result.data.*.installType | string | |
| action_result.data.*.ipAddresses | string | ip |
| action_result.data.*.isGrace | numeric | |
| action_result.data.*.isNpvdiClient | numeric | |
| action_result.data.*.jobTitle | string | |
| action_result.data.*.kernel | string | |
| action_result.data.*.lastConnectedIpAddr | string | ip |
| action_result.data.*.lastDeploymentTime | numeric | |
| action_result.data.*.lastDownloadTime | numeric | |
| action_result.data.*.lastHeuristicThreatTime | numeric | |
| action_result.data.*.lastScanTime | numeric | |
| action_result.data.*.lastServerId | string | md5 |
| action_result.data.*.lastServerName | string | |
| action_result.data.*.lastSiteId | string | md5 |
| action_result.data.*.lastSiteName | string | |
| action_result.data.*.lastUpdateTime | numeric | |
| action_result.data.*.lastVirusTime | numeric | |
| action_result.data.*.licenseExpiry | numeric | |
| action_result.data.*.licenseId | string | |
| action_result.data.*.licenseStatus | numeric | |
| action_result.data.*.logicalCpus | numeric | |
| action_result.data.*.loginDomain | string | domain |
| action_result.data.*.logonUserName | string | user name |
| action_result.data.*.macAddresses | string | mac address |
| action_result.data.*.majorVersion | numeric | |
| action_result.data.*.memory | numeric | |
| action_result.data.*.minorVersion | numeric | |
| action_result.data.*.mobilePhone | string | |
| action_result.data.*.officePhone | string | |
| action_result.data.*.onlineStatus | numeric | |
| action_result.data.*.operatingSystem | string | |
| action_result.data.*.osBitness | string | |
| action_result.data.*.osElamStatus | numeric | |
| action_result.data.*.osFlavorNumber | numeric | |
| action_result.data.*.osFunction | string | |
| action_result.data.*.osLanguage | string | |
| action_result.data.*.osMajor | numeric | |
| action_result.data.*.osMinor | numeric | |
| action_result.data.*.osName | string | |
| action_result.data.*.osServicePack | string | |
| action_result.data.*.osVersion | string | |
| action_result.data.*.osbitness | string | |
| action_result.data.*.osflavorNumber | numeric | |
| action_result.data.*.osfunction | string | |
| action_result.data.*.oslanguage | string | |
| action_result.data.*.osmajor | numeric | |
| action_result.data.*.osminor | numeric | |
| action_result.data.*.osname | string | |
| action_result.data.*.osservicePack | string | |
| action_result.data.*.osversion | string | |
| action_result.data.*.patternIdx | string | md5 |
| action_result.data.*.pepOnOff | numeric | |
| action_result.data.*.physicalCpus | numeric | |
| action_result.data.*.processorClock | numeric | |
| action_result.data.*.processorType | string | |
| action_result.data.*.profileChecksum | string | |
| action_result.data.*.profileSerialNo | string | |
| action_result.data.*.profileVersion | string | |
| action_result.data.*.ptpOnOff | numeric | |
| action_result.data.*.publicKey | string | |
| action_result.data.*.quarantineDesc | string | |
| action_result.data.*.rebootReason | string | |
| action_result.data.*.rebootRequired | numeric | |
| action_result.data.*.securityVirtualAppliance | string | |
| action_result.data.*.serialNumber | string | |
| action_result.data.*.snacLicenseId | string | |
| action_result.data.*.subnetMasks | string | |
| action_result.data.*.svaId | string | |
| action_result.data.*.tamperOnOff | numeric | |
| action_result.data.*.timeZone | numeric | |
| action_result.data.*.tmpDevice | string | |
| action_result.data.*.totalDiskSpace | numeric | |
| action_result.data.*.tpmDevice | string | |
| action_result.data.*.uniqueId | string | symantec device id |
| action_result.data.*.uuid | string | |
| action_result.data.*.uwf | numeric | |
| action_result.data.*.virtualizationPlatform | string | |
| action_result.data.*.vsicStatus | numeric | |
| action_result.data.*.winServers | string | ip |
| action_result.data.*.worstInfectionIdx | string | |
| action_result.data.*.writeFiltersStatus | string | |
| action_result.summary.system_found | boolean | |
