Configuring Broadcom (Symantec) Cloud Workload Protection Connectors
The Broadcom (Symantec) Cloud Workload Protection connector allows you to ingest event and alert logs to the Stellar Cyber data lake.
Connector Overview: Broadcom (Symantec) Cloud Workload Protection
Capabilities
-
Collect: Yes
-
Respond: No
-
Native Alerts Mapped: No
-
Runs on: DP
-
Interval: Configurable
Collected Data
Content Type |
Index |
Locating Records |
---|---|---|
Alert Event-CWP Event-CWP-S Event-CWP-SPE |
Syslog |
Domain
https://scwp.securitycloud.symantec.com |
Response Actions
N/A
Third Party Native Alert Integration Details
N/A
Required Credentials
-
Customer ID, Domain ID, Client ID, and Client Secret
Let us know if you find the above overview useful.
Adding a Broadcom (Symantec) Cloud Workload Protection Connector
To add the Broadcom (Symantec) Cloud Workload Protection connector:
Obtaining the Required Credentials
To configure this connector in Stellar Cyber, you will need the following information from your Broadcom (Symantec) Cloud Workload Protection deployment:
-
Customer ID
-
Domain ID
-
Client ID
-
Client Secret
Adding the Connector in Stellar Cyber
With the configuration information handy, you can add the Broadcom (Symantec) Cloud Workload Protection connector in Stellar Cyber:
-
Log in to Stellar Cyber.
-
Click System | Integration | Connectors. The Connector Overview appears.
-
Click Create. The General tab of the Add Connector screen appears. The information on this tab cannot be changed after you add the connector.
The asterisk (*) indicates a required field.
-
Choose Cloud Security from the Category drop-down.
-
Choose Symantec Cloud Workload Protection from the Type drop-down.
-
For this connector, the supported Function is Collect, which is enabled already.
-
Enter a Name.
This field does not accept multibyte characters.
-
Choose a Tenant Name. The Interflow records created by this connector include this tenant name.
-
Choose the device on which to run the connector .
-
(Optional) When the Function is Collect, you can create Log Filters. For information, see Managing Log Filters.
-
Click Next. The Configuration tab appears.
The asterisk (*) indicates a required field.
-
Enter the Customer ID you copied earlier.
-
Enter the Domain ID you copied earlier.
-
Enter the Client ID you copied earlier.
-
Enter the Client Secret you copied earlier.
-
Choose the Interval (min). This is how often the logs are collected.
-
Select the Content Type you want to collect:
-
Alert
-
Event CWP
-
Event CWP-S
-
Event CWP-SPE
-
-
Click Next. The final confirmation tab appears.
-
Click Submit.
To pull data, a connector must be added to a Data Analyzer profile if it is running on the Data Processor.
The new connector is immediately active.
Testing the Connector
When you add (or edit) a connector, we recommend that you run a test to validate the connectivity parameters you entered. (The test validates only the authentication / connectivity; it does not validate data flow).
For connectors running on a sensor, Stellar Cyber recommends that you allow 30-60 seconds for new or modified configuration details to be propagated to the sensor before performing a test.
-
Click System | Integrations | Connectors. The Connector Overview appears.
-
Locate the connector that you added, or modified, or that you want to test.
-
Click Test at the right side of that row. The test runs immediately.
Note that you may run only one test at a time.
Stellar Cyber conducts a basic connectivity test for the connector and reports a success or failure result. A successful test indicates that you entered all of the connector information correctly.
To aid troubleshooting your connector, the dialog remains open until you explicitly close it by using the X button. If the test fails, you can select the button from the same row to review and correct issues.
The connector status is updated every five (5) minutes. A successful test clears the connector status, but if issues persist, the status reverts to failed after a minute.
Repeat the test as needed.
Verifying Ingestion
To verify ingestion:
- Click Investigate | Threat Hunting. The Interflow Search tab appears.
- Change the Indices to Syslog. The table immediately updates to show ingested Interflow records.