Endpoint Security Cloud Event Stream not forwarding to QRadar
Article ID: 439311

Products

Endpoint Security Complete

Issue/Introduction

Symantec Endpoint Security Cloud (SESC) Event Stream incidents are not forwarded to QRadar through the integration.

Environment

Endpoint Security
IBM QRadar

Cause

The SESC workflow and its workflow parameters in the Incidents only-workflow.xml file may contain a typo or case mismatch in a variable name.

Example: "chkEnd_date" vs "chkEnd_Date". Because the paths are case sensitive, the two spellings refer to different variables, so time_range is not updated properly in the workflow.

Resolution

To resolve this issue, verify the case-sensitive variable paths in the workflow and correct the configuration so that every reference uses the same spelling.

Example:

From
<Initialize path="/chkEnd_date" value="" />

To
<Initialize path="/chkEnd_Date" value="" />

From
<If condition="empty(/chkStart_Date) and empty (/chkEnd_date)">

To
<If condition="empty(/chkStart_Date) and empty (/chkEnd_Date)">

Note: Other parameters may also use an incorrectly cased path; check every variable reference in the workflow, not only chkEnd_Date.
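Because the mismatch can affect any variable and not only chkEnd_Date, a quick way to audit the whole workflow file is to collect every "/Name" reference from the path and condition attributes and report names that differ only by case. The script below is an added example written for this article; it is not Broadcom/Symantec code. The Initialize, If, path, value and condition names come from the snippets above, while the <Workflow> wrapper, the Set element, the sample content and the function names are assumptions made for the example.

```python
"""Case-consistency audit for variable paths in an SESC workflow XML file.

Added example, not Broadcom/Symantec code. The sample XML is constructed to
mirror the Initialize/If elements quoted in the article; the <Workflow>
wrapper and <Set> element are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample reproducing the "From" state: chkEnd_date is initialized
# in one case and tested in another, so the If condition never sees it.
SAMPLE_WORKFLOW = """<Workflow>
  <Initialize path="/chkStart_Date" value="" />
  <Initialize path="/chkEnd_date" value="" />
  <If condition="empty(/chkStart_Date) and empty (/chkEnd_Date)">
    <Set path="/time_range" value="default" />
  </If>
</Workflow>
"""

# A variable reference is "/Name" inside a path, condition or value attribute.
# This pattern is an assumption based on the quoted snippets.
PATH_REF = re.compile(r"/([A-Za-z_][A-Za-z0-9_]*)")


def collect_variable_references(xml_text):
    """Return {variable_name: [(element tag, attribute name), ...]} for every
    /Name reference found in path, condition and value attributes."""
    refs = defaultdict(list)
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for attr in ("path", "condition", "value"):
            raw = elem.get(attr)
            if raw is None:
                continue
            for name in PATH_REF.findall(raw):
                refs[name].append((elem.tag, attr))
    return refs


def find_case_mismatches(xml_text):
    """Group variable names that differ only by case.

    Returns a dict keyed by the lower-cased name; the value is the sorted list
    of distinct spellings seen. Only groups with two or more spellings are kept,
    so an empty dict means the workflow is consistent.
    """
    refs = collect_variable_references(xml_text)
    groups = defaultdict(set)
    for name in refs:
        groups[name.lower()].add(name)
    return {key: sorted(spellings) for key, spellings in groups.items()
            if len(spellings) > 1}


if __name__ == "__main__":
    mismatches = find_case_mismatches(SAMPLE_WORKFLOW)
    if not mismatches:
        print("No case mismatches found.")
    for key, spellings in mismatches.items():
        print(f"Variable '{key}' is referenced with inconsistent case: {spellings}")
```

To audit a real file, read the Incidents only-workflow.xml contents into a string and pass it to find_case_mismatches in place of SAMPLE_WORKFLOW; each reported group is a variable whose references need to be aligned to one spelling.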

Additional Information

Endpoint Security Cloud logs transfer to IBM QRadar