| action_result.summary.total_endpoints | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Gets the information about the computers in a specified domain
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hostname | required | Hostname of the device to get system info | string | host name |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.hostname | string | host name |
| action_result.data.*.agentId | string | |
| action_result.data.*.agentTimeStamp | numeric | |
| action_result.data.*.agentType | string | |
| action_result.data.*.agentUsn | numeric | |
| action_result.data.*.agentVersion | string | |
| action_result.data.*.apOnOff | numeric | |
| action_result.data.*.atpDeviceId | string | |
| action_result.data.*.atpServer | string | |
| action_result.data.*.attributeExtension | string | |
| action_result.data.*.avEngineOnOff | numeric | |
| action_result.data.*.bashStatus | numeric | |
| action_result.data.*.biosVersion | string | |
| action_result.data.*.bwf | numeric | |
| action_result.data.*.cidsBrowserFfOnOff | numeric | |
| action_result.data.*.cidsBrowserIeOnOff | numeric | |
| action_result.data.*.cidsDefsetVersion | string | |
| action_result.data.*.cidsDrvMulfCode | numeric | |
| action_result.data.*.cidsDrvOnOff | numeric | |
| action_result.data.*.cidsEngineVersion | string | |
| action_result.data.*.cidsSilentMode | numeric | |
| action_result.data.*.computerDescription | string | |
| action_result.data.*.computerName | string | host name |
| action_result.data.*.computerTimeStamp | numeric | |
| action_result.data.*.computerUsn | numeric | |
| action_result.data.*.contentUpdate | numeric | |
| action_result.data.*.creationTime | numeric | |
| action_result.data.*.currentClientId | string | |
| action_result.data.*.daOnOff | numeric | |
| action_result.data.*.deleted | numeric | |
| action_result.data.*.department | string | |
| action_result.data.*.deploymentMessage | string | |
| action_result.data.*.deploymentPreVersion | string | |
| action_result.data.*.deploymentRunningVersion | string | |
| action_result.data.*.deploymentStatus | string | |
| action_result.data.*.deploymentTargetVersion | string | |
| action_result.data.*.description | string | |
| action_result.data.*.dhcpServer | string | ip |
| action_result.data.*.diskDrive | string | file path |
| action_result.data.*.dnsServers | string | ip |
| action_result.data.*.domainOrWorkgroup | string | domain |
| action_result.data.*.edrStatus | numeric | |
| action_result.data.*.elamOnOff | numeric | |
| action_result.data.*.email | string | email |
| action_result.data.*.employeeNumber | string | |
| action_result.data.*.employeeStatus | string | |
| action_result.data.*.encryptedDevicePassword | string | |
| action_result.data.*.fbwf | numeric | |
| action_result.data.*.firewallOnOff | numeric | |
| action_result.data.*.freeDisk | numeric | |
| action_result.data.*.freeMem | numeric | |
| action_result.data.*.fullName | string | |
| action_result.data.*.gateways | string | ip |
| action_result.data.*.group.domain.id | string | md5 |
| action_result.data.*.group.domain.name | string | symantec admin domain |
| action_result.data.*.group.externalId | string | |
| action_result.data.*.group.fullPathName | string | |
| action_result.data.*.group.id | string | symantec group id |
| action_result.data.*.group.name | string | |
| action_result.data.*.group.source | string | |
| action_result.data.*.groupUpdateProvider | boolean | |
| action_result.data.*.hardwareKey | string | md5 |
| action_result.data.*.homePhone | string | |
| action_result.data.*.hypervisorVendorId | string | |
| action_result.data.*.idsChecksum | string | |
| action_result.data.*.idsSerialNo | string | |
| action_result.data.*.idsVersion | string | |
| action_result.data.*.infected | numeric | |
| action_result.data.*.installType | string | |
| action_result.data.*.ipAddresses | string | ip |
| action_result.data.*.isGrace | numeric | |
| action_result.data.*.isNpvdiClient | numeric | |
| action_result.data.*.jobTitle | string | |
| action_result.data.*.kernel | string | |
