The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Hint: This content pack was first released in Illuminate v3.2.0.

Symantec Endpoint Protection is a security software suite that consists of anti-malware, intrusion prevention, and firewall features for server and desktop computers. This technology pack will process Symantec logs, providing normalization and enrichment of common events of interest.

Supported Version(s)

  • 14.3.8268.5000

Stream Configuration

This technology pack includes one stream:

  • “Illuminate: Symantec Device Messages”

Hint: If this stream does not exist prior to the activation of this pack, then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • “Symantec Event Log Messages”

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Event Types Supported

  • Server Administration

  • Application and Device Control

  • Server Client-Server Policy

  • Server System

  • Client Packet

  • Client Proactive Threat

  • Client Risk

  • Client Scan

  • Client Security

  • Client System

  • Client Traffic

Log Format Examples

Server Administration Admin

WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Domain Name: Default,Admin: admin,Event Description: Administrator log on succeeded

Application and Device Control

-Behavior
WIN-TFB8L7BI77H SymantecServer: WIN-TFB8L7BI77H,172.16.14.42,Blocked, - Caller SHA256=e6b2c506042ff50415668cb9d0f24c34c2cf080f1023ca9565fdb846ccd39b53 - Target MD5=9a1d9fe9b1223273c314632d04008384 - Target Arguments='',Create Process,Begin: 2023-01-11 18:38:09,End Time: 2023-01-11 18:38:09,Rule: Rule 1 | Block anydesk.exe,10060,C:/Windows/explorer.exe,0,No Module Name,C:/Users/Administrator/Downloads/AnyDesk.exe,User Name: Administrator,Domain Name: WIN-TFB8L7BI77H,Action Type: ,File size (bytes): 399808,Device ID: SCSI\Disk&Ven_&Prod_ST500DM002-1BD14\4&37da426a&0&000000
-Agent
WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Domain Name: Default,The management server received the client log successfully,WIN-TFB8L7BI77H,Administrator,LocalComputer

Server Client-Server Policy

WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Domain Name: Default,Admin: admin,Event Description: Policy has been edited: Edited shared Firewall policy: Firewall policy,Firewall policy

Server System

WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Event Description: Failed to connect to the syslog server. External logging cannot proceed until the problem is resolved.

Client Packet

WIN-TFB8L7BI77H SymantecServer: WIN-Client,Local Host IP: 172.16.14.42,Local: 3,Remote Host IP: 172.16.14.10,Remote Host Name: ceredox-dc01.ceredox.comd,Remote: 3,Outbound,Application: ,Action: Blocked

Client Proactive Threat

WIN-TFB8L7BI77H SymantecServer: Security risk found,Computer name: WIN-Client,IP Address: 172.16.14.42,Detection type: Suspicious Behavior Detection,First Seen: Reputation was not used in this detection.,Application name: Microsoft® Windows® Operating System,Application type: Trojan Worm,Application version: 10.0.17763.1,Hash type: SHA-256,Application hash: 85dd6f8edf142f53746a51d11dcba853104bb0207cdf2d6c3529917c3c0fc8df,Company name: Microsoft Corporation,File size (bytes): 1652736,Sensitivity: 1,Detection score: 0,COH Engine Version: ,Detection Submissions No,Allowed application reason: Not on the allow list,Disposition: Good,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,Risk Level: High,Risk type: BPE,Source: SONAR Scan,Risk name: SONAR.SuspPE!gen43,Occurrences: 1,c:\windows\system32\certutil.exe,,Actual action: Access denied,Requested action: Left alone,Secondary action: Left alone,Event time: 2023-01-11 01:29:36,Event Insert Time: 2023-01-11 01:31:24,End Time: 2023-01-11 01:29:36,Domain Name: Default,Group Name: My Company\\Test,Server Name: WIN-TFB8L7BI77H,User Name: Administrator,Source Computer Name: ,Source Computer IP: ,Location: ,Intensive Protection Level: 0,Certificate issuer: Microsoft Windows,Certificate signer: Microsoft Windows Production PCA 2011,Certificate thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452,Signing timestamp: 1536994988,Certificate serial number: 33000001C422B2F79B793DACB20000000001C4

Client Risk

WIN-TFB8L7BI77H SymantecServer: Virus found,IP Address: 172.16.14.42,Computer name: WIN-Client,Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1,File path: C:\Users\Administrator\Downloads\eicar_com.zip,Description: ,Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2023-01-12 12:25:36,Event Insert Time: 2023-01-12 12:27:05,End Time: 2023-01-12 12:25:36,Last update time: 2023-01-12 12:27:05,Domain Name: Default,Group Name: My Company\Test,Server Name: WIN-TFB8L7BI77H,User Name: Administrator,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: [https://secure.eicar.org/eicar_com.zip,Web](https://secure.eicar.org/eicar_com.zip,Web) domain: [secure.eicar.org](http://secure.eicar.org/),Downloaded by: chrome.exe,Prevalence: This file has been seen by hundreds of thousands of Symantec users.,Confidence: This file is untrustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file for more than 1 year.,Sensitivity: ,Allowed application reason: Not on the allow list,Application hash: 2546DCFFC5AD854D4DDC64FBF056871CD5A00F2471CB7A5BFD4AC23B6E9EEDAD,Hash type: SHA2,Company name: ,Application name: eicar_com.zip,Application version: ,Application type: 127,File size (bytes): 184,Category set: Malware,Category type: Virus,Location: Default,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:

