topic Questions about Add on for Symantec Endpoint Security (Cloud based- API integration required)? in All Apps and Add-ons

Questions about Add on for Symantec Endpoint Security (Cloud based- API integration required)?

rcalvo_ilt — Fri, 22 Jul 2022 13:56:38 GMT

Hi Team

Currently Splunk offers the 3.3.0 Add on for Symantec Endpoint Protection (aka SEP), this is an onpremise product, but Symantec also has a completely Cloud based solution called Endpoint Security (aka SES) that requires an integration with an API, I would like to know how Splunk is managing this kind of integration, my questions are:

1. Is there an Add on available that enables Splunk to collect data from the SES Cloud-API?

2. If not, What is the recommendation from Splunk to address the SES logs into the SIEM?

3. When is going to be available an agent even for a intermediate connection?

Best Regards

Re: Add on for Symantec Endpoint Security (Cloud based- API integration required)

jo54 — Fri, 22 Jul 2022 13:39:10 GMT

Hi,

I dealt with the identical issue. The only viable solution is to call an API. Or purchase Symantec's log parser exchange with a syslog output for SIEMS. This is purposely done.

You can do so by following these steps: https://apidocs.securitycloud.symantec.com/#/doc?id=ses auth

Generate an OAuth Key from the Symantec console in order to generate a bearer token with an expiration time for API calls. You have multiple alternatives, including Export Events and Export Stream Events, among others. The "Heavy Forwarder" server was what I used to execute these orders. The data can then be saved in a text file and parsed as desired.

You can also design the Add-On yourself, but then you're responsible for its maintenance and updates... so it's not worth it.