Integrating ATP with Symantec™ Integrated Cyber Defense Exchange (ICDx)
Last Updated September 25, 2018
This topic assumes that you have installed and configured a Symantec™ Integrated Cyber Defense Exchange (ICDx) server in your environment. For information about acquiring ICDx, contact your Symantec Partner or sales representative.
What ICDx does
ICDx is an open platform that gives you control over your enterprise security data: how much you collect, how long you retain it, and where it resides. It also provides a standard, cross-product schema for analytics, reports, and dashboards. ICDx does the following with the events it collects:
Normalizing the events to the Integrated Cyber Defense Schema
Storing the event data locally for searching and viewing
Filtering and forwarding the collected events to customer destinations, such as Splunk™ or ServiceNow™
Before you start setting up forwarding to ICDx, be aware of the following:
ATP streams events and incidents to ICDx in real time. The forwarding is best effort; ATP drops events if ICDx is unavailable and the ATP queue is full.
ATP supports active and passive high availability of ICDx. You can configure a primary ICDx and a secondary ICDx. The collector switches to the secondary ICDx when the primary is unavailable. ATP switches back to the primary when the primary becomes available.
The current version of ICDx does not support ATP incidents; ATP incidents are dropped from the forwarded data.
Setting up ICDx forwarding
To set up ICDx forwarding, you perform the following four procedures:
Obtain the API key, client ID, and client secret for ATP integration
Add the ATP ICDx collector in ICDx
Edit the collector configuration after saving the initial configuration
Configure ICDx forwarding in ATP
1. Obtain the API key, client ID, and client secret for ATP integration
On the ICDx console, do the following:
Go to Settings and select the API tab.
Enter a name of your choice for the API and click Save.
On the new API, click Actions > Copy Client ID to clipboard.
Paste the Client ID into a text editor.
Click Actions again and select Copy Client Secret to clipboard.
Paste the Client Secret into a text editor.
2. Add the ATP ICDx collector in ICDx
On the ICDx console, do the following:
Go to Configuration and select the Collectors tab.
At the Symantec ATP section, click Add.
Enter the name you want to use for the collector and, optionally, a description.
For Startup, select Manual.
You can change the Startup type to Automatic after you've confirmed the successful integration of the collector with ATP.
3. Edit the collector configuration
When you save the initial collector configuration, a UUID is created for the collector. The UUID is available when you open the collector for editing. On the ICDx console, do the following:
On the new collector, click Actions > Edit.
Click Show Advanced.
Copy the UUID to your clipboard.
4. Configure ICDx forwarding in ATP
On the ATP Manager console, do the following:
Go to Settings > Data Sharing and in the Event and Incident Forwarding section, click Add Host.
Under Primary Host, enter the URL for the ICDx collector. The format is:
https://<icdx-host>/r3_epmp_i/dx/col-atp/<collector-uuid>
where <icdx-host> is the address of your ICDx server, and <collector-uuid> is the UUID you copied in Procedure 3. For example:
https://10.7.162.100/r3_epmp_i/dx/col-atp/38c680b0-9104-11e8-e707-000000000023
Enter the Username and Password: use the Client ID you copied in Procedure 1 as the Username and the Client Secret you copied in Procedure 1 as the Password.
Specify the events and incidents to forward:
Uncheck Email and Incident.
Under Endpoint, check only Data Recorder.
Only Data Recorder events are normalized; incidents are ignored.
Selecting Process Launch or Process Terminate Data Recorder events can place a high demand on network resources.
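Because forwarding is best effort and ATP silently drops events when the collector cannot be reached, a mistyped collector URL or UUID is easy to miss. The following Python pre-flight check is an added example, not Symantec code or part of ATP or ICDx: it builds the Primary/Secondary Host URL from the ICDx address and the collector UUID copied in Procedure 3, validates an already-configured URL against the path form given on this page (`/r3_epmp_i/dx/col-atp/<collector-uuid>`), and flags event selections that this page says are dropped (Email, Incident), not normalized (Endpoint types other than Data Recorder), or network-heavy (Process Launch, Process Terminate). The three-argument model of the Data Sharing checkboxes (`categories`, `endpoint_types`, `data_recorder_events`) is an assumption made for the example, as is the sample host 10.7.162.100 taken from the page's own example URL.

```python
from __future__ import annotations

import ipaddress
import re
import uuid
from urllib.parse import urlparse

# Collector path used by ATP's ICDx forwarding URL, as given on this page.
COLLECTOR_PATH_PREFIX = "/r3_epmp_i/dx/col-atp/"

# Selections this page says ICDx drops, and Data Recorder event types it
# warns are expensive on the network.
DROPPED_CATEGORIES = {"Email", "Incident"}
HEAVY_DATA_RECORDER_EVENTS = {"Process Launch", "Process Terminate"}


def build_collector_url(icdx_host: str, collector_uuid: str) -> str:
    """Return the https URL to paste into ATP's Primary/Secondary Host field.

    Raises ValueError for a malformed host or UUID so the mistake surfaces
    here rather than as silently dropped events after ATP starts forwarding.
    """
    host = icdx_host.strip()
    if not host:
        raise ValueError("ICDx host must not be empty")
    if "/" in host:
        raise ValueError("pass only the host (or host:port), not a URL")
    try:
        ipaddress.ip_address(host)  # bare IPv4/IPv6 address is fine
    except ValueError:
        # Otherwise require a plain hostname, optionally with a port.
        if not re.fullmatch(r"[A-Za-z0-9.-]+(:\d{1,5})?", host):
            raise ValueError(f"invalid ICDx host: {host!r}")
    # uuid.UUID() raises ValueError unless the value is 32 hex digits.
    canonical = str(uuid.UUID(collector_uuid.strip()))
    return f"https://{host}{COLLECTOR_PATH_PREFIX}{canonical}"


def check_collector_url(url: str) -> list[str]:
    """Return the problems found in a configured collector URL (empty if OK)."""
    problems: list[str] = []
    parsed = urlparse(url.strip())
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    if not parsed.netloc:
        problems.append("missing ICDx host")
    if not parsed.path.startswith(COLLECTOR_PATH_PREFIX):
        problems.append(f"path must start with {COLLECTOR_PATH_PREFIX}")
    else:
        tail = parsed.path[len(COLLECTOR_PATH_PREFIX):]
        try:
            uuid.UUID(tail)
        except ValueError:
            problems.append(f"collector UUID {tail!r} is not a valid UUID")
    return problems


def check_event_selection(
    categories: set[str], endpoint_types: set[str], data_recorder_events: set[str]
) -> list[str]:
    """Flag Data Sharing selections that are ineffective or costly per this page.

    categories: top-level boxes ticked (e.g. "Email", "Incident", "Endpoint").
    endpoint_types: boxes ticked under Endpoint (should be only "Data Recorder").
    data_recorder_events: Data Recorder event types ticked (assumed model).
    """
    warnings: list[str] = []
    for category in sorted(DROPPED_CATEGORIES & categories):
        warnings.append(f"{category} is selected but ICDx drops it; uncheck it")
    if "Endpoint" not in categories or "Data Recorder" not in endpoint_types:
        warnings.append("Data Recorder is not selected; ICDx will normalize nothing")
    for other in sorted(endpoint_types - {"Data Recorder"}):
        warnings.append(f"Endpoint type {other!r} is not normalized by ICDx")
    for heavy in sorted(HEAVY_DATA_RECORDER_EVENTS & data_recorder_events):
        warnings.append(f"{heavy} events can place a high demand on network resources")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the host and UUID from this page's example URL.
    url = build_collector_url("10.7.162.100", "38c680b0-9104-11e8-e707-000000000023")
    print(url, check_collector_url(url))
    print(check_event_selection({"Email", "Endpoint"}, {"Data Recorder"}, {"Process Launch"}))
```

Run it once with the host and UUID you intend to paste into ATP; an empty problem list from `check_collector_url` and an empty warning list from `check_event_selection` mean the configuration matches what this page prescribes. The same check applies to the Secondary Host when you configure ICDx high availability.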