Symantec Endpoint Protection Cloud (SEPC)

SecurityIQ already provides a turnkey integration for Symantec Endpoint Protection Cloud (SEPC) that runs on all modern Microsoft Windows environments. It is built with PowerShell and is open source. You can find out more about integrating SEPC with SecurityIQ here.

Writing Your Own Integration

If you are not currently using an endpoint-protection vendor that we have a built-in integration with, you can still use our REST API to accomplish the same functionality. Before you begin, there are three prerequisites that need to be met:

1. Request an API key from the SecurityIQ app on this page.
2. Make sure your endpoint protection software provides programmatic access to security events, including the email address of the end user (learner).
3. Pick your favorite programming or scripting language.

This write-up covers version 1.0 of the SecurityIQ API, the documentation for which can be found here. The basic architecture of this integration is very simple. Your code will periodically query the endpoint protection software for new security events and, when new events are found, use the SecurityIQ API to enroll the affected learners into the appropriate Just-in-Time Awareness Campaigns. This flow can be broken down into individual API calls:

Querying Security Events

Each endpoint protection system will have a different API with its own quirks and features, but virtually all of them provide a mechanism for querying security events (e.g. the user tried to open a piece of dangerous malware and was protected from being infected). These events are what you will pair with campaigns in SecurityIQ. How exactly you query these events will depend on the endpoint protection vendor you select, so be sure to consult their documentation and build a basic understanding of how their individual APIs work.

Learner and Campaign Data

We humans think in terms of learner “Adam Smith” or campaign “2018 Just-in-Time Malware Training,” but APIs prefer unique identifiers like “7815696ecbf,” and the SecurityIQ API is no exception. Whenever you communicate with the SecurityIQ API about a learner or campaign, it expects you to refer to them not by their ordinary names but by those unique IDs. Fortunately, it provides a very simple and convenient way to look them up. Suppose you query security events and determine that bob@example.com tried to infect himself with malware. You can then dispatch a GET request to /learners?email=bob@example.com and get back a JSON response telling you that Bob’s unique ID is, say, 12345. For more information and examples, see here.

Looking Up Learners

The Python code snippet below will look up a learner by their email address and return the ID you will use in subsequent requests. In the JSON response below you will see the ID that corresponds with the email address we searched for. This ID is what we will use to enroll Bob into a campaign.

    {
      "data": [
        {
          "id": 307930,
          "email": "bob@example.com",
          "first_name": "Bob",
          "last_name": "Smith"
        }
      ]
    }

The exact same technique can be used to query campaigns.

Enrolling Learners Into Campaigns

The end goal of our integration is to enroll learners into campaigns, and this is done through the Enrollment API. In order to enroll a learner into a campaign you will need to know two things: the ID of the learner and the ID of the campaign. Equipped with those, you can dispatch a POST request to /campaigns/:campaignId/enrollments. For more details and examples, see here. How does that look in Python code? Let’s see:

A successful enrollment request will return a response containing an ID that represents this enrollment as well as information about the learner and campaign.

That is all that’s involved in integrating SecurityIQ with your endpoint protection system of choice. Armed with the three SecurityIQ API endpoints described above, you have all the tools you need to enroll your learners into awareness campaigns.
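The whole flow described above (poll for new events, look up each learner by email, enroll the learner in the campaign) as one added Python example. This is not SecurityIQ's own code; the base URL, the X-API-Key header name, and the enrollment request body are assumptions, as is the shape of the event records your endpoint protection vendor returns.

```python
"""Added example (not SecurityIQ's code): poll -> look up learner -> enroll.
Assumed, not from the page: BASE_URL, the 'X-API-Key' header and the
enrollment body {"learner_id": <id>}; confirm them against the API docs."""
import json
import urllib.request
from urllib.parse import urlencode

BASE_URL = "https://securityiq.example/api/v1"  # placeholder, not the real host


def urllib_transport(api_key):
    """Real transport: returns send(method, path, body) -> parsed JSON."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            BASE_URL + path, data=data, method=method,
            headers={"X-API-Key": api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def lookup_learner_id(send, email):
    """GET /learners?email=<addr>; return the learner's unique ID or None."""
    path = "/learners?" + urlencode({"email": email})  # encode, never interpolate
    records = send("GET", path).get("data", [])
    # Only trust an exact (case-insensitive) address match, not the first row.
    hits = [r for r in records if r.get("email", "").lower() == email.lower()]
    return hits[0]["id"] if hits else None


def enroll(send, campaign_id, learner_id):
    """POST /campaigns/:campaignId/enrollments; return the new enrollment ID."""
    body = {"learner_id": learner_id}  # assumed body shape
    return send("POST", f"/campaigns/{int(campaign_id)}/enrollments", body)["id"]


def process_events(send, events, campaign_id, seen_event_ids):
    """Enroll the learner behind each unseen event once; returns
    [(event_id, enrollment_id)]. Events are dicts with 'id' and 'user_email'
    (constructed shape; real vendors differ); seen_event_ids persists across polls."""
    made = []
    for ev in events:
        if ev["id"] in seen_event_ids:
            continue  # already handled on an earlier poll
        seen_event_ids.add(ev["id"])
        learner_id = lookup_learner_id(send, ev["user_email"])
        if learner_id is None:
            continue  # address unknown to SecurityIQ: skip, don't fail the run
        made.append((ev["id"], enroll(send, campaign_id, learner_id)))
    return made
```

Pass `urllib_transport(api_key)` as `send` in production; in tests, pass any callable with the same signature that returns canned JSON.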