Symantec Endpoint Detection and Response (EDR) is used to detect suspicious activities in your environment and take appropriate action. EDR collects various incidents and event types.

Prerequisites

• Your Symantec subscription must include the Symantec Endpoint Security Complete.

Complete Setup in EDR

• For Graylog to connect to the Symantec EDR API, an OAuth client must be created with sufficient permission that produces Client ID and Client Secret to connect to the API. Instructions for creating an OAuth client are available in the Symantec documentation, "Generating an OAuth Client."

• A custom role must be specified with the following permissions: atp_view_events, atp_view_incidents, atp_view_audit, and atp_view_datafeeds.

Configure Input in Graylog

To launch a new Symantec EDR Events input:

1. Navigate to the System > Inputs.

2. Select Symantec EDR Events from the input options and click the Launch new input button.

3. Follow the setup wizard to configure the input.
   

Configuration Parameters

• Input Name

  • Provide a unique name for your new input.

• Management Server Host

  • The IP address or host name of your Symantec EDR Management server.

• Client ID

  • The Client ID of the Symantec EDR Connected App created with sufficient API permissions.

• Client Secret

  • The Client Secret of the Symantec EDR Connected App.

• Log Types to Collect

  • The type of activity logs to fetch.

• Polling Interval

  • How often (in minutes) Graylog checks for new data in Symantec EDR. The smallest allowable interval is 5 minutes.

• Enable Throttling

  • If enabled, no new message is read from this input until Graylog catches up with its message load. This configuration parameter is typically useful for inputs reading from files or message queue systems like AMQP or Kafka. If you regularly poll an external system, e.g. via HTTP, you should leave this option disabled.

Supported Log Types

Graylog offers support for a variety of event type IDs and incidents. For a detailed list of Symantec event detection types and descriptions, review the documentation on event detection types and descriptions.