Integrating Symantec CloudSOC with Symantec ICA

Symantec ICA pulls Symantec CloudSOC data by using an import utility that calls the CloudSOC API and downloads the data into a relational database. The data from this database is then imported into Symantec ICA using the Integration Wizard. This one-way pull lets the Symantec CloudSOC data be correlated with the data that Symantec ICA has already collected, providing additional context for advanced reporting and behavior analytics. The integration is a critical component for realizing the benefit of Symantec ICA for the management and bulk remediation of security and access events in cloud applications, and for highlighting prioritized events and top offenders in your environment.

Configuring and Using the Import Utility

Administrators use the JSON import utility to pull events into Symantec ICA from their other security tools. The following procedure describes how to use the JSON import utility for Symantec CloudSOC:
  1. Copy the JsonImporter ZIP file to the Symantec ICA database utilities folder on the server that will run the import utility. The default name for the folder is DatabaseUtilities.
  2. Unzip the JsonImporter file.
  3. Use Microsoft SQL Server Management Studio (SSMS) to create a database for the imported events, and name it CloudSOCDW. Set the database to the simple recovery model instead of full.
  4. Run the JsonDW_Create.SQL script on the CloudSOCDW database to create the base tables and the initialization stored procedures. The script is located in the JsonImporter folder.
  5. Run the spInitializeCloudSOC stored procedure on the CloudSOCDW database to create and populate the tables.
  6. Edit the ApplicationSettings table so that it contains the correct API URL and user name. The password is stored later in this procedure (step 9), in encrypted form.
  7. Update the <appSettings> section of the JsonImporter.exe.config file for the Symantec CloudSOC import: uncomment the CloudSOC settings and comment out the settings for the other import sources.
  8. Update the data source in the <connectionStrings> section with the name of the SQL Server instance that hosts the CloudSOCDW database.
  9. Run the following command to store an encrypted password for the API user in the ApplicationSettings table. Because the password is passed as a command-line argument, run the command interactively rather than from a saved script:
     JsonImporter.exe -password password_for_API
  10. Run JsonImporter.exe from the command line to create the metadata tables, connect to the API, and pull the data. Monitor the log files to check the progress of the import.
  11. (Optional) Set up a SQL Server Agent job to run the import automatically on a schedule.
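The following T-SQL carries out steps 3 and 11 of the procedure above. It is an added example and is not part of the Symantec documentation or the JsonImporter package; the folder path C:\DatabaseUtilities\JsonImporter, the Windows service account, and the credential, proxy, job and schedule names are assumptions. The Agent step is bound to a proxy so that JsonImporter.exe runs under a dedicated low-privilege Windows account instead of the SQL Server Agent service account.

```sql
-- Added example (not Symantec code). Assumed values: the folder
-- C:\DatabaseUtilities\JsonImporter, the account DOMAIN\svc_cloudsoc_import,
-- and the credential/proxy/job/schedule names below.

-- Step 3: create the import database and switch it to the simple recovery
-- model so the transaction log does not grow across repeated bulk loads.
CREATE DATABASE CloudSOCDW;
GO
ALTER DATABASE CloudSOCDW SET RECOVERY SIMPLE;
GO
-- Check the recovery model; expect SIMPLE.
SELECT name, recovery_model_desc
FROM sys.databases
WHERE name = N'CloudSOCDW';
GO

-- Step 11: schedule JsonImporter.exe with SQL Server Agent. A CmdExec step
-- runs as the Agent service account unless a proxy is specified, so bind
-- the step to a proxy that maps to a low-privilege Windows account that only
-- needs access to the JsonImporter folder and outbound access to the API.
USE msdb;
GO
CREATE CREDENTIAL CloudSOCImportCred
    WITH IDENTITY = N'DOMAIN\svc_cloudsoc_import',   -- assumed account
         SECRET   = N'<service-account-password>';
GO
EXEC dbo.sp_add_proxy
    @proxy_name      = N'CloudSOCImportProxy',
    @credential_name = N'CloudSOCImportCred',
    @enabled         = 1;
EXEC dbo.sp_grant_proxy_to_subsystem
    @proxy_name   = N'CloudSOCImportProxy',
    @subsystem_id = 3;                               -- 3 = CmdExec
GO
EXEC dbo.sp_add_job
    @job_name    = N'CloudSOC JSON import',
    @enabled     = 1,
    @description = N'Pulls CloudSOC events into CloudSOCDW with JsonImporter.exe';
EXEC dbo.sp_add_jobstep
    @job_name          = N'CloudSOC JSON import',
    @step_name         = N'Run JsonImporter',
    @subsystem         = N'CmdExec',
    @command           = N'cd /d C:\DatabaseUtilities\JsonImporter && JsonImporter.exe',
    @proxy_name        = N'CloudSOCImportProxy',
    @on_success_action = 1;                          -- quit, report success
EXEC dbo.sp_add_schedule
    @schedule_name        = N'CloudSOC import every 4 hours',
    @freq_type            = 4,                       -- daily
    @freq_interval        = 1,
    @freq_subday_type     = 8,                       -- unit: hours
    @freq_subday_interval = 4,
    @active_start_time    = 001500;                  -- 00:15:00
EXEC dbo.sp_attach_schedule
    @job_name      = N'CloudSOC JSON import',
    @schedule_name = N'CloudSOC import every 4 hours';
EXEC dbo.sp_add_jobserver
    @job_name    = N'CloudSOC JSON import',
    @server_name = N'(local)';
GO
```

The job step's working directory matters because JsonImporter.exe reads its JsonImporter.exe.config from the folder it runs in and writes its log files there, so the proxy account needs modify rights on that folder and nothing else on the server.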

Configuring the Integration Wizard Components

The spIW_UnattendedInstallCloudSOC stored procedure configures the necessary Integration Wizard components. The components are as follows:
  • Data source
  • Query
  • Integration pack
  • Import rule
  • Import rule mapping
  • Populate staging tables
The following procedure describes how to use the stored procedure to configure the integration wizard components:
  1. Run the following stored procedure on the Symantec ICA database to pull data from the CloudSOC database into Symantec ICA:
     EXEC dbo.spIW_UnattendedInstallCloudSOC
         @i_bUpdateExisting = 1,
         @i_sLinkedServerDataSource = 'CloudSOC_host',
         @i_sLinkedServerCatalog = 'CloudSOCDW',
         @i_sLinkedServerRemoteUser = 'CloudSOC_database_user',             -- (1)
         @i_sLinkedServerRemotePassword = 'CloudSOC_database_user_password', -- (2)
         @i_dJobStartDate = 'date_to_start_job',
         @i_nJobIntervalMinutes = minutes_between_job_runs,
         @i_bRunDataSourceQueries = 1;                                       -- (3)
     Replace CloudSOC_host, CloudSOC_database_user, CloudSOC_database_user_password, date_to_start_job and minutes_between_job_runs with the values for your environment.
     If the CloudSOCDW database is on a different server from the Symantec ICA database, the user and password at (1) and (2) are needed for the linked server to connect to the source database. Use a login that has only read access to CloudSOCDW, since the procedure only pulls data from it.
     The @i_bRunDataSourceQueries parameter at (3) populates the staging tables. Set it to 0 (zero) if you do not want to populate the staging tables at this time.
     Wait for the Integration Wizard jobs to complete before proceeding to the next step.
  2. Run the nightly job to populate the Symantec ICA event tables.
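As an added example, not Symantec's code, the following T-SQL creates the read-only login that the linked server credentials at (1) and (2) should use, on the server that hosts CloudSOCDW, and then, on the Symantec ICA server, checks the linked-server login mapping that the stored procedure created. The login name ica_linked_reader and its password are assumptions, and the check assumes that the procedure registers the linked server with CloudSOCDW as its catalog, as its @i_sLinkedServerCatalog parameter suggests.

```sql
-- Added example (not Symantec code). Assumed names: the login
-- ica_linked_reader and its password.

-- On the server that hosts CloudSOCDW: a SQL login that can read the
-- warehouse and nothing else. This is the account to pass as
-- @i_sLinkedServerRemoteUser / @i_sLinkedServerRemotePassword.
USE master;
GO
CREATE LOGIN ica_linked_reader
    WITH PASSWORD = N'<strong-random-password>',
         CHECK_POLICY = ON;
GO
USE CloudSOCDW;
GO
CREATE USER ica_linked_reader FOR LOGIN ica_linked_reader;
ALTER ROLE db_datareader ADD MEMBER ica_linked_reader;
GO

-- On the Symantec ICA server, after spIW_UnattendedInstallCloudSOC has run:
-- confirm that the linked server points at CloudSOCDW and that every local
-- login is mapped to the read-only remote login rather than passing the
-- caller's own credentials through (uses_self_credential = 1 would mean
-- impersonation, which ties the integration to the privileges of whoever
-- runs the jobs).
SELECT s.name            AS linked_server,
       s.data_source,
       s.catalog,
       l.local_principal_id,        -- 0 = default mapping for all logins
       l.remote_name,
       l.uses_self_credential
FROM sys.servers s
JOIN sys.linked_logins l ON l.server_id = s.server_id
WHERE s.is_linked = 1
  AND s.catalog = N'CloudSOCDW';
-- Expected: remote_name = ica_linked_reader and uses_self_credential = 0.
```

If the query shows a remote_name with broader rights, or uses_self_credential = 1, correct the mapping with sp_addlinkedsrvlogin rather than widening the permissions of ica_linked_reader.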