# Symantec EDR Events Input
Symantec Endpoint Detection and Response (EDR) is used to detect suspicious activities in your environment and take appropriate action. EDR collects various incidents and event types.
## Prerequisites
Before proceeding, ensure that the following prerequisites are met:
- Your Symantec subscription must include Symantec Endpoint Security Complete.
## Supported Log Types
This input supports collecting the following log types:
-
Graylog offers support for a variety of event type IDs and incidents. For a detailed list of Symantec event detection types and descriptions, review the documentation on event detection types and descriptions.
## Required Third-Party Setup
To enable integration, complete the following required setup with your third-party service:
- Create an OAuth client.
- After creating the OAuth client, take note of the generated Client ID and Client Secret.
- Assign the necessary permissions. A custom role must be specified with the following permissions: atp_view_events, atp_view_incidents, atp_view_audit, and atp_view_datafeeds.
## Required Configuration Values
In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:
- Client ID
- Client Secret
## Input Type
This input is a
## Input Configuration
Follow the input setup instructions. During setup of this input, you can configure the following options:
| Configuration Option | Description |
|---|---|
| Input Name | Provide a unique name for your new input. |
| Management Server Host | The IP address or host name of your Symantec EDR Management server. |
| Client ID | The Client ID of the Symantec EDR Connected App created with sufficient API permissions. |
| Client Secret | The Client Secret of the Symantec EDR Connected App. |
| Log Types to Collect | The type of activity logs to fetch. |
| Polling Interval | Determines how often (in minutes) Graylog checks for new data in Symantec EDR. The smallest allowable interval is 5 minutes. |
| Enable Throttling | If enabled, no new messages will be read from this input until Graylog catches up with its message load. This is typically useful for inputs reading from files or message queue systems like AMQP or Kafka. If you regularly poll an external system, e.g. via HTTP, you should leave this option disabled. |
## Next Steps
After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.
## Further Reading
Explore the following additional resources and recommended readings to expand your knowledge on related topics:
