Document toolboxDocument toolbox

Symantec collector

Overview

Symantec Endpoint Protection, developed by Broadcom Inc., is a security software suite that consists of anti-malware, intrusion prevention and firewall features for server and desktop computers.

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

not allowed

Running environments

collector server

Populated Devo events

table

Flattening preprocessing

no

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

All

Get all scanned email

/all

all_emails

mail.symantec.email_security_cloud.all_email

v1.0.0

Threat isolation

Get all the Isolation feature

/isolation

isolation

mail.symantec.email_security_cloud.isolation

v1.0.0

Malware

Get all the Malware containing email

/malware

malware

mail.symantec.email_security_cloud.malware

v1.0.0

clicktime

Get all the Click-time

/clicktime

clicktime

mail.symantec.email_security_cloud.clicktime

v1.0.0

Anti-spam

Get all email as spam, and action taken

/spam

anti_spam

mail.symantec.email_security_cloud.anti_spam

v1.0.0

Email Threat Analytics

Get all emails blocked by Anti-Malware service

/ec_reports

email_threat

mail.symantec.email_security_cloud.ec_report

v1.0.0

Email delivery data

Get all the describes both inbound and outbound email delivery

/delivery

email_delivery

mail.symantec.email_security_cloud.email_delivery

v1.0.0

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source

Collector service

Optional

Flattening details

All

all_emails

yes

not required

Threat isolation

isolation

yes

not required

Malware

malware

yes

not required

clicktime

clicktime

yes

not required

Anti-spam

anti_spam

yes

not required

Email Threat Analytics

email_threat

yes

not required

Email delivery data

email_delivery

yes

not required

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

username

The username for Symantec Email Security Cloud API

password

The password for Symantec Email Security Cloud API

base_url

The Base Url for Symantec Email Security Cloud API . (Ex: https://<Symantec_base_url>)

reset_url

The Reset Url for Symantec Email Security Cloud API. (Ex: https://<Symantec_base_url>/reset?2024-07-16T10:00:00Z)

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

This collector can only make 30 requests per hour for each service.

Malware

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

2024-07-19T15:30:22.555 INFO InputProcess::MainThread -> SymantecBasePuller(symantec,123123,malware,predefined) - Starting thread 2024-07-19T15:30:22.555 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-symantec/state/not_used/DevoSender;internal_senders;devo_sender_0.json.gz 2024-07-19T15:30:22.555 WARNING InputProcess::SymantecBasePuller(symantec,123123,malware,predefined) -> Waiting until setup will be executed 2024-07-19T15:30:22.556 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated 2024-07-19T15:30:22.556 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-symantec/state/4ff7b345dc444ac050cf75f93e5dcb3b" 2024-07-19T15:30:22.556 INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-symantec/state/not_used/OutputInternalConsumer;internal_senders;0.json.gz 2024-07-19T15:30:22.557 INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated 2024-07-19T15:30:22.557 INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-symantec/state/10dd360c86621afd5a28a029a0dddcf6" 2024-07-19T15:30:22.557 INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread 2024-07-19T15:30:22.557 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds) 2024-07-19T15:30:22.557 INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread 2024-07-19T15:30:22.557 INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system 2024-07-19T15:30:22.558 INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system 2024-07-19T15:30:22.558 INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread 2024-07-19T15:30:22.558 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(lookup_senders,devo_1) -> Starting thread (every 300 seconds) 2024-07-19T15:30:22.558 INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system 2024-07-19T15:30:22.558 INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system 2024-07-19T15:30:22.559 INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_1) -> Starting thread 2024-07-19T15:30:22.559 INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system 2024-07-19T15:30:22.559 INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system 2024-07-19T15:30:22.559 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread 2024-07-19T15:30:22.559 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_1) -> Starting thread (every 300 seconds) 2024-07-19T15:30:22.559 INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_1) -> Starting thread 2024-07-19T15:30:22.559 INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system 2024-07-19T15:30:22.559 INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system 2024-07-19T15:30:22.559 INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system 2024-07-19T15:30:22.560 INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system 2024-07-19T15:30:22.560 INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system 2024-07-19T15:30:22.560 INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system 2024-07-19T15:30:22.568 INFO InputProcess::MainThread -> [GC] global: 26.4% -> 26.5%, process: RSS(42.12MiB -> 42.12MiB), VMS(496.55MiB -> 496.55MiB) 2024-07-19T15:30:22.574 INFO OutputProcess::MainThread -> [GC] global: 26.5% -> 26.5%, process: RSS(42.97MiB -> 43.47MiB), VMS(929.05MiB -> 929.05MiB) 2024-07-19T15:30:23.075 INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"name": "DevoSender(internal_senders,devo_sender_0)", "url": "collector-eu.devo.io:443", "chain_path": "/home/md_tausif/gitlab/devo-collector-symantec/certs/chain.crt", "cert_path": "/home/md_tausif/gitlab/devo-collector-symantec/certs/int-if-integrations-india.crt", "key_path": "/home/md_tausif/gitlab/devo-collector-symantec/certs/int-if-integrations-india.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "2023-apac-0046", session_id: "127870209828560" 2024-07-19T15:30:23.075 INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system 2024-07-19T15:30:24.060 INFO InputProcess::SymantecBasePullerSetup(unknown,symantec#123123,malware,#predefined) -> Setup for module <SymantecBasePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

2024-07-19T15:30:24.564 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,,predefined) -> Pull Started 2024-07-19T15:30:24.565 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,,predefined) -> Fetching data From : 2024-07-16T10:00:00Z to the current date 2024-07-19T15:30:27.075 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,,predefined) -> Sent 87 malware events to Devo. 2024-07-19T15:30:27.075 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1721383224558):Number of requests made: 1; Number of events received: 87; Number of duplicated events filtered out: 0; Number of events generated and sent: 87; Average of events per second: 34.643.

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

2024-07-19T15:30:28.452 INFO InputProcess::SymantecBasePuller(symantec,123123,malware,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1721383224558):Number of requests made: 2; Number of events received: 87; Number of duplicated events filtered out: 0; Number of events generated and sent: 87; Average of events per second: 22.375.

all_emails

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Puller output

A successful initial run has the following output messages for the puller module:

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

anti_spam

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Puller output

A successful initial run has the following output messages for the puller module:

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

email_threat

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Puller output

A successful initial run has the following output messages for the puller module:

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

email_delivery

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Puller output

A successful initial run has the following output messages for the puller module:

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

clicktime

threat_isolation

Restart the persistance

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the request_period_in_seconds parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error message

Cause

Solution

SetupError

100

Error occurred while requesting from the Symantec server. Error message: {error message}

Credentials error {unauthorized} or mismatch b/w credentials or Symantec server error

Check the credentials or contact developer with required message

SetupError

101

Some error occurred while retrieving events from symantec server. Error detail {e}.

Error on the symantec server.

Contact the developer with exact error message.

PullError

300

Error related to HTTP, occurred while retrieving events from symantec server{summery} , {details}

This error happens when the collector tries to fetch the data from API.

In this error you will find the HTTP error code as well as the summary and details.

PullError

301

Some error occurred while retrieving events from symantec server. Error details: {details}

Some exceptions occurred while making the API request.

Contact the developer with exact error message.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Change log

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v1.0.0

Jul 25, 2024

NEW FEATURE



-

-