Symantec Endpoint Protection Cloud (SEPC)
Introduction
Endpoint Integration
The Infosec IQ platform supports integration with a number of leading Endpoint Protection (EPP) products, including Symantec Endpoint Protection. This integration allows you to automatically enroll Learners in AwareEd Campaigns whenever your EPP product detects those Learners performing unwanted or unsafe actions.
To begin integrating your EPP solution with Infosec IQ, navigate to Endpoint Integration under the Gear icon.
Symantec Endpoint Protection Cloud (SEPC)
Infosec IQ provides a turnkey integration for Symantec Endpoint Protection Cloud (SEPC) that runs on all modern Microsoft Windows environments; it is open source and built with PowerShell.
The integration allows your organization to provide security awareness training to employees based on their involvement in security-related events. Your employees will get this training automatically as these events occur.
Before You Start
Before you get started, you will need access to the following: your SEPC account and the ability to authorize new applications within both this account and your SIQ account. You will also need the Infosec IQ Symantec Integration toolset. If you do not have the Infosec IQ toolset, please contact your client success manager.
You can request your API key on the Account Settings > Endpoint Integration page by clicking the Generate New Key button.
How It Works
The Infosec IQ Symantec Integration toolset accesses the events in your SEPC account via the API and displays them in the toolset. You then create rules in the toolset, and learners who match those rules are automatically enrolled in Infosec IQ security awareness training via the Infosec IQ API.
Remember: Only SEPC events associated with a user email will be visible in the Infosec IQ Symantec Integration toolset. Learners are enrolled in existing awareness campaigns, and only existing learners can be enrolled in campaigns. The SEPC user email must match an email in your SIQ platform for an enrollment to take place.
Requirements
- An Infosec IQ account preconfigured with awareness campaigns and participating learners.
- A Symantec Endpoint Protection Cloud account configured with your employees, including their email.
- A Windows computer with PowerShell 4.0 or higher.
Getting Started
To get started, you need to authorize the Infosec IQ Symantec Integration toolset to access your SEPC API.
- Log into your SEPC account and navigate to the Settings page.
- Navigate to the Client Application Management page.
- Click on the Add Application button.
- Select Others and name your application. When ready, click the Add button.
- Take note of your CUSTOMER ID, DOMAIN ID, CLIENT ID and CLIENT SECRET.
- Run the symantec_inegration_gui.exe file.
- Fill in the Infosec IQ API Key, Symantec Customer ID, Symantec Domain ID, Symantec ClientID and Symantec Client Secret.
- Click the Save Config button. This will create a config.json file in the directory where the tool is run.
- Select the number of days back in time that you want to load SEPC events for.
- Select the Event Type. Note: Event type 0 is all events. Other event types are not currently documented by Symantec, but may be in the future.
- Click the topmost Load button. Your SIQ Awareness Campaigns will load in the dropdown.
- Click the next Load button. Your SEPC events that have an associated user email will load. If there are a large number of events, this can take several minutes.
- Select an SIQ Awareness campaign.
- Select SEPC events that you want to trigger an enrollment.
Note: Due to a limitation in the SEPC API, the rule applies to the exact string you are selecting. If you want to make a more generalized rule, see the next step.
- To make a more generalized rule, enter a custom string in the Custom String section. If an event contains your custom string, the associated learner will be enrolled in the SIQ Awareness campaign.
- Click the Enrollment Rule button to create an enrollment rule. A file named enrollment_rules.json will be created in the directory from which the tool is run.
- Repeat steps 10 through 17 for every SIQ Campaign that you want to make enrollment rules for.
- When ready, click the Enroll Learners button to enroll learners based on your configuration.
Automating the Process
After you have completed the above steps, enrollments can be automated by using the Microsoft Task Scheduler. Simply create a task to run the symantec_integration_scheduler.exe once per day. Ensure that the config.json and enrollment_rules.json files are in the same directory as the symantec_integration_scheduler.exe file.
The symantec_integration_scheduler.exe queries events going back one day. It is important that it is run daily to avoid missing events.
- Open Microsoft Task Scheduler Service and select Create Basic Task.
- Name your task and click Next.
- Configure your trigger and click Next.
- Select “Start a program” and click Next.
- Browse to select the symantec_integration_scheduler.exe.
- Click Next.
- Click Finish.
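The Task Scheduler steps above can also be scripted. The following is an added PowerShell example, not code from the Infosec IQ toolset, that checks the required files, restricts access to config.json and registers the daily task. The folder path, task name and start time are assumptions, as is the premise that config.json holds the API key and client secret; the ScheduledTasks cmdlets require Windows 8 / Windows Server 2012 or later.

```powershell
# Added example, not part of the Infosec IQ toolset.
# Assumption: the toolset was unpacked to this hypothetical folder.
$ToolDir = 'C:\Tools\InfosecIQ-Symantec'
$Exe     = Join-Path $ToolDir 'symantec_integration_scheduler.exe'

# The scheduler expects config.json and enrollment_rules.json beside it,
# so stop before registering a task that would fail every day.
foreach ($name in 'symantec_integration_scheduler.exe', 'config.json', 'enrollment_rules.json') {
    $path = Join-Path $ToolDir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Required file not found: $path"
    }
}

# Assumption: config.json stores the API key and client secret saved from the GUI.
# Drop inherited permissions and leave access to the current user, SYSTEM
# (S-1-5-18) and local Administrators (S-1-5-32-544) only.
$me = "${env:USERDOMAIN}\${env:USERNAME}"
icacls (Join-Path $ToolDir 'config.json') /inheritance:r /grant:r "${me}:(F)" '*S-1-5-18:(F)' '*S-1-5-32-544:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'icacls could not restrict config.json' }

# The working directory is set to the tool folder so that relative lookups
# of the two JSON files resolve there.
$action  = New-ScheduledTaskAction -Execute $Exe -WorkingDirectory $ToolDir
$trigger = New-ScheduledTaskTrigger -Daily -At '06:00'

# The scheduler only looks back one day, so run a missed start as soon as
# the machine is available again.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable

Register-ScheduledTask -TaskName 'Infosec IQ Symantec enrollment' `
    -Action $action -Trigger $trigger -Settings $settings `
    -Description 'Daily run of symantec_integration_scheduler.exe'
```

Registered this way, the task runs as the user who registered it and only while that user is logged on. A machine that stays off for more than a day can still miss events.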