
Symantec EDR App For QRadar showing error codes or installation failures


Article ID: 173477


Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

When running QRadar 7.3.1 or later with Symantec ATP 3.x or Symantec Endpoint Detection and Response (SEDR) 4.0 or later, and with the Symantec ATP App for QRadar installed, you may start seeing HTTP 422 errors reported in the app logs, or dashboard errors in the QRadar app.

Resolution

In order to resolve this issue, you will need to completely remove and reinstall the Symantec ATP App for QRadar. Please follow these steps:

  1. Delete the log source of the old ATP app
    1. To delete the custom properties, go to Admin -> Custom Event Properties, search for “symantec*” and select all by pressing Ctrl+A. Make sure the associated log source type is Symantec ATP/EDR, then click the Delete button.

      NOTE: It is important to remove any entries that reference 'symantec', as leaving these artifacts behind will cause issues during the installation of the new App.

  2. Uninstall Symantec ATP/EDR app
      1. Go to the Admin Page
      2. Open the Extension Management section
      3. Select Symantec EDR application
      4. Click on Uninstall

  3. Download the latest version of Symantec EDR app for QRadar from IBM. This can be downloaded after logging in here: https://exchange.xforce.ibmcloud.com/hub/extension/6d5f99c56cc60d7234259369ca85d029

  4. Install and verify installation
    (Refer to page 13 of the Symantec ATP App for QRadar guide for more information)
    1. Log in to the QRadar console
    2. Go to Admin -> Extension Management
    3. Choose the downloaded zip file by clicking on Browse
    4. QRadar will show the list of changes the app is about to make
    5. Click the Install button

  5. Configure the ATP connection
    (Refer to page 14 of the Symantec ATP App for QRadar guide for more information)
    Log in to the QRadar console, then:
    1. Go to Admin -> Plugins -> Symantec ATP
    2. Click on “New” to set up a new Symantec ATP server, then enter the following details:
      1. ATP/SEDR appliance URL (example: https://192.168.10.110/)
      2. Password, in client_id:client_secret format, taken from the OAuth token generated on the appliance.
    3. Go to Admin -> Authorized Services
    4. Create a new Authorization token and click the checkbox for No Expiry
    5. Click on Deploy changes
    6. Go to the configuration tab and enable the data collection as required.
    7. Enter the authorization token that is used for fetching data via the REST API.
    8. It is recommended to keep the start time as “now”; otherwise there will be discrepancies in the dashboards and you may have to wait some time until the dashboards are fully populated.
    9. The “Start Time” should not be older than the last 3 months (90 days) for data collection.
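
    A pre-flight check for the three form values in step 5, added here as an example (not code from the article or from the Symantec app): it validates the appliance URL, the client_id:client_secret credential and the Start Time against the 90-day limit before you click Deploy Changes. Timestamps are passed as ISO-8601 strings and nothing is sent to the appliance; the function name and argument layout are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

MAX_START_AGE_DAYS = 90  # article: Start Time must not be older than 3 months


def _parse_utc(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a value with no zone is treated as UTC."""
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def check_atp_config(appliance_url: str, password: str, start_time: str,
                     now: str = "") -> list:
    """Return the problems found; an empty list means the form values look sane."""
    problems = []
    current = _parse_utc(now) if now else datetime.now(timezone.utc)

    # 1. Appliance URL: scheme and host only, over HTTPS (e.g. https://192.168.10.110/)
    parts = urlsplit(appliance_url.strip())
    if parts.scheme != "https":
        problems.append("appliance URL must start with https://")
    if not parts.hostname:
        problems.append("appliance URL has no host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("appliance URL should be the bare appliance address, no path")

    # 2. Password field: client_id:client_secret from the OAuth token made on the appliance
    client_id, sep, client_secret = password.partition(":")
    if not sep or not client_id.strip() or not client_secret.strip():
        problems.append("password must be in client_id:client_secret format")

    # 3. Start Time: not in the future and not older than 90 days
    try:
        start = _parse_utc(start_time)
    except ValueError:
        problems.append("start time is not a valid ISO-8601 timestamp")
        return problems
    if start > current:
        problems.append("start time is in the future")
    elif current - start > timedelta(days=MAX_START_AGE_DAYS):
        problems.append(f"start time is older than {MAX_START_AGE_DAYS} days")
    elif current - start > timedelta(hours=1):
        # Not an error: the article recommends 'now' to avoid dashboard discrepancies
        problems.append("warning: start time is not 'now'; dashboards may lag until backfilled")
    return problems
```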

  6. Verify the dashboard is receiving events
    1. Click Symantec ATP Overview
    2. Check the Overview section