
endpoint.symantec

The tags beginning with endpoint.symantec identify log events generated by any Symantec Endpoint product.

Tag structure

The full tag must have four levels. The first two are fixed as endpoint.symantec. The third level identifies the product and is currently always sepm, which identifies logs generated by the Symantec Endpoint Protection Manager. The fourth level is required and identifies the log type; its value is fixed for each log type, as listed below.

technology   brand      type   subtype
endpoint     symantec   sepm   agent_behavior
                               agent_risk
                               agent_scan
                               agent_security
                               agent_system
                               others

Therefore, the valid tags include:

  • endpoint.symantec.sepm.agent_behavior
  • endpoint.symantec.sepm.agent_risk
  • endpoint.symantec.sepm.agent_scan
  • endpoint.symantec.sepm.agent_security
  • endpoint.symantec.sepm.agent_system
  • endpoint.symantec.sepm.others

Once Symantec Endpoint Protection Manager events are delivered to Devo, they will be accessible from the finder in tables with the same names.

For more information, read more about Devo tags.

Configuration

All Symantec Endpoint Protection Manager events should be sent to a Devo Relay, which tags them and forwards them to Devo. All the events can be directed to a single relay port; you then define a series of rules that identify each event type by a regular expression applied to the event data (Source Data) and apply the correct Devo tag to it. The rules are evaluated in order, and because each one selects Stop Processing, the first rule whose pattern matches an event decides its tag. The final rule has no Source Data pattern and catches everything the earlier rules did not match, so it must stay last.

The example rules below are based on port 13075 on the relay, but you can use any free port you choose.

Rule 1 - Agent Behavior events

  • Source Port → 13075
  • Source Data  ^SymantecServer: (.*),Device ID:(.*)$
  • Target Tag  endpoint.symantec.sepm.agent_behavior
  • Select both Stop Processing and Sent without syslog tag

Rule 2 - Agent Risk events

  • Source Port → 13075
  • Source Data  ^SymantecServer: ([^,]*),IP Address:
  • Target Tag  endpoint.symantec.sepm.agent_risk
  • Select both Stop Processing and Sent without syslog tag

Rule 3 - Agent Scan events

  • Source Port → 13075
  • Source Data  ^SymantecServer: Scan ID:
  • Target Tag  endpoint.symantec.sepm.agent_scan
  • Select both Stop Processing and Sent without syslog tag

Rule 4 - Agent Security events

  • Source Port → 13075
  • Source Data  ^SymantecServer: (([^,]*),)*SHA-256:
  • Target Tag  endpoint.symantec.sepm.agent_security
  • Select both Stop Processing and Sent without syslog tag

Rule 5 - Agent System events

  • Source Port → 13075
  • Source Data  ^SymantecServer: ([^,]*),Category:
  • Target Tag  endpoint.symantec.sepm.agent_system
  • Select both Stop Processing and Sent without syslog tag

Rule 6 - Other events

  • Source Port → 13075
  • Target Tag  endpoint.symantec.sepm.others
  • Select both Stop Processing and Sent without syslog tag
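The six rules above are a first-match classifier: each event is tested against the Source Data patterns in order, and Stop Processing means the first hit wins. The following Python script is an added example for this page and is not Devo relay code; it reproduces the rule table verbatim, applies it to a handful of constructed SEPM-style event lines (shaped to exercise each pattern, not copied from a real installation), and includes a helper that lists every rule a line would match, which is the check to run when you edit a pattern and want to know whether two rules now overlap. It assumes, as the `^SymantecServer:` anchors imply, that the patterns are applied to the event data starting at the SymantecServer tag.

```python
import re
from typing import List, Tuple

# The six relay rules from the page, in the order the relay evaluates them.
# Each entry is (Source Data pattern, Target Tag). Rule 6 has no pattern and
# acts as the catch-all. Because every rule selects "Stop Processing", the first
# rule whose pattern matches decides the tag and later rules are never consulted.
RULES = [
    (re.compile(r"^SymantecServer: (.*),Device ID:(.*)$"), "endpoint.symantec.sepm.agent_behavior"),
    (re.compile(r"^SymantecServer: ([^,]*),IP Address:"), "endpoint.symantec.sepm.agent_risk"),
    (re.compile(r"^SymantecServer: Scan ID:"), "endpoint.symantec.sepm.agent_scan"),
    (re.compile(r"^SymantecServer: (([^,]*),)*SHA-256:"), "endpoint.symantec.sepm.agent_security"),
    (re.compile(r"^SymantecServer: ([^,]*),Category:"), "endpoint.symantec.sepm.agent_system"),
    (None, "endpoint.symantec.sepm.others"),
]


def tag_for(message: str) -> str:
    """Emulate the relay: walk the rules in order and return the first matching tag.

    `message` is the event data the Source Data pattern is applied to, i.e. the
    text starting at "SymantecServer:" (every pattern is anchored there with ^).
    """
    for pattern, tag in RULES:
        if pattern is None or pattern.search(message):
            return tag
    raise RuntimeError("unreachable: the catch-all rule always matches")


def matching_rules(message: str) -> List[str]:
    """Return the tags of every pattern rule that matches, ignoring the catch-all.

    Useful when writing or changing rules: a message that appears here more than
    once is ambiguous, and only the lowest-numbered rule will ever win on the relay.
    """
    return [tag for pattern, tag in RULES if pattern is not None and pattern.search(message)]


# Constructed sample event data for this example. The lines are shaped to exercise
# each pattern and are NOT copied from a real SEPM installation.
SAMPLES = [
    # Rule 1: any comma-separated data followed by ",Device ID:" anywhere on the line
    "SymantecServer: SEPM01,WS-042,CORP,Blocked,Event Description: Unauthorized write,Device ID: USB\\VID_0781",
    # Rule 2: a single field (the server name) followed by ",IP Address:"
    "SymantecServer: SEPM01,IP Address: 10.20.30.40,Computer name: WS-042,Source: Auto-Protect scan,Risk name: Trojan.Gen",
    # Rule 3: "Scan ID:" directly after the SymantecServer tag
    "SymantecServer: Scan ID: 1234567890,Begin: 2024-01-15 09:00:00,End: 2024-01-15 09:30:00,Completed,Duration (seconds): 1800",
    # Rule 4: comma-separated fields, one of which starts with "SHA-256:"
    "SymantecServer: SEPM01,Event Description: Suspicious process,Local Host IP: 10.20.30.40,SHA-256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    # Rule 5: a single field (the server name) followed by ",Category:"
    "SymantecServer: SEPM01,Category: 2,SYLINK,Event Description: Connected to Symantec Endpoint Protection Manager",
    # Nothing above matches: Rule 6 (others)
    "SymantecServer: SEPM01,Heartbeat received from WS-042",
]

# A constructed line that satisfies both Rule 1 and Rule 4, to show precedence.
# Not a real SEPM record; it only illustrates what "Stop Processing" does.
OVERLAP = "SymantecServer: SEPM01,Event Description: Suspicious process,SHA-256: 9f86d081,Device ID: USB\\VID_0781"


def classify_samples() -> List[Tuple[str, str]]:
    """Tag every constructed sample; returns (tag, first 40 characters of the event)."""
    return [(tag_for(line), line[:40]) for line in SAMPLES]


if __name__ == "__main__":
    for tag, head in classify_samples():
        print(f"{tag:45s} {head}...")
    print("overlap matches:", matching_rules(OVERLAP), "-> relay assigns:", tag_for(OVERLAP))
```

Run it as a script to see each constructed line land in its table. The OVERLAP case is the one to keep in mind when you adapt these rules: Rule 1 uses an unrestricted `(.*)`, so any event containing `,Device ID:` is tagged agent_behavior before the later, more specific patterns are ever tried. If you add or loosen a pattern, run every representative event through `matching_rules` and make sure each returns at most one tag.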

Log samples

The following are sample logs for each of the endpoint.symantec data tables. Under each sample log, you can see how its information is parsed into the columns of the corresponding data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.