This topic lists the tasks that you must perform to integrate Symantec Endpoint Detection and Response with SEP. Before you perform these tasks, make sure that your SEP environment meets the necessary requirements.

See System requirements for Symantec EDR integration with SEP management interfaces and embedded databases.

Table: Symantec EDR integration with SEP workflow

Step

Task

Description

1

On SEPM, prepare the database for log collection.

For Symantec EDR to collect logs from SEP, you must prepare your SEPM database so that Symantec EDR can access it remotely. The tasks that you perform to do this depend on whether SEP uses an:

  • External Microsoft SQL Server database

    Microsoft SQL Server supports remote access. Symantec strongly recommends that you create a read-only account on this database so that Symantec EDR can access it. Or, you can let Symantec EDR access it using your DB administrator (sa) credentials.

    See Creating a SEPM SQL Server database account for Symantec EDR.

  • SEPM embedded database

    The SEPM embedded database does not support remote access. For Symantec EDR to access this database, you must download the Synapse Log Collector in the console and then install it on your database computer.

    See Installing the Synapse Log Collector for the SEPM Embedded Database.

2

In the console, enable Synapse correlation with SEP.

For Symantec EDR to connect to your SEPM database, you must enable SEP Correlation.

  1. Do one of the following:

    • In the EDR cloud console, click Settings, select an appliance, and then click Global > Synapse.

    • In the EDR appliance console, click Settings > Global > Synapse.

  2. Check Enable SEP Correlation.

See About Synapse correlation.

3

In the console, configure a connection to the SEPM database.

For Symantec EDR to connect to your SEPM database, you must configure a connection from Symantec EDR to that database.

See Configuring the connection to the SEPM database.

4

In the console, configure a connection to SEPM.

For Symantec EDR to communicate with SEPM, you must configure a connection from Symantec EDR to SEPM.

The connection serves these purposes:

  • Administrative changes, such as changes to the whitelist or blacklist made through Symantec EDR, are sent to SEPM through the SEPM Controller connection.

  • Information about the endpoints managed by SEPM is retrieved through the SEPM controller connection so that it can be associated with event data. For example, computer names that are stored by SEPM can be correlated to IP addresses in event messages.

See About configuring the connection to SEPM.

The workflow for configuring the connection to SEPM depends upon which version of Endpoint Communications Channel (ECC) that the SEPM uses (version 1 or version 2). The version of ECC that you use is based on the version of SEP that your clients run.

See About Endpoint Communications Channel (ECC).

See Enabling ECC 2.0.

5

In SEPM, configure endpoints to send information to the Symantec EDR management node.

For Symantec EDR to act as a proxy for SEP endpoint computers, you must configure your endpoints to send event data to Symantec EDR through the private cloud setting.

See Configuring endpoints in SEPM to communicate with Symantec EDR.

6

In the console, add SSL certificates for secure communication between endpoints and Symantec EDR, if needed.

If secure communication between endpoints and Symantec EDR is needed when Symantec EDR acts as a proxy for endpoint network communication, you can upload the SSL certificates that may be required to secure the communication.

See Securing communication between endpoints and Symantec EDR.

7

In the console, specify whether you have replicating databases in SEPM.

If you have replicating databases in SEPM, you must check the Replication is enabled between all SEPM's option.

  1. Do one of the following:

    • In the EDR cloud console, click Settings, select an appliance, and then click Global.

    • In the EDR appliance console, click Settings > Global.

  2. In the Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder section, check Replication is enabled between all SEPM's.

See Configuring Symantec EDR to work with replicating SEPM sites.

See About integrating Symantec EDR with SEP

See SEP client versions and supported Symantec EDR features

See Required firewall ports

Legacy ID: v119835566_v128921691

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation