# Symantec Endpoint Protection
The Symantec Endpoint Protection connector enables automated interaction with the SEP Manager, allowing for streamlined management of security policies, blacklists, and endpoint protection measures.

Symantec Endpoint Protection is a robust security solution that provides comprehensive protection against a wide range of threats. This connector enables Swimlane Turbine users to automate critical security tasks such as managing file fingerprints, updating blacklists, and initiating content updates on endpoints. By integrating with Symantec Endpoint Protection, users can enhance their security posture, streamline endpoint management, and respond to threats with greater speed and efficiency. The connector's actions facilitate proactive threat hunting, system lockdown, and policy enforcement, directly contributing to a fortified defense against cyber threats.

## Prerequisites

To effectively utilize the Symantec Endpoint Protection connector with Swimlane Turbine, ensure you have the following prerequisites:

- API Key authentication with the following parameters:
  - URL: the base URL for the SEP Manager API
  - Username: the account username with permissions to access the SEP Manager
  - Password: the corresponding password for the provided username
  - Port: the port number on which the SEP Manager API is accessible

## Capabilities

The Symantec Endpoint Protection connector has the following capabilities:

- Get Groups
- Add Blacklist Fingerprint to Groups for Lockdown
- Create Blacklist
- Delete Blacklist
- Update Blacklist
- Get Domains
- Update Content Command

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| Port | API port | string | Required |
| Username | Username | string | Required |
| Secret | Password | string | Required |
| Domain | Symantec Endpoint Protection user's domain, defaults to the "Default" domain | string | Optional |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add Fingerprint to Group

Adds a specific fingerprint to a Symantec Endpoint Protection group for system lockdown, requiring group and fingerprint IDs.

Endpoint URL: `sepm/api/v1/groups/{{group_id}}/system-lockdown/fingerprints/{{fingerprint_id}}`

Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| group_id | string | Required | Unique identifier |
| fingerprint_id | string | Required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| errorCode | string | Error message if any |
| appErrorCode | string | Error message if any |
| errorMessage | string | Response message |

Example:

```json
[
  {
    "status_code": 423,
    "response_headers": {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'self' https://WIN-QDBT6MVUILC:8443",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Feature-Policy": "microphone 'none'; geolocation 'none'; usb 'none'; autoplay 'none' ",
      "Pragma": "no-cache",
      "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
      "Cache-Control": "no-cache, no-store",
      "X-Rate-Limit-Limit": "50",
      "X-Rate-Limit-Remaining": "49",
      "X-Rate-Limit-Reset": "60000",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked"
    },
    "reason": "",
    "json_body": {
      "errorCode": "423",
      "appErrorCode": "",
      "errorMessage": "The requested settings are locked."
    }
  }
]
```

### Create New Blacklist

Adds a new file fingerprint list to the blacklist in Symantec Endpoint Protection Manager using details such as name, domainId, hashType, and data.

Endpoint URL: `sepm/api/v1/policy-objects/fingerprints`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Required | Name of the resource |
| domainId | string | Required | Unique identifier |
| description | string | Required | Parameter for Create New Blacklist |
| hashType | string | Required | Type of the resource |
| data | array | Required | Response data |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'self' https://WIN-QDBT6MVUILC:8443",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Feature-Policy": "microphone 'none'; geolocation 'none'; usb 'none'; autoplay 'none' ",
      "Pragma": "no-cache",
      "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
      "Cache-Control": "no-cache, no-store",
      "X-Rate-Limit-Limit": "50",
      "X-Rate-Limit-Remaining": "49",
      "X-Rate-Limit-Reset": "60000",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked"
    },
    "reason": "",
    "json_body": {
      "id": "e5b43b239c334ab289cd842b09b97241"
    }
  }
]
```

### Delete Blacklist

Removes a specified blacklist entry from Symantec Endpoint Protection Manager using the provided ID.

Endpoint URL: `sepm/api/v1/policy-objects/fingerprints/{{id}}`

Method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'self' https://WIN-QDBT6MVUILC:8443",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Feature-Policy": "microphone 'none'; geolocation 'none'; usb 'none'; autoplay 'none' ",
      "Pragma": "no-cache",
      "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
      "Cache-Control": "no-cache, no-store",
      "X-Rate-Limit-Limit": "50",
      "X-Rate-Limit-Remaining": "49",
      "X-Rate-Limit-Reset": "60000",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
      "Content-Length": "0",
      "Date": "Thu, 01 Dec 2022 18:07:44 GMT"
    },
    "reason": "",
    "response_text": ""
  }
]
```

### Get Blacklist Fingerprint File by Name

Retrieves the file fingerprint blacklist by name, returning a set of associated hash values in Symantec Endpoint Protection.

Endpoint URL: `sepm/api/v1/policy-objects/fingerprints`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Optional | Name of the resource |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| hashType | string | Type of the resource |
| source | string | Output field source |
| description | string | Output field description |
| data | array | Response data |
| groupIds | array | Unique identifier |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'self' https://WIN-QDBT6MVUILC:8443",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Feature-Policy": "microphone 'none'; geolocation 'none'; usb 'none'; autoplay 'none' ",
      "Pragma": "no-cache",
      "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
      "Cache-Control": "no-cache, no-store",
      "X-Rate-Limit-Limit": "50",
      "X-Rate-Limit-Remaining": "48",
      "X-Rate-Limit-Reset": "21388",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked"
    },
    "reason": "",
    "json_body": {
      "id": "9ec5beefe64e406da0aac2a584bee09e",
      "name": "test",
      "hashType": "MD5",
      "source": "WEBSERVICE",
      "description": "A description",
      "data": [],
      "groupIds": []
    }
  }
]
```

### Get Domains

Retrieve a list of all accessible domains from Symantec Endpoint Protection Manager.

Endpoint URL: `sepm/api/v1/domains`

Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'self' https://WIN-QDBT6MVUILC:8443",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Feature-Policy": "microphone 'none'; geolocation 'none'; usb 'none'; autoplay 'none' ",
      "Pragma": "no-cache",
      "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
      "Cache-Control": "no-cache, no-store",
      "X-Rate-Limit-Limit": "50",
      "X-Rate-Limit-Remaining": "49",
      "X-Rate-Limit-Reset": "60000",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked"
    },
    "reason": "",
    "json_body": [
      {}
    ]
  }
]
```

### Get File Fingerprint by ID

Retrieve a list of hash values representing the file fingerprint for a specified ID in Symantec Endpoint Protection.

Endpoint URL: `sepm/api/v1/policy-objects/fingerprints/{{id}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| hashType | string | Type of the resource |
| source | string | Output field source |
| description | string | Output field description |
| data | array | Response data |
| groupIds | array | Unique identifier |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'self' https://WIN-QDBT6MVUILC:8443",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Feature-Policy": "microphone 'none'; geolocation 'none'; usb 'none'; autoplay 'none' ",
      "Pragma": "no-cache",
      "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
      "Cache-Control": "no-cache, no-store",
      "X-Rate-Limit-Limit": "50",
      "X-Rate-Limit-Remaining": "49",
      "X-Rate-Limit-Reset": "60000",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked"
    },
    "reason": "",
    "json_body": {
      "id": "9ec5beefe64e406da0aac2a584bee09e",
      "name": "test",
      "hashType": "MD5",
      "source": "WEBSERVICE",
      "description": "A description",
      "data": [],
      "groupIds": []
    }
  }
]
```

### Get Group

Retrieves a list of groups from Symantec Endpoint Protection for further analysis or action.

Endpoint URL: `sepm/api/v1/groups`

Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| content | array | Response content |
| id | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |
| fullPathName | string | Name of the resource |
| numberOfPhysicalComputers | number | Output field numberOfPhysicalComputers |
| numberOfRegisteredUsers | number | Output field numberOfRegisteredUsers |
| createdBy | string | Output field createdBy |
| created | number | Output field created |
| lastModified | number | Output field lastModified |
| policySerialNumber | string | Output field policySerialNumber |
| policyDate | number | Date value |
| customIpsNumber | string | Output field customIpsNumber |
| domain | object | Output field domain |
| id | string | Unique identifier |
| name | string | Name of the resource |
| policyInheritanceEnabled | boolean | Output field policyInheritanceEnabled |
| size | number | Output field size |
| number | number | Output field number |
| sort | array | Output field sort |
| direction | string | Output field direction |
| property | string | Output field property |
| ascending | boolean | Output field ascending |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'self' https://WIN-QDBT6MVUILC:8443",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Feature-Policy": "microphone 'none'; geolocation 'none'; usb 'none'; autoplay 'none' ",
      "Pragma": "no-cache",
      "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
      "Cache-Control": "no-cache, no-store",
      "X-Rate-Limit-Limit": "50",
      "X-Rate-Limit-Remaining": "49",
      "X-Rate-Limit-Reset": "60000",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked"
    },
    "reason": "",
    "json_body": {
      "content": [],
      "size": 25,
      "number": 0,
      "sort": [],
      "numberOfElements": 2,
      "totalPages": 1,
      "firstPage": true,
      "lastPage": true,
      "totalElements": 2
    }
  }
]
```

### Update Blacklist

Updates an existing blacklist in Symantec Endpoint Protection using the specified `id`. A system administrator account is required.

Endpoint URL: `sepm/api/v1/policy-objects/fingerprints/{{id}}`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | Unique identifier |
| name | string | Optional | Name of the resource |
| domainId | string | Optional | Unique identifier |
| description | string | Optional | Parameter for Update Blacklist |
| hashType | string | Optional | Type of the resource |
| data | array | Optional | Response data |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'self' https://WIN-QDBT6MVUILC:8443",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Feature-Policy": "microphone 'none'; geolocation 'none'; usb 'none'; autoplay 'none' ",
      "Pragma": "no-cache",
      "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
      "Cache-Control": "no-cache, no-store",
      "X-Rate-Limit-Limit": "50",
      "X-Rate-Limit-Remaining": "49",
      "X-Rate-Limit-Reset": "60000",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
      "Content-Length": "0",
      "Date": "Thu, 01 Dec 2022 17:54:47 GMT"
    },
    "reason": "",
    "response_text": ""
  }
]
```

### Update Content Command

Initiates a content update on specified Symantec Endpoint Protection endpoints using group or computer IDs. A system administrator account is required.

Endpoint URL: `sepm/api/v1/command-queue/updatecontent`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| group_ids | array | Required | Unique identifier |
| computer_ids | array | Required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| errorCode | string | Error message if any |
| appErrorCode | string | Error message if any |
| errorMessage | string | Response message |

Example:

```json
[
  {
    "status_code": 400,
    "response_headers": {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'self' https://WIN-QDBT6MVUILC:8443",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff, nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Feature-Policy": "microphone 'none'; geolocation 'none'; usb 'none'; autoplay 'none' ",
      "Pragma": "no-cache",
      "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
      "Cache-Control": "no-cache, no-store",
      "X-Rate-Limit-Limit": "50",
      "X-Rate-Limit-Remaining": "49",
      "X-Rate-Limit-Reset": "60000",
      "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked"
    },
    "reason": "",
    "json_body": {
      "errorCode": "400",
      "appErrorCode": "",
      "errorMessage": "No matching records found for input argument computer_ids or hardware_ids."
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-cache, no-store |
| Connection | HTTP response header Connection | close |
| Content-Length | The length of the response body in bytes | 0 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | frame-ancestors 'self' https://WIN-QDBT6MVUILC:8443 https://WIN-QDBT6MVUILC:8443 |
| Content-Type | The media type of the resource | application/json;charset=UTF-8 |
| Date | The date and time at which the message was originated | Thu, 01 Dec 2022 18:11:36 GMT |
| Expires | The date/time after which the response is considered stale | Thu, 01 Jan 1970 00:00:00 GMT |
| Feature-Policy | HTTP response header Feature-Policy | microphone 'none'; geolocation 'none'; usb 'none'; autoplay 'none' |
| Keep-Alive | HTTP response header Keep-Alive | timeout=60 |
| Pragma | HTTP response header Pragma | no-cache |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Server | Information about the software used by the origin server | SEPM |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000 ; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff, nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY |
| X-Rate-Limit-Limit | HTTP response header X-Rate-Limit-Limit | 50 |
| X-Rate-Limit-Remaining | HTTP response header X-Rate-Limit-Remaining | 49 |
| X-Rate-Limit-Reset | HTTP response header X-Rate-Limit-Reset | 60000 |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
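The following is an added example, not code from the Swimlane connector or from the SEP Manager API, showing how a playbook author would drive the Create New Blacklist, Add Fingerprint to Group and Update Content Command actions above defensively: it validates the hash list against `hashType` before anything is sent (a SHA256 digest filed under `MD5` silently produces a list that never matches), builds the documented request paths, and classifies the documented `200`, `423` ("The requested settings are locked") and `400` results together with the `X-Rate-Limit-*` headers. Assumptions not stated on the page: the accepted `hashType` values are `MD5` and `SHA256`, and `X-Rate-Limit-Reset` counts milliseconds. The sample response below is constructed from the 423 example on this page.

```python
"""Helpers for the SEPM fingerprint-list (blacklist) and lockdown actions.

Added example; not part of the Swimlane connector or the SEPM API.
Assumptions: hashType is "MD5" or "SHA256"; X-Rate-Limit-Reset is in milliseconds.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the two hash types SEPM file fingerprint lists accept, with hex digest lengths.
HEX_LENGTH = {"MD5": 32, "SHA256": 64}
_HEX = re.compile(r"^[0-9a-f]+$")


@dataclass
class PlannedRequest:
    """A request a playbook step would hand to the connector (method, path, JSON body)."""
    method: str
    path: str
    body: Optional[dict]


def validate_fingerprints(hash_type: str, data: List[str]) -> List[str]:
    """Return a de-duplicated, lower-cased hash list, or raise ValueError on bad input."""
    expected = HEX_LENGTH.get(hash_type.upper())
    if expected is None:
        raise ValueError(f"unsupported hashType {hash_type!r}; use one of {sorted(HEX_LENGTH)}")
    if not data:
        raise ValueError("data must contain at least one hash")
    normalized = []
    for raw in data:
        digest = raw.strip().lower()
        if len(digest) != expected or not _HEX.match(digest):
            raise ValueError(f"{raw!r} is not a valid {hash_type.upper()} hex digest")
        normalized.append(digest)
    return sorted(set(normalized))


def plan_create_blacklist(name: str, domain_id: str, description: str,
                          hash_type: str, data: List[str]) -> PlannedRequest:
    """Build the POST for the Create New Blacklist action."""
    body = {
        "name": name,
        "domainId": domain_id,
        "description": description,
        "hashType": hash_type.upper(),
        "data": validate_fingerprints(hash_type, data),
    }
    return PlannedRequest("POST", "sepm/api/v1/policy-objects/fingerprints", body)


def plan_lockdown(group_id: str, fingerprint_id: str) -> PlannedRequest:
    """Build the PUT for the Add Fingerprint to Group (system lockdown) action."""
    path = f"sepm/api/v1/groups/{group_id}/system-lockdown/fingerprints/{fingerprint_id}"
    return PlannedRequest("PUT", path, None)


def classify_response(result: dict) -> dict:
    """Interpret one connector result entry of the shape shown in the action examples.

    Returns an outcome plus the id or error message and how long to back off
    (assumption: X-Rate-Limit-Reset is milliseconds until the window reopens).
    """
    status = result["status_code"]
    headers = result.get("response_headers", {})
    body = result.get("json_body") or {}
    remaining = int(headers.get("X-Rate-Limit-Remaining", "1"))
    reset_ms = int(headers.get("X-Rate-Limit-Reset", "0"))
    retry_after_ms = reset_ms if remaining <= 0 else 0

    if 200 <= status < 300:
        return {"outcome": "ok", "id": body.get("id"), "retry_after_ms": retry_after_ms}
    if status == 423:
        # Lockdown settings on the target group are locked in SEPM; retrying does not
        # help, an administrator has to unlock them, so the playbook should escalate.
        return {"outcome": "locked", "error": body.get("errorMessage"), "retry_after_ms": 0}
    if status == 400:
        # Bad input, e.g. computer_ids that match no record; fix the input, do not retry.
        return {"outcome": "bad_request", "error": body.get("errorMessage"), "retry_after_ms": 0}
    return {"outcome": "error", "error": body.get("errorMessage", result.get("reason")),
            "retry_after_ms": retry_after_ms}


# Constructed from the Add Fingerprint to Group example above (headers trimmed).
SAMPLE_LOCKED = {
    "status_code": 423,
    "response_headers": {"X-Rate-Limit-Limit": "50", "X-Rate-Limit-Remaining": "49",
                         "X-Rate-Limit-Reset": "60000"},
    "reason": "",
    "json_body": {"errorCode": "423", "appErrorCode": "",
                  "errorMessage": "The requested settings are locked."},
}

if __name__ == "__main__":
    req = plan_create_blacklist("ir-case-blocklist", "DOMAIN_ID_PLACEHOLDER", "IOC hashes",
                                "md5", ["D41D8CD98F00B204E9800998ECF8427E"])
    print(req.method, req.path, req.body["data"])
    print(classify_response(SAMPLE_LOCKED))
```

The validation step runs before the connector is invoked, so a malformed indicator fails the playbook locally instead of creating an empty or mismatched fingerprint list in SEPM; the `locked` outcome is deliberately not retried, since the 423 reflects a locked policy setting rather than a transient condition.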