| action_result.data.*.lastConnectedIpAddr | string | ip |
| action_result.data.*.lastDeploymentTime | numeric | |
| action_result.data.*.lastDownloadTime | numeric | |
| action_result.data.*.lastHeuristicThreatTime | numeric | |
| action_result.data.*.lastScanTime | numeric | |
| action_result.data.*.lastServerId | string | |
| action_result.data.*.lastServerName | string | |
| action_result.data.*.lastSiteId | string | |
| action_result.data.*.lastSiteName | string | |
| action_result.data.*.lastUpdateTime | numeric | |
| action_result.data.*.lastVirusTime | numeric | |
| action_result.data.*.licenseExpiry | numeric | |
| action_result.data.*.licenseId | string | |
| action_result.data.*.licenseStatus | numeric | |
| action_result.data.*.logicalCpus | numeric | |
| action_result.data.*.loginDomain | string | domain |
| action_result.data.*.logonUserName | string | user name |
| action_result.data.*.macAddresses | string | mac address |
| action_result.data.*.majorVersion | numeric | |
| action_result.data.*.memory | numeric | |
| action_result.data.*.minorVersion | numeric | |
| action_result.data.*.mobilePhone | string | |
| action_result.data.*.officePhone | string | |
| action_result.data.*.onlineStatus | numeric | |
| action_result.data.*.operatingSystem | string | |
| action_result.data.*.osBitness | string | |
| action_result.data.*.osElamStatus | numeric | |
| action_result.data.*.osFlavorNumber | numeric | |
| action_result.data.*.osFunction | string | |
| action_result.data.*.osLanguage | string | |
| action_result.data.*.osMajor | numeric | |
| action_result.data.*.osMinor | numeric | |
| action_result.data.*.osName | string | |
| action_result.data.*.osServicePack | string | |
| action_result.data.*.osVersion | string | |
| action_result.data.*.osbitness | string | |
| action_result.data.*.osflavorNumber | numeric | |
| action_result.data.*.osfunction | string | |
| action_result.data.*.oslanguage | string | |
| action_result.data.*.osmajor | numeric | |
| action_result.data.*.osminor | numeric | |
| action_result.data.*.osname | string | |
| action_result.data.*.osservicePack | string | |
| action_result.data.*.osversion | string | |
| action_result.data.*.patternIdx | string | md5 |
| action_result.data.*.pepOnOff | numeric | |
| action_result.data.*.physicalCpus | numeric | |
| action_result.data.*.processorClock | numeric | |
| action_result.data.*.processorType | string | |
| action_result.data.*.profileChecksum | string | |
| action_result.data.*.profileSerialNo | string | |
| action_result.data.*.profileVersion | string | |
| action_result.data.*.ptpOnOff | numeric | |
| action_result.data.*.publicKey | string | |
| action_result.data.*.quarantineDesc | string | |
| action_result.data.*.rebootReason | string | |
| action_result.data.*.rebootRequired | numeric | |
| action_result.data.*.securityVirtualAppliance | string | |
| action_result.data.*.serialNumber | string | |
| action_result.data.*.snacLicenseId | string | |
| action_result.data.*.subnetMasks | string | |
| action_result.data.*.svaId | string | |
| action_result.data.*.tamperOnOff | numeric | |
| action_result.data.*.timeZone | numeric | |
| action_result.data.*.tmpDevice | string | |
| action_result.data.*.totalDiskSpace | numeric | |
| action_result.data.*.tpmDevice | string | |
| action_result.data.*.uniqueId | string | symantec device id |
| action_result.data.*.uuid | string | |
| action_result.data.*.uwf | numeric | |
| action_result.data.*.virtualizationPlatform | string | |
| action_result.data.*.vsicStatus | numeric | |
| action_result.data.*.winServers | string | ip |
| action_result.data.*.worstInfectionIdx | string | |
| action_result.data.*.writeFiltersStatus | string | |
| action_result.summary.system_found | boolean | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Get command status report
Type: investigate
Read only: True
This action provides detailed information about the execution of a specified command on a specified client. Status of the command can be evaluated based on three output parameters stateId, subStateId and subStateDesc.
