Symantec Managed Security Services

Use the Symantec Managed Security Services (Symantec MSS) integration to create Demisto incidents from Symantec incidents.

Prerequisites

  1. Export a production certificate, in .p12 format, that enables you to access your organization's information in
    SWS ( https://api.monitoredsecurity.com/SWS/ ).
  2. Use any "File to Base64" converter to encode the .p12 file into a base64 string.

If authorization fails, make sure that the exported .p12 certificate is for the production API and not the test API.

Verify that you can make HTTPS requests from your machine.

Make sure you use the correct proxy, and enable it in the integration configuration.
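The following is an added example, not part of the integration or this README, that performs step 2 of the prerequisites in Python and catches the two most common mistakes before the string is pasted into the Certificate field: exporting PEM text instead of a DER .p12, and encoding a file that is already base64. The sample bytes are constructed (a DER SEQUENCE header plus filler) and are not a real certificate.

```python
import base64
import re

# Constructed stand-in for an exported .p12 file: DER SEQUENCE tag 0x30,
# long-form length 0x82 0x01 0x00 (256 bytes), then filler. Not a real certificate.
SAMPLE_P12 = b"\x30\x82\x01\x00" + b"\x00" * 256

PEM_MARKER = b"-----BEGIN"
BASE64_TEXT = re.compile(rb"[A-Za-z0-9+/=\r\n]+")


def check_p12(data: bytes) -> str:
    """Classify the file contents: 'ok', 'pem', 'base64' or 'not-der'."""
    if data.startswith(PEM_MARKER):
        return "pem"            # PEM export, not the binary .p12 the integration needs
    if BASE64_TEXT.fullmatch(data):
        return "base64"         # already base64 text; encoding it again double-encodes
    if data[:1] != b"\x30":
        return "not-der"        # a DER PKCS#12 blob always starts with an ASN.1 SEQUENCE
    return "ok"


def p12_to_base64(data: bytes) -> str:
    """Return the single-line base64 string to paste into the Certificate field."""
    status = check_p12(data)
    if status != "ok":
        raise ValueError(f"refusing to encode: input looks like {status}")
    return base64.b64encode(data).decode("ascii")   # no line breaks, unlike `base64` on some systems


def base64_to_p12(encoded: str) -> bytes:
    """Decode the string back to bytes to confirm the round trip before using it."""
    return base64.b64decode(encoded, validate=True)
```

To encode a real export, read the file in binary mode (`open(path, "rb").read()`) and pass the bytes to `p12_to_base64`.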

Configure the Symantec MSS Integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Symantec MSS.
  3. Click Add instance to create and configure a new integration instance.
    • Name : A textual name for the integration instance.
    • Server URL : URL of Symantec MSS server
    • Certificate : The base64 representation of the exported production certificate
    • Certificate Passphrase : The passphrase used to create the .p12 certificate.
    • Use system proxy settings
    • Fetch Incidents
    • Incident type : Incident type to trigger incident creation.
    • Demisto engine
  4. Click Test to validate that the certificate is authenticated and the SWS server is responsive.

Fetched Incidents Data

Incidents with the severities of "Emergency" or "Critical" will be fetched. When importing events for the first time, incidents from the last 10 minutes are imported. A maximum of 500 incidents will be created in one import.
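The fetch rules above (severity filter, 10-minute window on the first run, cap of 500) as an added Python example; this is not the integration's own code. The incident records are constructed using the field names shown in the raw output of symantec-mss-incidents-list later on this page, and the last-run bookkeeping (the `last_run` and `now` parameters) is an assumption about how a fetch loop would track progress.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

FETCH_SEVERITIES = {"Emergency", "Critical"}
FIRST_FETCH_WINDOW = timedelta(minutes=10)
MAX_INCIDENTS_PER_FETCH = 500

# Constructed sample, modeled on the raw output fields of symantec-mss-incidents-list.
SAMPLE_INCIDENTS: List[Dict] = [
    {"IncidentNumber": "565658", "Severity": "Critical",
     "TimeCreated": "2017-12-20T10:04:35.4355923+00:00"},
    {"IncidentNumber": "565657", "Severity": "Warning",      # below the fetch threshold
     "TimeCreated": "2017-12-20T10:03:35.4355923+00:00"},
    {"IncidentNumber": "565650", "Severity": "Emergency",    # older than the first-run window
     "TimeCreated": "2017-12-20T09:50:00.0000000+00:00"},
]
NOW = datetime(2017, 12, 20, 10, 5, tzinfo=timezone.utc)   # assumed wall clock for the example


def parse_mss_timestamp(value: str) -> datetime:
    """Parse MSS timestamps, which carry 7 fractional digits; fromisoformat accepts at most 6."""
    value = value.replace("Z", "+00:00")
    value = re.sub(r"\.(\d+)", lambda m: "." + m.group(1)[:6].ljust(6, "0"), value)
    return datetime.fromisoformat(value)


def select_incidents_to_fetch(raw: List[Dict], last_run: Optional[datetime],
                              now: datetime) -> Tuple[List[Dict], datetime]:
    """Return (incidents to create, next last_run) under the page's fetch rules."""
    since = last_run if last_run is not None else now - FIRST_FETCH_WINDOW
    candidates = [inc for inc in raw
                  if inc.get("Severity") in FETCH_SEVERITIES
                  and parse_mss_timestamp(inc["TimeCreated"]) > since]
    candidates.sort(key=lambda inc: parse_mss_timestamp(inc["TimeCreated"]))
    selected = candidates[:MAX_INCIDENTS_PER_FETCH]      # oldest first, so the cap never skips a gap
    next_last_run = parse_mss_timestamp(selected[-1]["TimeCreated"]) if selected else since
    return selected, next_last_run
```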

Use Cases

  • Close an incident, change its resolution to "Resolved", and assign it to a person named "John"
    Example: "!symantec-mss-update-incident number=123 resolution=Resolved status=Closed assignPerson=John"
  • Query a specific incident (incident number 1 in this example)
    Example: "!symantec-mss-get-incident number=1"
  • Retrieve a list of alerts and import them as incidents into Demisto
    Check "Import events as incidents" when configuring the integration.
    To get a list of incidents from the War Room, created since 2017, with a severity of "Informational" or "Warning", from the source IP "127.0.0.1", with a maximum of 20 entries: "!symantec-mss-incidents-list time=2017-01-01T00:00:00.000Z severities=Informational,Warning max=20 sourceIp=127.0.0.1"

Commands

  1. List all incidents: symantec-mss-incidents-list
  2. Get incident information: symantec-mss-get-incident
  3. Update an incident: symantec-mss-update-incident

1. List all incidents


Gets a list of incidents. You can filter the results by time, source IP, severity, and maximum number of incidents. If no time is specified, incidents from the last 24 hours are returned.

Base Command

symantec-mss-incidents-list

Input
Parameter    Description
time         Timestamp from which to list incidents
severities   Comma-separated severities, for example Informational,Warning
max          Maximum number of incidents to return
sourceIp     Source IP address to filter the incident list by

Raw Output
[  
   {  
      "Category":"No Category",
      "Severity":"Warning",
      "DaysSeenGlobally":"0",
      "HostNameList":null,
      "GlobalLookbackDays":"2",
      "CustomerSeverity":null,
      "CountryCode":"CC0",
      "DaysSeenInLast30Days":"0",
      "DestOrganizationName":"Org0",
      "SourceOrganizationName":"Org1",
      "UserList":null,
      "IncidentNumber":"565656",
      "CountryOfOrigin":null,
      "SourceIPString":"127.0.0.1",
      "Correlation":"No",
      "IsInternalExternal":null,
      "LatestKeyEvent":"2017-12-20T10:04:35.4355923+00:00",
      "Classification":"Scan for Web Servers",
      "TimeCreated":"2017-12-20T10:04:35.4355923+00:00",
      "FirstSeenInLast30Days":"2017-12-20T10:04:35.4355923+00:00",
      "FirstSeenGlobally":"2017-12-20T10:04:35.4355923+00:00",
      "CountryName":"CName0",
      "UpdateTimestampGMT":"2017-12-20T10:04:35.4355923+00:00",
      "PrevalenceGlobally":"L"
   },
   {  
      "Category":"Authorized Activity",
      "Severity":"Warning",
      "DaysSeenGlobally":"0",
      "HostNameList":null,
      "GlobalLookbackDays":"2",
      "CustomerSeverity":null,
      "CountryCode":"CC1",
      "DaysSeenInLast30Days":"0",
      "DestOrganizationName":"Org1",
      "SourceOrganizationName":"Org2",
      "UserList":null,
      "IncidentNumber":"565657",
      "CountryOfOrigin":null,
      "SourceIPString":"127.0.0.1",
      "Correlation":"Yes",
      "IsInternalExternal":null,
      "LatestKeyEvent":"2017-12-20T10:03:35.4355923+00:00",
      "Classification":"Scan for Web Servers",
      "TimeCreated":"2017-12-20T10:03:35.4355923+00:00",
      "FirstSeenInLast30Days":"2017-12-20T10:03:35.4355923+00:00",
      "FirstSeenGlobally":"2017-12-20T10:03:35.4355923+00:00",
      "CountryName":"CName1",
      "UpdateTimestampGMT":"2017-12-20T10:03:35.4355923+00:00",
      "PrevalenceGlobally":"L"
   },
   ............................
]

War Room Output

2. Get incident information


Query an incident by number.

Base Command

symantec-mss-get-incident

Input
Parameter Description
number Incident number

Raw Output
{
   "Signatures":[
      {
         "NumberBlocked":"0",
         "SourceIPString":"0.0.0.0",
         "VendorSignature":null,
         "NumberNotBlocked":"0",
         "SignatureName":"Symantec AV Alert"
      },
      {
         "NumberBlocked":"0",
         "SourceIPString":"1.1.1.1",
         "VendorSignature":null,
         "NumberNotBlocked":"0",
         "SignatureName":"Symantec AV Alert"
      },
      {
         "NumberBlocked":"0",
         "SourceIPString":"2.2.2.2",
         "VendorSignature":null,
         "NumberNotBlocked":"0",
         "SignatureName":"Symantec AV Alert"
      },
      {
         "NumberBlocked":"0",
         "SourceIPString":"3.3.3.3",
         "VendorSignature":null,
         "NumberNotBlocked":"0",
         "SignatureName":"Symantec AV Alert"
      },
      {
         "NumberBlocked":"0",
         "SourceIPString":"4.4.4.4",
         "VendorSignature":null,
         "NumberNotBlocked":"0",
         "SignatureName":"Symantec AV Alert"
      },
      {
         "NumberBlocked":"0",
         "SourceIPString":"5.5.5.5",
         "VendorSignature":null,
         "NumberNotBlocked":"0",
         "SignatureName":"Symantec AV Alert"
      }
   ],
   "Incident Number":"565656",
   "Number of Analyzed Signatures":"5",
   "Analyst Assessment":"Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.",
   "Status":"",
   "Description":"Scans for Web Servers have been detected",
   "Classification":"Activity Summary - Scans for Web Servers",
   "Assigned Person":"",
   "Time Created":"2017-12-20T09:53:18.1855923+00:00",
   "Related Incidents":["1235", "123456", "123457"],
   "Comment":"CommentTest"
}
War Room Output

3. Update an incident


Updates the workflow of the incident specified by number. Optional parameters that are not specified are taken from the incident's current workflow. If the current workflow has no value for such a parameter, an error is thrown stating that a value for that parameter is required.

Base Command

symantec-mss-update-incident

Input
Parameter     Description
number        Incident number
resolution    Incident resolution, for example Resolved
status        Incident status, for example Closed
assignPerson  User assigned to the incident

Raw Output
Update status: Updated successfully
War Room Output