
"Fail: API password is invalid" when configuring Symantec EDR App for QRADAR to retrieve logs from SES Complete web portal


Article ID: 227006


Updated On:

Products

Endpoint Detection and Response Cloud

Issue/Introduction

When attempting to configure the Symantec EDR App for QRADAR with an OID and client secret from the SES Complete web portal, the app displays the authentication error "Fail: API password is invalid."

Environment

  • Symantec Endpoint Security (SES) Complete web portal
  • Symantec EDR App for QRADAR v1.5.0
  • QRADAR

Resolution

Symantec EDR App for QRadar v1.5.0 supports Endpoint Detection and Response (EDR) appliance versions 3.2 to 4.1.
Symantec EDR App for QRadar v1.5.0 requires QRadar version 7.3.1 or above.
The EDR portion, or Incidents tab, of the SES Complete web portal has an API which is similar to, but different from, the REST API of the EDR appliance.

The API of SES Complete portal does not meet the requirements for Symantec EDR App for QRADAR 1.5.0 or earlier versions.

Additional Information

The following options are available for piping EDR events into QRADAR:

  • SES Complete > ICDx > QRadar with the Symantec ICDx Content Pack for QRadar
       PROs: No need to roll out EDR on-prem appliance(s)
       CONs: Limitation: no EAR events

  • Symantec EDR on-prem appliance > ICDx > QRadar with the Symantec ICDx Content Pack for QRadar
       PROs: No limitation: gets all EAR events
             Scales to ~2000 events per second
       CONs: Requires rollout of EDR physical appliance(s) or a virtual appliance on a VMware server
             See the system requirements for EDR on-prem appliances here:
             https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-6/about-v96380626-d38e6/system-requirements-for-the-virtual-appliance-v96381064-d38e7045.html

  • NOT RECOMMENDED: Symantec EDR on-prem appliance > QRADAR with the EDR App for QRADAR
       PROs: No limitation: gets all EAR events, performance permitting
             May work for small environments
       CONs: Requires rollout of EDR physical appliance(s) or a virtual appliance on a VMware server
             Not performant: ~500 events per second

  • Bring Your Own App (BYOA): Symantec Endpoint Security Complete web portal > your own custom QRADAR app built on the public API for SES Complete
       PROs: You maintain your own code, so you can fix issues quickly
       CONs: Your org's local development team maintains another app. Broadcom Support will provide best-effort support, oriented towards possible defects within the REST API and/or downtime of the API servers.


Broadcom Software has scheduled ICDx for feature deprecation in May 2022.
By that time, a new version of the EDR on-prem appliance will include a replacement feature that natively sends events to QRADAR.


Other references: