Hello everyone,
We were using the official scripts recommended in the following support link to export SEPC events into a SIEM solution: https://help.symantec.com/cs/SEPC/SEPC/v126173001_v101064224/Importing-SEP-Cloud-events-into-Splunk-or-other-applications?locale=EN_US
To summarize, those scripts are:
SEPCloudConfig.ini - Contains Client ID and Secret Key.
wrapper.sh - Just a caller to the python script.
ExportClient.py - To get the events contacting the API, etc.
Therefore, since SEPC has been updated, even after creating a new Client ID and Secret Key and replacing both of them in the SEPCloudConfig.ini file, event ingestion from the new SEPC into the SIEM is not working.
There are no errors while executing ExportClient.py; it seems that there are no events to export, which is not the case.
Currently we are still using both the old and the new portal, but only the security events from the old portal are ingested successfully.
By the way, scripts are not available to download anymore.
Is there another way to ingest SEPC events into the SIEM, or something that needs to be updated in the old scripts apart from the new Client ID and Secret Key?
Are the API Gateway and URL to export events the same in SESE as in the old SEPC?
r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
Thanks in advance,
Kind regards,