stateId does not necessarily return one of the below state values. Possible values are:
- 0 = INITIAL
- 1 = RECEIVED
- 2 = IN_PROGRESS
- 3 = COMPLETED
- 4 = REJECTED
- 5 = CANCELED
- 6 = ERROR
subStateId does not necessarily return one of the below state values. Possible values are:
- -1 = Unknown
- 0 = Success
- 1 = Client did not execute the command
- 2 = Client did not report any status
- 3 = Command was a duplicate and not executed
- 4 = Spooled command could not restart
- 5 = Restart command not allowed from the console
- 6 = Unexpected error
- 100 = Success
- 101 = Security risk found
- 102 = Scan was suspended
- 103 = Scan was aborted
- 105 = Scan did not return status
- 106 = Scan failed to start
- 110 = Auto-Protect cannot be turned on
- 120 = LiveUpdate download is in progress
- 121 = LiveUpdate download failed
- 131 = Quarantine delete failed
- 132 = Quarantine delete partial success
- 141 = Evidence of Compromise scan failed
- 142 = Evidence of Compromise scan failed: XML invalid or could not be parsed
- 146 = Evidence of Compromise file validation failed on the server
subStateDesc does not necessarily return one of the below state values. Possible values are:
- -1 = Unknown
- 0 = Success
- 1 = Client did not execute the command
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Command ID | string | symantec command id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.id | string | symantec command id |
| action_result.data.*.beginTime | string | |
| action_result.data.*.binaryFileId | string | |
| action_result.data.*.computerId | string | symantec device id |
| action_result.data.*.computerIp | string | ip |
| action_result.data.*.computerName | string | host name |
| action_result.data.*.currentLoginUserName | string | user name |
| action_result.data.*.domainName | string | symantec admin domain |
| action_result.data.*.hardwareKey | string | md5 |
| action_result.data.*.lastUpdateTime | string | |
| action_result.data.*.resultInXML | string | |
| action_result.data.*.stateId | numeric | |
| action_result.data.*.subStateDesc | string | |
| action_result.data.*.subStateId | numeric | |
| action_result.summary.command_state | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Unquarantine the endpoint
Type: correct
Read only: False
Either id or ip_hostname of an endpoint needs to be specified to unquarantine an endpoint. If id is specified, ip_hostname is ignored.
The action sends the unquarantine command to the SEP Manager and returns with the command id. The command takes some time (usually under a minute) to complete. The get status action can be used to get the status of the command. The action will start the unquarantine process and poll for the amount of seconds passed in the timeout parameter to get the latest status of the action. If any value of the computerID, IP or hostname is given wrong in the comma separated string in the respective parameters, the action will fail.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | optional | Comma(,) separated Computer IDs of the endpoints to unquarantine | string | symantec device id |
| ip_hostname | optional | Comma(,) separated Hostname/IP of the endpoints to unquarantine | string | ip host name |
| timeout | optional | Timeout (Default: 30 seconds) | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.id | string | symantec device id |
| action_result.parameter.ip_hostname | string | ip host name |
| action_result.parameter.timeout | numeric | |
| action_result.data.*.beginTime | string | |
| action_result.data.*.binaryFileId | string | |
| action_result.data.*.computerId | string | md5 |
| action_result.data.*.computerIp | string | ip |
| action_result.data.*.computerName | string | host name |
| action_result.data.*.currentLoginUserName | string | user name |
| action_result.data.*.domainName | string | domain |
| action_result.data.*.hardwareKey | string | md5 |
| action_result.data.*.lastUpdateTime | string | |
| action_result.data.*.resultInXML | string | |
| action_result.data.*.stateId | numeric | |
| action_result.data.*.subStateDesc | string | |
| action_result.data.*.subStateId | numeric | |
| action_result.summary.command_id | string | symantec command id |
| action_result.summary.state_id_status | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Quarantine the endpoint
Type: contain
Read only: False
Either id or ip_hostname of an endpoint needs to be specified to quarantine an endpoint. If id is specified, ip_hostname is ignored.
