ATP & SEPM Both Unable to import external Cyber intelligence feeds?

I need a solution

Hi all,

Unless someone out there can prove me wrong (which I would really like), I have looked around the forums, the Internet, and the API guides, and spoken to a sales partner in the UK.

I have come to the sad conclusion that both ATP and SEPM are unable to import via the API (or, by the looks of it, by any means) any of the items listed below from external feeds, Threat Intel Platforms, etc.

  1. IP Addresses
  2. Domains
  3. FQDN
  4. File hashes (possibly) – but not of real use to my use case
  5. Other Indicators of Compromise

That kind of restricts you to Symantec-only feeds, with no OSINT or cross-platform ingestion of extra intelligence?

This is terrible if this is the case!

JB


1534853224


Getting Email meta information (from API)

I need a solution

Hello,

Is it possible to forward email traffic meta-information towards a SIEM?
I have tried the Data Feed API, and although the Test Query gives the expected results, I have no luck with the API itself (it returns 0 results, even if I reset the cursor to months ago).

1. Does the Data Feed API give me meta information about all incoming/outgoing Email traffic, or only on those flagged by ATP?
2. Is the Data Feed API the replacement for the (older) MessageLabs SOAP-based API? And if so, is the old SOAP API still working?

Thanks,
Tony


Re: how can I list all attributes via the REST API ???

Hi everyone,

So I'm successfully able to get the attributes I need back from the REST API, but I need to specify each one individually, which is kind of a hassle/pain.

e.g.: '/api/types/datastore/instances?fields=storageResource,name,format,host,vmDisks,vms'

Does anyone know of a way that I can list them ALL out without specifying each field individually ?

If you pass it ‘/api/types/datastore/instances’ , it only returns the ID.

Is there anything I can do such as ‘instances?fields=*’ that will return every attribute ?

Please let me know.

Thank you!


Using REST API for getting suspicious files from endpoints – need help

I need a solution

Hi folks,

I was trying to implement this mechanism in my integration:
https://support.symantec.com/en_US/article.TECH239…
(Endpoint Protection 14 REST API support for deleting or fetching a file based on hash value)

Unfortunately I got into a dead end; maybe you can give a tip on how to move further. Here's what I did:

I use Postman for API tests. I'm able to authenticate via /api/v1/identity/authenticate and I get a token back. The next step is to order SEPM to go to the endpoint and grab the file using:

/api/v1/command-queue/files?file_path=c:\windows\notepad.exe&computer_ids=C[…CUT…]3&sha256=933E1778B2760B3A9194C2799D7B76052895959C3CAEDEFB4E9D764CBB6AD3B5

All I get as a return is a command_ID. Great. After some time I can see that the command was executed successfully in the SEPM console. Now I would like to download the file (e.g. for further analysis), but according to the article, for that I need a file_ID: /api/v1/command-queue/file/{file_id}/content

The question is… where do I get the file_id?

Did anyone actually successfully implement the mechanism from the article?

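The workflow the post describes, written out as an added example (this is not code from the post, from the Symantec article, or from SEPM itself). It assumes a transport callable, so it runs offline against a constructed stand-in, and it assumes the JSON body and "token" key of the authenticate call, the "commandID" key of the command-queue reply, that GET /api/v1/command-queue/{command_id} reports command status, and that the file id appears there as "binaryFileId"; the post could not find where file_id comes from, so treat that last field in particular as unconfirmed and check it against your SEPM version. The part worth keeping regardless is the final step: the downloaded bytes are hashed and rejected if they do not match the SHA-256 that was requested, so a wrong or tampered file never reaches the analysis pipeline.

```python
# Added example (not from the post or Symantec): SEPM 14 file-fetch workflow
# against an injectable transport.  Response field names are ASSUMPTIONS.
import hashlib
from string import hexdigits

# transport(method, url, headers, json_body, query) -> (http_status, payload);
# payload is a dict for JSON replies and bytes for the file download.


class SepmError(RuntimeError):
    pass


class SepmFileFetcher:
    def __init__(self, base_url, transport):
        self.base = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def _auth(self):
        if not self.token:
            raise SepmError("call authenticate() first")
        return {"Authorization": f"Bearer {self.token}"}

    def authenticate(self, username, password, domain=""):
        # Endpoint from the post.  ASSUMPTION: JSON body keys and the "token" key.
        status, body = self.transport(
            "POST", f"{self.base}/api/v1/identity/authenticate", {},
            {"username": username, "password": password, "domain": domain}, None)
        if status != 200 or "token" not in body:
            raise SepmError(f"authentication failed (HTTP {status})")
        self.token = body["token"]

    def request_file(self, computer_id, file_path, sha256):
        # Queue the fetch-file command (endpoint and parameters as in the post).
        sha256 = sha256.lower()
        if len(sha256) != 64 or any(c not in hexdigits for c in sha256):
            raise ValueError("sha256 must be 64 hex characters")
        status, body = self.transport(
            "POST", f"{self.base}/api/v1/command-queue/files", self._auth(), None,
            {"file_path": file_path, "computer_ids": computer_id, "sha256": sha256})
        if status != 200:
            raise SepmError(f"command-queue/files failed (HTTP {status})")
        return str(body["commandID"])  # ASSUMPTION: key carrying the command id

    def command_status(self, command_id):
        # ASSUMPTION: GET /api/v1/command-queue/{command_id} reports the command state.
        status, body = self.transport(
            "GET", f"{self.base}/api/v1/command-queue/{command_id}", self._auth(), None, None)
        if status != 200:
            raise SepmError(f"command status failed (HTTP {status})")
        return body

    @staticmethod
    def file_id_from_status(status_body):
        # ASSUMPTION: a completed command reports the stored file's id as
        # "binaryFileId" under "content".  The post could not find where file_id
        # comes from, so confirm this field name against your SEPM version.
        for entry in status_body.get("content", []):
            if entry.get("binaryFileId"):
                return str(entry["binaryFileId"])
        return None

    def download_verified(self, file_id, expected_sha256):
        # Download the file and refuse it unless its SHA-256 is the one requested.
        status, data = self.transport(
            "GET", f"{self.base}/api/v1/command-queue/file/{file_id}/content",
            self._auth(), None, None)
        if status != 200 or not isinstance(data, (bytes, bytearray)):
            raise SepmError(f"download failed (HTTP {status})")
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected_sha256.lower():
            raise SepmError(f"hash mismatch: expected {expected_sha256}, got {actual}")
        return bytes(data)


# Constructed stand-in for SEPM so the whole flow runs offline.
SAMPLE_FILE = b"MZ\x90\x00 constructed sample, not a real executable\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()


def fake_sepm(method, url, headers, json_body, query):
    if url.endswith("/identity/authenticate"):
        ok = json_body == {"username": "api-user", "password": "s3cret", "domain": ""}
        return (200, {"token": "tok-123"}) if ok else (401, {})
    if headers.get("Authorization") != "Bearer tok-123":
        return 401, {}
    if url.endswith("/command-queue/files"):
        return 200, {"commandID": "cmd-1"}
    if url.endswith("/command-queue/cmd-1"):
        return 200, {"content": [{"stateId": 3, "binaryFileId": "file-7"}]}
    if url.endswith("/command-queue/file/file-7/content"):
        return 200, SAMPLE_FILE
    return 404, {}


def fetch_and_verify(sha256, transport=fake_sepm):
    # Authenticate, queue the fetch, look up the file id, download, verify.
    sepm = SepmFileFetcher("https://sepm.example.internal:8446/sepm", transport)
    sepm.authenticate("api-user", "s3cret")
    cmd = sepm.request_file("CONSTRUCTED-COMPUTER-ID", r"c:\windows\notepad.exe", sha256)
    file_id = sepm.file_id_from_status(sepm.command_status(cmd))
    if file_id is None:
        raise SepmError("command finished but no file id was reported")
    return sepm.download_verified(file_id, sha256)
```

To use it against a real SEPM, replace fake_sepm with a small function built on the requests library that returns (response.status_code, response.json()) for JSON endpoints and (response.status_code, response.content) for the content download; the verification step stays the same.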

7022837: Return Code 11 from HLLAPI Calls with Reflection Desktop 16

This document (7022837) is provided subject to the disclaimer at the end of this document.

Environment

Reflection Desktop (including Pro, for X, for IBM, or for UNIX and OpenVMS) 16.0

Reflection Desktop (including Pro, for X, for IBM, or for UNIX and OpenVMS) 16.1

Microsoft Windows 7

Microsoft Windows 10

Situation

When using HLLAPI, EHLLAPI, or WinHLLAPI with Reflection Desktop, a Return Code 11 may result from some of the API calls. This article describes what causes this Return Code and how to prevent it from occurring with Reflection Desktop 16.

Resolution

Beginning with Reflection 2014 R1, a Return Code of 11 (RC=11) may result from some API calls if the host session is configured with PCI DSS Redaction enabled. Return Code 11 means "Resource Unavailable". To keep HLLAPI callers from reading unredacted screen data, most HLLAPI functions are disabled while Redaction is enabled.

The following HLLAPI functions are available with Redaction enabled:

1 – ConnectPS

2 – DisconnectPS

9 – SetSessionParameters

20 – QuerySystem

21 – Reset

101 – Connect Window Services

102 – Disconnect Window Services

103 – Query Window Coordinates

104 – Window Status

106 – Change PS Window Name

All other HLLAPI functions are disabled and return RC=11 "Resource unavailable", so that an HLLAPI caller cannot read redacted screen data.

Disable Privacy Filters and Redaction

To allow HLLAPI or the other automation interfaces (VBA and .NET) to read data in a host session, disable Redaction in that session's Privacy Filters and Redaction settings. Note that this re-exposes the redacted fields (for example, card numbers) to every automation client that can attach to the session, so disable it only for sessions that genuinely need unredacted data and keep it enabled elsewhere.
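As an added example (not from the Micro Focus article or from Reflection), a small wrapper around a HLLAPI entry point that maps RC=11 to an explicit "session is redacted" result using the function list above, so an automation script fails loudly instead of treating the blocked call as an empty screen. The entry-point typedef, the two stubs and the sample screen text are constructed for the example; with the real product you would pass the address of hllapi()/WinHLLAPI() resolved from the product DLL.

```c
/* Added example, not from the Micro Focus article: a wrapper around a HLLAPI
 * entry point that turns RC=11 into an explicit "session is redacted" result.
 * The entry point is a function pointer, so the same code works with
 * hllapi()/WinHLLAPI() resolved from the product DLL or with the two stubs
 * below (constructed stand-ins, not product code). */
#include <stddef.h>
#include <string.h>

/* Classic HLLAPI calling convention: function number, data buffer, length, return code. */
typedef void (*hllapi_fn)(unsigned short *func, char *data,
                          unsigned short *len, unsigned short *rc);

enum { HLL_CONNECT_PS = 1, HLL_DISCONNECT_PS = 2, HLL_COPY_PS = 5 };
enum { HLL_RC_OK = 0, HLL_RC_PARAMETER_ERROR = 2, HLL_RC_RESOURCE_UNAVAILABLE = 11 };
enum { HLL_ERR_REDACTED = -1 };

/* The ten functions the article lists as still available with Redaction enabled. */
static const unsigned short allowed_with_redaction[] =
    { 1, 2, 9, 20, 21, 101, 102, 103, 104, 106 };

int hll_allowed_with_redaction(unsigned short func)
{
    size_t i, n = sizeof allowed_with_redaction / sizeof allowed_with_redaction[0];
    for (i = 0; i < n; i++)
        if (allowed_with_redaction[i] == func)
            return 1;
    return 0;
}

/* Call the entry point and return its return code.  *redacted is set when RC=11
 * comes back for a function the article says Redaction disables. */
unsigned short hll_call(hllapi_fn api, unsigned short func, char *data,
                        unsigned short len, int *redacted)
{
    unsigned short f = func, l = len, rc = HLL_RC_OK;
    api(&f, data, &l, &rc);
    *redacted = (rc == HLL_RC_RESOURCE_UNAVAILABLE && !hll_allowed_with_redaction(func));
    return rc;
}

/* Connect to session `session` ('A'..'Z'), copy its presentation space into buf,
 * disconnect.  Returns 0 on success, HLL_ERR_REDACTED when the session has
 * Redaction enabled, otherwise the HLLAPI return code of the failing call. */
int hll_read_screen(hllapi_fn api, char session, char *buf, unsigned short buflen)
{
    char name[2] = { session, '\0' };
    int redacted = 0, ignored = 0;
    unsigned short rc;

    rc = hll_call(api, HLL_CONNECT_PS, name, 1, &redacted);
    if (rc != HLL_RC_OK)
        return rc;
    rc = hll_call(api, HLL_COPY_PS, buf, buflen, &redacted);
    hll_call(api, HLL_DISCONNECT_PS, name, 1, &ignored); /* always release the session */
    if (redacted)
        return HLL_ERR_REDACTED;
    return rc;
}

/* Stub imitating a session with Redaction enabled: only the listed functions succeed. */
void stub_redacted_session(unsigned short *func, char *data,
                           unsigned short *len, unsigned short *rc)
{
    (void)data; (void)len;
    *rc = hll_allowed_with_redaction(*func) ? HLL_RC_OK : HLL_RC_RESOURCE_UNAVAILABLE;
}

/* Stub imitating an unredacted session: CopyPS hands back a constructed screen
 * that still shows a full (test) card number, which is what Redaction hides. */
void stub_plain_session(unsigned short *func, char *data,
                        unsigned short *len, unsigned short *rc)
{
    static const char screen[] = "CUSTOMER 8841   CARD 4111111111111111   EXP 12/29";
    if (*func == HLL_COPY_PS) {
        size_t n = strlen(screen);
        if (*len == 0) { *rc = HLL_RC_PARAMETER_ERROR; return; }
        if (n >= *len)
            n = (size_t)*len - 1;        /* truncate to the caller's buffer */
        memcpy(data, screen, n);
        data[n] = '\0';
        *len = (unsigned short)n;
    }
    *rc = HLL_RC_OK;
}
```

Against the redacted stub, hll_read_screen connects successfully (function 1 is allowed), gets RC=11 from CopyPS, still disconnects, and reports HLL_ERR_REDACTED; against the plain stub it returns the full screen, card number included.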

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


7021278: EXTRA! Developer Tools: API Code Samples and Manuals

This technical note is organized into the following sections:

- API Reference Manuals

- EXTRA! Basic Code Samples

- Test Tool Code Samples

API Reference Manuals

The following documentation is available for EXTRA! APIs.

API                    Reference Information
---------------------  -----------------------------------------------------------
OLE Automation (COM)   EXTRA! Macro Editor component help (EPC_OLE.HLP, installed
                       with the product), or
                       http://docs.attachmate.com/extra/x-treme/apis/com/
WinHLLAPI              WinHLLAPI Language Reference
                       http://docs.attachmate.com/extra/x-treme/apis/whllapi.pdf
EHLLAPI                EHLLAPI Language Reference
                       http://docs.attachmate.com/extra/x-treme/apis/ehllapi.pdf
Attachmate HLLAPI      HLLAPI Language Reference
                       http://docs.attachmate.com/extra/x-treme/apis/hllapi.pdf
EAL                    Enterprise Access Library Language Reference
                       http://docs.attachmate.com/extra/x-treme/apis/eal.pdf
PCSHLL                 PCSHLL Language Reference (IBM PCOMM 4.01 EHLLAPI)
                       http://docs.attachmate.com/extra/x-treme/apis/pcshll.pdf
WD_API                 Wall Data (RUMBA) WD_API Language Reference
                       http://docs.attachmate.com/extra/x-treme/apis/wd_api.pdf

EXTRA! Basic Code Samples

A collection of over 20 EXTRA! Basic macros is available for download. These educational samples demonstrate:

– displaying Windows dialogs,

– checking the host 3270 OIA status line,

– transferring a file at a regular interval,

– calling Win32 API functions (e.g., modify Windows registry),

– copying host screen text to a Microsoft Excel spreadsheet,

– and more.

Download eb-samples.zip and see the enclosed _ReadMe.txt file for more information.

Test Tool Code Samples

The following additional test tool code samples are available for older APIs and IDEs.


API         VB 5.0 / 6.0    VC++ 5.0 / 6.0
----------  --------------  --------------
WinHLLAPI   hllvb32w.exe    hlltes32.exe
EHLLAPI     hllvb32e.exe    hlltes32.exe
HLLAPI                      hlldem32.exe
EAL         atmapi32.exe    ealtutor.exe
PCSHLL                      pcshll32.exe

By default, EXTRA! X-treme is configured to use 32-bit Enhanced Transport for HLLAPI. You can confirm the HLLAPI Transport Type selection by clicking Options > Global Preferences > Advanced.

For information on tracing API calls for debugging purposes, see Technical Note 2249.


7022829: Changing the default port for salt-api results in DeepSea stage 1 failing

This document (7022829) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Enterprise Storage 5

Situation

Changing the default salt-api port by adjusting the port number in “/etc/salt/master.d/salt-api.conf” results in DeepSea stage 1 failing with:

Stage initialization output:

salt-api : [“Salt API is failing to authenticate – try ‘systemctl restart salt-master'”]

deepsea_minions : valid

master_minion : valid

ceph_version : valid

Stage execution failed:

– salt-api failed

Resolution

The current suggested workaround is to create a custom stage 1 that bypasses the salt-api validation check. Note that this removes the only pre-flight check that salt-api is reachable and authenticating, so verify salt-api manually on its new port before relying on the custom stage; a salt-api that is genuinely down or misconfigured will otherwise surface only as failures in later stages.

Cause

The validation check (the validate.saltapi runner) uses a curl command that is hard-wired to the default salt-api port, 8000, so it fails whenever salt-api listens on any other port, even though salt-api itself is working.

Additional Information

If it is determined that the salt-api validation is indeed failing due to a port change, to create a custom DeepSea stage 1 that bypasses the salt-api validation, the following steps are needed:

1. Copy "/srv/salt/ceph/stage/1/default.sls" to, for example, "/srv/salt/ceph/stage/1/custom.sls".

2. Edit "/srv/salt/ceph/stage/1/custom.sls" and remove the following section from the top of the file:

   {% if salt['saltutil.runner']('validate.saltapi') == False %}
   salt-api failed:
     salt.state:
       - name: just.exit
       - tgt: {{ salt['pillar.get']('master_minion') }}
       - failhard: True
   {% endif %}

3. Edit "/srv/pillar/ceph/stack/global.yml" and add the line:

   stage_discovery: custom

4. Re-run DeepSea stage 1.
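Since the custom stage drops the check entirely, the following added example (not from the SUSE article or from DeepSea) reproduces what validate.saltapi's curl does but reads the port from salt-api.conf instead of assuming 8000, so it can stand in for the removed check. It assumes the rest_cherrypy section layout of salt-api.conf, sharedsecret eauth with user admin, and plain HTTP on 127.0.0.1 as in the salt-api.conf DeepSea ships; the port parsing works on any such file, while the login step needs a running salt-api.

```shell
#!/bin/sh
# Added example, not from the SUSE article or DeepSea: check salt-api on the
# port actually configured in salt-api.conf rather than the fixed port 8000
# used by validate.saltapi, so a moved port is not reported as an auth failure
# and a genuinely broken salt-api is still caught before running the stages.
set -e

# Print the rest_cherrypy port from a salt-api.conf (default 8000 when absent).
saltapi_port() {
    conf="${1:-/etc/salt/master.d/salt-api.conf}"
    port=$(awk '
        /^rest_cherrypy:/ { in_sec = 1; next }
        in_sec && /^[^ \t]/ { in_sec = 0 }
        in_sec && $1 == "port:" { print $2; exit }
    ' "$conf" 2>/dev/null || true)
    printf '%s\n' "${port:-8000}"
}

# Log in to salt-api the way the DeepSea check does with curl.
# ASSUMPTIONS: sharedsecret eauth, user "admin", plain HTTP on 127.0.0.1 as in
# the salt-api.conf DeepSea ships; switch to https:// and --cacert if you
# enabled TLS.  Succeeds only when the reply carries a token.
saltapi_login_ok() {
    port="$1"
    secret="$2"
    curl -sS -f -X POST "http://127.0.0.1:${port}/login" \
        -H 'Accept: application/json' \
        -d username=admin -d eauth=sharedsecret -d "sharedsecret=${secret}" \
        | grep -q '"token"'
}

# Usage: sh saltapi-check.sh --run [/etc/salt/master.d/salt-api.conf] <sharedsecret>
if [ "${1:-}" = "--run" ]; then
    port=$(saltapi_port "${2:-}")
    if saltapi_login_ok "$port" "${3:-}"; then
        echo "salt-api on port $port: authentication OK"
    else
        echo "salt-api on port $port: authentication FAILED (try 'systemctl restart salt-master')" >&2
        exit 1
    fi
fi
```

Run it on the master after changing the port and before invoking the custom stage; the sharedsecret is the value from the same salt-api.conf.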

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
