
SecurityIQ Symantec Integration: Event-Activated Learning

July 24, 2018 by Infosec

Introduction

These instructions will help you integrate your SecurityIQ (SIQ) platform with your Symantec Endpoint Protection Cloud (SEPC) account. The integration will allow your organization to provide security awareness training to employees based on the employees’ involvement in security-related events. Your employees will get this training automatically as these events occur.  

Symantec has several products that include an API (e.g. Symantec Data Loss Prevention Detection, Symantec™ Endpoint Protection Manager). These products accomplish different things and their APIs function differently. Currently, SIQ integrates with Symantec Endpoint Protection Cloud. If you would like to integrate with any other product, please contact your customer success manager or sales representative.

Before You Start

Before you get started, you will need access to the following: your SEPC account and the ability to authorize new applications within both this account and your SIQ account. You will also need the SecurityIQ Symantec Integration toolset. If you do not have the SecurityIQ toolset, please contact your client success manager.

You can request your API key directly within the app on this page.

How It Works

The SecurityIQ Symantec Integration toolset reads the events in your SEPC account through the SEPC API and displays them in the toolset. From there you define enrollment rules; when an event matches a rule, the toolset uses the SIQ API to enroll the associated learner in the SIQ security awareness campaign you chose for that rule.

Remember: Only SEPC events associated with a user email will be visible in the SecurityIQ Symantec Integration toolset. Learners are enrolled in existing awareness campaigns, and only existing learners can be enrolled in campaigns. The SEPC user email must match an email in your SIQ platform for an enrollment to take place.

The SEPC and SIQ APIs are currently in development, so all functionality is subject to change. Please contact your client success manager with questions or suggestions.

Requirements

  1. A SecurityIQ account preconfigured with awareness campaigns and participating learners.
  2. A Symantec Endpoint Protection Cloud account configured with your employees, including their email.
  3. A Windows computer with PowerShell 4.0 or higher.

Getting Started

To get started, you need to authorize the SecurityIQ Symantec Integration toolset to access your SEPC API.

  1. Log into your SEPC account and navigate to the Settings page.
  2. Navigate to the Client Application Management page.
  3. Click on the Add Application button.
  4. Select Others and name your application. When ready, click the Add button.
  5. Take Note of your CUSTOMER ID, DOMAIN ID, CLIENT ID and CLIENT SECRET.
  6. Run the symantec_inegration_gui.exe file.
  7. Fill in the SecurityIQ API Key, Symantec Customer ID, Symantec Domain ID, Symantec ClientID and Symantec Client Secret.
  8. Click the Save Config button. This will create a “config.json” file in the directory where the tool is run.
  9. Select the number of days back in time that you want to load SEPC events for.
  10. Select the Event Type. Note: Event type 0 is all events. Other event types are not currently documented by Symantec but may be in the future.   
  11. Click the topmost Load button. Your SIQ Awareness campaigns will load in the dropdown.
  12. Click the next Load button. Your SEPC events that have an associated user email will load. If there are a large number of events, this can take several minutes.
  13. Select a SIQ Awareness campaign.
  14. Select SEPC events that you want to trigger an enrollment. Note: Due to a limitation in the SEPC API, the rule applies to the exact string you are selecting. If you want to make a more generalized rule, see the next step.
  15. To make a more generalized rule, enter a custom string in the “Custom String” section. If an event contains your custom string, the associated learner will be enrolled in the SIQ Awareness campaign.
  16. Click the Enrollment Rule button to create an enrollment rule. A file named “enrollment_rules.json” will be created in the directory from which the tool is run.
  17. Repeat steps 10 through 17 for every SIQ campaign that you want to make enrollment rules for.
  18. When ready, click the Enroll Learners button to enroll learners based on your configuration.
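The matching semantics behind steps 14 and 15 (an exact-string rule versus a custom-substring rule, applied only to events that carry a user email, and only for learners who already exist in SIQ) can be seen in a small PowerShell script. This is an added illustration, not code from the SecurityIQ toolset; the event fields, the rule shape, the campaign names and all sample data are constructed for the example and do not reflect the format of `enrollment_rules.json`.

```powershell
# Added illustration of the enrollment-rule matching described above.
# Not the toolset's own code; every field name and value here is constructed.

# Constructed SEPC events. The third one has no user email, so the toolset
# would never show it and it can never trigger an enrollment.
$events = @(
    [pscustomobject]@{ Email = 'alice@example.com'; Description = 'Malware detected: Trojan.Gen on HOST01' },
    [pscustomobject]@{ Email = 'bob@example.com';   Description = 'USB device blocked by device control' },
    [pscustomobject]@{ Email = $null;               Description = 'Malware detected: Trojan.Gen on HOST02' },
    [pscustomobject]@{ Email = 'eve@example.com';   Description = 'Malware detected: Trojan.Gen on HOST03' }
)

# Constructed list of existing SIQ learners. Eve is not an SIQ learner, so a
# matching rule still produces no enrollment for her.
$siqLearners = @('alice@example.com', 'bob@example.com')

# Constructed rules. 'Exact' mirrors step 14 (the selected event string must
# match verbatim); 'Contains' mirrors step 15 (a custom substring).
$rules = @(
    [pscustomobject]@{ Campaign = 'Removable Media Safety'; Match = 'Exact';    Pattern = 'USB device blocked by device control' },
    [pscustomobject]@{ Campaign = 'Malware Basics';         Match = 'Contains'; Pattern = 'Malware detected' }
)

function Get-Enrollments {
    param($Events, $Learners, $Rules)
    $result = @()
    foreach ($event in $Events) {
        # Events without a user email are not visible to the toolset.
        if ([string]::IsNullOrEmpty($event.Email)) { continue }
        # Only existing SIQ learners can be enrolled.
        if ($Learners -notcontains $event.Email) { continue }
        foreach ($rule in $Rules) {
            $hit = switch ($rule.Match) {
                # -eq and -like are case-insensitive in PowerShell; the
                # pattern is escaped so '*' or '?' in an event string is literal.
                'Exact'    { $event.Description -eq $rule.Pattern }
                'Contains' { $event.Description -like ('*' + [WildcardPattern]::Escape($rule.Pattern) + '*') }
            }
            if ($hit) {
                $result += [pscustomobject]@{ Learner = $event.Email; Campaign = $rule.Campaign }
            }
        }
    }
    # A learner matched by several events should be enrolled once per campaign.
    $result | Sort-Object Learner, Campaign -Unique
}

Get-Enrollments -Events $events -Learners $siqLearners -Rules $rules | Format-Table -AutoSize
```

With the constructed data this yields two enrollments: alice in "Malware Basics" (substring rule) and bob in "Removable Media Safety" (exact rule). The email-less event and Eve's event are dropped before any rule is evaluated, which is the behaviour the "Remember" paragraph under How It Works describes.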

Automating the Process

After you have completed the above steps, enrollments can be automated by using the Microsoft Task Scheduler. Simply create a task to run the “symantic_integration_scheduler.exe” once per day. Ensure that the “config.json” and “enrollment_rules.json” files are in the same directory as the “symantic_integration_scheduler.exe” file.


The “symantic_integration_scheduler.exe” queries events going back one day. It is important that it is run daily to avoid missing events.

  1. Open Microsoft Task Scheduler Service and select Create Basic Task.
  2. Name your task and click Next.
  3. Configure your trigger and click Next.
  4. Select “Start a program” and click Next.
  5. Browse to select the “symantic_integration_scheduler.exe”.
  6. Click Next.
  7. Click Finish.
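The same daily task can be registered from PowerShell instead of the Create Basic Task wizard, which is handy when the tool has to be deployed on more than one machine. This is an added example, not part of the original article or the toolset; it uses the built-in ScheduledTasks module (Windows 8 / Server 2012 or later, which also satisfies the PowerShell 4.0 requirement). The install directory `C:\SIQ-Symantec`, the service account `DOMAIN\svc-siq` and the 06:00 run time are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article): register the daily run of
# symantic_integration_scheduler.exe with the ScheduledTasks module.
$toolDir = 'C:\SIQ-Symantec'   # assumed directory holding the .exe, config.json and enrollment_rules.json
$exe     = Join-Path $toolDir 'symantic_integration_scheduler.exe'

# The scheduler expects both JSON files beside the executable; fail early if they are missing.
foreach ($required in 'symantic_integration_scheduler.exe', 'config.json', 'enrollment_rules.json') {
    if (-not (Test-Path (Join-Path $toolDir $required))) {
        throw "$required is missing from $toolDir; the scheduler needs it in the same directory as the .exe"
    }
}

# -WorkingDirectory matters: the tool looks for config.json and enrollment_rules.json
# in the directory it is run from, not in the directory of the .exe.
$action = New-ScheduledTaskAction -Execute $exe -WorkingDirectory $toolDir

# The tool only looks back one day, so it must run every day.
$trigger = New-ScheduledTaskTrigger -Daily -At 6:00am

# Run as a dedicated low-privilege account (assumed name) whether or not anyone is
# logged on. S4U stores no password; the tool authenticates to both APIs with the
# keys in config.json, so it needs no Windows network credentials.
$principal = New-ScheduledTaskPrincipal -UserId 'DOMAIN\svc-siq' -LogonType S4U -RunLevel Limited

# StartWhenAvailable catches up if the machine was off at 06:00, so a day is not skipped;
# IgnoreNew prevents overlapping runs if a previous load of events is still in progress.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName 'SecurityIQ Symantec Enrollment' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings

# Verify the registration and the next scheduled run.
Get-ScheduledTask -TaskName 'SecurityIQ Symantec Enrollment' | Get-ScheduledTaskInfo
```

Because `config.json` holds the SecurityIQ API key and the Symantec client secret, keep the tool directory readable only by the account the task runs as and by administrators; the working-directory setting above is also why a copy of the .exe elsewhere on disk would silently run without any rules.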

