Endpoint Detection and Response (EDR)

  • 1.  EDR_IOC_Python Script_Taxi Server Integration

    Posted May 12, 2020 08:14 AM

    We have integrated our internal TAXII server with the SIEM, and we have also integrated Symantec EDR with the SIEM. We plan to integrate Symantec EDR with the TAXII server.


    The TAXII server (attached) is hosted internally. Has anyone created a Python script for exporting/fetching IOCs from a TAXII server and feeding them to Symantec EDR?


    Is there any workaround for the above, or from the SIEM, since it is correlating all logs from the EDR as well as the TAXII server, so that we can share the information about any malicious IOCs with Symantec EDR?



  • 2.  RE: EDR_IOC_Python Script_Taxi Server Integration

    Broadcom Employee
    Posted May 13, 2020 10:22 AM
    Hi,
    I am not sure whether there is a Python script, but it might be worth mentioning that if you use Symantec's ICDx server, this will act as a messaging buffer for alerts coming from Symantec products that then go northbound into the SIEM (it can also reduce duplication of events, which is good if you are paying for EPS into the SIEM, as you do with Splunk and the like). We also have a product called Threat Hunting Centre which will integrate with the TAXII server and ingest IoCs; it can then automatically hunt through the gathered event data to see whether any of these IoCs have been seen by any of your Symantec products.

    Hope that is of use 

    Cheers

    Simon


  • 3.  RE: EDR_IOC_Python Script_Taxi Server Integration

    Broadcom Employee
    Posted May 20, 2020 12:00 PM
    I would recommend using ICDx in this case, for multiple reasons:
    • Normalization of events from EDR, CloudSOC, SEPM, and other Symantec products with ONE schema
    • ability to filter and push events to multiple endpoints (Splunk, Elasticsearch, Kafka, even JSON files, and more)
    • the GUI makes it easy to verify inbound and outbound flow


    ------------------------------
    Solutions Engineer
    Broadcom
    ------------------------------



  • 4.  RE: EDR_IOC_Python Script_Taxi Server Integration

    Broadcom Employee
    Posted May 13, 2020 11:47 AM
    Here is a link to the API document for EDR v4. It shows how to use the API to create custom blacklists, which may be useful in creating that Python script:

    https://apidocs.symantec.com/home/SymantecEDR_4.2#_create_blacklist_policies_example
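Nobody in the thread posted the script the original question asks for, so here is an added example of the TAXII half of it (my code, not Broadcom's and not from the original poster). It pulls STIX 2.1 Indicator objects from a TAXII 2.1 collection and flattens their patterns into a deduplicated list of blacklist-style IOC records. The collection URL, credentials and every indicator in the sample envelope are placeholders constructed for the example; the `type`/`value` vocabulary is my own and still has to be mapped onto the request body of the EDR blacklist API linked in post 4, which is deliberately not reproduced here. The one design point worth noting: patterns that use `AND`, `NOT`, `FOLLOWEDBY`, regex-style `MATCHES`/`LIKE` or comparisons other than `=` are skipped rather than guessed at, because a flat blacklist cannot express "both of these must be observed".

```python
"""Pull STIX 2.1 Indicator objects from a TAXII 2.1 collection and flatten
their patterns into blacklist-style IOC records (type, value, source).
Only the parsing is exercised by the constructed sample below; the TAXII
fetch is a real network call you point at your own server."""
import base64
import json
import re
import urllib.parse
import urllib.request

# One STIX comparison expression: <object-type>:<property-path> = '<literal>'
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")

# Operators whose semantics cannot be represented as a flat list of
# independent blacklist values; patterns using them are skipped, not guessed.
UNSAFE_OPS_RE = re.compile(
    r"\b(AND|NOT|FOLLOWEDBY|MATCHES|LIKE|ISSUBSET|ISSUPERSET)\b|!=|[<>]")

# STIX (object type, property path) -> IOC type in our own vocabulary (assumed).
# The field names expected by the EDR blacklist API are in the linked API doc.
IOC_TYPES = {
    ("ipv4-addr", "value"): "ip",
    ("ipv6-addr", "value"): "ip",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes.'SHA-256'"): "sha256",
    ("file", "hashes.'MD5'"): "md5",
}


def fetch_envelope(collection_url, username, password, added_after=None):
    """GET every page of a TAXII 2.1 collection's objects endpoint (HTTP basic auth)."""
    base = collection_url.rstrip("/") + "/objects/"
    query = {"limit": "500"}
    if added_after:                      # pass last run's timestamp to avoid re-pulling
        query["added_after"] = added_after
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    objects = []
    while True:
        req = urllib.request.Request(
            base + "?" + urllib.parse.urlencode(query),
            headers={"Accept": "application/taxii+json;version=2.1",
                     "Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        objects.extend(page.get("objects", []))
        if not page.get("more"):         # TAXII 2.1 pagination via more/next
            return {"objects": objects}
        query["next"] = page["next"]


def indicator_to_iocs(obj, now=None):
    """Flatten one STIX Indicator into IOC records; [] if it is not an
    indicator, is revoked/expired, or uses operators we refuse to flatten."""
    if obj.get("type") != "indicator" or obj.get("revoked"):
        return []
    if now and obj.get("valid_until", "9999")[:19] < now[:19]:
        return []                        # past its valid_until timestamp
    pattern = obj.get("pattern", "")
    if obj.get("pattern_type", "stix") != "stix":
        return []                        # sigma/yara/snort patterns are not IOC lists
    if UNSAFE_OPS_RE.search(re.sub(r"'[^']*'", "''", pattern)):
        return []                        # check operators with literals blanked out
    iocs = []
    for obj_type, path, value in COMPARISON_RE.findall(pattern):
        ioc_type = IOC_TYPES.get((obj_type, path))
        if ioc_type is None:
            continue                     # e.g. process:name or an unsupported hash
        if ioc_type != "url":            # hashes, domains and IPs are case-insensitive
            value = value.lower()
        iocs.append({"type": ioc_type, "value": value,
                     "source": obj["id"], "comment": obj.get("name", "")})
    return iocs


def envelope_to_blacklist(envelope, now=None):
    """Deduplicated, sorted IOC list from a TAXII envelope."""
    seen, out = set(), []
    for obj in envelope.get("objects", []):
        for ioc in indicator_to_iocs(obj, now):
            key = (ioc["type"], ioc["value"])
            if key not in seen:
                seen.add(key)
                out.append(ioc)
    return sorted(out, key=lambda r: (r["type"], r["value"]))


# Constructed sample envelope (placeholder IDs and values, not real threat data).
SAMPLE_ENVELOPE = {"more": False, "objects": [
    {"type": "indicator", "id": "indicator--0001", "name": "C2 address",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"type": "indicator", "id": "indicator--0002", "name": "C2 domains",
     "pattern_type": "stix", "pattern":
     "[domain-name:value = 'Bad.Example' OR domain-name:value = 'evil.example']"},
    {"type": "indicator", "id": "indicator--0003", "name": "dropper",
     "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = "
     "'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']"},
    {"type": "indicator", "id": "indicator--0004", "name": "needs both",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.9'] AND "
     "[file:hashes.'MD5' = 'd41d8cd98f00b204e9800998ecf8427e']"},
    {"type": "indicator", "id": "indicator--0005", "name": "withdrawn", "revoked": True,
     "pattern_type": "stix", "pattern": "[url:value = 'http://old.example/x']"},
    {"type": "indicator", "id": "indicator--0006", "name": "duplicate",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"type": "malware", "id": "malware--0001", "name": "not an indicator"},
]}

if __name__ == "__main__":
    # Real use: envelope = fetch_envelope("https://taxii.internal/api1/collections/<id>", user, pw)
    for ioc in envelope_to_blacklist(SAMPLE_ENVELOPE):
        print(json.dumps(ioc))
```

Run on the sample it yields four records (two domains, one IP, one SHA-256): the `AND` indicator, the revoked one, the duplicate IP and the non-indicator object are all dropped. In production, persist the time of each run and pass it back as `added_after` so that the same IOCs are not re-pushed to EDR every poll, and pass `now` so expired indicators are not blacklisted.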