Symantec Email Security Cloud, developed by Broadcom Inc., is a cloud-hosted email security service that inspects inbound and outbound mail and records the results of its anti-malware, anti-spam, click-time, threat isolation and delivery processing. This collector pulls those data feeds from the Symantec Email Security Cloud API into Devo tables.
Devo collector features

| Feature | Details |
|---|---|
| Allow parallel downloading (multipod) | not allowed |
| Running environments | collector server |
| Populated Devo events | table |
| Flattening preprocessing | no |
Data sources

| Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
|---|---|---|---|---|---|
| All | Get all scanned email | /all | all_emails | mail.symantec.email_security_cloud.all_email | v1.0.0 |
| Threat isolation | Get all events from the Threat Isolation feature | /isolation | isolation | mail.symantec.email_security_cloud.isolation | v1.0.0 |
| Malware | Get all email containing malware | /malware | malware | mail.symantec.email_security_cloud.malware | v1.0.0 |
| clicktime | Get all Click-time events | /clicktime | clicktime | mail.symantec.email_security_cloud.clicktime | v1.0.0 |
| Anti-spam | Get all email classified as spam, and the action taken | /spam | anti_spam | mail.symantec.email_security_cloud.anti_spam | v1.0.0 |
| Email Threat Analytics | Get all emails blocked by the Anti-Malware service | /ec_reports | email_threat | mail.symantec.email_security_cloud.ec_report | v1.0.0 |
| Email delivery data | Get the delivery data describing both inbound and outbound email delivery | /delivery | email_delivery | mail.symantec.email_security_cloud.email_delivery | v1.0.0 |
For more information on how the events are parsed, visit our page.
Flattening preprocessing

| Data source | Collector service | Optional | Flattening details |
|---|---|---|---|
| All | all_emails | yes | not required |
| Threat isolation | isolation | yes | not required |
| Malware | malware | yes | not required |
| clicktime | clicktime | yes | not required |
| Anti-spam | anti_spam | yes | not required |
| Email Threat Analytics | email_threat | yes | not required |
| Email delivery data | email_delivery | yes | not required |
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with the basic configuration are defined below.
This minimum configuration refers exclusively to the parameters specific to this integration. There are more required parameters related to the generic behavior of the collector; check the settings sections for details.

| Setting | Details |
|---|---|
| username | The username for the Symantec Email Security Cloud API |
| password | The password for the Symantec Email Security Cloud API |
| base_url | The base URL for the Symantec Email Security Cloud API (Ex: https://<Symantec_base_url>) |
| reset_url | The reset URL for the Symantec Email Security Cloud API; the timestamp in its query string is the point from which the first pull starts (Ex: https://<Symantec_base_url>/reset?2024-07-16T10:00:00Z) |
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
This collector can only make 30 requests per hour for each service.
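The three constraints above (Basic credentials plus a base_url and a reset_url, a budget of 30 requests per hour per service, and duplicate filtering backed by persistence) are easier to reason about in code. The block below is an added example written for this page, not the Devo collector's own code. It assumes the feed endpoints are base_url + "/<service>" and base_url + "/reset?<timestamp>" as the tables above show, that the feed is read with HTTP Basic auth built from username/password, and that one fetch returns a list of JSON objects; the transport is injected and the feed content is constructed so the example runs offline.

```python
"""Rate-limited, deduplicating pull loop modelled on the collector described on this page.

Added example, not the Devo collector's own code. Endpoint layout, Basic auth and the
list-of-dicts feed format are assumptions; the transport is injected so it runs offline.
"""
import base64
import hashlib
import json
import time
from collections import deque
from typing import Callable, Dict, List, Optional

MAX_REQUESTS_PER_HOUR = 30  # limit stated on the page, enforced per service


class HourlyBudget:
    """Sliding-window limiter: at most `limit` requests in any 3600-second window."""

    def __init__(self, limit: int = MAX_REQUESTS_PER_HOUR,
                 clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self._clock = clock
        self._stamps: deque = deque()

    def try_acquire(self) -> bool:
        now = self._clock()
        while self._stamps and now - self._stamps[0] >= 3600:
            self._stamps.popleft()  # requests older than an hour no longer count
        if len(self._stamps) >= self.limit:
            return False
        self._stamps.append(now)
        return True


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """HTTP Basic credentials; read them from the collector config, never hard-code them."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def event_fingerprint(event: dict) -> str:
    """Stable hash of an event's canonical JSON: the key the persistence layer deduplicates on."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class ServicePuller:
    """One instance per service (malware, anti_spam, ...), each with its own budget and state."""

    def __init__(self, service: str, base_url: str, headers: Dict[str, str],
                 fetch: Callable[[str, Dict[str, str]], List[dict]],
                 budget: Optional[HourlyBudget] = None):
        self.service = service
        self.base_url = base_url.rstrip("/")
        self.headers = headers
        self.fetch = fetch
        self.budget = budget or HourlyBudget()
        self.seen: set = set()  # fingerprints already sent; the real collector persists these on disk

    def _spend(self) -> None:
        if not self.budget.try_acquire():
            raise RuntimeError(f"{self.service}: {MAX_REQUESTS_PER_HOUR} requests/hour budget "
                               "exhausted, wait before retrying")

    def reset(self, since_iso: str) -> None:
        """Rewind the feed to a timestamp (the reset_url setting). Charging it to the same budget is an assumption."""
        self._spend()
        self.fetch(f"{self.base_url}/reset?{since_iso}", self.headers)

    def pull(self) -> dict:
        """One pull cycle; returns the counters the collector logs in its statistics line."""
        self._spend()
        received = self.fetch(f"{self.base_url}/{self.service}", self.headers)
        fresh = []
        for event in received:
            fp = event_fingerprint(event)
            if fp in self.seen:
                continue
            self.seen.add(fp)
            fresh.append(event)
        return {"requests": 1, "received": len(received),
                "duplicates": len(received) - len(fresh), "sent": len(fresh), "events": fresh}


# Constructed sample feed: the second read repeats one event, as happens when a feed is
# re-read before its cursor has advanced.
SAMPLE_FEED = [
    [{"id": "m-1", "sender": "a@example.invalid", "verdict": "malware"},
     {"id": "m-2", "sender": "b@example.invalid", "verdict": "malware"}],
    [{"id": "m-2", "sender": "b@example.invalid", "verdict": "malware"},
     {"id": "m-3", "sender": "c@example.invalid", "verdict": "malware"}],
]


def demo_pulls() -> List[dict]:
    """Reset to the configured timestamp, then run two pull cycles against the constructed feed."""
    batches = iter(SAMPLE_FEED)
    puller = ServicePuller("malware", "https://symantec.example.invalid",
                           basic_auth_header("api-user", "api-password"),
                           fetch=lambda url, headers: next(batches) if url.endswith("/malware") else [])
    puller.reset("2024-07-16T10:00:00Z")
    return [puller.pull(), puller.pull()]


if __name__ == "__main__":
    for cycle in demo_pulls():
        print({k: v for k, v in cycle.items() if k != "events"})
```

The second cycle reports one duplicate filtered out and one event sent, which is the shape of the "Number of duplicated events filtered out" counter in the collector's statistics line; a third request within the same hour on a budget of two would raise instead of hitting the API, which is the behaviour you want when seven services share one account.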
Malware
Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.
This service has the following components:

| Component | Description |
|---|---|
| Setup | The setup module is in charge of authenticating the service and managing the token expiration when needed. |
| Puller | The puller module is in charge of pulling the data in an organized way and delivering the events via SDK. |
Setup output
A successful run has the following output messages for the setup module:
2024-07-19T15:30:22.555 INFO InputProcess::MainThread -> SymantecBasePuller(symantec,123123,malware,predefined) - Starting thread
2024-07-19T15:30:22.555 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-symantec/state/not_used/DevoSender;internal_senders;devo_sender_0.json.gz
2024-07-19T15:30:22.555 WARNING InputProcess::SymantecBasePuller(symantec,123123,malware,predefined) -> Waiting until setup will be executed
2024-07-19T15:30:22.556 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-07-19T15:30:22.556 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-symantec/state/4ff7b345dc444ac050cf75f93e5dcb3b"
2024-07-19T15:30:22.556 INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-symantec/state/not_used/OutputInternalConsumer;internal_senders;0.json.gz
2024-07-19T15:30:22.557 INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-07-19T15:30:22.557 INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-symantec/state/10dd360c86621afd5a28a029a0dddcf6"
2024-07-19T15:30:22.557 INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2024-07-19T15:30:22.557 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2024-07-19T15:30:22.557 INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2024-07-19T15:30:22.557 INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-07-19T15:30:22.558 INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-07-19T15:30:22.558 INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread
2024-07-19T15:30:22.558 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(lookup_senders,devo_1) -> Starting thread (every 300 seconds)
2024-07-19T15:30:22.558 INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-07-19T15:30:22.558 INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-07-19T15:30:22.559 INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_1) -> Starting thread
2024-07-19T15:30:22.559 INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-07-19T15:30:22.559 INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-07-19T15:30:22.559 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread
2024-07-19T15:30:22.559 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_1) -> Starting thread (every 300 seconds)
2024-07-19T15:30:22.559 INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_1) -> Starting thread
2024-07-19T15:30:22.559 INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-07-19T15:30:22.559 INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-07-19T15:30:22.559 INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-07-19T15:30:22.560 INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-07-19T15:30:22.560 INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-07-19T15:30:22.560 INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-07-19T15:30:22.568 INFO InputProcess::MainThread -> [GC] global: 26.4% -> 26.5%, process: RSS(42.12MiB -> 42.12MiB), VMS(496.55MiB -> 496.55MiB)
2024-07-19T15:30:22.574 INFO OutputProcess::MainThread -> [GC] global: 26.5% -> 26.5%, process: RSS(42.97MiB -> 43.47MiB), VMS(929.05MiB -> 929.05MiB)
2024-07-19T15:30:23.075 INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"name": "DevoSender(internal_senders,devo_sender_0)", "url": "collector-eu.devo.io:443", "chain_path": "/home/md_tausif/gitlab/devo-collector-symantec/certs/chain.crt", "cert_path": "/home/md_tausif/gitlab/devo-collector-symantec/certs/int-if-integrations-india.crt", "key_path": "/home/md_tausif/gitlab/devo-collector-symantec/certs/int-if-integrations-india.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "2023-apac-0046", session_id: "127870209828560"
2024-07-19T15:30:23.075 INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-07-19T15:30:24.060 INFO InputProcess::SymantecBasePullerSetup(unknown,symantec#123123,malware,#predefined) -> Setup for module <SymantecBasePuller> has been successfully executed
Puller output
A successful initial run has the following output messages for the puller module:
Note that the PrePull action is executed only one time before the first run of the Pull action.
2024-07-19T15:30:24.564 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,,predefined) -> Pull Started
2024-07-19T15:30:24.565 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,,predefined) -> Fetching data From : 2024-07-16T10:00:00Z to the current date
2024-07-19T15:30:27.075 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,,predefined) -> Sent 87 malware events to Devo.
2024-07-19T15:30:27.075 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1721383224558):Number of requests made: 1; Number of events received: 87; Number of duplicated events filtered out: 0; Number of events generated and sent: 87; Average of events per second: 34.643.
After a successful collector’s execution (that is, no error logs found), you will see the following log message:
2024-07-19T15:30:28.452 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1721383224558):Number of requests made: 2; Number of events received: 87; Number of duplicated events filtered out: 0; Number of events generated and sent: 87; Average of events per second: 22.375.
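Checking ingestion by eye works for one service; across seven it is better to parse the "Statistics for this pull cycle" lines and let a script flag unhealthy cycles. The block below is an added example for this page, not part of the Devo collector. The line format is taken from the puller output shown above; the health rules (received must equal duplicates plus sent, a cycle must not exceed the 30-requests-per-hour limit, a final cycle with zero requests is suspicious) are this example's own choices, and the anti_spam statistics line and ERROR line in the sample log are constructed.

```python
"""Parse the collector's pull-cycle statistics lines and flag unhealthy cycles.

Added example, not the Devo collector's own code. Line format from the puller output on this
page; the health thresholds are this example's own. Two of the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_REQUESTS_PER_HOUR = 30  # per-service limit stated on the page

STATS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) InputProcess::SymantecBasePuller\((?P<tag>[^)]*)\) -> "
    r"(?P<partial>\(Partial\) )?Statistics for this pull cycle "
    r"\(@devo_pulling_id=(?P<pull_id>\d+)\):"
    r"Number of requests made: (?P<requests>\d+); "
    r"Number of events received: (?P<received>\d+); "
    r"Number of duplicated events filtered out: (?P<dups>\d+); "
    r"Number of events generated and sent: (?P<sent>\d+); "
    r"Average of events per second: (?P<rate>\d+(?:\.\d+)?)\.$"
)


@dataclass
class PullCycle:
    pull_id: str
    service: str
    partial: bool
    requests: int
    received: int
    dups: int
    sent: int
    rate: float


def parse_stats_line(line: str) -> Optional[PullCycle]:
    """Return a PullCycle for a statistics line, or None for any other line."""
    m = STATS_RE.match(line.strip())
    if not m:
        return None
    # Thread tag looks like "symantec,123123,malware,predefined": input name, input id, service, ...
    service = m["tag"].split(",")[2]
    return PullCycle(m["pull_id"], service, m["partial"] is not None,
                     int(m["requests"]), int(m["received"]), int(m["dups"]),
                     int(m["sent"]), float(m["rate"]))


def check_cycle(c: PullCycle) -> List[str]:
    """Health rules applied to one cycle; an empty list means the cycle looks sound."""
    findings = []
    if c.received != c.dups + c.sent:
        findings.append(f"{c.service}/{c.pull_id}: received {c.received} events but "
                        f"duplicates+sent is {c.dups + c.sent}; events were lost before sending")
    if c.requests > MAX_REQUESTS_PER_HOUR:
        findings.append(f"{c.service}/{c.pull_id}: {c.requests} requests in one cycle exceeds "
                        f"the {MAX_REQUESTS_PER_HOUR}/hour limit")
    if not c.partial and c.requests == 0:
        findings.append(f"{c.service}/{c.pull_id}: final statistics with zero requests made")
    return findings


def scan_log(text: str) -> Tuple[Dict[str, PullCycle], List[str]]:
    """Return the final (non-partial) cycle per pull id and every ERROR/CRITICAL line."""
    cycles: Dict[str, PullCycle] = {}
    errors: List[str] = []
    for line in text.splitlines():
        cycle = parse_stats_line(line)
        if cycle is not None:
            if not cycle.partial:
                cycles[cycle.pull_id] = cycle
            continue
        parts = line.split(maxsplit=2)  # "<timestamp> <LEVEL> <rest>"
        if len(parts) >= 2 and parts[1] in ("ERROR", "CRITICAL"):
            errors.append(line.strip())
    return cycles, errors


# First three lines are the malware output shown on this page; the last two are constructed.
SAMPLE_LOG = "\n".join([
    "2024-07-19T15:30:24.564 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,,predefined) -> Pull Started",
    "2024-07-19T15:30:27.075 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1721383224558):Number of requests made: 1; Number of events received: 87; Number of duplicated events filtered out: 0; Number of events generated and sent: 87; Average of events per second: 34.643.",
    "2024-07-19T15:30:28.452 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1721383224558):Number of requests made: 2; Number of events received: 87; Number of duplicated events filtered out: 0; Number of events generated and sent: 87; Average of events per second: 22.375.",
    "2024-07-19T16:30:31.120 INFO InputProcess::SymantecBasePuller(symantec,123123,anti_spam,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1721386831001):Number of requests made: 1; Number of events received: 90; Number of duplicated events filtered out: 0; Number of events generated and sent: 87; Average of events per second: 20.000.",
    "2024-07-19T16:30:35.000 ERROR InputProcess::SymantecBasePuller(symantec,123123,anti_spam,predefined) -> Some error occurred while retrieving events from symantec server. Error details: constructed sample",
])


if __name__ == "__main__":
    found, errs = scan_log(SAMPLE_LOG)
    for c in found.values():
        print(c.service, c.pull_id, check_cycle(c) or "ok")
    print("error lines:", len(errs))
```

Run it against the collector's log console output (docker logs on an on-premise deployment); a non-empty findings list or any ERROR line is the cue to look at the troubleshooting table below rather than assume the "Sent N events" line means everything reached Devo.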
all_emails, anti_spam, email_threat, email_delivery, clicktime, threat_isolation
The remaining services (all_emails, anti_spam, email_threat, email_delivery, clicktime and threat_isolation, the last one listed as isolation in the data sources table) are checked the same way as the malware service: once the collector has been launched, go to the collector's logs console and verify that the ingestion is performed properly. Each of these services has the same two components:

| Component | Description |
|---|---|
| Setup | The setup module is in charge of authenticating the service and managing the token expiration when needed. |
| Puller | The puller module is in charge of pulling the data in an organized way and delivering the events via SDK. |

Setup output
A successful run produces the same setup messages shown for the malware service above, ending with the "Setup for module <SymantecBasePuller> has been successfully executed" line; the service name appears in place of malware in the thread tag.
Puller output
A successful initial run logs "Pull Started", the "Fetching data From : <reset timestamp> to the current date" line, "Sent N <service> events to Devo." and a "(Partial) Statistics for this pull cycle" line, as in the malware example above. Note that the PrePull action is executed only one time before the first run of the Pull action. After a successful collector execution (that is, no error logs found), the final "Statistics for this pull cycle" message is written for the service.
Restart the persistence
This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:
Edit the configuration file.
Change the value of the request_period_in_seconds parameter to a different one.
Save the changes.
Restart the collector.
The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.
Troubleshooting
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

| Error type | Error ID | Error message | Cause | Solution |
|---|---|---|---|---|
| SetupError | 100 | Error occurred while requesting from the Symantec server. Error message: {error message} | Credentials error (unauthorized), a mismatch between the configured credentials and the Symantec account, or a Symantec server error | Check the credentials; if they are correct, contact the developer with the full error message |
| SetupError | 101 | Some error occurred while retrieving events from symantec server. Error detail {e}. | Error on the Symantec server. | Contact the developer with the exact error message. |
| PullError | 300 | Error related to HTTP, occurred while retrieving events from symantec server{summery} , {details} | The HTTP request the collector makes to fetch data from the API failed. | The message carries the HTTP status code together with the summary and details: an authentication or authorization failure (401/403) points at the credentials or base_url, a 5xx status at a server-side problem. Contact the developer with the message if the error persists. |
| PullError | 301 | Some error occurred while retrieving events from symantec server. Error details: {details} | An exception was raised while making the API request. | Contact the developer with the exact error message. |
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.