Symantec SOC View TA 2.0 does not display any new events from Symantec Endpoint Security (SES) Complete after November 10
The Symantec SOC View TA which calls “/v1/event-export” API to retrieve the SES events was previously using 4000 as a default value for the “limit” parameter
The documentation for “/v1/event-export” API at https://apidocs.securitycloud.symantec.com/#/doc?id=ses_event_export mentioned the maximum supported limit as 1000
To align with documentation, Broadcom updated the backend to support the limit to 1000 and return an error if API caller used a value greater than 1000
This resulted in SOC View TA failing to retrieve Events from SES using “/v1/event-export” public API
BROADCOM resolved this issue in Symantec SOC View TA 2.1.
Please download and install the latest version of Symantec SOC View TA 2.1. If you are not able to install the new version immediately, the following steps will workaround the issue.
· Login to the on premise server running the Splunk instance with SOC View TA version 2.0
· Edit configuration file $SPLUNK_HOME/etc/apps/TA-symantec_soc_view/ta_symantec_soc_view_settings.conf
· Change SIEM_LIMIT configuration parameter from value 4000 to 1000
· No need to restart Splunk services