Symantec Endpoint Detection and Response Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Symantec Endpoint Detection and Response (EDR) detects advanced attacks on endpoints using machine learning and global threat intelligence, with the aim of keeping false positives low for security teams. This technology pack parses, normalizes, and enriches Symantec EDR events ingested through the Graylog Symantec EDR input.

Supported Version(s)

  • Symantec Endpoint Detection and Response 4.x

Requirements

  • Symantec Endpoint Detection and Response on-premises or cloud subscription

  • Graylog 6.0+ with a valid Graylog Enterprise or Graylog Security license

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Symantec Endpoint Detection and Response Messages"

Hint: If this stream does not exist prior to the activation of this pack, it is created, and the pack's pipeline rules route Symantec EDR messages to it and to the associated index set. Do not configure any stream rules on this stream; routing is handled by the pipeline.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Symantec Endpoint Detection and Response Logs"

Hint: If this index set is already defined, nothing is changed. If it does not exist, it is created with daily index rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

This technology pack relies on the Graylog Symantec EDR input, which pulls events from the Symantec EDR API in JSON format. Refer to the Graylog documentation for instructions on configuring the Symantec EDR input.

Log Format Examples

Process Event (type_id 8001)

{"type_id":8001,"severity_id":1,"device_time":"2024-04-18T06:42:05.894Z","log_time":"2024-04-17T23:00:52.403Z","device_uid":"3fb76a67-874f-4cd1-8d96-aeba1d20bbaf","device_name":"WIN-TKA1G03QG76","device_ip":"172.16.14.11","device_os_name":"Windows Server 2019","user_name":"SYSTEM","user_domain":"NT AUTHORITY","user_sid":"S-1-5-18","device_domain":"DC01.com","operation":2,"event_actor":{"pid":5844,"uid":"DEDEC927-FD16-F1EE-8DB5-98261F32744E","cmd_line":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv","start_time":"2024-04-18T06:32:03.421Z","user":{"name":"SYSTEM","sid":"S-1-5-18"},"file":{"name":"svchost.exe","md5":"4dd18f001ac31d5f48f50f99e4aa1761","path":"c:\\windows\\system32\\svchost.exe","signature_company_name":"Microsoft Windows Publisher","sha2":"2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b","original_name":"svchost.exe"}},"process":{"pid":5844,"uid":"DEDEC927-FD16-F1EE-8DB5-98261F32744E","cmd_line":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv","user":{"name":"SYSTEM","sid":"S-1-5-18"},"file":{"name":"svchost.exe","md5":"4dd18f001ac31d5f48f50f99e4aa1761","path":"c:\\windows\\system32\\svchost.exe","signature_company_name":"Microsoft Windows Publisher","sha2":"2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b","original_name":"svchost.exe"}},"enriched_data":{"rule_name":"eProcessClose","category_name":"Process Termination","category_id":3},"ref_uid":"8906CA27-352B-4FC7-A146-1602517C0EFD","uuid":"c590c660-fd4e-11ee-da35-00000001aa89","log_name":"epmp_events-fdr-2024-04-18"}

Intrusion Prevention (type_id 4098)

{"type_id":4098,"device_time":"2024-04-18T06:33:19.989Z","log_time":"2024-04-18T06:33:20.651Z","device_uid":"3fb76a67-874f-4cd1-8d96-aeba1d20bbaf","device_name":"win-tka1g03qg76","device_ip":"172.16.14.11","internal_port":57694,"external_ip":"49.12.202.237","external_port":443,"source_ip":"49.12.202.237","source_port":[57694],"target_port":[443],"data_source_url":"https://7-zip.org","data_source_url_domain":"7-zip.org","data_direction":2,"sep_installed":true,"file":{"sha2":"ccd90e5850a1b5853ff807fcebedca42fa2015d0792946f41a35bcf50cbd3684","md5":"f6b05f4b78cd456483e27b9368e80aff","name":"CERTUTIL.EXE","folder":"\\DEVICE\\HARDDISKVOLUME4\\WINDOWS\\SYSTEM32","version":"10.0.17763.3469"},"signature_id":"32954","signature_name":"Audit: Certutil File Download Request","categories":["Audit"],"intrusion":{"date_detected":"2024-04-18T18:55:17.000Z","attacker_local_remote":"1","protocol_id":"6","detail_id":"65537","signature_properties":"7696"},"scan":{"signatures_version":"20240417.081"},"infected":false,"deepsight_domain":"notavailable","uuid":"8c1a0a50-fd4d-11ee-f705-00000001afc8","log_name":"epmp_events-2024-04-18"}

What is Provided

  • Rules to parse, normalize, and enrich Symantec EDR messages.

  • Routing of EDR messages into a dedicated stream and index set.

  • JSON parsing of nested event data, with deduplication of MITRE ATT&CK tactic and technique identifiers.

  • Vendor severity normalization to the Graylog event_severity_level scale.

  • MITRE ATT&CK enrichment via Symantec tactic identifier mapping.

  • GIM categorization and enforcement field population to support cross-vendor correlation and alerting.

  • A Spotlight dashboard displaying events and statistics of interest.
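The parsing, severity normalization and MITRE ATT&CK deduplication steps listed above, as an added Python example that is not the pack's own pipeline rules or any Graylog or Symantec code. It runs over the two events from Log Format Examples (copied verbatim from this page) plus a constructed third event with an assumed "attacks" list. The severity table, the output field names, the handling of "infected", and the LOLBin list are assumptions made for illustration; the shipped pack's own mapping tables are authoritative.

```python
"""Added example, not part of the Illuminate pack: parse the two Symantec EDR
events shown in Log Format Examples, flatten the nested JSON, normalise the
vendor severity and dedupe MITRE ATT&CK identifiers."""
import json

# type_id values as they appear in the Log Format Examples above.
EVENT_TYPES = {8001: "process", 4098: "intrusion_prevention"}

# ASSUMPTION: Symantec severity_id (1 = info .. 6 = fatal) folded onto a
# 0..4 scale. The shipped pack's severity table is authoritative, not this.
SEVERITY_MAP = {1: 0, 2: 1, 3: 2, 4: 3, 5: 4, 6: 4}

# ASSUMPTION: binaries whose outbound download is worth a dedicated alert.
LOLBIN_DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "mshta.exe"}


def flatten(obj, prefix="", out=None):
    """Copy nested dict keys into a flat dict as prefix_key; lists are kept."""
    out = {} if out is None else out
    for key, value in obj.items():
        name = f"{prefix}_{key}" if prefix else key
        if isinstance(value, dict):
            flatten(value, name, out)
        else:
            out[name] = value
    return out


def normalize(raw):
    """Turn one raw Symantec EDR JSON event into a vendor-neutral record."""
    ev = json.loads(raw)
    flat = flatten(ev)
    level = SEVERITY_MAP.get(ev.get("severity_id"), 0)
    if ev.get("infected"):  # ASSUMPTION: a confirmed infection is at least "high"
        level = max(level, 3)
    rec = {
        "vendor_event_type": EVENT_TYPES.get(ev.get("type_id"), "generic"),
        "host_name": str(flat.get("device_name", "")).lower(),
        "host_ip": flat.get("device_ip"),
        "event_severity_level": level,
        "user_name": flat.get("process_user_name") or flat.get("user_name"),
    }
    if "process" in ev:  # process event: keys come from the flattened "process" object
        rec["process_command_line"] = flat.get("process_cmd_line")
        rec["process_file_sha256"] = flat.get("process_file_sha2")
        rec["process_signer"] = flat.get("process_file_signature_company_name")
    if "signature_id" in ev:  # intrusion prevention event
        rec["threat_signature_id"] = ev["signature_id"]
        rec["threat_signature_name"] = ev.get("signature_name")
        rec["threat_file_name"] = str(flat.get("file_name", "")).lower()
        rec["source_ip"] = ev.get("source_ip")
        rec["destination_url"] = ev.get("data_source_url")
    # ASSUMPTION on shape: "attacks" is a list of {"technique_uid": ...,
    # "tactic_ids": [...]} entries; a technique may repeat, hence the sets.
    tactics, techniques = set(), set()
    for attack in ev.get("attacks", []):
        tactics.update(attack.get("tactic_ids", []))
        if attack.get("technique_uid"):
            techniques.add(attack["technique_uid"])
    if tactics or techniques:
        rec["mitre_tactic_ids"] = sorted(tactics)
        rec["mitre_technique_ids"] = sorted(techniques)
    return rec


def flags_lolbin_download(rec):
    """True when an IPS event reports a known living-off-the-land downloader."""
    return (rec.get("vendor_event_type") == "intrusion_prevention"
            and rec.get("threat_file_name") in LOLBIN_DOWNLOADERS)


# Sample inputs. The first two are the events from Log Format Examples above;
# the third is constructed to exercise the MITRE deduplication path.
PROCESS_EVENT = r'{"type_id":8001,"severity_id":1,"device_time":"2024-04-18T06:42:05.894Z","log_time":"2024-04-17T23:00:52.403Z","device_uid":"3fb76a67-874f-4cd1-8d96-aeba1d20bbaf","device_name":"WIN-TKA1G03QG76","device_ip":"172.16.14.11","device_os_name":"Windows Server 2019","user_name":"SYSTEM","user_domain":"NT AUTHORITY","user_sid":"S-1-5-18","device_domain":"DC01.com","operation":2,"event_actor":{"pid":5844,"uid":"DEDEC927-FD16-F1EE-8DB5-98261F32744E","cmd_line":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv","start_time":"2024-04-18T06:32:03.421Z","user":{"name":"SYSTEM","sid":"S-1-5-18"},"file":{"name":"svchost.exe","md5":"4dd18f001ac31d5f48f50f99e4aa1761","path":"c:\\windows\\system32\\svchost.exe","signature_company_name":"Microsoft Windows Publisher","sha2":"2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b","original_name":"svchost.exe"}},"process":{"pid":5844,"uid":"DEDEC927-FD16-F1EE-8DB5-98261F32744E","cmd_line":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv","user":{"name":"SYSTEM","sid":"S-1-5-18"},"file":{"name":"svchost.exe","md5":"4dd18f001ac31d5f48f50f99e4aa1761","path":"c:\\windows\\system32\\svchost.exe","signature_company_name":"Microsoft Windows Publisher","sha2":"2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b","original_name":"svchost.exe"}},"enriched_data":{"rule_name":"eProcessClose","category_name":"Process Termination","category_id":3},"ref_uid":"8906CA27-352B-4FC7-A146-1602517C0EFD","uuid":"c590c660-fd4e-11ee-da35-00000001aa89","log_name":"epmp_events-fdr-2024-04-18"}'

IPS_EVENT = r'{"type_id":4098,"device_time":"2024-04-18T06:33:19.989Z","log_time":"2024-04-18T06:33:20.651Z","device_uid":"3fb76a67-874f-4cd1-8d96-aeba1d20bbaf","device_name":"win-tka1g03qg76","device_ip":"172.16.14.11","internal_port":57694,"external_ip":"49.12.202.237","external_port":443,"source_ip":"49.12.202.237","source_port":[57694],"target_port":[443],"data_source_url":"https://7-zip.org","data_source_url_domain":"7-zip.org","data_direction":2,"sep_installed":true,"file":{"sha2":"ccd90e5850a1b5853ff807fcebedca42fa2015d0792946f41a35bcf50cbd3684","md5":"f6b05f4b78cd456483e27b9368e80aff","name":"CERTUTIL.EXE","folder":"\\DEVICE\\HARDDISKVOLUME4\\WINDOWS\\SYSTEM32","version":"10.0.17763.3469"},"signature_id":"32954","signature_name":"Audit: Certutil File Download Request","categories":["Audit"],"intrusion":{"date_detected":"2024-04-18T18:55:17.000Z","attacker_local_remote":"1","protocol_id":"6","detail_id":"65537","signature_properties":"7696"},"scan":{"signatures_version":"20240417.081"},"infected":false,"deepsight_domain":"notavailable","uuid":"8c1a0a50-fd4d-11ee-f705-00000001afc8","log_name":"epmp_events-2024-04-18"}'

# Constructed (hypothetical) event: the same technique reported twice.
MITRE_EVENT = '{"type_id":8001,"severity_id":4,"device_name":"WIN-TKA1G03QG76","device_ip":"172.16.14.11","attacks":[{"technique_uid":"T1059.001","tactic_ids":[2]},{"technique_uid":"T1059.001","tactic_ids":[2,4]}]}'

if __name__ == "__main__":
    for raw in (PROCESS_EVENT, IPS_EVENT, MITRE_EVENT):
        rec = normalize(raw)
        print(json.dumps(rec, indent=2), "lolbin_download:", flags_lolbin_download(rec))
```

Note that the IPS sample carries no severity_id at all and is an "Audit" signature with infected false, so it lands at the lowest level; a real alert should key on the signature and the file name (as flags_lolbin_download does) rather than on vendor severity alone.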

Events Processed by This Technology Pack

The pack processes messages from the following Symantec EDR vendor subtype categories. Events outside these categories receive generic processing.

GIM Categorization

GIM categorization is provided for the following messages. The Symantec vendor subtype, and where applicable a sub-classifier such as the enriched rule_category, drives the GIM mapping.

Symantec Endpoint Detection and Response Spotlight

This spotlight offers a dashboard with 2 tabs:

  • Overview

  • MITRE ATT&CK Overview