When attempting to integrate Symantec Endpoint Security (SES) with a third-party SIEM (such as Sumo Logic) via cloud-to-cloud API, the integration fails with an authorization error.
This functionality is restricted based on the license tier. While users are able to successfully generate an 'access_token' and use some of the APIs, the Incident APIs and related cloud-to-cloud SIEM integration features are reserved for customers with a Symantec Endpoint Security Complete (SESC) license.
Customers using the Symantec Endpoint Security Enterprise (SESE) license do not have the necessary privileges to access these API endpoints, resulting in a `403 Forbidden` response even if the API credentials (Client ID and Secret) are technically valid for authentication.
To resolve this error, the environment must be upgraded to a Symantec Endpoint Security Complete (SESC) license level.
1. Verify License: Confirm the current entitlement in the SES console.
2. Upgrade: If the environment currently uses SESE, please contact your Broadcom account representative or partner to upgrade to SESC.
3. Validation: Once the SESC license is applied, the 403 error should no longer occur when polling the Incident APIs.
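
The pattern described above (a token is issued, yet the Incident APIs still answer 403) can be separated from a genuine credential failure before anyone rotates the Client ID and Secret. The following is an added example, not Broadcom or Sumo Logic code; the record format, integration names and request-kind labels are constructed for illustration and are not SES endpoint paths.

```python
from collections import defaultdict

# Constructed collector records: (integration name, request kind, HTTP status).
# "token" and "incidents" are labels made up for this example.
SAMPLE_RECORDS = [
    ("sumo-prod", "token", 200), ("sumo-prod", "incidents", 403),
    ("sumo-test", "token", 401),
    ("sumo-lab", "token", 200), ("sumo-lab", "incidents", 200),
    ("sumo-old", "token", 200), ("sumo-old", "incidents", 401),
    ("sumo-new", "incidents", 403),  # no token request was observed
]

ADVICE = {
    "LICENSE_TIER": "Credentials authenticate; confirm the entitlement (SESE vs SESC).",
    "BAD_CREDENTIALS": "Token request was refused; check the Client ID and Secret.",
    "TOKEN_REJECTED": "Token was issued but not accepted; request a fresh token.",
    "OK": "Incident polling succeeds.",
    "INCONCLUSIVE": "Not enough requests observed to separate the causes.",
}

def triage(records):
    """Map each integration to a diagnosis code from its last status per request kind."""
    last = defaultdict(dict)
    for name, kind, status in records:
        last[name][kind] = status  # later records overwrite earlier ones
    result = {}
    for name, seen in last.items():
        token, incidents = seen.get("token"), seen.get("incidents")
        if token == 401:
            code = "BAD_CREDENTIALS"   # authentication itself failed
        elif token != 200:
            code = "INCONCLUSIVE"      # no token seen, or a non-auth failure
        elif incidents == 403:
            code = "LICENSE_TIER"      # authenticated but not authorized
        elif incidents == 401:
            code = "TOKEN_REJECTED"
        elif incidents == 200:
            code = "OK"
        else:
            code = "INCONCLUSIVE"
        result[name] = code
    return result

if __name__ == "__main__":
    for name, code in triage(SAMPLE_RECORDS).items():
        print(f"{name}: {code} - {ADVICE[code]}")
```
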