Client Scan

WIN-TFB8L7BI77H SymantecServer: Scan ID: 1673417071,Begin: 2023-01-12 11:25:12,End Time: 2023-01-12 11:25:50,Completed,Duration (seconds): 38,User1: SYSTEM,User2: SYSTEM,Scan started on selected drives and folders and all extensions.,Scan Complete: Risks: 0 Scanned: 1102 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 748,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1102,Omitted: 0,Computer: WIN-TFB8L7BI77H,IP Address: 172.16.14.42,Domain Name: Default,Group Name: My Company\Test,Server Name: WIN-TFB8L7BI77H,Scan Type: DefWatch

Client Security

WIN-TFB8L7BI77H SymantecServer: WIN-TFB8L7BI77H,Event Description: [SID: 60501] URL reputation: Browser navigation to known bad URL attack blocked. Traffic has been blocked for this application: C:\Program Files\Google\Chrome\Application\Chrome.exe,Event Type: Browser Protection event,Local Host IP: 0.0.0.0,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 0.0.0.0,Remote Host MAC: 000000000000,Outbound,OTHERS,,Begin: 2023-01-12 12:21:33,End Time: 2023-01-12 12:21:33,Occurrences: 1,Application: C:/Program Files/Google/Chrome/Application/chrome.exe,Location: Default,User Name: Administrator,Domain Name: WIN-TFB8L7BI77H,Local Port: 0,Remote Port: 0,CIDS Signature ID: 60501,CIDS Signature string: URL reputation: Browser navigation to known bad URL,CIDS Signature SubID: 0,Intrusion URL: http:/[www.eicar.eu/,Intrusion](http://www.eicar.eu/,Intrusion) Payload URL: ,SHA-256: ,MD-5: ,Intensive Protection Level: Level 1,URL Risk: N/A,URL Category: Malicious Sources/Malnets* Client System
WIN-TFB8L7BI77H SymantecServer: WIN-Client,Category: 2,LiveUpdate Manager,Event Description: An update for Revocation Data was successfully installed. The new sequence number is 230112003.,Event time: 2023-01-12 15:29:51,Group Name: My Company\Test

Client Traffic

WIN-TFB8L7BI77H SymantecServer: DESKTOP-D2IQ7II,Local Host IP: 172.16.14.58,Local Port: 3,Local Host MAC: F8B156BAD2E9,Remote Host IP: 8.8.8.8,Remote Host Name: dns.google,Remote Port: 3,Remote Host MAC: 001AE3B5F444,ICMP,Outbound,Begin: 2023-01-12 16:59:58,End Time: 2023-01-12 16:59:58,Occurrences: 1,Application: ,Rule: Block all other IP traffic and log,Location: Default,User Name: admin,Domain Name: DESKTOP-D2IQ7II,Action: Blocked,SHA-256: ,MD-5:

Requirements

  • Configure a TCP Syslog input on Graylog.

  • Configure Symantec Endpoint Protection Manager to transmit Syslog to your Graylog server Syslog input.
    For SEPM output configuration, please refer to the official documentation.

What is Provided?

  • Parsing rules to extract Symantec logs into Graylog schema compatible fields.

Categorized Events

  • Client Risk: alert message

  • Client Security: alert message

  • Client Proactive Threat: alert message

  • Server Administration (log on event): logon

  • Server Administration (log off event): logoff

  • Server Administration (log on failed): logon

  • Server Administration (admin password change): administrative password reset

Hint: Client Risk logs are set statically to alert_severity high.

SEPM supports three action types for the event types: Client Proactive Threat and Client Risk. The behavior is described as:

  • Actual action: The action SEP took to remediate the mentioned threat.

  • Requested action: This is the action SEP wants to perform and is usually the same as actual action.

  • Secondary action: Action to take in case the actual action does not work.

Graylog maps actual, requested, and secondary actions to:

  • Actual action: vendor_event_action

  • Requested action: vendor_requested_action

  • Secondary action: vendor_secondary_action

The logs are identified by the keyword SymantecServer.

Symantec Endpoint Spotlight Content Pack

Introduced in Illuminate 3.4 the Symantec Endpoint Spotlight Content Pack comes bundled with the Symantec Endpoint Security Content Pack. See Installing Illuminate or Upgrading Illuminate for more information on Spotlight Content Pack selection. This additional pack contains the following dashboards:

  • Symantec Endpoint Protection: Overview Tab

  • Symantec Endpoint Protection: Alert Tab

  • Symantec Endpoint Protection: Authentication Tab