Document toolboxDocument toolbox

endpoint.symantec

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
3 min read
[ 1 Tag structure ] [ 2 Configuration ]

The tags beginning with endpoint.symantec identify log events generated by any Symantec Endpoint product.

Tag structure

The full tag must have four levels. The first two are fixed as endpoint.symantec. The third level identifies the technology type and currently, it can only be sepm, which identifies logs generated by the Symantec Endpoint Protection Manager. The fourth element is required and fixed depending upon the log type.

technology

brand

type

subtype

technology

brand

type

subtype

endpoint

symantec

sepm

  • agent_behavior

  • agent_risk

  • agent_scan

  • agent_security

  • agent_system

  • others

Therefore, the valid tags include:

  • endpoint.symantec.sepm.agent_behavior

  • endpoint.symantec.sepm.agent_risk

  • endpoint.symantec.sepm.agent_scan

  • endpoint.symantec.sepm.agent_security

  • endpoint.symantec.sepm.agent_system

  • endpoint.symantec.sepm.others

Once Symantec Endpoint Protection Manager events are delivered to Devo, they will be accessible from the finder in tables with the same names.

For more information, read more about Devo tags.

Configuration

All Symantec Endpoint Protection Manager events should be sent to a Devo Relay for tagging and forwarding to Devo. The events can be directed to a single port; you will set up a series of rules to identify the event types and apply the correct Devo tag to each type.

The example rules below are based on port 13075 on the relay but you can use any free port you choose.

Rule 1 - Agent Behavior events

  • Source Port → 13075

  • Source Data → ^SymantecServer: (.*),Device ID:(.*)$

  • Target Tag → endpoint.symantec.sepm.agent_behavior

  • Select both Stop Processing and Sent without syslog tag

Rule 2 - Agent Risk events

  • Source Port → 13075

  • Source Data → ^SymantecServer: ([^,]*),IP Address:

  • Target Tag → endpoint.symantec.sepm.agent_risk

  • Select both Stop Processing and Sent without syslog tag

Rule 3 - Agent Scan events

  • Source Port → 13075

  • Source Data → ^SymantecServer: Scan ID:

  • Target Tag → endpoint.symantec.sepm.agent_scan

  • Select both Stop Processing and Sent without syslog tag

 

Rule 4 - Agent Security events

  • Source Port → 13075

  • Source Data → ^SymantecServer: (([^,]*),)*SHA-256:

  • Target Tag → endpoint.symantec.sepm.agent_security

  • Select both Stop Processing and Sent without syslog tag

Rule 5 - Agent System events

  • Source Port → 13075

  • Source Data → ^SymantecServer: ([^,]*),Category:

  • Target Tag → endpoint.symantec.sepm.agent_system

  • Select both Stop Processing and Sent without syslog tag

Rule 6 - Other events

  • Source Port → 13075

  • Target Tag → endpoint.symantec.sepm.others

  • Select both Stop Processing and Sent without syslog tag