...
The tags beginning with endpoint.symantec identify log events generated by any Symantec Endpoint product.
Tag structure
The full tag must have four levels. The first two are fixed as endpoint.symantec. The third level identifies the technology type and the fourth element is required and fixed depending upon the log type.
These are the valid tags and corresponding data tables that will receive the parsers' data:
| Product / Service | Tags | Data tables |
|---|---|---|
| Symantec Endpoint Protection Manager | endpoint.symantec.sepm.agent_activity | endpoint.symantec.sepm.agent_activity |
| | endpoint.symantec.sepm.agent_behavior | endpoint.symantec.sepm.agent_behavior |
| | endpoint.symantec.sepm.agent_risk | endpoint.symantec.sepm.agent_risk |
| | endpoint.symantec.sepm.agent_scan | endpoint.symantec.sepm.agent_scan |
| | endpoint.symantec.sepm.agent_security | endpoint.symantec.sepm.agent_security |
| | endpoint.symantec.sepm.agent_system | endpoint.symantec.sepm.agent_system |
| | endpoint.symantec.sepm.agent_traffic | endpoint.symantec.sepm.agent_traffic |
| | endpoint.symantec.sepm.others | endpoint.symantec.sepm.others |
| | endpoint.symantec.sepm.system | endpoint.symantec.sepm.system |
Once Symantec Endpoint Protection Manager events are delivered to Devo, they will be accessible from the finder in tables with the same names.
...
Rule 1 - Agent Activity events
...
Source data → ^SymantecServer: Site:
Target tag → endpoint.symantec.sepm.agent_activity
Select both Stop processing and Sent without syslog tag
Rule 2 - Agent Behavior events
Source port → Required one
Source data → ^SymantecServer: (.*),Device ID:(.*)$
Target tag → endpoint.symantec.sepm.agent_behavior
Select both Stop processing and Sent without syslog tag
Rule 3 - Agent Risk events
Source port → Required one
Source data → ^SymantecServer: ([^,]*),IP Address:
Target tag → endpoint.symantec.sepm.agent_risk
Select both Stop processing and Sent without syslog tag
Rule 4 - Agent Scan events
...
Source data → ^SymantecServer: Scan ID:
Target tag → endpoint.symantec.sepm.agent_scan
Select both Stop processing and Sent without syslog tag
Rule 5 - Agent Security events
...
Source data → ^SymantecServer: (([^,]*),)*SHA-256:
Target tag → endpoint.symantec.sepm.agent_security
Select both Stop processing and Sent without syslog tag
Rule 6 - Agent System events
...
Source data → ^SymantecServer: ([^,]*),Category:
Target tag → endpoint.symantec.sepm.agent_system
Select both Stop processing and Sent without syslog tag
Rule 7 - Other events
...
Target tag → endpoint.symantec.sepm.others
Select both Stop processing and Sent without syslog tag
...
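To see how the seven relay rules above interact, here is an added Python example (not part of the Devo documentation) that applies the page's Source data patterns in the listed order with first-match-wins semantics, which is what selecting Stop processing on every rule produces. The sample messages are constructed, and the catch-all pattern used for Rule 7 is an assumption, since the page gives only its target tag.

```python
import re

# Relay rules in the page's order ("Source data" regex -> "Target tag").
# Rule 7 has no Source data pattern on the page, so this example makes it a
# catch-all for any remaining "SymantecServer: " body (an assumption).
RULES = [
    (re.compile(r"^SymantecServer: Site:"), "endpoint.symantec.sepm.agent_activity"),
    (re.compile(r"^SymantecServer: (.*),Device ID:(.*)$"), "endpoint.symantec.sepm.agent_behavior"),
    (re.compile(r"^SymantecServer: ([^,]*),IP Address:"), "endpoint.symantec.sepm.agent_risk"),
    (re.compile(r"^SymantecServer: Scan ID:"), "endpoint.symantec.sepm.agent_scan"),
    (re.compile(r"^SymantecServer: (([^,]*),)*SHA-256:"), "endpoint.symantec.sepm.agent_security"),
    (re.compile(r"^SymantecServer: ([^,]*),Category:"), "endpoint.symantec.sepm.agent_system"),
    (re.compile(r"^SymantecServer: "), "endpoint.symantec.sepm.others"),
]

def route_tag(message):
    """Return the target tag for one syslog body, or None. Rules are tried
    top to bottom and the first match wins ("Stop processing" on every rule);
    a body not starting with "SymantecServer: " is not an SEPM event."""
    for pattern, tag in RULES:
        if pattern.search(message):
            return tag
    return None

def route_batch(messages):
    """Count messages per tag: one tag swallowing everything usually means a
    rule is ordered too early or its pattern is too broad."""
    counts = {}
    for msg in messages:
        tag = route_tag(msg) or "<unrouted>"
        counts[tag] = counts.get(tag, 0) + 1
    return counts

# Constructed sample messages (not real SEPM output), each shaped only to
# satisfy the prefix the corresponding rule keys on.
SAMPLES = [
    "SymantecServer: Site: HQ,Server Name: sepm01,Domain Name: Default,Administrator logged on",
    "SymantecServer: WS-042,Blocked,USB storage write denied,Device ID: USBSTOR-PLACEHOLDER",
    "SymantecServer: WS-042,IP Address: 10.20.30.40,Computer name: WS-042,Source: Auto-Protect",
    "SymantecServer: Scan ID: 1713270000,Begin: 2024-04-16 10:00:00,Completed",
    "SymantecServer: WS-042,Event Description: Application blocked,SHA-256: <hash-placeholder>",
    "SymantecServer: WS-042,Category: 2,Smc,Symantec Endpoint Protection services started",
    "SymantecServer: WS-042,Some event shape none of the rules above recognises",
    "kernel: not a Symantec Endpoint event at all",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(route_tag(msg), "<-", msg)
    print(route_batch(SAMPLES))
```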
endpoint.symantec.sepm.agent_activity

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| site_name | str | |
| server_name | str | |
| domain_name | str | |
| event_description | str | |
| host_name | str | |
| username | str | |
| machine_domain_name | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
endpoint.symantec.sepm.agent_behavior

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| clientHostname | str | |
| ipAddress | ip4 | |
| action | str | |
| description | str | |
| apiName | str | |
| beginTime | timestamp | |
| endTime | timestamp | |
| securityRule | str | |
| processID | int8 | |
| processName | str | |
| returnAddress | int4 | |
| returnModule | str | |
| parameters | str | |
| userName | str | |
| domainName | str | |
| actionType | str | |
| fileSize | int8 | |
| fileUnits | str | |
| deviceID | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
endpoint.symantec.sepm.agent_risk

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| actionDescr | str | |
| ipAddress | ip4 | |
| computerName | str | |
| source | str | |
| riskName | str | |
| occurrences | int4 | |
| filePath | str | |
| description | str | |
| actualAction | str | |
| requestedAction | str | |
| secondaryAction | str | |
| eventTime | timestamp | |
| eventInsertTime | timestamp | |
| endTime | timestamp | |
| lastUpdateTime | timestamp | |
| domainName | str | |
| groupName | str | |
| serverName | str | |
| userName | str | |
| sourceComputerName | str | |
| sourceComputerIP | ip4 | |
| disposition | str | |
| downloadSite | str | |
| webDomain | str | |
| downloadedBy | str | |
| prevalence | str | |
| confidence | str | |
| urlTrackingStatus | str | |
| firstSeen | str | |
| sensitivity | str | |
| permittedApplicationReason | str | |
| applicationHash | str | |
| hashType | str | |
| companyName | str | |
| applicationName | str | |
| applicationVersion | str | |
| applicationType | int4 | |
| fileSize | int8 | |
| fileUnits | str | |
| categorySet | str | |
| categoryType | str | |
| location | str | |
| intensiveProtectionLevel | int4 | |
| certificateIssuer | str | |
| certificateSigner | str | |
| certificateThumbprint | str | |
| signingTimestamp | int8 | |
| certificateSerialNumber | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
endpoint.symantec.sepm.agent_scan

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| clientHostname | str | `join(clientHostArray, ",")` | clientHostArray | |
| scanID | int8 | | | |
| beginTime | timestamp | | | |
| endTime | timestamp | | | |
| status | str | | | |
| duration | int4 | | | |
| durationUnits | str | | | |
| user1 | str | | | |
| user2 | str | | | |
| message1 | str | | | |
| message2 | str | | | |
| command | str | | | |
| threats | int4 | | | |
| infected | int4 | | | |
| totalFiles | int4 | | | |
| omitted | int4 | | | |
| computer | str | | | |
| ipAddress | ip4 | | | |
| domainName | str | | | |
| groupName | str | | | |
| serverName | str | | | |
| scanType | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
endpoint.symantec.sepm.agent_security

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| serverName | str | `ifthenelse(length(clientHostArray) > 1, clientHostArray[0], null)` | clientHostArray | |
| computerName | str | `ifthenelse(length(clientHostArray) > 1, clientHostArray[1], clientHostArray[0])` | clientHostArray | |
| description | str | | | |
| action | str | | | |
| localHostIP | ip4 | | | |
| localPort | int4 | | | |
| localHostMAC | str | | | |
| remoteHostName | str | | | |
| remoteHostIP | ip4 | | | |
| remotePort | int4 | | | |
| remoteHostMAC | str | | | |
| trafficDirection | str | | | |
| networkProtocol | str | | | |
| intrusionID | int4 | | | |
| beginTime | timestamp | | | |
| endTime | timestamp | | | |
| occurrences | int4 | | | |
| application | str | | | |
| location | str | | | |
| userName | str | | | |
| domainName | str | | | |
| cidsSignatureID | int4 | | | |
| cidsSignatureString | str | | | |
| attackType | str | `split(cidsSignatureString, ":", 0)` | cidsSignatureString | |
| cidsSignatureSubID | int4 | | | |
| intrusionURL | str | | | |
| intrusionPayloadURL | str | | | |
| sha256 | str | | | |
| md5 | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
endpoint.symantec.sepm.agent_system

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| clientHostname | str | |
| category | int4 | |
| source | str | |
| description | str | |
| eventTime | timestamp | |
| groupName | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
endpoint.symantec.sepm.agent_traffic

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| clientHostname | str | |
| localHostIP | ip4 | |
| localPort | str | |
| localHostMAC | str | |
| remoteHostName | str | |
| remoteHostIP | ip4 | |
| remotePort | str | |
| remoteHostMAC | str | |
| location | str | |
| begin | str | |
| endTime | str | |
| occurrences | str | |
| userName | str | |
| domainName | str | |
| action | str | |
| rule | str | |
| application | str | |
| sha256 | str | |
| md5 | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
endpoint.symantec.sepm.others

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| message | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | message | ✓ |
...