
endpoint.symantec

Check the reference vendor documentation here.

Introduction

The tags beginning with endpoint.symantec identify log events generated by any Symantec Endpoint product.

Tag structure

The full tag must have four levels. The first two are fixed as endpoint.symantec. The third level identifies the technology type, and the fourth level is required and fixed by the log type.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service                    | Tags                                  | Data tables
-------------------------------------|---------------------------------------|--------------------------------------
Symantec Endpoint Protection Manager | endpoint.symantec.sepm.agent_activity | endpoint.symantec.sepm.agent_activity
                                     | endpoint.symantec.sepm.agent_behavior | endpoint.symantec.sepm.agent_behavior
                                     | endpoint.symantec.sepm.agent_risk     | endpoint.symantec.sepm.agent_risk
                                     | endpoint.symantec.sepm.agent_scan     | endpoint.symantec.sepm.agent_scan
                                     | endpoint.symantec.sepm.agent_security | endpoint.symantec.sepm.agent_security
                                     | endpoint.symantec.sepm.agent_system   | endpoint.symantec.sepm.agent_system
                                     | endpoint.symantec.sepm.agent_traffic  | endpoint.symantec.sepm.agent_traffic
                                     | endpoint.symantec.sepm.others         | endpoint.symantec.sepm.others

Once Symantec Endpoint Protection Manager events are delivered to Devo, they will be accessible from the finder in tables with the same names.

For more information, read more about Devo tags.

Configuration

All Symantec Endpoint Protection Manager events should be sent to a Devo Relay for tagging and forwarding to Devo. The events can be directed to a single port; you then set up a series of rules that identify each event type by its content and apply the correct Devo tag to it. The rules are evaluated in order: because every rule selects Stop processing, the first rule whose Source data pattern matches decides the tag, and the final rule, which has no Source data pattern, catches every event that the earlier rules did not match.

Rule 1 - Agent Activity events

  • Source port → the port configured to receive the events

  • Source data → ^SymantecServer: Site:

  • Target tag → endpoint.symantec.sepm.agent_activity

  • Select both Stop processing and Send without syslog tag

Rule 2 - Agent Behavior events

  • Source port → the port configured to receive the events

  • Source data → ^SymantecServer: (.*),Device ID:(.*)$

  • Target tag → endpoint.symantec.sepm.agent_behavior

  • Select both Stop processing and Send without syslog tag

Rule 3 - Agent Risk events

  • Source port → the port configured to receive the events

  • Source data → ^SymantecServer: ([^,]*),IP Address:

  • Target tag → endpoint.symantec.sepm.agent_risk

  • Select both Stop processing and Send without syslog tag

Rule 4 - Agent Scan events

  • Source port → the port configured to receive the events

  • Source data → ^SymantecServer: Scan ID:

  • Target tag → endpoint.symantec.sepm.agent_scan

  • Select both Stop processing and Send without syslog tag

Rule 5 - Agent Security events

  • Source port → the port configured to receive the events

  • Source data → ^SymantecServer: (([^,]*),)*SHA-256:

  • Target tag → endpoint.symantec.sepm.agent_security

  • Select both Stop processing and Send without syslog tag

Rule 6 - Agent System events

  • Source port → the port configured to receive the events

  • Source data → ^SymantecServer: ([^,]*),Category:

  • Target tag → endpoint.symantec.sepm.agent_system

  • Select both Stop processing and Send without syslog tag

Rule 8 - Other events

  • Source port → the port configured to receive the events

  • Target tag → endpoint.symantec.sepm.others

  • Select both Stop processing and Send without syslog tag
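The rule chain above as a worked example (added here; this is not Devo's relay code and not Symantec's log format): it applies the six Source data patterns in order with first-match-wins semantics and falls through to the catch-all, and it also reports every pattern a message would satisfy, so you can see where rule order rather than the pattern decides the tag. It assumes the relay matches each pattern against the message text starting at SymantecServer:, and the sample messages are constructed to exercise the patterns, not real SEPM records.

```python
import re

# The relay rules from this page, in evaluation order. Every rule has
# "Stop processing" set, so the first match wins; the last rule has no
# Source data pattern and therefore catches everything that fell through.
RULES = [
    (r"^SymantecServer: Site:",                "endpoint.symantec.sepm.agent_activity"),
    (r"^SymantecServer: (.*),Device ID:(.*)$", "endpoint.symantec.sepm.agent_behavior"),
    (r"^SymantecServer: ([^,]*),IP Address:",  "endpoint.symantec.sepm.agent_risk"),
    (r"^SymantecServer: Scan ID:",             "endpoint.symantec.sepm.agent_scan"),
    (r"^SymantecServer: (([^,]*),)*SHA-256:",  "endpoint.symantec.sepm.agent_security"),
    (r"^SymantecServer: ([^,]*),Category:",    "endpoint.symantec.sepm.agent_system"),
    (None,                                     "endpoint.symantec.sepm.others"),
]
COMPILED = [(re.compile(p) if p else None, tag) for p, tag in RULES]


def classify(message: str) -> str:
    """Return the tag the relay would apply: the first matching rule, else the catch-all.

    Assumes `message` is the text the relay matches, beginning at 'SymantecServer:'.
    """
    for pattern, tag in COMPILED:
        if pattern is None or pattern.search(message):
            return tag
    raise AssertionError("unreachable: the catch-all rule always matches")


def matching_tags(message: str) -> list[str]:
    """Every pattern rule the message satisfies, ignoring Stop processing.

    More than one entry means rule order, not the pattern alone, decides the tag.
    """
    return [tag for pattern, tag in COMPILED if pattern and pattern.search(message)]


# Constructed sample messages shaped to satisfy the page's patterns (not real SEPM output).
SAMPLES = [
    "SymantecServer: Site: Main,Server: sepm01",
    "SymantecServer: Scan ID: 42,Begin: scan started",
    "SymantecServer: host1,IP Address: 10.0.0.5,SHA-256: 0123ABCD",  # rules 3 and 5 both match
    "SymantecServer: host1,Category: 2,Device ID: DISK-0",           # rules 2 and 6 both match
    "SymantecServer: unexpected format",                              # only the catch-all
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):40} <- {line}  (all matches: {matching_tags(line)})")
```

Note that Rule 2's greedy (.*) lets any message ending in a Device ID: field win over Rule 6, and Rule 3 takes precedence over Rule 5 whenever a message carries both IP Address: and SHA-256: fields, so reordering these rules changes which table the events land in.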

Table structure

These are the fields displayed in this table: