Endpoint Protection Cloud


Splunk integration after last SEPC update

  • 1.  Splunk integration after last SEPC update

    Posted 11-13-2020 02:20 AM
    Edited by Ninjavi 11-13-2020 06:12 AM

    Hello everyone,

    We were using the official scripts recommended in the following support link to export SEPC events into a SIEM solution: https://help.symantec.com/cs/SEPC/SEPC/v126173001_v101064224/Importing-SEP-Cloud-events-into-Splunk-or-other-applications?locale=EN_US

    To summarize, those scripts are:
    SEPCloudConfig.ini - Contains Client ID and Secret Key.
    wrapper.sh - Just a caller to the python script.
    ExportClient.py - To get the events contacting the API, etc.

    Since the SEPC has been updated, even after creating a new Client ID and Secret Key and replacing both of them in the SEPCloudConfig.ini file, event ingestion from the new SEPC into the SIEM is not working.

    There are no errors while executing ExportClient.py; it seems that there are no events to export, which is not the case.

    Currently we are still using both old and the new portal, but only the security events from the old portal are ingested successfully.
    By the way, scripts are not available to download anymore.

    Is there another way to ingest SEPC events into SIEM or something that needs to be updated in the old scripts, apart from the new Client ID and Secret key?

    Are the API Gateway and URL to export events the same in SESE as in the old SEPC?

    r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
    oauth_url = "/oauth2/tokens"
    export_api = "/sccs/v1/events/export"

    Thanks in advance,

    Kind regards,

  • 2.  RE: Splunk integration after last SEPC update

    Broadcom Employee
    Posted 01-12-2021 04:39 PM
    Recommend looking at Symantec's Integrated Cyber Defense Exchange to send events into Splunk. It's free.

    Download site: