
Symantec SOC View TA 2.0 does not display any new events from Symantec Endpoint Security (SES) Complete after November 10


Article ID: 229828


Products

Endpoint Security Complete

Issue/Introduction

After November 10, Symantec SOC View TA 2.0 no longer shows any new events from Symantec Endpoint Security (SES) Complete.

Cause

The Symantec SOC View TA retrieves SES events by calling the “/v1/event-export” API. Version 2.0 of the TA sent 4000 as the default value of the “limit” parameter.

The documentation for the “/v1/event-export” API at https://apidocs.securitycloud.symantec.com/#/doc?id=ses_event_export states that the maximum supported value for “limit” is 1000.

To align the service with its documentation, Broadcom changed the backend to enforce that maximum: a call that sets “limit” to a value greater than 1000 now returns an error instead of a result set.

Because SOC View TA 2.0 kept sending 4000, every call it made to the “/v1/event-export” public API after the change failed, so no new SES events were retrieved or displayed.
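The following is an added example, not Broadcom's code or the SOC View TA's own implementation: a caller of the “/v1/event-export” API that respects the documented maximum of 1000 for “limit” and pages through the export, alongside a constructed stand-in for the backend that rejects larger values the way the article describes. The request fields (“limit”, an integer “next” offset), the response shape (“events”, “next”) and the 400 status for a rejected limit are assumptions to be checked against the linked API reference before use against the real service.

```python
"""Added example, not Broadcom's or the SOC View TA's own code: call the SES
"/v1/event-export" API with a "limit" that never exceeds the documented
maximum of 1000 and page through the export, instead of asking for 4000 in
one request as SOC View TA 2.0 did.

Assumptions not confirmed by the article: the request body carries "limit"
and an integer "next" offset, the response is JSON with "events" and "next",
and a rejected limit comes back as HTTP 400.
"""
from typing import Any, Callable, Dict, List, Optional, Tuple

EVENT_EXPORT_PATH = "/v1/event-export"
MAX_LIMIT = 1000        # maximum "limit" per the API documentation
LEGACY_TA_LIMIT = 4000  # what SOC View TA 2.0 sent; rejected after November 10

# Transport: post(path, body) -> (status_code, parsed_json_body).
# In production this wraps an authenticated HTTP client; here it is injectable
# so the example runs offline.
Poster = Callable[[str, Dict[str, Any]], Tuple[int, Dict[str, Any]]]


class EventExportError(Exception):
    """Raised when the API returns a non-200 status."""


def build_body(limit: int, next_offset: Optional[int] = None) -> Dict[str, Any]:
    """Build one request body, refusing a limit the API will reject."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}, got {limit}")
    body: Dict[str, Any] = {"limit": limit}
    if next_offset is not None:
        body["next"] = next_offset  # continuation value from the previous page (assumed field)
    return body


def export_events(post: Poster, limit: int = MAX_LIMIT,
                  max_pages: int = 1000) -> List[Dict[str, Any]]:
    """Collect every event by following "next" until the API stops returning one."""
    events: List[Dict[str, Any]] = []
    next_offset: Optional[int] = None
    for _ in range(max_pages):  # hard stop so a misbehaving "next" cannot loop forever
        status, payload = post(EVENT_EXPORT_PATH, build_body(limit, next_offset))
        if status != 200:
            raise EventExportError(f"HTTP {status}: {payload}")
        events.extend(payload.get("events", []))
        next_offset = payload.get("next")
        if next_offset is None:
            break
    return events


def make_fake_backend(total_events: int) -> Poster:
    """Constructed stand-in for the post-November-10 backend (not the real service)."""
    store = [{"id": i, "type_id": "constructed"} for i in range(total_events)]

    def post(path: str, body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
        if path != EVENT_EXPORT_PATH:
            return 404, {"message": "not found"}
        limit = int(body.get("limit", 0))
        if limit > MAX_LIMIT:  # the enforcement the article describes
            return 400, {"message": f"limit must not exceed {MAX_LIMIT}"}
        start = int(body.get("next", 0))
        page = store[start:start + limit]
        end = start + len(page)
        return 200, {"events": page, "next": end if end < len(store) else None}

    return post


def legacy_call_succeeds(post: Poster) -> bool:
    """Reproduce SOC View TA 2.0's single request with limit=4000 (bypasses build_body)."""
    status, _ = post(EVENT_EXPORT_PATH, {"limit": LEGACY_TA_LIMIT})
    return status == 200


if __name__ == "__main__":
    backend = make_fake_backend(2500)
    print("limit=4000 accepted:", legacy_call_succeeds(backend))
    print("events retrieved with limit=1000 and paging:", len(export_events(backend)))
```

The point of the paging loop is that a consumer which needs more than 1000 events per poll keeps the per-request size at the documented maximum and iterates, rather than raising the limit; the same change is what the TA's SIEM_LIMIT workaround makes on the configuration side.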

Resolution

Broadcom resolved this issue in Symantec SOC View TA 2.1.

Download and install the latest version, Symantec SOC View TA 2.1. If you cannot install the new version immediately, the following steps work around the issue.


Workaround:

- Log in to the on-premises server running the Splunk instance with SOC View TA version 2.0.
- Edit the configuration file $SPLUNK_HOME/etc/apps/TA-symantec_soc_view/ta_symantec_soc_view_settings.conf.
- Change the SIEM_LIMIT configuration parameter from 4000 to 1000 (the maximum the “/v1/event-export” API accepts).
- Splunk services do not need to be restarted.
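The following is an added example, not part of the Broadcom article: a script that applies the SIEM_LIMIT workaround to the settings file at the path the article names, keeps a backup of the original, and verifies the resulting value. That the file holds a plain “SIEM_LIMIT = <n>” line is an assumption about its layout; the sample file contents used in the demo are constructed.

```python
"""Added example, not part of the Broadcom article: apply the SIEM_LIMIT
workaround to the SOC View TA 2.0 settings file and verify the result.

The file path is the one the article gives. That the file contains a plain
"SIEM_LIMIT = <n>" line is an assumption about its layout.
"""
import os
import re
import shutil
import tempfile
from typing import Optional, Tuple

MAX_LIMIT = 1000  # maximum "limit" the /v1/event-export API accepts
SETTINGS_RELPATH = os.path.join(
    "etc", "apps", "TA-symantec_soc_view", "ta_symantec_soc_view_settings.conf"
)
_SIEM_LIMIT_LINE = re.compile(r"^(?P<lead>\s*SIEM_LIMIT\s*=\s*)(?P<value>\d+)(?P<rest>.*)$")


def read_siem_limit(text: str) -> Optional[int]:
    """Return the first SIEM_LIMIT value found in the file text, or None if absent."""
    for line in text.splitlines():
        m = _SIEM_LIMIT_LINE.match(line)
        if m:
            return int(m.group("value"))
    return None


def cap_siem_limit(text: str, cap: int = MAX_LIMIT) -> Tuple[str, bool]:
    """Rewrite any SIEM_LIMIT above `cap` to `cap`, leaving every other line intact.

    Returns (new_text, changed). A value already at or below the cap is left alone.
    """
    out, changed = [], False
    for line in text.splitlines(keepends=True):
        stripped = line.rstrip("\r\n")
        m = _SIEM_LIMIT_LINE.match(stripped)
        if m and int(m.group("value")) > cap:
            newline = line[len(stripped):]  # preserve the original line ending
            line = f"{m.group('lead')}{cap}{m.group('rest')}{newline}"
            changed = True
        out.append(line)
    return "".join(out), changed


def apply_workaround(splunk_home: str) -> Tuple[Optional[int], Optional[int]]:
    """Cap SIEM_LIMIT in the TA settings file under `splunk_home`, keeping a .bak copy.

    Returns (value_before, value_after). Per the article, Splunk does not need to
    be restarted afterwards.
    """
    path = os.path.join(splunk_home, SETTINGS_RELPATH)
    with open(path, encoding="utf-8") as fh:
        before_text = fh.read()
    before = read_siem_limit(before_text)
    after_text, changed = cap_siem_limit(before_text)
    if changed:
        shutil.copy2(path, path + ".bak")  # keep the original for rollback
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(after_text)
    return before, read_siem_limit(after_text)


def demo() -> Tuple[Optional[int], Optional[int]]:
    """Run the workaround against a constructed settings file in a throwaway SPLUNK_HOME."""
    sample = (
        "[general]\n"
        "# constructed sample, not the shipped file\n"
        "SIEM_LIMIT = 4000\n"
        "other_setting = unchanged\n"
    )
    with tempfile.TemporaryDirectory() as splunk_home:
        path = os.path.join(splunk_home, SETTINGS_RELPATH)
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        result = apply_workaround(splunk_home)
        assert os.path.exists(path + ".bak")  # original preserved
        return result


if __name__ == "__main__":
    print("SIEM_LIMIT before/after:", demo())
```

Run it against the real installation with `apply_workaround(os.environ["SPLUNK_HOME"])` from an account that can write the TA's app directory; the returned pair lets you confirm the value actually changed before you wait for events to resume.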