Configuring SOC View App for ICDm accounts using EU tenant

Article ID: 266698

Products

Endpoint Security Complete

Issue/Introduction

When adding a Symantec account to the Splunk SOC View App, the SES API documentation gives the address of the EU tenant as api.sep.eu.securitycloud.symantec.com. However, when you configure the SOC View App and choose ICDm as the account type, the URL populated in the ICDm Hostname field points to the US tenant (api.sep.securitycloud.symantec.com), and there is no EU option.

Additionally, if you proceed with the suggested configuration, once you add a Splunk input (for example, one of the Symantec ICDm Event Stream type) you get errors such as:

RRRR-MM-DD HH:MM:DD,123 ERROR pid=123456 tid=MainThread file=base_modinput.py:log_error:309 | Exception occurred while calling API: URL: https://api.sep.eu.securitycloud.symantec.com/v1/event-export | Status code: 400 | Response: { "message" : "Missing Authorization header."}

or

RRRR-MM-DD HH:MM:DD,123 ERROR pid=123456 tid=MainThread file=icdm_collector_event_stream.py:get_events:262 | Specified input configuration is badly formatted or invalid request arguments are provided, Please check and try again.

Environment

Splunk SOC View App

Cause

This misleading behaviour is caused by the EU tenant not yet existing at the time the SOC View App was released.

Resolution

To fix the issue, manually alter the ICDm Hostname field and enter the address api.sep.eu.securitycloud.symantec.com instead of the default suggested one.

Additional Information

Please bear in mind that once the settings are saved, the address shown in the UI reverts to the default and incorrectly displays the US tenant's URL. This is only a cosmetic issue; the real configuration remains intact. The problem is already known, and we are working on a fix.
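As an added illustration (not part of this article or of the SOC View App itself), the following Python script triages the app's error lines quoted above against the regional hostname an account is expected to use, so a Splunk administrator can tell a wrong-tenant hostname apart from an unauthenticated request or a rejected input. The log line format and the sample lines are constructed from the messages shown in this article; the category names and hints are the script's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regional ICDm API hostnames named in this article (no other regions assumed).
TENANT_HOSTS = {"eu": "api.sep.eu.securitycloud.symantec.com", "us": "api.sep.securitycloud.symantec.com"}

# Constructed sample log, modelled on the two error lines quoted in the article.
SAMPLE_LOG = (
    "2024-01-01 10:00:00,123 ERROR pid=123456 tid=MainThread file=base_modinput.py:log_error:309 "
    '| Exception occurred while calling API: URL: https://api.sep.eu.securitycloud.symantec.com/v1/event-export | Status code: 400 | Response: { "message" : "Missing Authorization header."}\n'
    "2024-01-01 10:00:05,456 ERROR pid=123456 tid=MainThread file=icdm_collector_event_stream.py:get_events:262 "
    "| Specified input configuration is badly formatted or invalid request arguments are provided, Please check and try again.\n"
)

# Assumed line layout: "<date> <time> <LEVEL> pid=... tid=... file=<file>:<func>:<line> | <message>"
LINE_RE = re.compile(r"^\S+ \S+ (?P<level>\w+) .*?file=(?P<file>[^:]+):\w+:\d+ \| (?P<msg>.*)$")
URL_RE = re.compile(r"URL: https?://(?P<host>[^/\s]+)")
STATUS_RE = re.compile(r"Status code: (?P<code>\d+)")


@dataclass
class Finding:
    source_file: str
    host: Optional[str]
    status: Optional[int]
    category: str  # wrong_tenant | unauthenticated | bad_input | other
    hint: str


def triage_line(line: str, region: str) -> Optional[Finding]:
    """Classify one SOC View App log line; non-error lines yield None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or m.group("level") != "ERROR":
        return None
    msg = m.group("msg")
    host = u.group("host") if (u := URL_RE.search(msg)) else None
    status = int(s.group("code")) if (s := STATUS_RE.search(msg)) else None
    want = TENANT_HOSTS[region.lower()]
    if host and host != want:  # the call went to the other region's API
        cat, hint = "wrong_tenant", f"request went to {host}; enter {want} in the ICDm Hostname field"
    elif status == 400 and "Missing Authorization header" in msg:
        cat, hint = "unauthenticated", f"{host} rejected the call without credentials; re-check the ICDm account"
    elif "badly formatted or invalid request arguments" in msg:
        cat, hint = "bad_input", "collector rejected the input; verify the account and hostname it references"
    else:
        cat, hint = "other", msg
    return Finding(m.group("file"), host, status, cat, hint)


def triage_log(text: str, region: str = "eu") -> list:
    """Return a Finding for every ERROR line in a log, in file order."""
    return [f for f in (triage_line(l, region) for l in text.splitlines()) if f]
```

Run `triage_log(SAMPLE_LOG, region="eu")` on the constructed sample to see the two errors classified as "unauthenticated" and "bad_input"; with `region="us"` the first line is flagged as "wrong_tenant" because it reached the EU host.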