Symantec EDR
Written by Ali Murtaza
Updated over a week ago

Symantec EDR Integration

Symantec EDR uses machine learning and behavioral analytics to detect and expose suspicious network activity.

Symantec EDR and SIRP together provide users with a single platform for automated operations such as retrieving events, incidents and files from the Symantec EDR server, blacklisting and whitelisting artifacts, and isolating or rejoining an endpoint.


Supported Actions

SIRP’s Symantec EDR integration app allows you to execute the following actions (serial number, action, description):

  1. Get Incidents: Retrieves information about all incidents from the Symantec EDR.

  2. Mark Incident As Closed: Closes an incident on the Symantec EDR.

  3. Update Incident Resolution: Updates the resolution of an incident on the Symantec EDR.

  4. Add IP to Allowlist: Pushes an IP to the Allowlist in Symantec EDR.

  5. Add Domain to Allowlist: Pushes a domain to the Allowlist in Symantec EDR.

  6. Add URL to Allowlist: Pushes a URL to the Allowlist in Symantec EDR.

  7. Add Hash to Allowlist: Pushes a SHA256 hash to the Allowlist in Symantec EDR.

  8. Add IP to Blacklist: Pushes an IP to the Blacklist in Symantec EDR.

  9. Add Domain to Blacklist: Pushes a domain to the Blacklist in Symantec EDR.

  10. Add URL to Blacklist: Pushes a URL to the Blacklist in Symantec EDR.

  11. Add Hash to Blacklist: Pushes an MD5 or SHA256 hash to the Blacklist in Symantec EDR.

  12. Add IP to Denylist: Pushes an IP to the Denylist in Symantec EDR.

  13. Add Domain to Denylist: Pushes a domain to the Denylist in Symantec EDR.

  14. Add URL to Denylist: Pushes a URL to the Denylist in Symantec EDR.

  15. Add Hash to Denylist: Pushes an MD5 or SHA256 hash to the Denylist in Symantec EDR.

  16. Remove IP from Blacklist: Removes an IP from the Blacklist in Symantec EDR.

  17. Remove Domain from Blacklist: Removes a domain from the Blacklist in Symantec EDR.

  18. Remove URL from Blacklist: Removes a URL from the Blacklist in Symantec EDR.

  19. Remove Hash from Blacklist: Removes an MD5 or SHA256 hash from the Blacklist in Symantec EDR.

  20. Remove IP from Denylist: Removes an IP from the Denylist in Symantec EDR.

  21. Remove Domain from Denylist: Removes a domain from the Denylist in Symantec EDR.

  22. Remove URL from Denylist: Removes a URL from the Denylist in Symantec EDR.

  23. Remove Hash from Denylist: Removes an MD5 or SHA256 hash from the Denylist in Symantec EDR.
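The action list above pairs each list with the artifact types it accepts: IPs, domains and URLs on all three lists, SHA256 hashes only on the Allowlist, and MD5 or SHA256 hashes on the Blacklist and Denylist, with Remove actions defined only for the Blacklist and Denylist. A playbook that classifies and validates an artifact before invoking one of these actions avoids pushing malformed or wrong-typed values. The following Python is an added example written for this article, not SIRP or Symantec code; the action names and acceptance rules are taken from the list above, and the validation logic, function names and sample artifacts are assumptions constructed here.

```python
"""Classify an artifact and pick the matching SIRP Symantec EDR action.

Added example, not part of the SIRP integration. The list/hash-type rules
mirror the action table; everything else is illustrative.
"""
import ipaddress
import re
from typing import Optional, Tuple

# Hash types each list accepts, as stated in the action table.
HASH_TYPES_BY_LIST = {
    "allowlist": {"sha256"},
    "blacklist": {"md5", "sha256"},
    "denylist": {"md5", "sha256"},
}

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Hostname: labels of 1-63 chars, no leading/trailing hyphen, at least one dot,
# alphabetic top-level label, total length <= 253 (assumed validation rule).
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
_URL_RE = re.compile(r"^https?://[^\s/?#]+[^\s]*$", re.IGNORECASE)


def classify_artifact(value: str) -> Optional[Tuple[str, str]]:
    """Return (artifact_type, normalized_value) or None if nothing matches.

    artifact_type is one of 'md5', 'sha256', 'ip', 'domain', 'url'.
    Hashes and domains are lower-cased; IPs are canonicalized; URLs kept as-is.
    """
    v = value.strip()
    if not v:
        return None
    low = v.lower()
    if _MD5_RE.match(low):
        return ("md5", low)
    if _SHA256_RE.match(low):
        return ("sha256", low)
    try:
        return ("ip", str(ipaddress.ip_address(v)))
    except ValueError:
        pass
    if _URL_RE.match(v):
        return ("url", v)
    if _DOMAIN_RE.match(low):
        return ("domain", low)
    return None


def select_action(value: str, list_name: str, add: bool = True) -> str:
    """Map an artifact and target list to the action name from the table.

    Raises ValueError when the artifact is malformed, the list does not accept
    that hash type, or a Remove action is requested for the Allowlist.
    """
    list_name = list_name.lower()
    if list_name not in HASH_TYPES_BY_LIST:
        raise ValueError(f"unknown list: {list_name}")
    classified = classify_artifact(value)
    if classified is None:
        raise ValueError(f"unrecognised artifact: {value!r}")
    kind, _ = classified
    if kind in ("md5", "sha256"):
        if kind not in HASH_TYPES_BY_LIST[list_name]:
            raise ValueError(f"{kind.upper()} is not accepted by the {list_name}")
        noun = "Hash"
    else:
        noun = {"ip": "IP", "domain": "Domain", "url": "URL"}[kind]
    verb_list = f"{list_name.capitalize()}"
    if add:
        return f"Add {noun} to {verb_list}"
    if list_name == "allowlist":
        raise ValueError("the action table defines no Remove action for the Allowlist")
    return f"Remove {noun} from {verb_list}"


def is_accepted(value: str, list_name: str, add: bool = True) -> bool:
    """True when select_action would succeed for this artifact and list."""
    try:
        select_action(value, list_name, add)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample artifacts (RFC 5737 address, reserved example domain,
    # and repeated-byte strings standing in for real hashes).
    samples = ["192.0.2.10", "Example.COM", "https://example.com/x", "ab" * 16, "ab" * 32, "nope!"]
    for s in samples:
        for lst in HASH_TYPES_BY_LIST:
            verdict = select_action(s, lst) if is_accepted(s, lst) else "rejected"
            print(f"{s!r:40} {lst:10} {verdict}")
```

Run as a script it prints, for each constructed sample and list, either the action the playbook should call or "rejected"; the MD5-length sample is rejected for the Allowlist and accepted for the other two lists, which is the distinction the table draws.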

Enable and Configure Symantec EDR

Create a new user on the Symantec instance

  1. Open your Symantec EDR instance.

  2. In the Settings on the left, go to Data Sharing.

  3. Under OAuth Clients, click Add Application.

  4. In Add Application:

    1. Add an App Name.

    2. Select Enable V2 APIs.

    3. Set Role to Admin.

  5. Copy the Client ID and Client Secret and click Done.

Enable the Symantec EDR in SIRP

  1. First, log in to SIRP, then go to Apps from the left navigation bar.

  2. Locate the app named Symantec EDR.

  3. Enable the Symantec EDR app by clicking the toggle button under the Status column.

Once you enable the app, click the Configure option to integrate SIRP with Symantec EDR.

  1. Add the following details and click Save:

    1. URL: <URL of the Symantec EDR Instance>

    2. Client-ID: <Client ID generated in Symantec Instance>

    3. Client-Secret: <Client Secret generated in Symantec Instance>

    4. Configuration Name: <Set by User>
