Integrating SEP Mobile with Splunk, ArcSight, Fortinet, Microsoft, LogRhythm, McAfee, RSA NetWitness, IBM QRadar, or another syslog/SIEM vendor.
Go to Settings>Integrations>Security Incidents Feed.
Under SIEM INTEGRATION, check the box for Export system events to the organization's SIEM.
Select your SIEM vendor from the available options for SIEM. If your vendor is not listed select Other syslog (CEF).
Select the protocol used by your vendor from:
Enter the IP Address / Hostname of your SIEM. NOTE: The address of your SIEM must be reachable from the internet. For on-premise SIEM solutions, provide an externally available IP address for your organization and ensure your internal network is configured to forward the SEP Mobile traffic to the SIEM. See Setting up your network configuration for Symantec Endpoint Protection Mobile to learn which addresses the SEP Mobile traffic will come from, so that only those sources are forwarded to the SIEM listener.
Enter the Port your SIEM uses for communication.
After entering the required information, click Apply Changes.
See Common Event Format (CEF) integration based on security incidents for additional details.
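The following is an added example, not code from Symantec or from this page: a small receiver-side helper that parses the Other syslog (CEF) records the steps above export and checks that an event arrived from one of the source networks you allow-listed for SEP Mobile traffic. The sample line, the signature ID 1001, the event name and the 203.0.113.0/24 source range are constructed placeholders; take the real source addresses from the network configuration article referenced above.

```python
import ipaddress
import re

# The seven pipe-delimited CEF header fields, in order.
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample, shaped like a syslog line carrying a CEF record.
# Vendor/product follow the page; signature ID, name and values are made up.
SAMPLE_LINE = ("<14>Oct 10 12:00:00 sep-mobile CEF:0|Symantec|SEP Mobile|1.0|1001|"
               "Risky app detected|7|src=10.0.0.5 suser=jdoe "
               "msg=App name\\= Foo Bar cs1Label=Risk level cs1=High")

def _split_header(text):
    """Return (7 header fields, extension string), honouring \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped char: take it literally
            cur.append(text[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, text[i:]

_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of a key=value pair

def _parse_extension(ext):
    """Parse 'k=v k2=v with spaces' pairs; values may carry \\= and \\\\ escapes."""
    out, matches = {}, list(_KEY.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_cef(line):
    """Parse one syslog line containing a CEF record into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    fields, ext = _split_header(line[start + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = _parse_extension(ext)
    return event

def from_expected_source(peer_ip, allowed_cidrs):
    """True if the transport-layer sender is inside an allow-listed network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(c) for c in allowed_cidrs)
```

Events whose sender fails from_expected_source should be dropped before parsing, since the listener is internet-reachable and the transport source is the only check available on plain UDP syslog.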