Integrate SEP Mobile with Splunk or another SIEM

Article ID: 191848

Products

Endpoint Protection Mobile

Issue/Introduction

This article describes how to integrate SEP Mobile with Splunk, Arcsight, Fortinet, Microsoft, LogRhythm, McAfee, RSA NetWitness, IBM QRadar, or another syslog/SIEM vendor.

Resolution

Go to Settings > Integrations > Security Incidents Feed.

Under SIEM INTEGRATION, check the box for "Export system events to the organization's SIEM".

Select your SIEM vendor from the available options for SIEM. If your vendor is not listed select Other syslog (CEF).

Select the protocol used by your vendor from:
  • SSL/TLS (over TCP)
  • TCP
  • UDP

Enter the IP Address / Hostname of your SIEM. NOTE: The address of your SIEM needs to be reachable from the internet. For on-premise SIEM solutions, provide an externally available IP address for your organization and ensure your internal network is configured to forward the SEP Mobile traffic to the SIEM. See Setting up your network configuration for Symantec Endpoint Protection Mobile to see where the SEP Mobile traffic will come from.

Enter the Port your SIEM uses for communication.

After entering the required information, click Apply Changes.

See Common Event Format (CEF) integration based on security incidents for additional details.
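As an added example that is not part of this article or of the SEP Mobile product, the following Python parser shows how a receiving SIEM or collector can decode the CEF-over-syslog lines produced when Other syslog (CEF) is selected, including the escaped pipe and equals characters the CEF format allows. The sample event, vendor name and extension fields are constructed for illustration and are not taken from the real SEP Mobile feed.

```python
"""Receiver-side parser for CEF syslog lines (added example, not Symantec code)."""
import re

# CEF header fields in order; the extension (key=value pairs) follows the 7th '|'.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# A value runs until the next " key=" token or end of line; keys are alphanumeric,
# so an escaped "\=" inside a value is not mistaken for a new key.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.DOTALL)

# Constructed sample: syslog prefix + CEF payload. Vendor/product/fields are made up.
SAMPLE_EVENT = (
    "<13>Mar 01 12:00:00 mobile-feed "
    "CEF:0|ExampleVendor|ExampleMobileProduct|1.0|100|Risky Wi\\|Fi network|7|"
    "rt=1709294400000 src=10.0.0.25 msg=Captive portal\\=suspicious "
    "cs1Label=deviceId cs1=DEV-0001"
)


def _split_header(text):
    """Split the CEF header on unescaped '|' (header escapes are '\\|' and '\\\\')."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped char: take it literally
            cur.append(text[i + 1]); i += 2; continue
        if ch == "|":                               # unescaped separator
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) < 7 and cur:                     # line without trailing '|'
        fields.append("".join(cur))
    return fields, text[i:]


def _unescape_ext(value):
    """Undo the extension-value escapes defined by CEF."""
    return (value.replace("\\=", "=").replace("\\n", "\n")
                 .replace("\\r", "\r").replace("\\\\", "\\"))


def parse_cef(line):
    """Return header fields plus an 'extension' dict, or None if the line is not CEF."""
    idx = line.find("CEF:")                          # skip any syslog prefix
    if idx < 0:
        return None
    fields, ext = _split_header(line[idx + len("CEF:"):].rstrip("\r\n"))
    if len(fields) != 7:
        return None
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = {k: _unescape_ext(v) for k, v in _EXT_PAIR.findall(ext)}
    return event
```

Lines that are not CEF (for example, plain syslog noise on the same port) yield None, so a collector can route them separately instead of dropping the whole stream.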