How to collect event log from SEPC?

holm_arsene · ‎01-30-2019

I have been tried to export and collect event log from SEPC to my internal Splunk since last week. Firstly, I found error :

"requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)"

So, I solved this problem by add more parameter (verify=False at "requests,post" method) , after that error disappeared. However, I did not found any event log in my Splunk.

I have been searched the solution of this problem for 2 weeks, and cannot found any solution. So, please let me know,
can you collect and forward event log from Symantec cloud to your Splunk ? and
Could you please to solve this problem for me ?

This is script:

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
#export_api = "/sccs/v1/events/export"
export_api = "/sccs/v1/events/export HTTP/1.1"
#CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
CONFIG_INI = os.path.join('/opt/splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
START_DATE = 'start_date'
END_DATE = 'end_date'
CONFIG_EVENTS_SECTION = 'Events'
BATCH_SIZE = 'batch_size'
TYPE = 'event_type_filter'
CONFIG_AUTHENTICATION_SECTION = 'Authentication'
CLIENT_ID = 'client_id'
CLIENT_SECRET = 'client_secret'


def get_oauth_token(client_id, client_secret):

    headers = build_base_headers()
    headers.update({"Content-Type": "application/x-www-form-urlencoded"})

    token = b64encode(client_id + ":" + client_secret).decode("ascii")
    headers.update({"Authorization": "Basic " + token})
    params = {'grant_type': 'client_credentials'}

    response = requests.post("%s%s" % (r3_url, oauth_url),
                             headers=headers,
                             data=params, verify=False)

    if response.status_code == 200:
        data = response.json()

    return None


# Function to export events
def export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret):

    data = None

    headers = build_base_headers()
    headers.update({"Content-Type": "application/json"})
    headers.update({"Authorization": token})

    keys = ["type", "batchSize", "startDate", "endDate"]
    values = [event_type, int(batch_size), start_date, end_date]

    params = {}
    for index in range(len(keys)):
        params[keys[index]] = values[index]

    params = json.dumps(params)
    response = requests.post("%s%s" % (r3_url, export_api),
                             headers=headers,
                             data=params, verify=False)

    if response.status_code == requests.codes.ok:
        data = response.json()

    # TODO: To Test
    elif response.status_code == 401:
        token = get_oauth_token(client_id, client_secret)
        export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret)

    return data

Please help me. Thank you so much.

nagendra1111 · ‎03-26-2020

@holm_arsene are you able to fetch logs?
i am also facing same problem.

richgalloway · ‎01-30-2019

Converted from answer to https://answers.splunk.com/answers/635384/symantec-cloud-scripted-input.html#answer-719709

---
If this reply helps you, Karma would be appreciated.

marend · ‎02-23-2022

Splunkers, anyone got this data onboarded to Splunk? If so, would you mind to share feedback or docs.

How to collect event log from SEPC?

SDK

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to collect event log from SEPC?

SDK

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES