Integrate Symantec Endpoint Protection Cloud EventTracker v9.x and above
Publication Date: July 12, 2019
Abstract
This guide helps you configure Symantec Endpoint Protection Cloud with EventTracker so that EventTracker receives Symantec Endpoint Protection Cloud events. It contains the detailed procedures required for monitoring Symantec Endpoint Protection Cloud.
Audience
Administrators who are assigned the task of monitoring and managing Symantec Endpoint Protection Cloud events using EventTracker.
The information contained in this document represents the current view of Netsurion on the
issues discussed as of the date of publication. Because Netsurion must respond to changing
market conditions, it should not be interpreted to be a commitment on the part of Netsurion, and
Netsurion cannot guarantee the accuracy of any information presented after the date of
publication.
This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS
OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, this paper may be freely distributed without permission from Netsurion, if
its content is unaltered, nothing is added to the content and credit to Netsurion is provided.
Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Netsurion, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious.
No association with any real company, organization, product, person or event is intended or
should be inferred.
© 2019 Netsurion. All rights reserved. The names of actual companies and products mentioned
herein may be the trademarks of their respective owners.
Table of Contents
Abstract
Audience
Overview
Obtaining Symantec Endpoint Protection Cloud credential
Integrating Symantec Endpoint Protection Cloud to EventTracker
EventTracker Knowledge Pack
  Category
  Alerts
  Flex Reports
  Dashboards
Importing SEPC knowledge pack into EventTracker
  Category
  Alerts
  Knowledge Object
  Flex Report
  Dashboard
Verifying SEPC knowledge pack in EventTracker
  Category
  Alerts
  Knowledge Object
  Flex Report
Overview
Symantec Endpoint Protection Cloud is a cloud-based security solution tailored for small- and medium-sized businesses.
The EventTracker Knowledge Pack (KP) for Symantec Endpoint Protection Cloud provides insight into threat detection, device management, and other critical events.
Obtaining Symantec Endpoint Protection Cloud credential
To obtain Symantec Endpoint Protection Cloud API credentials, follow these steps:
1. Go to Settings.
Figure 1
2. Select Client Application Management.
Figure 2
3. Click on Add Client Application and create the API keys.
Figure 3
4. Copy the Client ID, Client Secret, Customer ID, and Domain ID.
Integrating Symantec Endpoint Protection Cloud to EventTracker
1. Download the Integrator for Symantec Endpoint Protection Cloud.
2. Save the .exe and run the executable file “SEPCIntegrator.exe”.
3. This launches the following window.
Figure 4
4. Enter the details and click Validate. This validates the keys and displays the message below if the credentials are successfully validated.
Figure 5
5. A pop-up confirms that the integration was successful.
Figure 6
EventTracker Knowledge Pack
Once logs are received in EventTracker, Alerts and Reports can be configured in EventTracker. The following Knowledge Pack items are available in EventTracker to support Symantec Endpoint Protection Cloud.
Category
• Symantec Endpoint Protection Cloud - Threat Detection: This category provides information related to all threats detected by Symantec Endpoint Protection Cloud.
• SEP Cloud - Audit Events: This category provides information related to all audit-related activities.
• SEP Cloud - Management Events: This category provides information related to all device and client management activities.
• SEP Cloud - Security Events: This category provides information related to all security activities, such as enabling and disabling critical features, scan details, etc.
• SEP Cloud - System Events: This category provides information related to all system-related activities.
Alerts
• Symantec Endpoint Protection Cloud - Threat detection: This alert is generated when Symantec Endpoint Protection Cloud detects any malware or threat.
• Symantec Endpoint Protection Cloud - Scan aborted: This alert is generated when a Symantec Endpoint Protection scan is aborted.
• Symantec Endpoint Protection Cloud - Definition update failed: This alert is generated when Symantec Endpoint Protection Cloud detects that a definition update has failed.
• Symantec Endpoint Protection Cloud - Critical Feature Disabled: This alert is generated when Symantec Endpoint Protection Cloud detects that a critical feature has been disabled.
Flex Reports
• Symantec Endpoint Protection Cloud - Threat detection - This report provides details about the threats detected by Symantec Endpoint Protection Cloud.
Figure 7
• Symantec Endpoint Protection Cloud - Scan details - This report provides details about all the scans that have been performed.
Figure 8
• Symantec Endpoint Protection Cloud - Console login logout details - This report provides details about console login and logout activities.
Figure 9
• Symantec Endpoint Protection Cloud - Management activities - This report provides details about any changes made by admin users.
Figure 10
Dashboards
• Symantec Endpoint Protection Cloud – Threats detected.
Figure 11
• Symantec Endpoint Protection Cloud – Login details.
Figure 12
• Symantec Endpoint Protection Cloud – Login details.
Figure 13
Importing SEPC knowledge pack into EventTracker
NOTE: Import knowledge pack items in the following sequence:
• Category
• Alerts
• Knowledge Objects
• Flex Reports
1. Launch the EventTracker Control Panel.
2. Double click Export-Import Utility.
Figure 14
3. Click the Import tab.
Category
1. Click the Category option, and then click the browse button.
Figure 15
2. Locate the Category_SEPC.iscat file, and then click the Open button.
3. To import categories, click the Import button.
4. EventTracker displays a success message.
Figure 16
5. Click OK, and then click the Close button.
Alerts
1. Click the Alert option, and then click the browse button.
Figure 17
2. Locate the Alerts_SEPC.isalt file, and then click the Open button.
3. To import alerts, click the Import button.
4. EventTracker displays a success message.
Figure 18
5. Click the OK button, and then click the Close button.
Knowledge Object
1. Click Knowledge Objects under the Admin option on the EventTracker manager page.
Figure 19
2. Click the Import button highlighted in the image below.
Figure 20
3. Click Browse.
4. Locate the file named KO_SEPC.etko.
5. Select all the checkboxes, and then click the Import option.
Figure 21
6. The Knowledge Objects are now imported successfully.
Figure 22
Flex Report
On the EventTracker Control Panel,
1. Click the Reports option, and then select New (etcrx) from the options.
Figure 23
2. Locate the file named Reports_SEPC.etcrx and select all the checkboxes.
Figure 24
3. Click the Import button to import the reports. EventTracker displays a success message.
Figure 25
Dashboard
NOTE: The steps below are specific to EventTracker and later.
1. Open EventTracker in a browser and log on.
Figure 26
2. Navigate to the My Dashboard option as shown above.
3. Click the Import button as shown below.
Figure 27
4. Import the dashboard file Dashboard_SEPC.etwd, select the checkboxes of the dashboards that you require, and then click Import as shown below.
Figure 28
5. The import is now completed successfully.
Figure 29
Verifying SEPC knowledge pack in EventTracker
Category
1. Log on to EventTracker.
2. Click the Admin dropdown, and then click Categories.
Figure 30
3. In the Category Tree, scroll down and expand the SEPC group folder to view the imported categories.
Figure 31
Alerts
1. Log on to EventTracker.
2. Click the Admin menu, and then click Alerts.
Figure 32
3. In the Search box, type SEPC, and then click the Go button. The Alert Management page displays all the imported alerts.
Figure 33
Knowledge Object
1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.
Figure 34
2. In the Knowledge Object tree, expand the SEPC group folder to view the imported Knowledge Objects.
Figure 35
Flex Report
1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.
Figure 36
2. In the Reports Configuration pane, select the Defined option.
3. Click the SEPC group folder to view the imported SEPC reports.
Figure 37