Symantec WSS
About
The Symantec™ Cloud Secure Web Gateway (formerly Web Security Service) is an indispensable line of defense against modern-day cyber threats. A critical capability of Symantec Web Protection, it enables enterprises to control access, protect users from threats, and secure their sensitive data.
Product Details
Vendor URL: Symantec Cloud Secure Web Gateway
Product Type: Cloud Security
Product Tier: Tier II
Integration Method: Syslog
Integration URL:
Log Guide: Exporting Data to Syslog
Parser Details
Log Format: SYSLOG
Expected Normalization Rate: 90%
Data Label: SYMANTEC_WSS
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
column2 | event_timestamp.date |
column3 | event_timestamp.time |
column4 | intermediary.hostname |
column6 | principal.nat_ip |
column7 | principal.user.userid |
column8 | principal.group.group_display_name |
column9 | security_result.summary |
column10 | security_result.action |
column11 | security_result.rule_name |
column12 | additional.fields[ThreatConnect_URL_Referrer] |
column13 | network.http.response_code |
column14 | network.ip_protocol |
column15 | network.http.method |
column17 | network.application_protocol |
column18 | target.hostname |
column19 | target.port |
column20 | target.url |
column21 | additional.fields[query] |
column23 | network.http.user_agent |
column24 | intermediary.ip |
column25 | network.received_bytes |
column26 | network.sent_bytes |
column36 | target.ip |
column37 | target.location.country_or_region |
column42 | network.tls.version_protocol |
column43 | network.tls.cipher |
column45 | network.tls.client.server_name |
column55 | intermediary.nat_ip |
column58 | principal.location.country_or_region |
column61 | principal.application |
column62 | principal.platform_version |
column63 | principal.application |
column65 | principal.hostname |
column76 | metadata.product_log_id |
Log Sample
25690 2025-04-03 22:57:13 "HO1-Proxy_Machine" 2 10.75.12.34 domain\EUsername - - OBSERVED "Web Ads/Analytics" https://subdomain.example.com/ 200 TCP_NC_MISS GET image/gif https www.google-analytics.com 443 /collect ?v=1&_v=j101&a=1463353948&t=pageview&_s=1&dl=https%3A%2F%2Fsubdomain.example.com%2Fpc%2FScript.do&dp=No%20Policy%20Type%20%3A%20No%20Transaction%20%3A%20Homepage&ul=en-us&de=UTF-8&dt=No%20Policy%20Type%20%3A%20No%20Transaction%20%3A%20Homepage&sd=24-bit&sr=1600x900&vp=1600x765&je=0&_u=SACAAEABAAAAACACIAC~&jid=&gjid=&cid=1727451051.1681149700&tid=UA-191980767-3&_gid=280871854.1743350101>m=45He5420n81P6BBJJTv845504786za200&cd1=EUsername&cd2=Coding%20Underwriting%20Supervisor%2FManager&cd6=Example%20Username&gcd=13l3l3l3l1l1&dma=0&tag_exp=102030456~102030456~102030456~102030456~102030456~102030456~102030456~102030456&z=1020304561 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" 192.168.0.5 988 1320 - - - - 0 "client" client_connector - - 192.168.123.145 "United States" CERT_VALID none - none TLSv1.3 TLS_AES_128_GCM_SHA256 128 *.google-analytics.com "Web Ads/Analytics" TLSv1.3 TLS_AES_128_GCM_SHA256 128 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 192.168.123.145 "United States" - "United States" 2 2 wss-agent "architecture=x86_64 name=Windows 10 Enterprise version=10.0.22631" 9.8.1.22800 12345678-7829-abcd-abcd-12345678906c HostnameMachine PC - - - SSL_Intercept_1 - - - - - 1234567890abcdef-1234567890abcdef-1234567890abcdef
Sample Parsing
metadata.product_log_id: "1234567890abcdef-1234567890abcdef-1234567890abcdef"
metadata.event_type: NETWORK_CONNECTION
metadata.vendor_name: "Symantec"
metadata.product_name: "WSS"
additional.fields["ThreatConnect_URL_Referrer"].value.string_value: "https://subdomain.example.com/"
additional.fields["query"].value.string_value: "?v=1&_v=j101&a=1463353948&t=pageview&_s=1&dl=https%3A%2F%2Fsubdomain.example.com%2Fpc%2FScript.do&dp=No%20Policy%20Type%20%3A%20No%20Transaction%20%3A%20Homepage&ul=en-us&de=UTF-8&dt=No%20Policy%20Type%20%3A%20No%20Transaction%20%3A%20Homepage&sd=24-bit&sr=1600x900&vp=1600x765&je=0&_u=SACAAEABAAAAACACIAC~&jid=&gjid=&cid=1727451051.1681149700&tid=UA-191980767-3&_gid=280871854.1743350101>m=45He5420n81P6BBJJTv845504786za200&cd1=EUsername&cd2=Coding%20Underwriting%20Supervisor%2FManager&cd6=Example%20Username&gcd=13l3l3l3l1l1&dma=0&tag_exp=102030456~102030456~102030456~102030456~102030456~102030456~102030456~102030456&z=1020304561"
principal.hostname: "hostnamemachine"
principal.user.userid: "EUsername"
principal.ip: "10.75.12.34"
principal.nat_ip: "10.75.12.34"
principal.application: "wss-agent 9.8.1.22800"
principal.platform_version: "architecture=x86_64 name=Windows 10 Enterprise version=10.0.22631"
principal.location.country_or_region: "United States"
target.hostname: "www.google-analytics.com"
target.ip: "192.168.123.145"
target.port: 443
target.url: "https://www.google-analytics.com/collect"
target.location.country_or_region: "United States"
intermediary.hostname: "HO1-Proxy_Machine"
intermediary.ip: "192.168.0.5"
intermediary.nat_ip: "192.168.123.145"
security_result.rule_name: "Web Ads/Analytics"
security_result.action: ALLOW
network.sent_bytes: 1320
network.received_bytes: 988
network.ip_protocol: TCP
network.application_protocol: HTTPS
network.http.method: "GET"
network.http.user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
network.http.response_code: 200
network.tls.client.server_name: "*.google-analytics.com"
network.tls.cipher: "TLS_AES_128_GCM_SHA256"
network.tls.version_protocol: "TLSv1.3"
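The mapping table applied end to end, as an added example that is not part of this page or of the vendor's parser: a small Python normaliser that tokenises the WSS record (double-quoted fields keep their spaces, `-` means empty), copies the table's columns through, and derives the fields the Sample Parsing shows transformed (domain stripped from the user, TCP_NC_MISS reduced to TCP, target.url rebuilt from scheme, host and path). Only OBSERVED -> ALLOW is shown on the page; the DENIED and PROXIED action mappings are assumptions.

```python
import re
from typing import Dict

# The Symantec WSS record from this page's Log Sample, verbatim (76 space-separated columns).
SAMPLE = r'25690 2025-04-03 22:57:13 "HO1-Proxy_Machine" 2 10.75.12.34 domain\EUsername - - OBSERVED "Web Ads/Analytics" https://subdomain.example.com/ 200 TCP_NC_MISS GET image/gif https www.google-analytics.com 443 /collect ?v=1&_v=j101&a=1463353948&t=pageview&_s=1&dl=https%3A%2F%2Fsubdomain.example.com%2Fpc%2FScript.do&dp=No%20Policy%20Type%20%3A%20No%20Transaction%20%3A%20Homepage&ul=en-us&de=UTF-8&dt=No%20Policy%20Type%20%3A%20No%20Transaction%20%3A%20Homepage&sd=24-bit&sr=1600x900&vp=1600x765&je=0&_u=SACAAEABAAAAACACIAC~&jid=&gjid=&cid=1727451051.1681149700&tid=UA-191980767-3&_gid=280871854.1743350101>m=45He5420n81P6BBJJTv845504786za200&cd1=EUsername&cd2=Coding%20Underwriting%20Supervisor%2FManager&cd6=Example%20Username&gcd=13l3l3l3l1l1&dma=0&tag_exp=102030456~102030456~102030456~102030456~102030456~102030456~102030456~102030456&z=1020304561 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" 192.168.0.5 988 1320 - - - - 0 "client" client_connector - - 192.168.123.145 "United States" CERT_VALID none - none TLSv1.3 TLS_AES_128_GCM_SHA256 128 *.google-analytics.com "Web Ads/Analytics" TLSv1.3 TLS_AES_128_GCM_SHA256 128 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 192.168.123.145 "United States" - "United States" 2 2 wss-agent "architecture=x86_64 name=Windows 10 Enterprise version=10.0.22631" 9.8.1.22800 12345678-7829-abcd-abcd-12345678906c HostnameMachine PC - - - SSL_Intercept_1 - - - - - 1234567890abcdef-1234567890abcdef-1234567890abcdef'
# Columns copied through unchanged, from the page's mapping table (column number -> UDM field).
DIRECT = {
    2: "event_timestamp.date", 3: "event_timestamp.time", 4: "intermediary.hostname",
    6: "principal.nat_ip", 8: "principal.group.group_display_name", 9: "security_result.summary",
    11: "security_result.rule_name", 12: "additional.fields[ThreatConnect_URL_Referrer]",
    15: "network.http.method", 18: "target.hostname", 21: "additional.fields[query]",
    23: "network.http.user_agent", 24: "intermediary.ip", 36: "target.ip",
    37: "target.location.country_or_region", 42: "network.tls.version_protocol", 43: "network.tls.cipher",
    45: "network.tls.client.server_name", 55: "intermediary.nat_ip", 58: "principal.location.country_or_region",
    62: "principal.platform_version", 76: "metadata.product_log_id",
}
INT = lambda v: int(v) if v.isdigit() else None  # non-numeric value -> field omitted rather than a crash
# Columns the page's Sample Parsing shows transformed: (column, UDM field, transform).
# OBSERVED -> ALLOW is on the page; the DENIED and PROXIED mappings are assumed.
DERIVED = [
    (13, "network.http.response_code", INT), (19, "target.port", INT),
    (25, "network.received_bytes", INT), (26, "network.sent_bytes", INT),
    (6, "principal.ip", str), (65, "principal.hostname", str.lower),
    (7, "principal.user.userid", lambda v: v.rpartition("\\")[2]),  # DOMAIN\user -> user
    (10, "security_result.action", {"OBSERVED": "ALLOW", "PROXIED": "ALLOW", "DENIED": "BLOCK"}.get),
    (14, "network.ip_protocol", lambda v: v.split("_")[0]),  # TCP_NC_MISS -> TCP
    (17, "network.application_protocol", str.upper),  # https -> HTTPS
]

def columns(line: str) -> Dict[int, str]:
    """1-based column -> value; quoted fields keep their spaces, and '-' (WSS's empty marker) is dropped."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
    return {i: v for i, v in enumerate(tokens, 1) if v != "-"}

def to_udm(line: str) -> Dict[str, object]:
    """Flatten one WSS syslog record into {UDM path: value}, following the page's mapping table."""
    c = columns(line)
    udm: Dict[str, object] = {"metadata.vendor_name": "Symantec", "metadata.product_name": "WSS"}
    for n, field in DIRECT.items():
        if n in c:
            udm[field] = c[n]
    for n, field, fn in DERIVED:
        if n in c and fn(c[n]) is not None:
            udm[field] = fn(c[n])
    if 17 in c and 18 in c:  # scheme://host/path; the query string stays in additional.fields[query]
        udm["target.url"] = f"{c[17]}://{c[18]}{c.get(20, '')}"
    if app := " ".join(c[n] for n in (61, 63) if n in c):  # agent name + version, e.g. "wss-agent 9.8.1.22800"
        udm["principal.application"] = app
    return udm
```

Running `to_udm(SAMPLE)` reproduces the values listed under Sample Parsing; a `-` column such as column9 yields no `security_result.summary` key at all, which is the behaviour to expect from the parser's 90% normalisation rate on sparse records.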