This document applies to Classic/Legacy Integrations. You may continue to use these integration configurations. While no active development is happening for these integrations, we continue to provide Classic/Legacy Integrations in the product. You do not have to move to MSI Integrations. If your support engineer or TSC recommends or you choose to move to MSI Integrations, you can take advantage of the latest features and functionality. For more information, see the MSI Integration documentation in the Integrations Overview.
Update Symantec EP
To update Symantec EP
- Log in to the Symantec Endpoint Protection Manager.
Create an admin user.
Click Admin in the left-hand pane and select Add an administrator.
In the General tab, enter a User name, Full name, and Email address.
In the Access Permissions tab, select System Administrator.
On the Authentication tab, choose Symantec Endpoint Protection Manager Authentication and set a password. You may want to increase the password expiration time for this account (depending on your policy requirements for integration/service accounts).
- Click Save to create the account.
<Username>:<Active_Directory_Domain_In_Upper_Case>
or<Role>\<Username>:<Active_Directory_Domain_In_Upper_Case>- Examples:
svc-verodin:ACME.COM OR api-user\svc-verodin:ACME.COM - Reference: https://www.symantec.com/connect/forums/ad-user-authentication-dlp-reporting-and-updating-api#comment-8394101
Syncronize Systems
Time plays an important part in event matching when tests are run. After you update SEP, verify the following systems are all using the same time: the endpoint, the Validation Platform Director, the Windows system running SEP Manager (SEPM), and real time.
Update the Validation Platform
Prerequisites
Information to gather before you start:
- Identify the IP address or hostname used to access Symantec Endpoint Protection.
- Identify the port for Symantec Endpoint Protection communications (typically 8445).
- Identify or create credentials to access Symantec Endpoint Protection.
Configuration
To add the Symantec EP integration
Go to Settings > Integrations.
- Click Add Integration > Symantec EP.
Enter information for the Host, Port, Username, and Password.
Expand Advanced options.
(Optional) Update Query time and Delay time.
The Query time is the amount of time (minutes) before and after the query runs that the looks for events, while the Delay time is the amount of time (minutes) that the platform waits to run the query after a Job Action. For example, you configure your integration with the following values: Query time = 5, Query interval = 30 seconds, and Delay time = 0. When a Job Actions starts at 12:00:00, the first time the query runs, the platform looks for events from 11:55:00 to 12:00:00. Then 30 seconds later, it looks for events from 11:55:30 to 12:00:30. This interval continues, with the last query looking from 12:00:00 to 12:05:00. If you instead configured the Delay time to equal 10, it would run the same query, but it wouldn't start that query until 12:10:00.If your monitors are set to run more frequently than the query time, it will impact the pass/fail results for AEDA monitors.- Verify that the correct Version is selected. Authentication may fail if the incorrect version is selected.
- Select the Timestamp Format.
- Modify the Query Interval, if necessary.
Modify the Event Time Adjustment.
The timestamp retrieved from SEPM is not the time the event occurred on the host but is the time that SEPM received the event from the Symantec agent running on the host. The time difference varies from environment to environment, so you need to adjust the Event Time Adjustment field to account for the change in your environment. We have seen -12 work in many environments, but there is not a one-size-fits all value for it.(Optional) Assign a Name.
(Optional) Choose Yes to save suspicious events.
Click Submit.
Verify connectivity
To verify connectivity to Symantec EP
Click Test to verify that:
- The Director can communicate with Symantec EP using the port specified.
- User credentials are working.