Splunk TA App "update password" does not function correctly


Article ID: 184930


Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

With the Symantec EDR Add-on for Splunk app version 1.0.5 - 1.1.0 installed on a Splunk 7.3.1 instance, adding a new password (provided in client_id:client_secret format) in order to use a new OAuth token created on the targeted EDR appliance does not work as expected.

There are no apparent errors in the UI-accessible logs of either Splunk or the Symantec Endpoint Detection and Response (SEDR) 4.x appliance console.

Other relevant symptoms:

+++ On the ATP App for Splunk, on the Protection at a Glance control point, the following symptoms occur:
1. The Open Incidents widget is 0 events and 0%
2. The File Reputation (Insight) widget shows 0 events and -100%

+++ When searching Splunk, the available eventtypes for recent events from SEDR are:
symantec:atp:endpoint
symantec:atp:network


+++ The event types which do not appear are:
symantec:atp:incidentevents
symantec:atp:incidents

Despite these symptoms, the Settings > Data Sharing page of the SEDR UI may show the Status of the Splunk connector as "Healthy".

Cause

The app appears to continue to use the "old" password and therefore fails to authenticate to the SEDR appliance if this "old" token is expired or no longer available.

Resolution

Symantec resolved this issue starting with Symantec EDR Add-On for Splunk v1.2.0 and later.

Workaround:

Do one of the following:

  • Disable, save then re-enable and configure the Symantec ATP App for Splunk, or
  • Uninstall and re-install Symantec ATP App for Splunk, then re-configure.