Release Notes for EDR Add-On for Splunk
Article ID: 204594

Products

Endpoint Detection and Response Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

Where are the Release Notes for EDR Add-On for Splunk?

Resolution

Release Notes for EDR Add-On for Splunk:

* Symantec EDR Add-On for Splunk is a Technology Add-on for Symantec EDR App for Splunk (symantec_atp_app). EDR Add-On for Splunk retrieves log entries from EDR using the EDR public API. Before installing EDR Add-On for Splunk and EDR App for Splunk for the first time, please see:

 


KNOWN ISSUES

  • When this app is installed, the following error is logged in splunkd.log. It is caused by a dependency on the Splunk Enterprise Security Adaptive Response framework and can be ignored if the Adaptive Response feature is not being used; alternatively, the Adaptive Response related saved searches can be disabled:
     "Error in 'sendalert' command: Alert action "notable" not found"

  • Splunk Enterprise Security Suite has some browser compatibility issues. Because of these, taking an Adaptive Response Action sometimes fails with the following message on screen:
        "Symantec EDR Delete File on Device" could not be dispatched
      In this scenario, it is recommended to switch to a different browser and try again.

  • When a "Symantec EDR Delete File on Device" action is taken on an event with too many File Hashes and Device UIDs, the add-on divides the File Hashes and Device UIDs into groups of 7 and automatically takes multiple "Symantec EDR Delete File on Device" actions. Each of these actions sends several File Hashes and Device UIDs to EDR Manager in a single API call. If any one of the devices in that call does not contain a file with the provided hash, the whole action is reported with a failed status, because EDR returns the following response for that API call:
        "One or more of the targets is not a valid device file pair."
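The batching behaviour and its failure mode described in the known issue above, as an added example (this is not the add-on's own code). The EDR Manager is replaced by a constructed in-memory stub (FakeEdr) that rejects an entire call when any device/hash pair is invalid, exactly as the release note describes; the request shape, the stub, the sample inventory and the target list are all assumptions for illustration. The example goes one step beyond the add-on's documented behaviour: when a batch of 7 is rejected with the "not a valid device file pair" message, it retries each pair singly so the valid deletions still go through and the offending pairs are identified.

```python
"""Batch "Delete File on Device" targets in groups of 7 and recover from a
batch-level rejection.  Added example with a simulated EDR Manager; not the
Symantec EDR Add-On for Splunk's own code."""
from copy import deepcopy
from itertools import islice

BATCH_SIZE = 7  # group size the add-on uses for Delete File on Device actions
INVALID_PAIR_MSG = "One or more of the targets is not a valid device file pair."

# Constructed stand-ins for SHA256 values (64 hex chars in real data).
FAKE_SHA = {name: (name[-1] * 64) for name in ("h1", "h2", "h3", "h4", "h5", "h6")}

# Constructed inventory (assumption): which devices actually hold which hashes.
FAKE_INVENTORY = {
    "dev-01": {FAKE_SHA["h1"], FAKE_SHA["h2"]},
    "dev-02": {FAKE_SHA["h1"]},
    "dev-03": {FAKE_SHA["h3"]},
    "dev-04": {FAKE_SHA["h4"], FAKE_SHA["h5"], FAKE_SHA["h6"]},
}

# Ten (device_uid, sha256) pairs: batch 1 (7 pairs) contains three pairs that
# no device holds; batch 2 (3 pairs) is entirely valid.
SAMPLE_TARGETS = [
    ("dev-01", FAKE_SHA["h1"]), ("dev-01", FAKE_SHA["h2"]),
    ("dev-02", FAKE_SHA["h1"]), ("dev-02", FAKE_SHA["h2"]),   # invalid
    ("dev-03", FAKE_SHA["h3"]), ("dev-03", FAKE_SHA["h1"]),   # invalid
    ("dev-01", FAKE_SHA["h3"]),                               # invalid
    ("dev-04", FAKE_SHA["h4"]), ("dev-04", FAKE_SHA["h5"]), ("dev-04", FAKE_SHA["h6"]),
]


class FakeEdr:
    """Simulated EDR Manager (assumption): one call carries many targets and is
    rejected as a whole if any single device/hash pair is invalid."""

    def __init__(self, inventory):
        self.inventory = deepcopy(inventory)
        self.api_calls = 0

    def delete_files(self, targets):
        self.api_calls += 1
        for device_uid, sha256 in targets:
            if sha256 not in self.inventory.get(device_uid, set()):
                return {"status": "failed", "message": INVALID_PAIR_MSG}
        for device_uid, sha256 in targets:
            self.inventory[device_uid].discard(sha256)
        return {"status": "ok", "deleted": len(targets)}


def chunked(items, size):
    """Yield successive lists of at most `size` items."""
    it = iter(items)
    while True:
        chunk = list(islice(it, size))
        if not chunk:
            return
        yield chunk


def delete_file_on_device(edr, targets, batch_size=BATCH_SIZE):
    """Dispatch deletions in batches; map each pair to 'deleted', 'invalid' or 'error'."""
    results = {}
    for batch in chunked(targets, batch_size):
        resp = edr.delete_files(batch)
        if resp["status"] == "ok":
            results.update((pair, "deleted") for pair in batch)
            continue
        if resp.get("message") != INVALID_PAIR_MSG:
            # Some other failure (transport, auth, ...): nothing we can salvage here.
            results.update((pair, "error") for pair in batch)
            continue
        # Whole batch rejected because at least one pair is bad: retry each pair
        # on its own so valid deletions still happen and bad pairs are pinpointed.
        for pair in batch:
            single = edr.delete_files([pair])
            results[pair] = "deleted" if single["status"] == "ok" else "invalid"
    return results


def run_example():
    """Run the sample scenario; returns (per-pair results, number of API calls)."""
    edr = FakeEdr(FAKE_INVENTORY)
    results = delete_file_on_device(edr, SAMPLE_TARGETS)
    return results, edr.api_calls


if __name__ == "__main__":
    res, calls = run_example()
    for (dev, sha), status in res.items():
        print(f"{dev} {sha[:12]}... {status}")
    print(f"API calls: {calls}")
```

With the sample data the first batch is rejected and replayed as seven single-pair calls, while the second batch succeeds in one call: nine API calls in total, seven pairs deleted and three reported as invalid instead of the whole action being marked failed.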

FIXED ISSUES BY VERSION

Version 1.5.0

    • Updated app to support Python 3 for Splunk 8.1.x and above.
    • The app no longer supports Python 2.x.
    • App can be reconfigured by accessing 'Apps'-> 'Manage Apps' -> 'Symantec EDR Add-on for Splunk' -> 'Set up'.

Version 1.4.0

    • Updated queries to use the "log_time" for querying incident events and "updated_time" for querying incidents to avoid missing events in case of latency.
    • Changes to use the EDR v2 public APIs instead of EDR v1 public APIs.

Version 1.3.0

    • Compatible with:
         Splunk Enterprise version: 7.0.x, 7.1.x and 7.2.x
         Common Information Model: 4.6

Version 1.2.0

    • Fix for cloud vetting checks

Version 1.1.0

    •   Added Blacklist policy Adaptive Response (AR) action for sha256, url, domain, ip
    •   Added Whitelist policy Adaptive Response (AR) action for sha256, url, domain, ip, md5

Version 1.0.8

    • Renamed all UI occurrences of ATP to EDR

Version 1.0.7

    • Resolved App Certification failures

Version 1.0.6

    • Enabled SSL certificate verification by default. Users who upgrade to 1.0.6 can disable it from the setup page.
    • Added proxy feature in setup page.
    • Added validation for all the inputs in setup page.
    • Changed logs to avoid log injection issues.

Version 1.0.5

    •   Added client side validation for setup page.
    •   Added support to enable/disable SSL certificate validation in setup page

Version 1.0.4

    • Changed Email Security.cloud default data collection interval to 15 minutes instead of 1 hour.

Version 1.0.3

    •   Version change to manage dependency with Symantec ATP App for Splunk.
    •   Extracted Device UID for symantec:atp:network and symantec:atp:endpoint sourcetypes.
    •   Synced background color of transparent Symantec Logo images with Symantec ATP App for Splunk.
    •   Handled too many File Hashes and Device UIDs in a single Event in "Symantec ATP Delete File on Device" Adaptive Response Action.
    •   Field extraction optimizations.
    •   Changed default log level to ERROR. The log level can be changed by editing the default value in logger_manager.py.
    •   Updated Known Issues section in README.txt

Version 1.0.2

    •   Version change to manage dependency with Symantec ATP App for Splunk.

Version 1.0.1

    • Resolved issue of Incident Data Collection in Splunk 6.4.x.
    • Default Adaptive Response index changed to main instead of summary.
    • Updated App description and License URL in app.conf and README.
    • UTF 8 compliant README.
    • Fixed Typos and other minor bug fixes.