The action sends the quarantine command to the SEP Manager and returns with the command id. The command takes some time (usually under a minute) to complete. The get status action can be used to get the status of the command. The action will start the quarantine process and poll for the amount of seconds passed in the timeout parameter to get the latest status of the action. If any value of the computerID, IP or hostname is given wrong in the comma separated string in the respective parameters, the action will fail.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | optional | Comma(,) separated Computer IDs of the endpoints to quarantine | string | symantec device id |
| ip_hostname | optional | Comma(,) separated Hostname/IP of the endpoints to quarantine | string | ip host name |
| timeout | optional | Timeout (Default: 30 secs) | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.id | string | symantec device id |
| action_result.parameter.ip_hostname | string | ip host name |
| action_result.parameter.timeout | numeric | |
| action_result.data.*.beginTime | string | |
| action_result.data.*.binaryFileId | string | |
| action_result.data.*.computerId | string | md5 |
| action_result.data.*.computerIp | string | ip |
| action_result.data.*.computerName | string | host name |
| action_result.data.*.currentLoginUserName | string | user name |
| action_result.data.*.domainName | string | domain |
| action_result.data.*.hardwareKey | string | md5 |
| action_result.data.*.lastUpdateTime | string | |
| action_result.data.*.resultInXML | string | |
| action_result.data.*.stateId | numeric | |
| action_result.data.*.subStateDesc | string | |
| action_result.data.*.subStateId | numeric | |
| action_result.summary.command_id | string | symantec command id |
| action_result.summary.state_id_status | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Unblock hashes on endpoints
Type: correct
Read only: False
This action removes all the MD5 hashes provided in hash from a fingerprint file. If all hashes from the fingerprint file are removed, then the fingerprint file will be deleted from SEP.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| group_id | required | Group ID | string | symantec group id |
| hash | required | Comma(,) separated MD5 hash value of files to unblock | string | md5 |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.group_id | string | symantec group id |
| action_result.parameter.hash | string | md5 |
| action_result.data.*.fingerprint_file_info.data | string | md5 |
| action_result.data.*.fingerprint_file_info.description | string | |
| action_result.data.*.fingerprint_file_info.domainId | string | md5 |
| action_result.data.*.fingerprint_file_info.groupIds | string | symantec group id |
| action_result.data.*.fingerprint_file_info.hashType | string | |
| action_result.data.*.fingerprint_file_info.id | string | |
| action_result.data.*.fingerprint_file_info.name | string | |
| action_result.data.*.fingerprint_file_info.source | string | |
| action_result.data.*.hash_info.*.context | string | |
| action_result.data.*.hash_info.*.data | string | |
| action_result.data.*.hash_info.*.extra_data | string | |
| action_result.data.*.hash_info.*.message | string | |
| action_result.data.*.hash_info.*.parameter.hash | string | md5 |
| action_result.data.*.hash_info.*.status | string | |
| action_result.data.*.hash_info.*.summary | string | |
| action_result.summary.hashes_already_unblocked | numeric | |
| action_result.summary.hashes_unblocked | numeric | |
| action_result.summary.invalid_hashes | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Block hashes on endpoints
Type: contain
Read only: False
This action creates a fingerprint file on SEP manager for a given group_id and adds all the MD5 hashes provided in hash to the file. This file will be connected in blacklist mode to the System Lockdown setting of the group referred by group_id. Hashes of files having extensions either .exe, .com, .dll or .ocx will be used to block an application from launching on endpoints.
In order to add an application to a group in blocked mode, the group must not inherit policies and settings of its parent group.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| group_id | required | Group ID | string | symantec group id |
| hash | required | Comma(,) separated MD5 hash value of files to block | string | md5 |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.group_id | string | symantec group id |
| action_result.parameter.hash | string | md5 |
| action_result.data.*.fingerprint_file_info.description | string | |
| action_result.data.*.fingerprint_file_info.domainId | string | md5 |
| action_result.data.*.fingerprint_file_info.hashType | string | |
| action_result.data.*.fingerprint_file_info.id | string | md5 |
| action_result.data.*.fingerprint_file_info.name | string | |
| action_result.data.*.hash_info.*.context | string | |
| action_result.data.*.hash_info.*.data | string | |
| action_result.data.*.hash_info.*.extra_data | string | |
| action_result.data.*.hash_info.*.message | string | |
| action_result.data.*.hash_info.*.parameter.hash | string | md5 |
| action_result.data.*.hash_info.*.status | string | |
| action_result.data.*.hash_info.*.summary | string | |
| action_result.summary.hashes_already_blocked | numeric | |
| action_result.summary.hashes_already_unblocked | numeric | |
| action_result.summary.hashes_blocked | numeric | |
| action_result.summary.invalid_hashes | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Scan an endpoint
Type: investigate
Read only: True
Either id or ip_hostname of an endpoint needs to be specified to scan an endpoint. If id is specified, ip_hostname is ignored.
