Accenture MDR Quick Start Guide for Symantec™ Email Threat Detection and Response

This quick start guide helps Accenture MDR customers configure Symantec Email Threat Detection and Response so that the Log Collection Platform (LCP) can collect its logs.

The document includes the following topics:

  • Supported Versions

  • Port Requirements

  • Configuring Symantec Email Security.cloud

  • Creating New Request for Monitoring

  • LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MSS_Supported_Products_List.xlsx), which can be found on the Accenture Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

  Source   Destination                     Port          Description
  LCP      Symantec Email Security.cloud   443 (https)   Default port; outbound from the LCP to the data feed URL

Configuring Symantec Email Security.cloud

  1. A customer with Email Security.cloud and Symantec Email Threat Detection and Response services logs in to the Symantec.cloud portal at https://identity.symanteccloud.com/Logon.

  2. The customer's Email Security.cloud portal administrator creates an additional, dedicated user with the View Statistics permission for the Symantec Email Threat Detection and Response (ATP Email) and Anti-Malware services. If the customer has also purchased the Email Threat Isolation service and wants to receive URL Isolation data, the user account must have the View Statistics permission for Email Threat Isolation as well. View Statistics is the only permission the LCP needs; do not grant this account administrative roles.

  3. The username and password of this user are provided to the MSS onboarding team (see Creating New Request for Monitoring below).

Note: The API identifies the caller by its unique user ID (UserName), which is authenticated against the View Statistics role in ClientNet. Only valid users who hold the View Statistics role on the associated service for the given customer ID receive data.

To create a user, follow the steps below.

  1. Select Administration > User Management.

  2. Click Create new user.

  3. Enter the user's full name (required), login name (required), and email address (optional).

  4. Select the Preferred language that the portal displays in. Set this to English.

  5. Select the Preferred time zone for the user. The default time zone is GMT.

  6. Enter a password for the user (required).

  7. Ensure that the User is enabled setting is set to Yes.

  8. Click Save and Exit.

To define the custom user role, follow the steps below.

  1. Select Administration > User Management.

  2. Select the user created above.

  3. Click the User roles tab.

  4. Click Create custom role.

  5. From the drop-down list in the Permission section, select the role to apply for this user: View Statistics.

  6. From the drop-down list in the Services section, select the service to apply the permission to: Advanced Threat Protection (ATP Email), Anti-Malware, or, if URL Isolation data is required, Email Threat Isolation. Only one service is selected per append.

Note: Events from other services, such as Email Antispam and Email Data Protection, are not logged to Symantec.cloud, so a View Statistics role on those services yields no data for the LCP.

  7. Select All domains.

  8. Click Append Role.

Note: Administrators must append the custom role to the user once for each service: once for Advanced Threat Protection, again for Anti-Malware, and a third time for Email Threat Isolation if URL Isolation data is to be received.
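The role-append procedure above, together with the note at the start of this section that the API checks the View Statistics role per service, can be verified before the credentials are handed over. The following Python script is an added example and is not Accenture or Symantec code: it models the guide's rule (a user receives a feed only when View Statistics has been appended for every service the feed draws on, with All domains selected) and reports which appends are still missing for a given Feeds to Fetch value. The service names and the feed values malware, all and isolation are taken from this guide; the data structures, function names, the mapping of "all" to all three services, and the sample user are this example's own assumptions.

```python
"""Check whether a Symantec.cloud portal user's appended custom roles entitle
the LCP to the feed it is configured to fetch.

Added example, not Accenture or Symantec code. It models the guide's rule:
a user receives feed data only if it holds the View Statistics role on every
service that feed draws from, appended once per service with All domains.
"""
from dataclasses import dataclass, field

VIEW_STATISTICS = "View Statistics"

# Service names as they appear in the portal's Services drop-down (per the guide).
ATP_EMAIL = "Advanced Threat Protection"   # the guide also calls this "ATP Email"
ANTI_MALWARE = "Anti-Malware"
THREAT_ISOLATION = "Email Threat Isolation"

# Services each "Feeds to Fetch" value needs View Statistics on.
# Assumption: "all" means malware plus isolation data, so it needs all three.
FEED_SERVICES = {
    "malware": {ATP_EMAIL, ANTI_MALWARE},
    "isolation": {ATP_EMAIL, ANTI_MALWARE, THREAT_ISOLATION},
    "all": {ATP_EMAIL, ANTI_MALWARE, THREAT_ISOLATION},
}

# Services the guide says are not logged to Symantec.cloud; a role appended
# for them grants nothing the LCP can use.
NOT_LOGGED = {"Email Antispam", "Email Data Protection"}


@dataclass(frozen=True)
class AppendedRole:
    """One 'Append Role' action on the User roles tab (hypothetical model)."""
    permission: str            # e.g. "View Statistics"
    service: str               # one service per append
    all_domains: bool = True   # step 7: "Select All domains"


@dataclass
class PortalUser:
    """Portal user as created under Administration > User Management (hypothetical model)."""
    login_name: str
    enabled: bool = True       # "User is enabled" set to Yes
    roles: list = field(default_factory=list)

    def services_with_view_statistics(self) -> set:
        return {
            r.service for r in self.roles
            if r.permission == VIEW_STATISTICS and r.all_domains
        }


def missing_services(user: PortalUser, feed: str) -> set:
    """Services that still need View Statistics appended before `feed` can be fetched.

    Raises ValueError for a feed value the LCP collector does not accept.
    """
    if feed not in FEED_SERVICES:
        raise ValueError(f"unknown feed {feed!r}; expected one of {sorted(FEED_SERVICES)}")
    if not user.enabled:
        # A disabled user receives nothing, whatever roles it holds.
        return set(FEED_SERVICES[feed])
    return FEED_SERVICES[feed] - user.services_with_view_statistics()


def useless_roles(user: PortalUser) -> list:
    """Appended roles that grant no feed data: wrong permission, unlogged service, or domain-scoped."""
    return [
        r for r in user.roles
        if r.permission != VIEW_STATISTICS or r.service in NOT_LOGGED or not r.all_domains
    ]


def can_fetch(user: PortalUser, feed: str) -> bool:
    return not missing_services(user, feed)


if __name__ == "__main__":
    # Constructed sample: the administrator appended the role once for ATP and
    # once for a service that is not logged, so every feed is still incomplete.
    lcp_user = PortalUser("lcp-collector", roles=[
        AppendedRole(VIEW_STATISTICS, ATP_EMAIL),
        AppendedRole(VIEW_STATISTICS, "Email Antispam"),
    ])
    for feed_name in ("malware", "isolation", "all"):
        status = "ok" if can_fetch(lcp_user, feed_name) else f"missing {sorted(missing_services(lcp_user, feed_name))}"
        print(f"{feed_name}: {status}")
    print("roles granting nothing:", [r.service for r in useless_roles(lcp_user)])
```

Run it against the roles actually listed on the user's User roles tab; an empty result from missing_services for the feed named in the New Request means the portal side of the onboarding is complete.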

Creating New Request for Monitoring

Once the portal user is configured as outlined in the steps above and all network prerequisites (Table 1-1) have been met, the service is ready to be onboarded for MSS monitoring. To complete this process, submit a New Request via the MSS Portal at https://mss.accenture.com/. The request should contain the following information:

  1. Reporting LCP Hostname/IP Address:

  2. URL of Email.Cloud:

  3. User Name:

  4. Password:

  5. Feeds to Fetch:

If you have any questions about this process, please contact your Onboarding Engineer or Service Manager.

LCP Configuration Parameters

Table 1-2: Properties of the Symantec Email Security.cloud sensor (Web Service API v7.00.00 event collector, API - 3856) that MSS configures on the LCP.

  Property                           Default Value                                   Description
  URL of Email.Cloud to fetch logs   https://datafeeds.emailsecurity.symantec.com    URL of the email data feed the LCP connects to (HTTPS, port 443).
  User Name                          Custom Value                                    Login name of the View Statistics user created in the Symantec.cloud portal.
  Password                           Custom Value                                    Password of that user.
  Feeds to Fetch                     Malware                                         Which feed to query: malware only, all logs, or URL Isolation data. Possible values: malware, all, isolation.


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.