Symantec Endpoint Security is the fully cloud-managed version of the on-premise Symantec Endpoint Protection (SEP), which delivers multi-layer protection to stop threats regardless of the method of attack on your endpoints. SES generates various incidents and event types.

Prerequisites

• Your Symantec subscription must include the Symantec Endpoint Security Complete.

Required Symantec SES Setup

• For Graylog to connect to the Symantec SES Event stream API, a stream and client application must be created with read permission for events and alerts.

Create a Client Application

To create a client application:

1. Add a client application.

2. Note the Client ID and OAuth token from the application as these will be required for configuration in Graylog.

3. For the client application, specify the View  permissions for Alerts & Events and Investigation.

Create an Event Stream

1. Open the Symantec SES console.

2. Create an event stream.

3. When configuring the event stream, select all event types you want to receive in Graylog.

4. Take note of the Stream GUID and Channel values as these are necessary for configuring the input in Graylog.

Configure Input in Graylog

To launch a new Symantec SES Events input:

1. Navigate to the System > Inputs.

2. Select Symantec SES Events from the input options and click the Launch new input  button.

3. Follow the setup wizard to configure the input.

Configuration Parameters

• Input Name

  • Provide a unique name for your new input.

• OAuth Credentials

  • OAuth token of the Symantec SES Client Application created with sufficient API permissions.

• Hosting Location

  • The region where the Symantec SES is hosted.

• Log Types to Collect

  • The type of activity logs to fetch.

• Stream GUID

  • The GUID of the event stream created with the required event types to be streamed.

• Number of Channels

  • The number of channels that are required for an event stream configuration.

• Polling Interval

  • How often (in minutes) Graylog checks for new data in SES. The smallest allowable interval is 5 minutes.

• Enable Throttling

  • If enabled, no new message is read from this input until Graylog catches up with its message load. This configuration parameter is typically useful for inputs reading from files or message queue systems like AMQP or Kafka. If you regularly poll an external system, e.g. via HTTP, you should leave this option disabled.

• Checkpoint Interval

  • How often (in seconds) Graylog records checkpoints for Symantec SES.

• Stream Connection Timeout

  • Event stream connection timeout in minutes. This setting indicates how long the stream connection should be available.

Supported Log Types

Graylog offers support for a variety of event type IDs and incidents. For a detailed list of Symantec event detection types and descriptions, review the documentation on event detection types and descriptions.