Device Integration: Symantec Endpoint Security

Modified on Mon, 20 Apr at 1:28 PM

Overview

This guide explains how to integrate Symantec Endpoint Security (SES/SEP) with ADR SIEM (aiSIEM/aiXDR) using API calls. Once integrated, Symantec telemetry is ingested into the CCE (Collection and Control Engine) and processed by the APE (Analytics and Policy Engine) for centralized monitoring, threat visibility, and compliance.


Prerequisites

  • Administrative access to Symantec Security Cloud Portal.

  • Administrative access to the ADR SIEM UI and CCE server.

  • Firewall rules allowing outbound HTTPS (443) from CCE to Symantec APIs.


Generate API Credentials in Symantec SES/SEP

Follow Symantec’s API authentication steps:

  1. Log in to the Symantec Security Cloud Portal.

  2. Navigate to Integrations → API Authentication.

  3. Generate a Client ID and Client Secret.

    • These are required for authentication.

  4. Use the Symantec documentation for details: Symantec API Authentication Guide.

  5. Exchanging the Client ID and Client Secret through the API returns a Bearer Token, which is used for all subsequent requests.

Keep credentials secure — regenerate if compromised.


Configure Symantec in ADR SIEM

  1. Log in to ADR SIEM UI with admin rights.

  2. Navigate to: Administration → Add-On Devices → Add.

  3. Fill in details:

  Field                    Value
  Device Name              Symantec Endpoint Security (or SEP)
  CCE Host (IP)            Enter the CCE IP
  Access ID / Username     Enter the Client ID
  Password / Secret Key    Enter the Client Secret
  Config (JSON)            Provide the Symantec API host (see the example JSON below)

Example JSON (the host in the examples below could be different for your tenant; check with Symantec support for the latest and correct URL):

    {"host": "sep.su.securitycloud.symantec.com"}

OR

    {"host": "sep.securitycloud.symantec.com"}

  4. Click Save.
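The two steps above (generating API credentials, then pasting the API host into the Config (JSON) field) are the points where this integration usually fails: a truncated JSON value, a host entered with a scheme or path, or a Client ID/Secret that no longer authenticates. The following added pre-flight script is an example written for this article, not code from ADR SIEM or Symantec. It validates the Config (JSON) text the way the Add-On Device form expects it and then exchanges the Client ID and Client Secret for a Bearer Token from the CCE host. The token path (/v1/oauth2/tokens), the use of HTTP Basic authentication for that exchange and the access_token response field are assumptions to confirm against the Symantec API Authentication Guide; the environment variable names are this example's own.

```python
"""Pre-flight checks for the Symantec SES / ADR SIEM integration.

Added example, not part of the original article or either product.
Assumptions (confirm against Symantec's API Authentication Guide):
  * token endpoint is  POST https://<host>/v1/oauth2/tokens
  * it accepts HTTP Basic auth built from the Client ID and Client Secret
  * the JSON response carries the token in "access_token"
"""
import base64
import json
import os
import sys
import urllib.request

TOKEN_PATH = "/v1/oauth2/tokens"  # assumed; check Symantec's documentation


def validate_config(config_text: str) -> str:
    """Parse the Config (JSON) field text and return the bare API host.

    Rejects the mistakes typically seen when the field is pasted by hand:
    truncated JSON (missing closing brace), a host given with a scheme or
    path, or a missing/empty "host" key.
    """
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Config (JSON) is not valid JSON: {exc.msg}") from exc
    if not isinstance(cfg, dict) or "host" not in cfg:
        raise ValueError('Config (JSON) must be an object with a "host" key')
    host = cfg["host"]
    if not isinstance(host, str) or not host.strip():
        raise ValueError('"host" must be a non-empty string')
    host = host.strip()
    if "://" in host or "/" in host:
        raise ValueError('"host" must be a bare hostname, without scheme or path')
    return host


def build_token_request(host: str, client_id: str, client_secret: str):
    """Return (url, headers, body) for the token exchange without sending it."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = f"https://{host}{TOKEN_PATH}"
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return url, headers, b""


def fetch_bearer_token(host: str, client_id: str, client_secret: str,
                       timeout: float = 15.0) -> str:
    """Perform the exchange over HTTPS and return the Bearer Token string."""
    url, headers, body = build_token_request(host, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    token = payload.get("access_token")
    if not token:
        raise RuntimeError(f"no access_token in response; keys: {sorted(payload)}")
    return token


if __name__ == "__main__":
    # Credentials come from the environment, never from argv or the script.
    # Paste the Config (JSON) field text on stdin, e.g.:
    #   echo '{"host": "sep.securitycloud.symantec.com"}' | python3 preflight.py
    host = validate_config(sys.stdin.read())
    client_id = os.environ["SYMANTEC_CLIENT_ID"]          # hypothetical variable name
    client_secret = os.environ["SYMANTEC_CLIENT_SECRET"]  # hypothetical variable name
    token = fetch_bearer_token(host, client_id, client_secret)
    # Print only a prefix so the full token never lands in a shell history or log
    print(f"token OK for {host}: {token[:8]}... ({len(token)} chars)")
```

Run it from the CCE server so the check also exercises the outbound HTTPS (443) rule from the prerequisites. A JSON error points at the Config (JSON) field, an HTTP 401 at the Client ID/Secret, and a connection timeout at the firewall path.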


Verification (MSSP Only)

On ADR SIEM UI

  1. Navigate to: System → Logs and Flows Collection Status.

  2. Verify Symantec Endpoint Security/Protection appears under configured devices.

  3. Confirm logs are being ingested successfully.

On ADR CCE (CLI)

  1. SSH into the CCE server.

  2. Run:

    otmdoc -s addondevices
    crontab -l
