Currently Splunk offers the 3.3.0 Add-on for Symantec Endpoint Protection (aka SEP), which is an on-premise product, but Symantec also has a completely cloud-based solution called Endpoint Security (aka SES) that requires an integration with an API. I would like to know how Splunk is managing this kind of integration. My questions are:
1. Is there an Add-on available that enables Splunk to collect data from the SES Cloud API?
2. If not, what is the recommendation from Splunk for getting the SES logs into the SIEM?
3. When is an agent going to be available, even for an intermediate connection?
Generate an OAuth key from the Symantec console in order to generate a bearer token with an expiration time for API calls. You have multiple alternatives, including Export Events and Export Stream Events, among others. The "Heavy Forwarder" server was what I used to execute these commands. The data can then be saved in a text file and parsed as desired.
You can also design the Add-on yourself, but then you're responsible for its maintenance and updates... so it's not worth it.
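The procedure in the answer above (OAuth key, short-lived bearer token, export-events call on a heavy forwarder, write to a text file for Splunk) as an added example; it is not code from the thread or from Symantec. The host name, the token and export paths, the request/response field names (`access_token`, `expires_in`, `events`, `next`) and the idea of sending the OAuth key in the `Authorization` header are all assumptions to be replaced with the values in Symantec's SES API documentation. The transport is injectable so the script runs offline against a constructed fake API; swap in `http_post_json` for the real thing.

```python
"""
Added example (not from the original thread): pull SES events through the
cloud API with a short-lived bearer token and write them as newline-delimited
JSON for a Splunk file monitor on the heavy forwarder.

ASSUMPTIONS: BASE_URL, TOKEN_PATH, EXPORT_PATH, the OAuth-key-in-Authorization
convention and the JSON field names are placeholders, not verified SES details.
"""
import json
import time
import urllib.request
from typing import Callable, Dict, Iterator, Optional

BASE_URL = "https://api.example.invalid"   # placeholder host, not the real SES endpoint
TOKEN_PATH = "/v1/oauth2/tokens"           # assumed token endpoint
EXPORT_PATH = "/v1/event-search"           # assumed "Export Events" endpoint
TOKEN_SAFETY_MARGIN = 60                   # refresh this many seconds before expiry

PostJson = Callable[[str, Dict[str, str], Optional[dict]], dict]


def http_post_json(url: str, headers: Dict[str, str], body: Optional[dict]) -> dict:
    """Real transport: POST an optional JSON body and decode the JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST")
    for key, value in headers.items():
        req.add_header(key, value)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class BearerToken:
    """Caches the bearer token and re-requests it before it expires."""

    def __init__(self, oauth_key: str, post: PostJson = http_post_json,
                 clock: Callable[[], float] = time.time):
        self.oauth_key = oauth_key
        self.post = post
        self.clock = clock
        self.token: Optional[str] = None
        self.expires_at = 0.0

    def is_fresh(self) -> bool:
        return self.token is not None and \
            self.clock() < self.expires_at - TOKEN_SAFETY_MARGIN

    def get(self) -> str:
        if self.is_fresh():
            return self.token
        # Assumed exchange: OAuth key in Authorization, reply carries
        # access_token and expires_in (seconds).
        reply = self.post(BASE_URL + TOKEN_PATH,
                          {"Authorization": self.oauth_key,
                           "Accept": "application/json"}, None)
        self.token = reply["access_token"]
        self.expires_at = self.clock() + int(reply.get("expires_in", 0))
        return self.token


def export_events(token: BearerToken, query: dict,
                  post: PostJson = http_post_json, page_size: int = 100) -> Iterator[dict]:
    """Page through the export endpoint; assumes an 'events' list and a 'next' cursor."""
    cursor = None
    while True:
        body = dict(query, limit=page_size)
        if cursor:
            body["next"] = cursor
        reply = post(BASE_URL + EXPORT_PATH,
                     {"Authorization": "Bearer " + token.get(),
                      "Accept": "application/json"}, body)
        for event in reply.get("events", []):
            yield event
        cursor = reply.get("next")
        if not cursor:
            break


def write_ndjson(events: Iterator[dict], path: str) -> int:
    """One JSON object per line so a Splunk file monitor can index it as JSON."""
    count = 0
    with open(path, "w", encoding="utf-8") as fh:
        for event in events:
            fh.write(json.dumps(event, sort_keys=True) + "\n")
            count += 1
    return count


# ---- Constructed offline stand-in for the API (demo data, not real SES output) ----
def fake_post(url: str, headers: Dict[str, str], body: Optional[dict]) -> dict:
    if url.endswith(TOKEN_PATH):
        if headers["Authorization"] != "DEMO-OAUTH-KEY":
            raise PermissionError("bad OAuth key")
        return {"access_token": "demo-token", "expires_in": 3600}
    if headers["Authorization"] != "Bearer demo-token":
        raise PermissionError("bad bearer token")
    if body.get("next") != "page2":
        return {"events": [{"id": 1, "type_id": 8001, "device_name": "host-a"}],
                "next": "page2"}
    return {"events": [{"id": 2, "type_id": 8001, "device_name": "host-b"}]}


def demo(path: str = "ses_events.ndjson") -> int:
    token = BearerToken("DEMO-OAUTH-KEY", post=fake_post)
    events = export_events(token, {"query": "type_id:8001"}, post=fake_post)
    return write_ndjson(events, path)


if __name__ == "__main__":
    print("wrote", demo(), "events")
```

The output file is meant to be picked up by a `[monitor://...]` input on the forwarder with a JSON-aware sourcetype; keep the OAuth key out of the script (read it from a secrets store or a file with tight permissions) and run the pull on a schedule shorter than the token lifetime so the refresh logic is exercised rather than relied on.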