Symantec's integration via Splunk Apps provides a clear dashboard for security operations, allowing rapid investigation of advanced persistent threats. Symantec Apps for Splunk are currently available for: Endpoint Detection & Response (EDR), Cloud SWG (previously WSS), Web Application Firewall (WAF), ProxySG, Email Security.cloud, and Integrated Cyber Defense Exchange (ICDx).
The Apps were tested on Splunk Enterprise 6.5.0 or later.
Please note: The Splunk Apps below are freely downloadable and editable. As such, they are unsupported by Symantec and are provided to assist with Splunk integration efforts.
The Siemplify SOAR and Symantec Endpoint Security Complete integration automatically enriches alerts with real-time threat intelligence, providing security teams with contextualized and prioritized insights into endpoints. Go here to download the Symantec Threat Intelligence API now.
Go here for the ThreatQuotient Marketplace to download the Symantec Threat Intelligence API, which allows organizations to use the Symantec ecosystem to enrich indicators from within ThreatQ and determine the prevalence of files and network-related events. The following actions are supported:
Anomali and Symantec, a division of Broadcom Software, created numerous data enrichments that return all information related to a particular entity from the Symantec Threat Intelligence API. This enables security teams to quickly identify risk, investigate responses, and preemptively mitigate cyber threats ahead of any actual attack. Supported data types and enrichments:
• SHA file hash: file insight, file protection, file related, file process chain
• Domain or IPv4: network insight, network protection, network related
Log in to the Anomali platform and enter your API key to activate the enrichment.
- Symantec's ICDm integration via QRadar uses the QRadar-provided Universal Cloud REST API protocol to ingest Endpoint events, incidents, and incident-related events.
- Symantec's ICDm Event Stream - Data Bucket integration via QRadar uses the Amazon AWS S3 REST API protocol Log Source configuration to ingest ICDm events from S3 buckets.
- Symantec's EDR Appliance Events integration via QRadar uses the Syslog protocol Log Source configuration to ingest EDR events. (Supported on EDR Appliance version 4.8 and later.)
This integration also includes the Device Support Module (DSM) that QRadar uses to interpret the ingested event data.
Event ingestion was tested on QRadar 7.3.3 Fix Pack 6 and later.