Symantec Endpoint Detection and Response (SEDR) doesn't execute commands from integrated solutions

Article ID: 174453

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

Integrated solutions (third-party products that query SEDR through its REST API) are not showing query results.

Resolution

Call the SEDR REST API directly to verify that the appliance accepts API calls and returns results. If it does, the fault lies in how the integrated solution calls the API rather than in Symantec Endpoint Detection and Response (SEDR) itself.

Using Curl:

  1. Verify that an OAuth client exists in the SEDR web UI (Settings > Data Sharing) and note its client_id and client_secret.
  2. Base64-encode the string client_id:client_secret (the two values joined by a single colon, with no trailing newline or line wrapping) and place the result after the word "Basic" in the Authorization header.
  3. Request an access token with the following curl command, where <SEDR IP> is the IP address of your SEDR appliance and <BASE64_CREDENTIALS> is the value from step 2:
     curl -X POST -H "Accept: application/json" \
       -H "Authorization: Basic <BASE64_CREDENTIALS>" \
       -H "Content-Type: application/x-www-form-urlencoded" \
       -d 'grant_type=client_credentials&scope=customer' \
       "https://<SEDR IP>/atpapi/oauth2/tokens"
  4. Copy the access_token from the response body. The token is valid for expires_in seconds (3600, i.e. one hour); after that, repeat step 3:
     {
       "access_token":"<BEARER_TOKEN>",
       "token_type":"Bearer",
       "expires_in":3600
     }
  5. Query a single event using that token:
     curl -X POST -H "Content-Type: application/json" \
       -H "Authorization: Bearer <BEARER_TOKEN>" \
       -d '{ "verb":"query", "limit":1 }' \
       "https://<SEDR IP>/atpapi/v2/events/"
  6. You should see a result returned:
     {
        "result":[
           {
              ...
           }
        ],
        "next":"NiwyMDR2LTA2LTIwVDIwOjQ2OjE2LjgyN1o=",
        "total":1
     }
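The six steps above as one script, so the check can be repeated without hand-editing tokens. This is an added example, not code from the article or from Symantec. It assumes the operator supplies the appliance address and OAuth client through the SEDR_IP, SEDR_CLIENT_ID and SEDR_CLIENT_SECRET environment variables (names chosen here, not SEDR's), and it parses the two JSON fields the article shows (access_token and total) with sed so it has no dependency beyond curl and coreutils. The sample token body at the end is constructed to match the shape in step 4, not a real appliance reply.

```shell
#!/bin/sh
# Scripted form of the curl check in steps 1-6. Added example, not code from
# the KB article or from Symantec. Appliance address and OAuth client come
# from SEDR_IP, SEDR_CLIENT_ID and SEDR_CLIENT_SECRET (assumed names).
set -eu

# Step 2: base64 of "client_id:client_secret", with no line wrapping,
# ready to follow "Basic " in the Authorization header.
basic_credential() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Step 4: pull access_token out of the token endpoint's JSON body.
# Prints nothing and returns 1 when the field is missing (e.g. an error body).
extract_access_token() {
    tok=$(printf '%s' "$1" | tr -d '\n\r' \
        | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$tok" ] || return 1
    printf '%s' "$tok"
}

# Step 6: the "total" field of the events response; same contract.
extract_total() {
    n=$(printf '%s' "$1" | tr -d '\n\r' \
        | sed -n 's/.*"total"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$n" ] || return 1
    printf '%s' "$n"
}

# One POST; prints the body, then the HTTP status code on its own line.
# curl honours CURL_CA_BUNDLE, so point that at the appliance's issuing CA
# instead of disabling certificate verification with -k.
api_post() {
    url=$1; shift
    curl -sS -X POST -w '\n%{http_code}' "$@" "$url"
}

# Steps 3 and 5 against a live appliance; fails on the first problem and
# prints the status code and body that support will ask for.
sedr_api_check() {
    ip=$1; cred=$(basic_credential "$2" "$3")

    resp=$(api_post "https://$ip/atpapi/oauth2/tokens" \
        -H "Accept: application/json" \
        -H "Authorization: Basic $cred" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d 'grant_type=client_credentials&scope=customer')
    status=$(printf '%s\n' "$resp" | tail -n 1)
    body=$(printf '%s\n' "$resp" | sed '$d')
    if [ "$status" != 200 ]; then
        printf 'token request failed: HTTP %s\n%s\n' "$status" "$body" >&2; return 1
    fi
    token=$(extract_access_token "$body") || {
        printf 'HTTP 200 but no access_token in body:\n%s\n' "$body" >&2; return 1; }

    resp=$(api_post "https://$ip/atpapi/v2/events/" \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer $token" \
        -d '{ "verb":"query", "limit":1 }')
    status=$(printf '%s\n' "$resp" | tail -n 1)
    body=$(printf '%s\n' "$resp" | sed '$d')
    if [ "$status" != 200 ]; then
        printf 'events query failed: HTTP %s\n%s\n' "$status" "$body" >&2; return 1
    fi
    total=$(extract_total "$body") || {
        printf 'HTTP 200 but no "total" in body:\n%s\n' "$body" >&2; return 1; }
    printf 'SEDR accepted both calls; events query reported total=%s\n' "$total"
}

# Offline demonstration on a constructed token body shaped like step 4
# (not a real appliance reply).
sample_token_body='{
  "access_token":"eyJ.sample.token",
  "token_type":"Bearer",
  "expires_in":3600
}'
printf 'Authorization: Basic %s\n' "$(basic_credential example-client-id example-secret)"
printf 'parsed token: %s\n' "$(extract_access_token "$sample_token_body")"

# Live check only when the operator has supplied the appliance details.
if [ -n "${SEDR_IP:-}" ]; then
    sedr_api_check "$SEDR_IP" "${SEDR_CLIENT_ID:?}" "${SEDR_CLIENT_SECRET:?}"
fi
```

Run it as `SEDR_IP=... SEDR_CLIENT_ID=... SEDR_CLIENT_SECRET=... sh sedr_check.sh`; pass the secret through the environment rather than on the command line so it does not land in shell history or `ps` output. Because each call's HTTP status is checked before its body is parsed, a rejected token or an unexpected error page fails loudly with the exact status and body instead of producing an empty bearer token that would make the second call fail for a misleading reason.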

A successful response to both calls confirms that SEDR accepts API commands and returns results, so the problem is in how the integrated solution calls the API (for example its client credentials, token handling or URL) rather than in SEDR itself.

If either call fails, note the HTTP status code and the response body, then contact support. Two causes worth ruling out first: a curl certificate error means your client does not trust the appliance's certificate (supply the issuing CA with --cacert rather than disabling verification with -k, which would also hide a TLS problem affecting the integrated solution), and a rejected events call after more than an hour usually means the access token has expired (expires_in is 3600 seconds) and must be requested again. Treat the client_secret and the access token as credentials and do not include them in the support case.