- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Questions about Add on for Symantec Endpoint Security (Cloud based- API integration required)?
Hi Team
Currently Splunk offers the 3.3.0 Add on for Symantec Endpoint Protection (aka SEP), this is an onpremise product, but Symantec also has a completely Cloud based solution called Endpoint Security (aka SES) that requires an integration with an API, I would like to know how Splunk is managing this kind of integration, my questions are:
1. Is there an Add on available that enables Splunk to collect data from the SES Cloud-API?
2. If not, What is the recommendation from Splunk to address the SES logs into the SIEM?
3. When is going to be available an agent even for a intermediate connection?
Best Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I dealt with the identical issue. The only viable solution is to call an API. Or purchase Symantec's log parser exchange with a syslog output for SIEMS. This is purposely done.
You can do so by following these steps: https://apidocs.securitycloud.symantec.com/#/doc?id=ses auth
Generate an OAuth Key from the Symantec console in order to generate a bearer token with an expiration time for API calls. You have multiple alternatives, including Export Events and Export Stream Events, among others. The "Heavy Forwarder" server was what I used to execute these orders. The data can then be saved in a text file and parsed as desired.
You can also design the Add-On yourself, but then you're responsible for its maintenance and updates... so it's not worth it.
