All Apps and Add-ons

Questions about Add-on for Symantec Endpoint Security (cloud-based, API integration required)?

rcalvo_ilt
New Member

Hi Team

Currently Splunk offers the 3.3.0 Add-on for Symantec Endpoint Protection (aka SEP), which is an on-premise product, but Symantec also has a completely cloud-based solution called Endpoint Security (aka SES) that requires an integration with an API. I would like to know how Splunk is managing this kind of integration. My questions are:

1. Is there an Add-on available that enables Splunk to collect data from the SES Cloud API?

2. If not, what is the recommendation from Splunk to get the SES logs into the SIEM?

3. When is an agent going to be available, even for an intermediate connection?

Best Regards

0 Karma

jo54
Loves-to-Learn Lots

Hi,

I dealt with the identical issue. The only viable solution is to call an API, or purchase Symantec's log parser exchange with a syslog output for SIEMs. This is purposely done.

You can do so by following these steps: https://apidocs.securitycloud.symantec.com/#/doc?id=ses auth

Generate an OAuth key from the Symantec console in order to generate a bearer token with an expiration time for API calls. You have multiple alternatives, including Export Events and Export Stream Events, among others. The "Heavy Forwarder" server was what I used to execute these orders. The data can then be saved in a text file and parsed as desired.

You can also design the Add-On yourself, but then you're responsible for its maintenance and updates... so it's not worth it.

0 Karma
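As an added example (not code from Splunk, Broadcom/Symantec or either poster above), here is the token-then-export flow the answer describes, written so the HTTP layer is injected and the block runs offline against a constructed fake. The URLs, the `Authorization: Basic <oauth-key>` header shape, the `expires_in` field and the `next` paging cursor are assumptions; take the real ones from the SES API documentation linked in the answer.

```python
import time

# Added example, not Splunk's or Broadcom's code. URLs, header layout and the
# 'next' paging field are ASSUMPTIONS; take the real ones from the SES API docs.
TOKEN_URL = "https://api.ses.example.invalid/v1/oauth2/tokens"  # placeholder
EXPORT_URL = "https://api.ses.example.invalid/v1/event-export"  # placeholder

class SesTokenCache:
    """Trades the console-generated OAuth key for a bearer token and re-uses it
    until `skew` seconds before the expiry the token endpoint reported."""
    def __init__(self, oauth_key, transport, skew=60):
        # transport(method, url, headers, body) -> (status, json); injected so the
        # same logic runs against the fake below or a thin `requests` wrapper.
        self.oauth_key, self.transport, self.skew = oauth_key, transport, skew
        self._token, self._expires_at = None, 0.0

    def bearer(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self.skew:
            status, body = self.transport(
                "POST", TOKEN_URL, {"Authorization": f"Basic {self.oauth_key}"}, {})
            if status != 200 or "access_token" not in body:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = body["access_token"]
            self._expires_at = now + int(body.get("expires_in", 0))
        return self._token

def export_events(tokens, transport, start, end, now=None):
    """Pull one time window, following the 'next' cursor until it runs out."""
    events, cursor = [], None
    while True:
        body = {"start_date": start, "end_date": end, **({"next": cursor} if cursor else {})}
        status, page = transport("POST", EXPORT_URL,
                                 {"Authorization": f"Bearer {tokens.bearer(now)}"}, body)
        if status != 200:
            raise RuntimeError(f"export failed: HTTP {status}")
        events.extend(page.get("events", []))
        cursor = page.get("next")
        if not cursor:
            return events  # write these one JSON object per line for a Splunk file input

def fake_transport():  # constructed stand-in for the SES API: two event pages
    calls = {"token": 0, "auth": []}
    pages = {None: {"events": [{"id": 1}, {"id": 2}], "next": "p2"},
             "p2": {"events": [{"id": 3}]}}
    def send(method, url, headers, body):
        if url == TOKEN_URL:
            calls["token"] += 1
            return 200, {"access_token": f"tok{calls['token']}", "expires_in": 3600}
        calls["auth"].append(headers.get("Authorization"))
        return 200, pages[body.get("next")]
    return send, calls
```

Running on a Heavy Forwarder, the returned events would be written one JSON object per line to a file that a file monitor input reads with `sourcetype=_json`; the cache means one token covers every page of a window and is only refreshed within `skew` seconds of its expiry.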