Retrieving Event Stream via SES API

Scenario and Goal

We want to retrieve real-time event streams from Symantec Endpoint Security (SES) and output them locally or forward them to a log platform. This article demonstrates how to:

  1. Create a Client Application in the SES console (to obtain OAuth2 credentials)
  2. Create an Event Stream in the SES console (to obtain a Stream GUID)
  3. Use a Python script to connect to the API and print events
  4. Validate the setup by applying a policy change

1. Create a Client Application

  1. Log in to the SES console → Integration → Client Applications.
  2. Click Add, enter a name, and save.
  3. In the application’s menu, select Client Secret and copy the OAuth Credentials (a value of the form Basic xxx).
  4. Assign the necessary privileges to the Client Application.

2. Create an Event Stream

  1. SES console → Integration → Event Streams.
  2. Create a new stream and select the event types and fields to export.
  3. Save and obtain the stream’s GUID.

3. Python Example Script

This script will:

  • Use the Basic credentials to obtain a Bearer token
  • Open the specified Event Stream
  • Continuously print events to standard output

#!/usr/bin/env python3
import json
import requests

OAUTH_CRED = "Basic <Your OAuth Credentials>"   # copied from Client Secret in the SES console (step 1)
STREAM_GUID = "<Your Stream GUID>"              # GUID of the Event Stream created in step 2
BASE = "https://api.sep.securitycloud.symantec.com"

# Exchange the Basic client credentials for a short-lived Bearer token
tok_resp = requests.post(
    f"{BASE}/v1/oauth2/tokens",
    headers={
        "accept": "application/json",
        "authorization": OAUTH_CRED,
        "content-type": "application/x-www-form-urlencoded",
    },
    data={"grant_type": "client_credentials"},
    timeout=30,
)
tok_resp.raise_for_status()   # fail clearly on bad credentials instead of a KeyError below
tok = tok_resp.json()["access_token"]

# Open the Event Stream as a long-lived, chunked HTTP response
with requests.post(
    f"{BASE}/v1/event-export/stream/{STREAM_GUID}/0",
    params={"ConnectionTimeout": "5"},
    headers={
        "Authorization": f"Bearer {tok}",
        "Accept-Encoding": "gzip",
        "Content-Type": "application/json",
    },
    json={},
    stream=True,
) as r:
    r.raise_for_status()
    # Each non-empty line is a JSON object whose "events" array holds zero or more events
    for line in r.iter_lines(decode_unicode=True):
        if not line:
            continue   # skip blank lines
        for ev in json.loads(line).get("events", []):
            print(json.dumps(ev, ensure_ascii=False), flush=True)
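As an added example (not part of the original post), the module below separates line parsing from forwarding so the read loop above can hand events to a log-platform sink instead of print(), while tolerating blank or malformed lines instead of aborting the stream. The sample lines, event field names and the sink are constructed for illustration, not real SES output or API.

```python
#!/usr/bin/env python3
"""Parse SES event-stream lines and forward events to a sink (added example)."""
import json
from typing import Callable, Iterable


def extract_events(line: str) -> list:
    """Return the events carried by one stream line.

    A line is a JSON object with an "events" array; blank, non-JSON or
    eventless lines yield [] so the consumer keeps reading the stream.
    """
    line = line.strip()
    if not line:
        return []
    try:
        payload = json.loads(line)
    except json.JSONDecodeError:
        return []  # partial or corrupted chunk: skip rather than crash the reader
    if not isinstance(payload, dict):
        return []
    return [ev for ev in payload.get("events", []) if isinstance(ev, dict)]


def consume_stream(lines: Iterable[str], sink: Callable[[dict], None]) -> dict:
    """Feed every event to sink (e.g. a log forwarder); return counters for monitoring."""
    stats = {"lines": 0, "events": 0, "skipped_lines": 0}
    for raw in lines:
        stats["lines"] += 1
        events = extract_events(raw)
        if not events:
            stats["skipped_lines"] += 1  # worth alerting on if it grows unexpectedly
            continue
        for ev in events:
            sink(ev)
            stats["events"] += 1
    return stats


# Constructed sample lines standing in for r.iter_lines() output (not real SES data)
SAMPLE_LINES = [
    '{"events":[{"type":"policy_change","message":"Policy applied","device":"host-a"}]}',
    "",
    '{"events":[]}',
    '{"events":[{"type":"policy_change","message":"Policy applied","device":"host-b"},'
    '{"type":"heartbeat","message":"Agent check-in","device":"host-b"}]}',
    "not json at all",
]

if __name__ == "__main__":
    # Replace the lambda with a real forwarder (syslog, HTTP collector, file writer)
    print(consume_stream(SAMPLE_LINES, lambda ev: print(json.dumps(ev))))
```

With the live script, pass r.iter_lines(decode_unicode=True) as lines and your forwarder as sink.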

4. Validation Test

To confirm that the event stream works, perform an action in the console, such as adding a policy to a Policy Group and applying it:

  1. Console → Policies → Add a policy to a target group and apply it.
  2. Return to the running script and wait a few seconds.
  3. The terminal will print a JSON object similar to the following:

This confirms that the Event Stream and API integration are functioning correctly.


5. References

Broadcom Enterprise Security Group APIs
