Integrate SEP Mobile with Splunk or another SIEM
search cancel

Integrate SEP Mobile with Splunk or another SIEM


Article ID: 191848


Updated On:


Endpoint Protection Mobile


Integrating SEP Mobile with Splunk, Arcsight, Fortinet, Microsoft, LogRhythm, McAfee, RSA NetWitness, IBM QRadar, or another syslog/SIEM vendor.


Go to Settings>Integrations>Security Incidents Feed.

Under SIEM INTEGRATION check the box for Export system events to the organization's SIEM

Select your SIEM vendor from the available options for SIEM. If your vendor is not listed select Other syslog (CEF).

Select the protocol used by your vendor from:
  • SSL/TLS (over TCP)
  • TCP
  • UDP
Enter the IP Address / Hostname of your SIEM. NOTE: The address of your SIEM needs to be reachable from the internet. For on-premise SIEM solutions, provide an externally available IP address for your organization and ensure your internal network is configured to forward the SEP Mobile traffic to the SIEM. See Setting up your network configuration for Symantec Endpoint Protection Mobile to see where the SEP Mobile traffic will come from.

Enter the Port your SIEM uses for communication.

After entering the required information Apply Changes.

See Common Event Format (CEF) integration based on security incidents for additional details.