Device Integration: Symantec Endpoint Security

TABLE OF CONTENTS

• Overview
• Prerequisites
• Generate API Credentials in Symantec SES/SEP
• Configure Symantec in ADR SIEM
• Verification (MSSP Only)

Overview

This guide explains how to integrate Symantec Endpoint Security (SES/SEP) with ADR SIEM (aiSIEM/aiXDR) using API calls. Once integrated, Symantec telemetry is ingested into the CCE (Collection and Control Engine) and processed by the APE (Analytics and Policy Engine) for centralized monitoring, threat visibility, and compliance.

Prerequisites

• Administrative access to Symantec Security Cloud Portal.

• Administrative access to the ADR SIEM UI and CCE server.

• Firewall rules allowing outbound HTTPS (443) from CCE to Symantec APIs.

Generate API Credentials in Symantec SES/SEP

Follow Symantec’s API authentication steps:

1. Log in to the Symantec Security Cloud Portal.

2. Navigate to Integrations → API Authentication.

3. Generate a Client ID and Client Secret.

   • These are required for authentication.

4. Use the Symantec documentation for details: Symantec API Authentication Guide.

5. The API call will return a Bearer Token used for subsequent requests.

Keep credentials secure — regenerate if compromised.

Configure Symantec in ADR SIEM

1. Log in to ADR SIEM UI with admin rights.

2. Navigate to: Administration → Add-On Devices → Add.

3. Fill in details:

Example JSON: (The URL mentioned in below example could be different. Kindly check with Symantec support for latest and correct URL)

{"host": "sep.su.securitycloud.symantec.com"

} 

OR

{  "host": "sep.securitycloud.symantec.com"
}

4. Click Save.

Verification (MSSP Only)

On ADR SIEM UI

1. Navigate to: System → Logs and Flows Collection Status.

2. Verify Symantec Endpoint Security/Protection appears under configured devices.

3. Confirm logs are being ingested successfully.

On ADR CCE (CLI)

Run:

1. SSH into the CCE server.

2. Run:

   otmdoc -s addondevices
   crontab -l