Enabling Synapse correlation with Symantec ATP: Roaming
Last Updated September 25, 2018
Symantec ATP: Roaming is a Symantec Web Security.cloud service that detects and blocks threats embedded in unencrypted (HTTP) and SSL-encrypted (HTTPS) web traffic. ATP: Roaming inspects web traffic from both your on-LAN and off-LAN (or "roaming") users. It also sends copies of files to Symantec's cloud-based sandbox for additional analysis.
Using Synapse, you can enable correlation between Symantec Advanced Threat Protection (ATP) and ATP: Roaming. When you enable ATP: Roaming, Synapse collects events from ATP: Roaming and correlates them with events from your other control points (such as Network, Endpoint, and Email). When ATP correlates these events, it looks for relationships based on common threats and suspicious behavior. It then aggregates common threat events into a single incident, helping you to identify and prioritize your work. After you enable ATP: Roaming Correlation, ATP starts collecting events within the hour. You can view information about these events in ATP Manager.
To enable correlation, your organization must have a licensed Symantec.cloud account for which ATP: Roaming is enabled. This account must have a Symantec Web Security.cloud user logon account associated with it that has View Statistics permissions.
To enable Synapse correlation with Symantec ATP: Roaming
1. In ATP Manager, click Settings > Global.
2. In the Synapse section, check Enable Symantec ATP: Roaming Correlation.
3. In the dialog box, type the Symantec Web Security.cloud logon name and the Symantec Web Security.cloud password for your Web Security.cloud account.
The format of the user name should be three letters and four numbers (e.g., ABC1234). Symantec provides this user name when you register for the service. These credentials should also be separate from the main admin account, have the View Statistics permission, and be dedicated to ATP usage only.