Building for the Splunk Platform

How to collect event log from SEPC?

holm_arsene
Engager

I have been tried to export and collect event log from SEPC to my internal Splunk since last week. Firstly, I found error :

"requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)"

So, I solved this problem by add more parameter (verify=False at "requests,post" method) , after that error disappeared. However, I did not found any event log in my Splunk.

I have been searched the solution of this problem for 2 weeks, and cannot found any solution. So, please let me know,
can you collect and forward event log from Symantec cloud to your Splunk ? and
Could you please to solve this problem for me ?

This is script:

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
#export_api = "/sccs/v1/events/export"
export_api = "/sccs/v1/events/export HTTP/1.1"
#CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
CONFIG_INI = os.path.join('/opt/splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
START_DATE = 'start_date'
END_DATE = 'end_date'
CONFIG_EVENTS_SECTION = 'Events'
BATCH_SIZE = 'batch_size'
TYPE = 'event_type_filter'
CONFIG_AUTHENTICATION_SECTION = 'Authentication'
CLIENT_ID = 'client_id'
CLIENT_SECRET = 'client_secret'


def get_oauth_token(client_id, client_secret):

    headers = build_base_headers()
    headers.update({"Content-Type": "application/x-www-form-urlencoded"})

    token = b64encode(client_id + ":" + client_secret).decode("ascii")
    headers.update({"Authorization": "Basic " + token})
    params = {'grant_type': 'client_credentials'}

    response = requests.post("%s%s" % (r3_url, oauth_url),
                             headers=headers,
                             data=params, verify=False)

    if response.status_code == 200:
        data = response.json()

    return None


# Function to export events
def export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret):

    data = None

    headers = build_base_headers()
    headers.update({"Content-Type": "application/json"})
    headers.update({"Authorization": token})

    keys = ["type", "batchSize", "startDate", "endDate"]
    values = [event_type, int(batch_size), start_date, end_date]

    params = {}
    for index in range(len(keys)):
        params[keys[index]] = values[index]

    params = json.dumps(params)
    response = requests.post("%s%s" % (r3_url, export_api),
                             headers=headers,
                             data=params, verify=False)

    if response.status_code == requests.codes.ok:
        data = response.json()

    # TODO: To Test
    elif response.status_code == 401:
        token = get_oauth_token(client_id, client_secret)
        export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret)

    return data

Please help me. Thank you so much.

Labels (1)
Tags (2)

nagendra1111
New Member

@holm_arsene are you able to fetch logs?
i am also facing same problem.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Converted from answer to https://answers.splunk.com/answers/635384/symantec-cloud-scripted-input.html#answer-719709

---
If this reply helps you, Karma would be appreciated.
0 Karma

marend
Explorer

Splunkers, anyone got this data onboarded  to Splunk? If so, would you mind to share feedback or docs.

 

0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...