Collector and Forwarder Support matrix for ICDx

Article ID: 173469

Products

ICDx

Issue/Introduction

Information is needed on which versions of Integrated Cyber Defense Exchange (ICDx) support a given Collector or Forwarder.

Resolution

ICDx Support for Collectors

| Collector Type | Product | Product Version | Minimum ICDx Version | Comments |
|---|---|---|---|---|
| Symantec Endpoint Protection Manager** | SEPM | 14.0.1+ (AKA 14RU1) | 1.2.0 | Target SEPM must be installed into a Microsoft SQL server, not into a SEPM embedded database. |
| Symantec Advanced Threat Protection* | SEDR | 4.0+ | 1.2.0 | For SEDR, only Endpoint Activity Recorder events |
| Symantec Advanced Threat Protection* | ATP | 3.2 | 1.2.0 | For ATP, only data recorder events |
| Symantec Secure Web Gateway (ProxySG)* | ProxySG | 6.7, 6.6, 6.5 | 1.2.0 | Both push at rotation and streaming via TCP custom push target. WAF should also work. |
| Symantec Email Security.cloud* | ESS | N/A | 1.2.0 | Malware and non-malware events now supported |
| Symantec Data Center Security** | DCS | 6.7+, 6.5 | 1.2.0 | |
| Symantec Data Loss Prevention** | DLP | 15.7, 14.6 | 1.2.0 | Additional requirements for the DLP Collector: download the ojdbc.jar file from Oracle and install it; create incident_view and a user using the incident_view SQL |
| RabbitMQ - AMQP*** | ??? | ??? | 1.2.0 | |
| Symantec Web Security Service* | WSS | N/A | 1.2.0 | |

* This collector is a network collector
** This collector is a database collector
*** Custom work for this collector is available through Symantec Consulting Services. Support assists with confirming defects.

ICDx Support for Forwarders

| Forwarder Type | Required Target Version | Minimum ICDx Version | Notes |
|---|---|---|---|
| Amazon S3 | N/A | 1.2.0 | Useful for SmartHive integration |
| Apache Kafka | 1.0.0 | 1.2.0 | |
| Elasticsearch | Python v2.7.x+ on the node with Kibana; "Request" module for Python; Elasticsearch v6.2.3+; Kibana v6.2.3+ | 1.2.0 | The Kibana app requires document type mapping; pipeline enabled in Elastic. For more, see DOC11490 - Symantec™ Integrated Cyber Defense Exchange SOC Investigator App for the Elastic Stack Installation and Configuration Guide |
| JSON | N/A | 1.2.0 | Useful as a limited deployment for troubleshooting the flow of events from collector to forwarder |
| Microsoft Azure Sentinel (LogAnalytics) | N/A | 1.3.0 | |
| RabbitMQ - AMQP | | 1.2.0 | |
| ServiceNow SOC Response | London | 1.2.0 | Requires the Security Operations add-on. For more, see DOC11491 - Symantec™ Integrated Cyber Defense Exchange SOC Response App for ServiceNow Installation and Configuration Guide |
| Splunk - HEC | 7.x | 1.2.0 | Requires HTTP + JSON processor; free tier should work for demo purposes; current dashboards provided are SEP focused. For more, see DOC11492 - Symantec™ Integrated Cyber Defense Exchange SOC View App and TA for Splunk Installation and Configuration Guide |
| Symantec Threat Hunting Center | N/A | 1.3.0 | Symantec Threat Hunting Center is an OEM offering of Anomali Enterprise which includes configuration options that accept connections from ICDx. ICDx forwarder support does not include support for the non-OEM version of Anomali Enterprise itself. |
| Syslog Common Event Format (CEF) | N/A | 1.2.0 | Useful for IBM QRadar and multiple other integrations, such as CyberSponse CyberOps and Examark. For more information, see HOWTO130442 - Forward ICDx via Syslog CEF Forwarder |
| Syslog | N/A | 1.2.0 | Useful for Syslog integrations where CEF is not used |