[New Integration] Symantec EDR Cloud

[jamiehynds]

Description

Symantec EDR exposes advanced attacks with precision machine learning and global threat intelligence minimizing false positives and helps ensure high levels of productivity for security teams. Symantec EDR capabilities allow incident responders to quickly search, identify and contain all impacted endpoints while investigating threats using a choice of on-premises and cloud-based sandboxing. Also, Symantec EDR enhances investigator productivity with automated investigation playbooks and user behavior analytics that brings the skills and best practices of the most experienced security analysts to any organization.

Architecture

Symantec provide an API to pull incidents, events and audit events. Pushing data to object storage such as S3, Azure Blob and GCS buckets are also supported.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency when creating or updating a Package, Module or Dataset for an Integration.

All changes

• [ ] Change follows the contributing guidelines
• [ ] Supported versions of the monitoring target are documented
• [ ] Supported operating systems are documented (if applicable)
• [ ] Integration or System tests exist
• [ ] Documentation exists
• [ ] Fields follow ECS and naming conventions
• [ ] At least a manual test with ES / Kibana / Agent has been performed.
• [ ] Required Kibana version set to:

New Package

• [ ] Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

• [ ] Dashboards exists
• [ ] Screenshots added or updated
• [ ] Datastream filters added to visualizations

Log dataset changes

• [ ] Pipeline tests exist (if applicable)
• [ ] Generated output for at least 1 log file exists
• [ ] Sample event (sample_event.json) exists

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[ebeahan]

A symantec_edr_cloud integration shipped with the incidents data stream calling the /v1/incidents API. in #8267.

Future work will add an additional data stream calling the /v1/event-export/stream/{stream_guid}/{channel_id} Event Stream API.

[jamiehynds]

A symantec_edr_cloud integration shipped with the incidents data stream calling the /v1/incidents API. in #8267.

Future work will add an additional data stream calling the /v1/event-export/stream/{stream_guid}/{channel_id} Event Stream API.

@ebeahan this is something actively being worked on my @piyush-elastic and team.

[ebeahan]

@jamiehynds got it - I missed https://github.com/elastic/integrations/issues/8972.