Failed Symantec EDR integration with Symantec ICA
search cancel

Failed Symantec EDR integration with Symantec ICA

book

Article ID: 234250

calendar_today

Updated On:

Products

Information Centric Analytics

Issue/Introduction

After following the instructions for integrating Symantec Endpoint Detection and Response (EDR) with Information Centric Analytics (ICA), no EDR events are displayed in the ICA console.

Environment

Release : 6.x

Component : Symantec EDR Import Utility

Cause

The instructions provided in the Integrating Symantec Endpoint Detection and Response with Symantec ICA integration guide are incomplete and contain typographical errors.

Resolution

The procedure for integrating EDR with ICA in the Integration and Solution Accelerator Guide will be updated and corrected with a future release of ICA.

To integrate EDR with ICA after initially attempting the integration per the guide, follow this procedure:

  1. Run the following query to determine whether the staging table exists:

    SELECT *
    FROM sys.all_objects
    WHERE [type] = 'U'
    AND   [name] IN ('Stg_SymantecATP_EPEvents','stg_SymantecEDR_EPEvents');

  2. If no results are returned, proceed to step 4; otherwise, proceed to step 3
  3. Drop the table Stg_SymantecATP_EPEvents using the following statement:

    USE RiskFabric;
    GO

    DROP TABLE dbo.Stg_SymantecATP_EPEvents;

  4. Use this query to identify any linked servers pointing to the EDR data warehouse (DW):

    USE RiskFabric;
    GO

    SELECT *
    FROM dbo.LinkedServers
    WHERE LinkedServerType = 'SQL Server IW'
    AND   (
      LinkedServerLabel = 'Symantec ATP' OR
      [Database] = 'SymantecEDRDW'
    );

  5. If linked servers are returned, edit this statement to include the LinkedServerID values in the parentheses below (e.g., WHERE LinkedServerID IN (24, 26)):

    USE RiskFabric;
    GO

    DELETE
    FROM dbo.LinkedServers
    WHERE LinkedServerID IN ();

    NOTE: Replace <LinkedServerID> with the LinkedServerID(s) from step 4. If more than one ID must be entered, separate them by a comma.
  6. Set the variable @DataSourceQueryIndex = NULL in the stored procedure dbo.spIW_UpdateDataSourceQuery by following these steps:
    1. Navigate in Object Explorer to Databases > RiskFabric > Programmability > Stored Procedures
    2. Right-click dbo.spIW_UpdateDataSourceQuery and select Script Stored Procedure as > CREATE To > New Query Editor Window
    3. In the new query editor window, locate the following on line 11:

      CREATE PROCEDURE [dbo].[spIW_UpdateDataSourceQuery]

      Modify that line to this:

      CREATE PROCEDURE [dbo].[spIW_UpdateDataSourceQuery_RF21546]

    4. Execute the script by pressing the F5 key, selecting Execute from the Query menu, or by clicking the Execute button in the SQL Editor toolbar
    5. In Object Explorer, right-click dbo.spIW_UpdateDataSourceQuery and select Modify
    6. In the new query editor window, locate the variable @DataSourceQueryIndex on line 14 and modify that line to match this:

      @DataSourceQueryIndex nvarchar(max) = NULL, /* RF-21546 */

    7. Execute the script by pressing the F5 key, selecting Execute from the Query menu, or by clicking the Execute button in the SQL Editor toolbar
  7. Modify the unattended install script referenced in the section of the integration guide titled Configuring the Integration Wizard Components as follows:

    USE RiskFabric;
    GO
    EXEC spIW_UnattendedInstallSymantecATP
         @i_bUpdateExisting = 1,
         @i_sLinkedServerDataSource = '<SQL Server hostname>',
         @i_sLinkedServerCatalog = 'SymantecEDRDW',
         @i_nJobIntervalMinutes = 60,
         @i_bRunDataSourceQueries = 1;

    NOTE: Modify this script to replace <SQL Server hostname> with the hostname of your SQL Server.
  8. Execute the modified unattended install script by pressing the F5 key, selecting Execute from the Query menu, or by clicking the Execute button in the SQL Editor toolbar
  9. Identify the RiskFabric_IW_DataSourceQueryID_<n> job that corresponds to the EDR integration. To obtain the ID for this job, execute the following query:

    USE RiskFabric;
    GO

    SELECT DataSourceQueryID
    FROM   IW_DataSourceQuery
    WHERE  LinkedServerID IN (<LinkedServerID>);

    NOTE: Replace <LinkedServerID> with the LinkedServerID(s) from step 4. If more than one ID must be entered, separate them by a comma.
  10. In Object Explorer, navigate to SQL Server Agent > Jobs
  11. Right-click the RiskFabric_IW_DataSourceQueryID_<n> job identified in step 9 and select Start Job at Step...
  12. In the Start Job window, select Step ID 1 and click the Start button
  13. Once the job completes, right-click the job RiskFabric Processing and select Start Job at Step...
  14. In the Start Job window, select Step ID 1 and click the Start button
Powered by Wolken Software