Symantec Endpoint Detection and Response (SEDR) doesn't execute commands from integrated solutions
Article ID: 174453
Updated On:
Products
Endpoint Detection and Response
Advanced Threat Protection Platform
Issue/Introduction
Integrated Solutions are not showing query results.
Resolution
Use API commands to verify that Symantec Endpoint Detection and Response (SEDR) receives those API calls and that results are returned.
Using Curl:
- Verify that you have an OAuth Client established in the SEDR Web UI > Settings > Data Sharing and note down the client_id and client_secret.
- Concatenate the client_id, ':', client_secret with base64 and put it in the Authorization header after the Basic text.
- Use the following curl command where <SEDR IP> = the IP address of your SEDR appliance:
curl -X POST -H "Accept: application/json" -H "Authorization: Basic TzJJRC5hdHAtY3VzdG9tZXIuYXRwLWRvbWFpbi5hOXFjZWQ0dGZjcTdva2pjbDA3YjVrN25xczpqYXNsdjZyb3Q4cDd0MW8wN TZma3FtbHZiMG10ZWhoOXFmZw==" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&scope=customer' "https://<SEDR IP>/atpapi/oauth2/tokens"
- Copy the access token from the response body:
{ "access_token":"eyJraWQiOiIwOXdoVHNEM1JRV2VISGRXOGR3cXp3IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.ey JzdWIiOiJ7XCJkb21haW5faWRcIjpcImF0cC1kb21haW5cIixcIm93bmVyX3VyaVwiOlwiXC92MVwvbWRyXC91c2Vyc1wvemp tSGw5Z1VRMG1TSGo2dVdJYWtWZ1wiLFwic2NvcGVcIjpcImN1c3RvbWVyXCIsXCJwcml2c1wiOlwibWFuYWdlX2RvbWFpblwi LFwiY3VzdG9tZXJfaWRcIjpcImF0cC1jdXN0b21lclwiLFwidXJpXCI6XCJcL29hdXRoMlwvY2xpZW50c1wvTzJJRC5hdHAtY 3VzdG9tZXIuYXRwLWRvbWFpbi5hOXFjZWQ0dGZjcTdva2pjbDA3YjVrN25xc1wiLFwiY2xpZW50X2lkXCI6XCJPMklELmF0cC 1jdXN0b21lci5hdHAtZG9tYWluLmE5cWNlZDR0ZmNxN29ramNsMDdiNWs3bnFzXCJ9IiwidmVyIjoxLCJpc3MiOiJpZF9lcG1 wX2kiLCJleHAiOjE0NjYwNjM5NjcsImlhdCI6MTQ2NjA2MDM2NywianRpIjoiWXVSTXRVWmRSZEszazVXNnhYU253QSJ9.3K7 eZOO0oG1QtAA_YkRWQ_OeHxG_m98FI3qdIww0DK2CFsC_rSt1hq5QZxGeX_D803VarzrvDsMR4E26u-sdMY05X12q1p5v- phQWct6ArCtqNCderEJEkHvtu_Xynuytds7vgLKDXx-0IWP1zGtQdffpO7gTW1DVg4gz2P65ymA- iU5eXTRbXjHI6na8cAA__rW3d0k0tEKPVw8RlXHBccWAVRs9F3tJWSw2WHTK4OJyqYg6_nc2uMIciDH01v97ntb7zPY5rsSxN Ior9ipqNLqs__ya93_RO8S8pOR5LSANjROy8PBS-FUA-1hiHStrRCVdQ-R1aX2nO6qMThXmQ", "token_type":"Bearer", "expires_in":3600 } - Insert that Token into the following curl command:
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer eyJraWQiOiIwOXdoVHNEM1JRV2VISGRXOGR3cXp3IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ7XCJkb2 1haW5faWRcIjpcImF0cC1kb21haW5cIixcIm93bmVyX3VyaVwiOlwiXC92MVwvbWRyXC91c2Vyc1wvemptSGw5Z1VRMG1TSGo 2dVdJYWtWZ1wiLFwic2NvcGVcIjpcImN1c3RvbWVyXCIsXCJwcml2c1wiOlwibWFuYWdlX2RvbWFpblwiLFwiY3VzdG9tZXJf aWRcIjpcImF0cC1jdXN0b21lclwiLFwidXJpXCI6XCJcL29hdXRoMlwvY2xpZW50c1wvTzJJRC5hdHAtY3VzdG9tZXIuYXRwL WRvbWFpbi5hOXFjZWQ0dGZjcTdva2pjbDA3YjVrN25xc1wiLFwiY2xpZW50X2lkXCI6XCJPMklELmF0cC1jdXN0b21lci5hdH AtZG9tYWluLmE5cWNlZDR0ZmNxN29ramNsMDdiNWs3bnFzXCJ9IiwidmVyIjoxLCJpc3MiOiJpZF9lcG1wX2kiLCJleHAiOjE 0NjYwNjM5NjcsImlhdCI6MTQ2NjA2MDM2NywianRpIjoiWXVSTXRVWmRSZEszazVXNnhYU253QSJ9.3K7eZOO0oG1QtAA_YkR WQ_OeHxG_m98FI3qdIww0DK2CFsC_rSt1hq5QZxGeX_D803VarzrvDsMR4E26u-sdMY05X12q1p5v- phQWct6ArCtqNCderEJEkHvtu_Xynuytds7vgLKDXx-0IWP1zGtQdffpO7gTW1DVg4gz2P65ymA- iU5eXTRbXjHI6na8cAA__rW3d0k0tEKPVw8RlXHBccWAVRs9F3tJWSw2WHTK4OJyqYg6_nc2uMIciDH01v97ntb7zPY5rsSxN Ior9ipqNLqs__ya93_RO8S8pOR5LSANjROy8PBS-FUA-1hiHStrRCVdQ-R1aX2nO6qMThXmQ" -d '{ "verb":"query", "limit":1 }' "https://<SEDR IP>/atpapi/v2/events/" - You should see a result returned:
{ "result":[ { ... } ], "next":"NiwyMDR2LTA2LTIwVDIwOjQ2OjE2LjgyN1o=", "total":1 }
With those results you will see that SEDR receives API commands and returns results.
If there are errors please note down the HTTP error code and message, then contact support.
Feedback
Yes
No
Powered by
