Symantec Endpoint Protection¶
About¶
Symantec protects all your traditional and mobile endpoint devices with innovative technologies for attack surface reduction, attack prevention, breach prevention, and detection and response. All this protection is powered by our Global Intelligence Network, one of the largest in the world. Symantec’s single-agent solution delivers flexible management/deployment options, including fully cloud-based, on-premises, and hybrid.
Product Details¶
Vendor URL: Symantec Endpoint Protection
Product Type: EDR
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Symantec Endpoint Protection - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 90-100%
Data Label: SEP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Actual Action | security_result.action |
| Application | target.application |
| Application hash | target.file.sha256 |
| Application name | target.application |
| Category set | security_result.category_details |
| CIDS Signature string | security_result.summary |
| Command | target.process.command_line_history |
| Computer name | principal.hostname |
| Confidence | security_result.confidence_details |
| Device ID | target.resource.parent |
| deviceclass | target.resource.type |
| deviceguid | target.resource.id |
| devicename | target.resource.name |
| direction | network.direction |
| Domain Name | principal.administrative_domain |
| Download site | src.url |
| Downloaded by | principal.application |
| Event Description | metadata.description |
| Event Description | security_result.summary |
| File path | target.file.full_path |
| File size (bytes) | target.file.size |
| fileName | target.file.full_path |
| First Seen | security_result.priority_details |
| Group Name | target.group.group_display_name |
| ID | target.resource.id |
| Intrusion URL | network.http.referral_url |
| IP Address | principal.ip |
| Local Host IP | principal.ip |
| Local Host MAC | principal.mac |
| Local Port | principal.port |
| Location | target.location.country_or_region |
| MD-5 | target.file.md5 |
| Occurrences | security_result.detection_fields |
| Prevalence | security_result.severity_details |
| proto | network.ip_protocol |
| Remote Host IP | target.ip |
| Remote Host MAC | target.mac |
| Remote Host Name | target.hostname |
| Remote Port | target.port |
| Risk name | security_result.threat_nam |
| Rule | metadata.description |
| Rule ID | security_result.summary |
| Scan Complete | target.resource.name |
| Scan Type | target.resource.type |
| Server Name | observer.hostname |
| SHA-256 | target.file.sha256 |
| SID | target.process.pid |
| Site | observer.administrative_domain |
| size | target.file.size |
| SymantecServer | principal.hostname |
| User Name | principal.user.userid |
| User1 | principal.user.userid |
Product Event Types¶
| Event | UDM Event Classification | Security Category | alerting enabled |
|---|---|---|---|
| client will block traffic | NETWORK_CONNECTION | ||
| downloaded GUP list | STATUS_UPDATE | ||
| High Risk Domains | NETWORK_CONNECTION | ||
| Host Integrity | STATUS_UPDATE | ||
| IPS | SCAN_FILE,NETWORK_CONNECTION | ||
| LiveUpdate Manager | STATUS_UPDATE | ||
| Memory Exploit Mitigation | STATUS_UPDATE,SCAN_HOST | ||
| Smc | STATUS_HEARTBEAT | ||
| SONAR | STATUS_UPDATE,SCAN_FILE | ||
| SubmissionsMan | SCAN_FILE | ||
| to Internet | NETWORK_CONNECTION | ||
| traffic and log | NETWORK_CONNECTION | ||
| USB | FILE_UNCATEGORIZED | ||
| virus_found,system_infected | SCAN_HOST | SOFTWARE_MALICIOUS | TRUE |
| Web,attack | NETWORK_CONNECTION | SOFTWARE_MALICIOUS | TRUE |
Log Sample¶
<54>Jun 21 08:27:42 sysloghost SymantecServer: server,Category: 2,SONAR,"Event Description: [SONAR detection Submission] File submitted to Symantec. File : 'c:\program files (x86)\microsoft office\root\office16\excel.exe', Size (bytes): 5427.",Event time: 2021-06-21 08:22:26,Group Name: My Company\Test Groups (For testing new Policies)\Testing Desktop Support
Sample Parsing¶
metadata.event_timestamp = "2021-061T13:41:34.012956Z"
metadata.event_type = "SCAN_FILE"
metadata.vendor_name = "Symantec"
metadata.product_name = "Endpoint Protection"
metadata.description = "SONAR detection Submission"
metadata.ingested_timestamp = "2021-06-21T13:41:34.012956Z"
principal.hostname = "hostname"
principal.asset_id = "assetid"
target.file.size = "5427"
target.file.full_path = "c:\program files (x86)\microsoft office\root\office16\excel.exe"
observer.hostname = "sysloghost"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.
Rules¶
Coming Soon