
Symantec Endpoint Detection and Response (SEDR) doesn't execute commands from integrated solutions

Article ID: 174453

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

Integrated Solutions are not showing query results.

Resolution

Use API commands to verify that Symantec Endpoint Detection and Response (SEDR) receives those API calls and that results are returned.

Using curl:

  1. Verify that you have an OAuth Client established in the SEDR Web UI > Settings > Data Sharing and note down the client_id and client_secret.
  2. Concatenate the client_id, a colon (':'), and the client_secret, base64-encode that string, and put the result in the Authorization header after the word Basic.
  3. Use the following curl command, where <SEDR IP> is the IP address of your SEDR appliance:
    curl -X POST -H "Accept: application/json" \
      -H "Authorization: Basic TzJJRC5hdHAtY3VzdG9tZXIuYXRwLWRvbWFpbi5hOXFjZWQ0dGZjcTdva2pjbDA3YjVrN25xczpqYXNsdjZyb3Q4cDd0MW8wNTZma3FtbHZiMG10ZWhoOXFmZw==" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d 'grant_type=client_credentials&scope=customer' \
      "https://<SEDR IP>/atpapi/oauth2/tokens"
  4. Copy the access token from the response body:
    {
       "access_token":"eyJraWQiOiIwOXdoVHNEM1JRV2VISGRXOGR3cXp3IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ7XCJkb21haW5faWRcIjpcImF0cC1kb21haW5cIixcIm93bmVyX3VyaVwiOlwiXC92MVwvbWRyXC91c2Vyc1wvemptSGw5Z1VRMG1TSGo2dVdJYWtWZ1wiLFwic2NvcGVcIjpcImN1c3RvbWVyXCIsXCJwcml2c1wiOlwibWFuYWdlX2RvbWFpblwiLFwiY3VzdG9tZXJfaWRcIjpcImF0cC1jdXN0b21lclwiLFwidXJpXCI6XCJcL29hdXRoMlwvY2xpZW50c1wvTzJJRC5hdHAtY3VzdG9tZXIuYXRwLWRvbWFpbi5hOXFjZWQ0dGZjcTdva2pjbDA3YjVrN25xc1wiLFwiY2xpZW50X2lkXCI6XCJPMklELmF0cC1jdXN0b21lci5hdHAtZG9tYWluLmE5cWNlZDR0ZmNxN29ramNsMDdiNWs3bnFzXCJ9IiwidmVyIjoxLCJpc3MiOiJpZF9lcG1wX2kiLCJleHAiOjE0NjYwNjM5NjcsImlhdCI6MTQ2NjA2MDM2NywianRpIjoiWXVSTXRVWmRSZEszazVXNnhYU253QSJ9.3K7eZOO0oG1QtAA_YkRWQ_OeHxG_m98FI3qdIww0DK2CFsC_rSt1hq5QZxGeX_D803VarzrvDsMR4E26u-sdMY05X12q1p5v-phQWct6ArCtqNCderEJEkHvtu_Xynuytds7vgLKDXx-0IWP1zGtQdffpO7gTW1DVg4gz2P65ymA-iU5eXTRbXjHI6na8cAA__rW3d0k0tEKPVw8RlXHBccWAVRs9F3tJWSw2WHTK4OJyqYg6_nc2uMIciDH01v97ntb7zPY5rsSxNIor9ipqNLqs__ya93_RO8S8pOR5LSANjROy8PBS-FUA-1hiHStrRCVdQ-R1aX2nO6qMThXmQ",
       "token_type":"Bearer",
       "expires_in":3600
    }
  5. Insert that Token into the following curl command:
    curl -X POST -H "Content-Type: application/json" \
      -H "Authorization: Bearer eyJraWQiOiIwOXdoVHNEM1JRV2VISGRXOGR3cXp3IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ7XCJkb21haW5faWRcIjpcImF0cC1kb21haW5cIixcIm93bmVyX3VyaVwiOlwiXC92MVwvbWRyXC91c2Vyc1wvemptSGw5Z1VRMG1TSGo2dVdJYWtWZ1wiLFwic2NvcGVcIjpcImN1c3RvbWVyXCIsXCJwcml2c1wiOlwibWFuYWdlX2RvbWFpblwiLFwiY3VzdG9tZXJfaWRcIjpcImF0cC1jdXN0b21lclwiLFwidXJpXCI6XCJcL29hdXRoMlwvY2xpZW50c1wvTzJJRC5hdHAtY3VzdG9tZXIuYXRwLWRvbWFpbi5hOXFjZWQ0dGZjcTdva2pjbDA3YjVrN25xc1wiLFwiY2xpZW50X2lkXCI6XCJPMklELmF0cC1jdXN0b21lci5hdHAtZG9tYWluLmE5cWNlZDR0ZmNxN29ramNsMDdiNWs3bnFzXCJ9IiwidmVyIjoxLCJpc3MiOiJpZF9lcG1wX2kiLCJleHAiOjE0NjYwNjM5NjcsImlhdCI6MTQ2NjA2MDM2NywianRpIjoiWXVSTXRVWmRSZEszazVXNnhYU253QSJ9.3K7eZOO0oG1QtAA_YkRWQ_OeHxG_m98FI3qdIww0DK2CFsC_rSt1hq5QZxGeX_D803VarzrvDsMR4E26u-sdMY05X12q1p5v-phQWct6ArCtqNCderEJEkHvtu_Xynuytds7vgLKDXx-0IWP1zGtQdffpO7gTW1DVg4gz2P65ymA-iU5eXTRbXjHI6na8cAA__rW3d0k0tEKPVw8RlXHBccWAVRs9F3tJWSw2WHTK4OJyqYg6_nc2uMIciDH01v97ntb7zPY5rsSxNIor9ipqNLqs__ya93_RO8S8pOR5LSANjROy8PBS-FUA-1hiHStrRCVdQ-R1aX2nO6qMThXmQ" \
      -d '{ "verb":"query", "limit":1 }' \
      "https://<SEDR IP>/atpapi/v2/events/"
  6. You should see a result returned:
    {
       "result":[
          {
             ...
          }
       ],
       "next":"NiwyMDR2LTA2LTIwVDIwOjQ2OjE2LjgyN1o=",
       "total":1
    }

If those results come back, SEDR is receiving API commands and returning results.
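An added example, not part of the article, that scripts steps 2 to 6 as one POSIX shell check: it builds the Basic header from the client credentials, requests the token, extracts access_token, runs the events query, and stops at the first non-2xx status so the HTTP code and body can be reported to support. It assumes the appliance host and OAuth client values arrive in the SEDR_HOST, CLIENT_ID and CLIENT_SECRET environment variables (names chosen here, not from the article), with an optional SEDR_CURL_OPTS for extra curl options such as --cacert.

```shell
#!/bin/sh
# Added example (not from the article): scripts steps 2 to 6 above and checks the HTTP
# status of every call, so a failure shows the code and body to report to support.
# Assumed, not in the article: SEDR_HOST, CLIENT_ID, CLIENT_SECRET from the environment;
# optional SEDR_CURL_OPTS for extra curl flags such as --cacert <appliance CA file>.
set -u
# Step 2: base64(client_id:client_secret). tr removes the line wrap that GNU base64
# inserts after 76 characters, which would otherwise corrupt the header value.
basic_auth_header() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Step 4: pull the access_token value out of the token response body (no jq needed).
extract_access_token() {
    printf '%s\n' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# True for any 2xx status; anything else is the error to note down for support.
is_success_status() {
    case "$1" in 2[0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# POST to the appliance: prints the body, fails on a non-2xx (or unreachable, "000") status.
sedr_post() {
    url=$1; shift; tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' ${SEDR_CURL_OPTS:-} "$@" "$url")
    cat "$tmp"; rm -f "$tmp"
    is_success_status "$status" || { echo "HTTP $status from $url" >&2; return 1; }
}

run_check() {
    base="https://$SEDR_HOST/atpapi"
    # Step 3: client-credentials token request.
    body=$(sedr_post "$base/oauth2/tokens" -H "Accept: application/json" \
        -H "Authorization: Basic $(basic_auth_header "$CLIENT_ID" "$CLIENT_SECRET")" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d 'grant_type=client_credentials&scope=customer') || return 1
    token=$(extract_access_token "$body")
    [ -n "$token" ] || { echo "no access_token in response: $body" >&2; return 1; }
    # Step 5: query a single event with the bearer token.
    body=$(sedr_post "$base/v2/events/" -H "Content-Type: application/json" \
        -H "Authorization: Bearer $token" -d '{ "verb":"query", "limit":1 }') || return 1
    echo "OK: SEDR accepted both API calls; events response: $body"
}
if [ -n "${SEDR_HOST:-}" ] && [ -n "${CLIENT_ID:-}" ] && [ -n "${CLIENT_SECRET:-}" ]; then
    run_check
else
    echo "Set SEDR_HOST, CLIENT_ID and CLIENT_SECRET to run the live check" >&2
fi
```

With the client_id and client_secret from the article's own example, basic_auth_header reproduces the Basic header value shown in step 3, which is a quick way to confirm the encoding before touching the appliance.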

If there are errors, note down the HTTP error code and message, then contact support.