View Source

Check the reference vendor documentation here.

Introduction

The tags beginning with endpoint.symantec identify log events generated by any Symantec Endpoint product.

Tag structure

The full tag must have four levels. The first two are fixed as endpoint.symantec. The third level identifies the technology type and the fourth element is required and fixed depending upon the log type.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables
Symantec Endpoint Protection Manager	`endpoint.symantec.sepm.agent_activity`	`endpoint.symantec.sepm.agent_activity`
	`endpoint.symantec.sepm.agent_behavior`	`endpoint.symantec.sepm.agent_behavior`
	`endpoint.symantec.sepm.agent_risk`	`endpoint.symantec.sepm.agent_risk`
	`endpoint.symantec.sepm.agent_scan`	`endpoint.symantec.sepm.agent_scan`
	`endpoint.symantec.sepm.agent_security`	`endpoint.symantec.sepm.agent_security`
	`endpoint.symantec.sepm.agent_system`	`endpoint.symantec.sepm.agent_system`
	`endpoint.symantec.sepm.agent_traffic`	`endpoint.symantec.sepm.agent_traffic`
	`endpoint.symantec.sepm.others`	`endpoint.symantec.sepm.others`
	`endpoint.symantec.sepm.system`	`endpoint.symantec.sepm.system`

Once Symantec Endpoint Protection Manager events are delivered to Devo, they will be accessible from the finder in tables with the same names.

For more information, read more about Devo tags.

Configuration

All Symantec Endpoint Protection Manager events should be sent to a Devo Relay for tagging and forwarding to Devo. The events can be directed to a single port; you will set up a series of rules to identify the event types and apply the correct Devo tag to each type.

Rule 1 - Agent Activity events

Source port → Required one
Source data → ^SymantecServer: Site:
Target Tag → endpoint.symantec.sepm.agent_activity
Select both Stop processing and Sent without syslog tag

Rule 2 - Agent Behavior events

Source port → Required one
Source data → ^SymantecServer: (.*),Device ID:(.*)$
Target tag → endpoint.symantec.sepm.agent_behavior
Select both Stop processing and Sent without syslog tag

Rule 3 - Agent Risk events

Source port → Required one
Source data → ^SymantecServer: ([^,]*),IP Address:
Target tag → endpoint.symantec.sepm.agent_risk
Select both Stop processing and Sent without syslog tag

Rule 4 - Agent Scan events

Source port → Required one
Source data → ^SymantecServer: Scan ID:
Target tag → endpoint.symantec.sepm.agent_scan
Select both Stop processing and Sent without syslog tag

Rule 5 - Agent Security events

Source port → Required one
Source data → ^SymantecServer: (([^,]*),)*SHA-256:
Target tag → endpoint.symantec.sepm.agent_security
Select both Stop processing and Sent without syslog tag

Rule 6 - Agent System events

Source port → Required one
Source data → ^SymantecServer: ([^,]*),Category:
Target Tag → endpoint.symantec.sepm.agent_system
Select both Stop Processing and Sent without syslog tag

Rule 8 - Other events

Source port → Required one
Target tag → endpoint.symantec.sepm.others
Select both Stop Processing and Sent without syslog tag

Table structure

These are the fields displayed in this table:

endpoint.symantec.sepm.agent_activity
endpoint.symantec.sepm.agent_behavior
endpoint.symantec.sepm.agent_risk
endpoint.symantec.sepm.agent_scan

endpoint.symantec.sepm.agent_activity

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
site_name	`str`
server_name	`str`
domain_name	`str`
event_description	`str`
host_name	`str`
username	`str`
machine_domain_name	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

endpoint.symantec.sepm.agent_behavior

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
clientHostname	`str`
ipAddress	`ip4`
action	`str`
description	`str`
apiName	`str`
beginTime	`timestamp`
endTime	`timestamp`
securityRule	`str`
processID	`int8`
processName	`str`
returnAddress	`int4`
returnModule	`str`
parameters	`str`
userName	`str`
domainName	`str`
actionType	`str`
fileSize	`int8`
fileUnits	`str`
deviceID	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

endpoint.symantec.sepm.agent_risk

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
actionDescr	`str`
ipAddress	`ip4`
computerName	`str`
source	`str`
riskName	`str`
occurrences	`int4`
filePath	`str`
description	`str`
actualAction	`str`
requestedAction	`str`
secondaryAction	`str`
eventTime	`timestamp`
eventInsertTime	`timestamp`
endTime	`timestamp`
lastUpdateTime	`timestamp`
domainName	`str`
groupName	`str`
serverName	`str`
userName	`str`
sourceComputerName	`str`
sourceComputerIP	`ip4`
disposition	`str`
downloadSite	`str`
webDomain	`str`
downloadedBy	`str`
prevalence	`str`
confidence	`str`
urlTrackingStatus	`str`
firstSeen	`str`
sensitivity	`str`
permittedApplicationReason	`str`
applicationHash	`str`
hashType	`str`
companyName	`str`
applicationName	`str`
applicationVersion	`str`
applicationType	`int4`
fileSize	`int8`
fileUnits	`str`
categorySet	`str`
categoryType	`str`
location	`str`
intensiveProtectionLevel	`int4`
certificateIssuer	`str`
certificateSigner	`str`
certificateThumbprint	`str`
signingTimestamp	`int8`
certificateSerialNumber	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

endpoint.symantec.sepm.agent_scan

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

clientHostname

str

join(clientHostArray, ",")

clientHostArray

scanID

int8

beginTime

timestamp

endTime

timestamp

status

str

duration

int4

durationUnits

str

user1

str

user2

str

message1

str

message2

str

command

str

threats

int4

infected

int4

totalFiles

int4

omitted

int4

computer

str

ipAddress

ip4

domainName

str

groupName

str

serverName

str

scanType

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

endpoint.symantec.sepm.agent_security
endpoint.symantec.sepm.agent_system
endpoint.symantec.sepm.agent_traffic
endpoint.symantec.sepm.others

endpoint.symantec.sepm.agent_security

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

serverName

str

ifthenelse(length(clientHostArray) > 1, clientHostArray[0], null)

clientHostArray

computerName

str

ifthenelse(length(clientHostArray) > 1, clientHostArray[1], clientHostArray[0])

clientHostArray

description

str

action

str

localHostIP

ip4

localPort

int4

localHostMAC

str

remoteHostName

str

remoteHostIP

ip4

remotePort

int4

remoteHostMAC

str

trafficDirection

str

networkProtocol

str

intrusionID

int4

beginTime

timestamp

endTime

timestamp

occurrences

int4

application

str

location

str

userName

str

domainName

str

cidsSignatureID

int4

cidsSignatureString

str

attackType

str

split(cidsSignatureString, ":", 0)

cidsSignatureString

cidsSignatureSubID

int4

intrusionURL

str

intrusionPayloadURL

str

sha256

str

md5

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

endpoint.symantec.sepm.agent_system

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
clientHostname	`str`
category	`int4`
source	`str`
description	`str`
eventTime	`timestamp`
groupName	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

endpoint.symantec.sepm.agent_traffic

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
clientHostname	`str`
localHostIP	`ip4`
localPort	`str`
localHostMAC	`str`
remoteHostName	`str`
remoteHostIP	`ip4`
remotePort	`str`
remoteHostMAC	`str`
location	`str`
begin	`str`
endTime	`str`
occurrences	`str`
userName	`str`
domainName	`str`
action	`str`
rule	`str`
application	`str`
sha256	`str`
md5	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

endpoint.symantec.sepm.others

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
message	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`	message	✓