The type parameter can be one of the following values:
- QUICK_SCAN
- FULL_SCAN
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | optional | Comma(,) separated Computer IDs of the endpoints to scan | string | symantec device id |
| ip_hostname | optional | Comma(,) separated Hostname/IP of the endpoints to scan | string | ip host name |
| type | optional | Scan Type (Default: QUICK_SCAN) | string | symantec scan type |
| timeout | optional | Timeout (Default: 30 seconds) | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.id | string | symantec device id |
| action_result.parameter.ip_hostname | string | ip host name |
| action_result.parameter.timeout | numeric | |
| action_result.parameter.type | string | symantec scan type |
| action_result.data.*.EOC.@creator | string | |
| action_result.data.*.EOC.@id | string | |
| action_result.data.*.EOC.@version | string | |
| action_result.data.*.EOC.Activity | string | |
| action_result.data.*.EOC.DataSource.@id | string | |
| action_result.data.*.EOC.DataSource.@name | string | |
| action_result.data.*.EOC.DataSource.@version | string | |
| action_result.data.*.EOC.ScanType | string | symantec scan type |
| action_result.data.*.EOC.Threat.@category | string | |
| action_result.data.*.EOC.Threat.@severity | string | |
| action_result.data.*.EOC.Threat.@time | string | |
| action_result.data.*.EOC.Threat.@type | string | |
| action_result.data.*.EOC.Threat.Application | string | |
| action_result.data.*.EOC.Threat.Attacker | string | |
| action_result.data.*.EOC.Threat.Description | string | |
| action_result.data.*.EOC.Threat.URL | string | |
| action_result.data.*.EOC.Threat.User | string | |
| action_result.data.*.EOC.Threat.proxy.@ip | string | |
| action_result.data.*.beginTime | string | |
| action_result.data.*.binaryFileId | string | |
| action_result.data.*.computerId | string | md5 |
| action_result.data.*.computerIp | string | ip |
| action_result.data.*.computerName | string | host name |
| action_result.data.*.currentLoginUserName | string | user name |
| action_result.data.*.domainName | string | domain |
| action_result.data.*.hardwareKey | string | md5 |
| action_result.data.*.lastUpdateTime | string | |
| action_result.data.*.stateId | numeric | |
| action_result.data.*.subStateDesc | string | |
| action_result.data.*.subStateId | numeric | |
| action_result.summary.command_id | string | symantec command id |
| action_result.summary.state_id_status | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Scan a computer
Type: investigate
Read only: True
Either computer_id or group_id needs to be specified to perform fullscan/activescan. If both computer_id and group_id are specified, selected scan will start for both values.
The type parameter can be one of the following values:
- activescan
- fullscan
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| computer_id | optional | Comma(,) separated computer IDs to scan | string | symantec device id |
| group_id | optional | Comma(,) separated group IDs to scan | string | symantec group id |
| type | optional | Scan Type (Default: fullscan) | string | symantec fullscan type |
| timeout | optional | Timeout (Default: 30 seconds) | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.computer_id | string | symantec device id |
| action_result.parameter.group_id | string | symantec group id |
| action_result.parameter.timeout | numeric | |
| action_result.parameter.type | string | symantec fullscan type |
| action_result.data.*.beginTime | string | |
| action_result.data.*.binaryFileId | string | |
| action_result.data.*.computerId | string | symantec device id |
| action_result.data.*.computerIp | string | |
| action_result.data.*.computerName | string | |
| action_result.data.*.currentLoginUserName | string | |
| action_result.data.*.domainName | string | |
| action_result.data.*.hardwareKey | string | |
| action_result.data.*.lastUpdateTime | string | |
| action_result.data.*.resultInXML | string | |
| action_result.data.*.stateId | numeric | |
| action_result.data.*.subStateDesc | string | |
| action_result.data.*.subStateId | numeric | |
| action_result.summary.computer_command_id | string | symantec command id |
| action_result.summary.group_command_id | string | symantec command id |
| action_result.summary.state_computer_id_status | string | |
| action_result.summary.state_group_id_status | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |