Pre-installation checklist for Symantec EDR App for Splunk


Article ID: 176198


Products

▪ Email Security.cloud
▪ Endpoint Detection and Response
▪ Advanced Threat Protection Platform

Issue/Introduction

You seek to prepare for installing the Symantec EDR App for Splunk.

Environment

▪ Splunk Enterprise 6.4.x and above
▪ Symantec Advanced Threat Protection (ATP) 3.1 to 3.2 -OR- Symantec Endpoint Detection and Response (SEDR) 4.x

Resolution

  1. Identify which features of Symantec EDR App for Splunk you plan to implement
  2. Identify where to install Symantec EDR App for Splunk and Symantec EDR Add-On for Splunk
  3. Check requirements related to each planned feature
  4. Download installation material from Splunkbase

NOTE: Preparing login credentials for each planned feature is part of installing the Symantec EDR Add-On for Splunk. For more about the actual install steps, see Symantec™ Endpoint Detection and Response App for Splunk Administration Guide after you're done with the pre-install checklist.

 

To identify which features of Symantec EDR App for Splunk you plan to implement

  • Email - collect/analyze malware detection events from Email Security.cloud
  • Endpoint - collect/analyze malware detection events that ATP or SEDR obtained from Symantec Endpoint Protection (SEP) Manager or SEP clients
  • Network - collect/analyze malware detection events from ATP or SEDR network scanners
  • Adaptive Response - send commands to ATP or SEDR from within Splunk to respond to detected events. Available actions include: Delete a File from a Device, Isolate an Endpoint, Rejoin an Endpoint, or Check Status for one of the Adaptive Response Delete/Isolate/Rejoin commands.

 

To identify where to install Symantec EDR App for Splunk and Symantec EDR Add-On for Splunk

  1. If you do not have a distributed Splunk environment, install both the Symantec EDR App for Splunk and Symantec EDR Add-On for Splunk on the Splunk server where you plan to use the Symantec EDR App for Splunk.
  2. If you have a distributed Splunk environment, refer to the following chart to determine where to install Symantec EDR App for Splunk and Symantec EDR Add-On for Splunk:

 

To check requirements related to each planned feature

  1. For each Splunk server, search head, forwarder, or indexer where either Symantec EDR App for Splunk or Symantec EDR Add-On for Splunk will be installed, confirm that the Splunk version is 6.4.x or above.
  2. For the Email feature, confirm that the non-distributed Splunk server or each forwarder can connect to datafeedapi.symanteccloud.com via TCP port 443.
  3. For the Endpoint or Network feature, confirm that the non-distributed Splunk server or each forwarder can connect to each ATP or SEDR instance via TCP port 443.
  4. For the Adaptive Response feature, confirm that the Splunk Enterprise Security Suite is installed on the non-distributed Splunk server or on the search head.
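The following POSIX shell script is an added example, not part of this article or of Broadcom's documentation. It automates the four checks above on a Linux Splunk host: it parses the output of `splunk version` and compares it against the 6.4 minimum, tests TCP port 443 reachability to datafeedapi.symanteccloud.com (the Email feature host named in the article) and to each ATP/SEDR instance, and looks for the Splunk Enterprise Security app directory. Assumptions that are not from the article: `SPLUNK_HOME` defaults to /opt/splunk, `EDR_HOSTS` is a space-separated list of your ATP/SEDR hostnames that you supply, `EDR_PRECHECK_RUN=1` gates the actual run, and `SplunkEnterpriseSecuritySuite` is taken as Splunk ES's default app directory name.

```shell
#!/bin/sh
# Pre-install checks for the Symantec EDR App/Add-On for Splunk (added example).
# Assumptions (not from the KB article): SPLUNK_HOME defaults to /opt/splunk,
# EDR_HOSTS is a space-separated list of ATP/SEDR hostnames you supply, and
# EDR_PRECHECK_RUN=1 gates the actual run so the functions can be sourced alone.

EMAIL_FEED_HOST="datafeedapi.symanteccloud.com"   # from the KB article (Email feature)
MIN_MAJOR=6                                        # Splunk 6.4.x or above
MIN_MINOR=4

# Extract "X.Y.Z" from the output of `splunk version`, e.g. "Splunk 8.2.3 (build ...)".
parse_splunk_version() {
    printf '%s\n' "$1" | sed -n 's/^Splunk \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if version "X.Y[.Z]" is at least MIN_MAJOR.MIN_MINOR, else 1.
splunk_version_ok() {
    ver=$1
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    case $major in ''|*[!0-9]*) return 1 ;; esac
    case $minor in ''|*[!0-9]*) minor=0 ;; esac
    [ "$major" -gt "$MIN_MAJOR" ] ||
        { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; }
}

# Return 0 if a TCP connection to host:port opens within $3 seconds (default 5).
# Uses nc when present, otherwise bash's /dev/tcp pseudo-device.
tcp_reachable() {
    host=$1; port=$2; secs=${3:-5}
    if command -v nc >/dev/null 2>&1; then
        nc -z -w "$secs" "$host" "$port" >/dev/null 2>&1
    else
        timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

report() { printf '%-4s %s\n' "$1" "$2"; }

run_checklist() {
    SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
    fail=0

    # 1. Splunk version on this host
    raw=$("$SPLUNK_HOME/bin/splunk" version 2>/dev/null || true)
    ver=$(parse_splunk_version "$raw")
    if [ -n "$ver" ] && splunk_version_ok "$ver"; then
        report OK   "Splunk $ver meets the 6.4.x-or-above requirement"
    else
        report FAIL "Splunk version '${ver:-unknown}' is below 6.4 or not detected"; fail=1
    fi

    # 2. Email feature: outbound HTTPS to the Email Security.cloud data feed
    if tcp_reachable "$EMAIL_FEED_HOST" 443; then
        report OK   "$EMAIL_FEED_HOST:443 reachable"
    else
        report FAIL "$EMAIL_FEED_HOST:443 not reachable (Email feature)"; fail=1
    fi

    # 3. Endpoint/Network features: outbound HTTPS to each ATP/SEDR instance
    for h in ${EDR_HOSTS:-}; do
        if tcp_reachable "$h" 443; then
            report OK   "$h:443 reachable"
        else
            report FAIL "$h:443 not reachable (Endpoint/Network features)"; fail=1
        fi
    done

    # 4. Adaptive Response: Splunk Enterprise Security present on this host
    # (SplunkEnterpriseSecuritySuite is assumed to be ES's default app directory)
    if [ -d "$SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite" ]; then
        report OK   "Splunk Enterprise Security installed (Adaptive Response)"
    else
        report WARN "Splunk Enterprise Security not found; Adaptive Response needs it"
    fi
    return $fail
}

if [ "${EDR_PRECHECK_RUN:-0}" = "1" ]; then
    run_checklist
fi
```

Run it as `EDR_HOSTS="sedr1.example.internal sedr2.example.internal" EDR_PRECHECK_RUN=1 sh edr_precheck.sh` (hostnames are placeholders). In a distributed deployment, run it on each forwarder for the connectivity items and on the search head for the Enterprise Security item. The script only proves that a TCP handshake on port 443 succeeds; it does not validate TLS certificates or the API credentials, which the Add-On install steps cover.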

 

To download install material for Symantec EDR App for Splunk and Symantec EDR Add-On for Splunk

  1. For Symantec EDR App for Splunk, navigate to https://splunkbase.splunk.com/app/3453/
  2. Click "Login to Download" and provide your Splunkbase credentials
  3. For Symantec EDR Add-On for Splunk, navigate to https://splunkbase.splunk.com/app/3454/
  4. Click "Login to Download" and provide your Splunkbase credentials

Latest link: Splunk Downloads

 

What next?

For detailed installation steps, including steps for identifying and obtaining the needed credentials, see the Symantec™ Endpoint Detection and Response App for Splunk Administration Guide.