...
The full tag must have four levels. The first two levels are fixed as endpoint.symantec. The third level identifies the technology type, and the fourth is required and fixed by the log type.
These are the valid tags and the corresponding data tables that receive the parsers' data:
...
Source Port → 13075
Source Data → ^SymantecServer: (([^,]*),)*SHA-256:
Target Tag → endpoint.symantec.sepm.agent_security
Select both Stop Processing and Sent without syslog tag
...
endpoint.symantec.sepm.agent_activity

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| site_name | str | |
| server_name | str | |
| domain_name | str | |
| event_description | str | |
| host_name | str | |
| username | str | |
| machine_domain_name | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
endpoint.symantec.sepm.agent_behavior

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| clientHostname | str | |
| ipAddress | ip4 | |
| action | str | |
| description | str | |
| apiName | str | |
| beginTime | timestamp | |
| endTime | timestamp | |
| securityRule | str | |
| processID | int8 | |
| processName | str | |
| returnAddress | int4 | |
| returnModule | str | |
| parameters | str | |
| userName | str | |
| domainName | str | |
| actionType | str | |
| fileSize | int8 | |
| fileUnits | str | |
| deviceID | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
endpoint.symantec.sepm.agent_risk

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| actionDescr | str | |
| ipAddress | ip4 | |
| computerName | str | |
| source | str | |
| riskName | str | |
| occurrences | int4 | |
| filePath | str | |
| description | str | |
| actualAction | str | |
| requestedAction | str | |
| secondaryAction | str | |
| eventTime | timestamp | |
| eventInsertTime | timestamp | |
| endTime | timestamp | |
| lastUpdateTime | timestamp | |
| domainName | str | |
| groupName | str | |
| serverName | str | |
| userName | str | |
| sourceComputerName | str | |
| sourceComputerIP | ip4 | |
| disposition | str | |
| downloadSite | str | |
| webDomain | str | |
| downloadedBy | str | |
| prevalence | str | |
| confidence | str | |
| urlTrackingStatus | str | |
| firstSeen | str | |
| sensitivity | str | |
| permittedApplicationReason | str | |
| applicationHash | str | |
| hashType | str | |
| companyName | str | |
| applicationName | str | |
| applicationVersion | str | |
| applicationType | int4 | |
| fileSize | int8 | |
| fileUnits | str | |
| categorySet | str | |
| categoryType | str | |
| location | str | |
| intensiveProtectionLevel | int4 | |
| certificateIssuer | str | |
| certificateSigner | str | |
| certificateThumbprint | str | |
| signingTimestamp | int8 | |
| certificateSerialNumber | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
endpoint.symantec.sepm.agent_scan

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| clientHostname | str | `join(clientHostArray, ",")` | clientHostArray | |
| scanID | int8 | | | |
| beginTime | timestamp | | | |
| endTime | timestamp | | | |
| status | str | | | |
| duration | int4 | | | |
| durationUnits | str | | | |
| user1 | str | | | |
| user2 | str | | | |
| message1 | str | | | |
| message2 | str | | | |
| command | str | | | |
| threats | int4 | | | |
| infected | int4 | | | |
| totalFiles | int4 | | | |
| omitted | int4 | | | |
| computer | str | | | |
| ipAddress | ip4 | | | |
| domainName | str | | | |
| groupName | str | | | |
| serverName | str | | | |
| scanType | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
endpoint.symantec.sepm.agent_security

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| serverName | str | `ifthenelse(length(clientHostArray) > 1, clientHostArray[0], null)` | clientHostArray | |
| computerName | str | `ifthenelse(length(clientHostArray) > 1, clientHostArray[1], clientHostArray[0])` | clientHostArray | |
| description | str | | | |
| action | str | | | |
| localHostIP | ip4 | | | |
| localPort | int4 | | | |
| localHostMAC | str | | | |
| remoteHostName | str | | | |
| remoteHostIP | ip4 | | | |
| remotePort | int4 | | | |
| remoteHostMAC | str | | | |
| trafficDirection | str | | | |
| networkProtocol | str | | | |
| intrusionID | int4 | | | |
| beginTime | timestamp | | | |
| endTime | timestamp | | | |
| occurrences | int4 | | | |
| application | str | | | |
| location | str | | | |
| userName | str | | | |
| domainName | str | | | |
| cidsSignatureID | int4 | | | |
| cidsSignatureString | str | | | |
| attackType | str | `split(cidsSignatureString, ":", 0)` | cidsSignatureString | |
| cidsSignatureSubID | int4 | | | |
| intrusionURL | str | | | |
| intrusionPayloadURL | str | | | |
| sha256 | str | | | |
| md5 | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
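The relay rule above (port 13075, Source Data regex, target tag endpoint.symantec.sepm.agent_security) and the clientHostArray / cidsSignatureString transformations in the agent_security and agent_scan tables, exercised together in an added Python example that is not part of this page or of Devo's own parser. The ifthenelse() and split() semantics, the function names and the sample lines are assumptions; the sample lines are constructed and are not real SEPM output.

```python
import re

# Relay rule from the page: the Source Data regex that routes SEPM syslog
# lines carrying a SHA-256 field to the agent_security tag.
SECURITY_RULE = re.compile(r"^SymantecServer: (([^,]*),)*SHA-256:")
SECURITY_TAG = "endpoint.symantec.sepm.agent_security"


def route_tag(line):
    """Target tag for a raw SEPM line, or None when this rule does not match
    (other log types are routed by relay rules not shown on this page)."""
    return SECURITY_TAG if SECURITY_RULE.search(line) else None


# Python renderings of the table transformations. Assumed semantics:
# ifthenelse(cond, a, b) -> a if cond else b; split(s, sep, i) -> s.split(sep)[i].
def agent_security_hosts(client_host_array):
    """(serverName, computerName) as defined by the two ifthenelse() rules."""
    if len(client_host_array) > 1:
        return client_host_array[0], client_host_array[1]
    return None, client_host_array[0]


def attack_type(cids_signature_string):
    """attackType = split(cidsSignatureString, ":", 0)."""
    return cids_signature_string.split(":")[0]


def scan_client_hostname(client_host_array):
    """agent_scan clientHostname = join(clientHostArray, ",")."""
    return ",".join(client_host_array)


# Constructed sample lines (not real SEPM output); the field names and values
# are placeholders chosen only to exercise the relay regex.
SAMPLE_SECURITY = ("SymantecServer: SEPM01,Event Description: constructed event,"
                   "Local Host IP: 10.0.0.5,SHA-256: <hash placeholder>,MD5: <hash>")
SAMPLE_NO_HASH = "SymantecServer: SEPM01,Site: Site1,constructed activity line"

if __name__ == "__main__":
    for sample in (SAMPLE_SECURITY, SAMPLE_NO_HASH):
        print(route_tag(sample), "<-", sample[:40])
    print(agent_security_hosts(["SEPM01", "WS-42"]), agent_security_hosts(["WS-42"]))
    print(attack_type("Web Attack: Constructed Signature 1"))
```

A line without a "SHA-256:" field after the comma-separated prefix falls through this rule, so the other relay rules decide its tag.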
endpoint.symantec.sepm.agent_system

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
endpoint.symantec.sepm.agent_traffic

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| clientHostname | str | |
| localHostIP | ip4 | |
| localPort | str | |
| localHostMAC | str | |
| remoteHostName | str | |
| remoteHostIP | ip4 | |
| remotePort | str | |
| remoteHostMAC | str | |
| location | str | |
| begin | str | |
| endTime | str | |
| occurrences | str | |
| userName | str | |
| domainName | str | |
| action | str | |
| rule | str | |
| application | str | |
| sha256 | str | |
| md5 | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
endpoint.symantec.sepm.others

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| message | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | message | ✓ |