EU Tenant API not working



Article ID: 259119

Products

Endpoint Security Complete

Issue/Introduction

By design, the ICDx middleware application only works with the US tenant.

The ICDx middleware application was announced as EOL in September 2022, moving to a maintenance support mode for 12 months before being fully withdrawn. This was communicated to customers (via a note in the monthly customer newsletter) and via internal comms to sales and partners.

The download portal for ICDx also has this messaging:

"End-of-Life for Symantec Integrated Cyber Defense Exchange (ICDx)

Effective September 30, 2023, Integrated Cyber Defense Exchange (ICDx) will no longer be available for download from the Symantec TIPP Portal. Although customers can use ICDx beyond this date, extended support for ICDx beyond September 2023 will not be available from Broadcom Software/Symantec.

  • Symantec will continue to offer technical support under the entitlement of the Symantec product that a customer was integrating via ICDx for 12 months, from September 30, 2022, through September 30, 2023.
     
  • Symantec will continue to release maintenance releases of the ICDx application to address component currency and vulnerabilities until September 30, 2023.
     
  • After September 30, 2023, the TIPP Integration portal will be updated and ICDx will no longer be available for download"

Given that the EU datacentre instance for SESC was GA'd in September 2022, there were never any plans to update the ICDx application specifically to support it: ICDx was already in maintenance mode, and customers are being recommended to find alternative data integration options rather than continue to use ICDx.

Resolution

There is a manual workaround for any customers that need this as a short-term fix while they consider an alternative to ICDx as a data integration solution.

The workaround is to change an ICDx instance's ICDm collectors to point to the EU instance (api.sep.eu.securitycloud.symantec.com) rather than the US instance (api.sep.securitycloud.symantec.com).

Assuming you have a single instance configured for each ICDm collector (ICDm events and ICDm incidents), there are three places per collector where the host must be changed for completeness (the collector version number in the first path, 1.1.0-21 below, may be different in your case):



The 1st file sets the default value used if you create any further instances of the collector.

The 2nd and 3rd files set the value for an instance of the collector that is already configured, so if you have more than one instance of a collector, edit the 2nd and 3rd files for each of them.

Do the same for the EDR incident collector, whose files live under sicdm_edr_col_dx-nnnnnn (with the corresponding version number).



1. /opt/symantec/icdx/sicdm_col_dx-1.1.0-21/repo/collector/network/sicdm_col_dx/.metadata

   Change the "default" value under "host" to api.sep.eu.securitycloud.symantec.com:

   {
     "name" : "Symantec Integrated Cyber Defense Manager",
     "desc" : "Collect events from Symantec Integrated Cyber Defense Manager",
     . . .
     "host" : {
       "name" : "Host",
       "desc" : "The ICDm host name.",
       "requirement": "system",
       "type" : "string",
       "default" : "api.sep.securitycloud.symantec.com"
     },
     . . .
   }



2. /opt/symantec/icdx/repo/collector/network/sicdm_col_dx/.json

   Change the "host" value under "config" > "collector" to api.sep.eu.securitycloud.symantec.com:

   {
     "name": "sicdm_events",
     . . .
     "config": {
       "collector": {
         "host": "api.sep.securitycloud.symantec.com",
         "client_id": "",
         "client_secret": "",
         "_is_encrypted:client_secret": true,
         "batch_size": 100,
         "read_interval": 5000,
         "idle_interval": 60000,
         "use_proxy": true
       },
       . . .
       "retention": 30
     }
   }



3. /opt/symantec/icdx/apps/collector/network/sicdm_col_dx//etc/collector.json

   Change the "host" value to api.sep.eu.securitycloud.symantec.com:

   {
     "host": "api.sep.securitycloud.symantec.com",
     "client_id": "",
     "client_secret": "",
     "_is_encrypted:client_secret": true,
     "batch_size": 100,
     "read_interval": 5000,
     "idle_interval": 60000,
     "use_proxy": true
   }





Please make sure that the permissions, owner and group of the files above are retained after editing.

If they change to "root" by chance, ICDx will not be able to read the files and will not start, so check them before restarting.
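A scripted form of the three edits above, added here as an example and not part of the Symantec article or of the ICDx product: it rewrites the host value in place through the existing inode (so owner, group and mode cannot change), keeps a backup copy, refuses to touch a file where the expected US host is not present, and verifies the result. The directory tree it builds for the demo, the 1.1.0-21 version in it and the BACKUP_DIR location are constructed stand-ins for this example; point the functions at your real paths instead.

```sh
#!/bin/sh
# Added example (not Symantec/Broadcom code): repoint the ICDm collector host
# in ICDx configuration files without disturbing their owner, group or mode.
# Assumes POSIX sh, sed, awk and ls; GNU stat is deliberately not used.

US_HOST="api.sep.securitycloud.symantec.com"
EU_HOST="api.sep.eu.securitycloud.symantec.com"

# Mode, owner and group of a file, as one string (portable via ls -ld).
file_ident() {
    ls -ld "$1" | awk '{print $1, $3, $4}'
}

# Print the first "host"/"default" string value found in a JSON-style file.
# Handles both `"host": "x"` and `"default" : "x"` spacing.
current_host() {
    awk '{
        if (match($0, /"(host|default)"[ \t]*:[ \t]*"[^"]*"/)) {
            s = substr($0, RSTART, RLENGTH)
            sub(/.*:[ \t]*"/, "", s); sub(/"$/, "", s)
            print s; exit
        }
    }' "$1"
}

# repoint_host FILE [OLD_HOST] [NEW_HOST]
# Exit codes: 0 ok, 2 no file, 3 OLD_HOST absent, 4 copy/sed failure,
# 5 owner/group/mode changed, 1 NEW_HOST not read back after the write.
repoint_host() {
    file=$1; old=${2:-$US_HOST}; new=${3:-$EU_HOST}
    [ -f "$file" ] || { echo "repoint_host: no such file: $file" >&2; return 2; }
    # Match the quoted value only, so a longer host name is never partially edited.
    grep -qF "\"$old\"" "$file" || { echo "repoint_host: \"$old\" not in $file" >&2; return 3; }
    before=$(file_ident "$file")
    backup="${BACKUP_DIR:-/var/tmp}/$(printf '%s' "$file" | tr / _).bak"
    cp -p "$file" "$backup" || return 4
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')   # escape dots for sed
    tmp=$(mktemp) || return 4
    sed "s#\"$old_re\"#\"$new\"#g" "$file" > "$tmp" || { rm -f "$tmp"; return 4; }
    cat "$tmp" > "$file"   # write through the existing inode: ownership and mode stay
    rm -f "$tmp"
    after=$(file_ident "$file")
    if [ "$before" != "$after" ]; then
        echo "repoint_host: owner/group/mode changed on $file ($before -> $after)" >&2
        return 5
    fi
    [ "$(current_host "$file")" = "$new" ]
}

# Constructed stand-in for the three files of the article, under ROOT instead
# of /opt/symantec/icdx (the collector instance id is omitted in the 3rd path).
make_sample_tree() {
    root=$1
    mkdir -p "$root/sicdm_col_dx-1.1.0-21/repo/collector/network/sicdm_col_dx" \
             "$root/repo/collector/network/sicdm_col_dx" \
             "$root/apps/collector/network/sicdm_col_dx/etc"
    cat > "$root/sicdm_col_dx-1.1.0-21/repo/collector/network/sicdm_col_dx/.metadata" <<EOF
{
  "name" : "Symantec Integrated Cyber Defense Manager",
  "host" : {
    "name" : "Host",
    "desc" : "The ICDm host name.",
    "default" : "$US_HOST"
  }
}
EOF
    cat > "$root/repo/collector/network/sicdm_col_dx/.json" <<EOF
{ "name": "sicdm_events", "config": { "collector": { "host": "$US_HOST", "use_proxy": true }, "retention": 30 } }
EOF
    cat > "$root/apps/collector/network/sicdm_col_dx/etc/collector.json" <<EOF
{
  "host": "$US_HOST",
  "client_id": "",
  "use_proxy": true
}
EOF
}

# The three files of the constructed tree, one per line.
sample_files() {
    printf '%s\n' \
      "$1/sicdm_col_dx-1.1.0-21/repo/collector/network/sicdm_col_dx/.metadata" \
      "$1/repo/collector/network/sicdm_col_dx/.json" \
      "$1/apps/collector/network/sicdm_col_dx/etc/collector.json"
}

# Demo: build the constructed tree in a temp dir and repoint all three files.
demo() {
    root=$(mktemp -d); BACKUP_DIR=$root
    make_sample_tree "$root"
    for f in $(sample_files "$root"); do
        repoint_host "$f" || return 1
        printf '%s -> %s\n' "$f" "$(current_host "$f")"
    done
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh repoint_icdm_host.sh demo` to see it operate on the constructed copies; on a real host, source the file and call `repoint_host` on each of the three real paths (the EDR collector's files included), as the ICDx service user or with sudo. Because the new contents are written with `cat > FILE` rather than by renaming a temporary file into place, the inode and therefore the owner, group and mode are preserved even when run as root, and the final `file_ident` comparison makes that guarantee explicit.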