Symantec Connector

Symantec Endpoint Protection (SEP), part of the Broadcom Cybersecurity Portfolio, provides a complete security solution for protecting enterprise endpoints from various threats.

What is a Symantec Connector

The Symantec Connector creates a secure bridge between your Symantec cloud security platform and Qualys ETM. When configured, it automatically transfers asset inventory and security findings through scheduled API calls. Qualys ETM then processes this data by:

Deduplicating redundant entries
Normalizing data formats
Enriching findings with additional context
Calculating risk scores using TruRisk

Category	Supported Data Type	Supported Asset Type
API Connector	Asset	Host Asset

The Symantec Broadcom connector performs a full data pull during each run, as the Broadcom API does not support incremental (delta) data retrieval.

Prerequisites

These are the required configurations to create a Symantec Broadcom connection with Qualys ETM successfully.

User Roles and Permissions

To establish a secure connection between the Symantec connector and Qualys ETM, you must generate an Auth token that will be used in API requests to access resources. To obtain the Auth token, visit the Symantec Endpoint Security cloud environment URL: https://api.sep.eu.securitycloud.symantec.com/v1/oauth2/tokens

How to Generate the Auth token

Login to your Symantec Endpoint Security console.
On the left navigation menu, click Integration > Client Application.
Click Add.
Provide a Client application name, then click Add. The client application details screen appears.
On the client application details screen, select the privileges/options for your application, then click Save.
1. For Group Management, select View, Create and Edit.
2. For Remotely Run Commands, select Run Commands.
Click on the Kebab icon on the right side of your created client application and select Client Secret.
Copy the OAuth credentials.
Run curl with the required header to generate the Auth token.
curl -X POST https://api.sep.eu.securitycloud.symantec.com/v1/oauth2/tokens -H “accept: application/json” -H “authorization: {{OAuth Credentials value}}" -H “content-type: application/x-www-form-urlencoded”

Create a New API Connector

Basic Details

Provide the Connector's Name and Description.
Select the type of Data Model you want to import - currently, we support Asset.
Select the Data Model Type - currently we support Host Asset.
The following screenshot displays the Basic Details fields.
Next, provide the Credential token generated earlier in the API authentication details of the Symantec environment.

Data Model

The Symantec Connector offers an out-of-the-box data model mapping for mapping with Qualys ETM schema. You can view the schema to understand the attributes in the data model.

Transform Maps

Transform Maps ensure the data is transformed correctly during the import or export process.

The Symantec Connector offers an out-of-the-box transform map so you can proceed without further configuration. View the map to understand the data transformation, or clone it to edit its configurations.

Click Create New to create a new Transform Map.

Perform the following steps to configure a Transform Model:

Transform Map Name: Enter a unique name for the Transform Map. This name helps identify the specific transformation configuration within this connector.
Symantec Data Model: Select the Symantec data model that serves as the input for the transformation. This is the model from which data will be extracted.
Qualys Data Model: Select the Qualys data model to receive the transformed data. This model defines how the data will be structured after the transformation.

Click Add to create and display the mapping for the Symantec Field, Source Data Type, and Qualys Field below the section. This visual helps ensure that all necessary fields are mapped correctly and allows easy verification and adjustments.

Profile

Create a profile for your connector. A profile decides the connector status, execution schedule and transform map to choose. The connector follows the configurations of this profile for all future executions.

Click the "+" to create a new profile.

In the Profile screen, provide the necessary inputs for your new profile.

Provide a Name and Description.

Select the required Transform Map for the data mapping.

The Data Model Type field lets you choose the type of data mapped from Symantec. Currently, we only support Assets.

The Status field determines whether the connector should be in Active or Inactive state after creation.

Lastly, the Schedule section lets you create a Single Occurence or Recurring schedule. Provide the exact date and time for the Single Occurence execution and the Start and End date/time for the Recurring schedule.

Select Identification Rules

The Identification Rules are a set of out-of-the-box precedence rules set by Qualys CSAM. The connector discovers findings based on the order set by the selected Identification Rules.

You can proceed to the next step without making any changes to this screen.

If you don't want to choose a specific rule, turn off the toggle next to it. But, ensure that at least one rule is selected.

To learn more about the different rules and options present in this screen, refer to the CSAM Online Help.

Review and Confirm

Review the configurations provided in the previous steps. Ensure all details are correct and complete. Confirm the setup to finalize the configuration of the API connector.

This streamlined process allows for efficient data integration, ensuring accuracy and consistency across systems.

Saving and Running the Connector

Save and run the connector to process the data accordingly, transforming and importing it as per the configurations set.

How Does a Connection Work?

The Symantec connector functions through configured profiles that define which endpoint assets to synchronize. The connector operates on a scheduled basis (or on-demand), pulling asset and agent data from Symantec into Qualys ETM for consolidated visibility.

Once configured, your Symantec connector appears in the Processed state in the Connector screen.

Connector States

A successfully configured connector progresses through the following states:

Registered – Connector created and ready to fetch data
Scheduled – Connector is scheduled to run
Processing – Connector is actively pulling data
Processed – Connector has completed asset data import

It may take up to 2 hours to fully process and populate the asset data in Qualys ETM.

View Assets and Findings in ETM

Navigate to Enterprise TruRisk Management (ETM) to analyze imported endpoint data.

View Assets

Go to Assets > Endpoint Asset
Use the filter:inventory: (source: 'Symantec')to view assets imported from Symantec.

These assets include endpoint metadata such as hostname, OS, agent version, and installation status.

Additional Information

API Reference

Name	Key	Type	Example
Auth API	url	String	GET Symantec devices Limitations: Rate limit: 5000 per hour
Batch Size	limit	Integer	value can be 1 - 1000 Default batch size: 1000
Offset	offset	Integer	Default value: 0

Data Model Mapping

This section explains the attribute mappings of the values from Symantec and Qualys ETM.

Symantec Transformation Mapping

Here's the Symantec Transformation Map:

Symantec Field (Source)	Transformation Field (Target)
id	externalAssetId (Required)
name	assetName
id	cloudInstanceId
domain	dnsName
domain	fqdn
ipv4Address	ipAddress
macAddress	macAddress
operating system user	lastLoggedOnUser
operating system name	operatingSystemName
operating system architecture	operatingSystemArchitecture
number of CPU	numberOfCpu
operating system type	System Type
serialNumber	serialNumber
operating system version	operatingSystemVersion
cpu type	processorDescription
ipv4Address	interfaceName
hardware uuid	netBiosName