The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Symantec Endpoint Security is a cloud and hybrid-managed solution that provides the protection of SEP, attack detection of EDR, and other technologies to secure devices.

Requirement(s)

  • Symantec Endpoint Security Enterprise or Symantec Endpoint Security Complete license

  • Minimum of Graylog 6.0+ with a valid enterprise license

Not Supported

Please note the following categories are not supported in this content pack:

  • Evidence of Compromise

  • Information Protection

  • License

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Symantec Endpoint Security Messages”

Hint: If this stream does not exist prior to the activation of this pack, it will be created, and messages will be routed to it and to the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • “Symantec Endpoint Security Logs”

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Examples

{"device_os_type_id":100,"lineage":["C:\\Users\\user2\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"],"feature_uid":"1DF0351C-146D-4F07-B155-BF5C7077FF40","type":"event_query_results","seq_num":177,"ref_uid":"4D5B6F97-6101-4C7E-B922-930E25360417","legacy_product_uid":"d965a903-7d7a-7347-decb-101fd144c5bc","id":1,"product_uid":"31B0C880-0229-49E8-94C5-48D56B1BD7B9","feature_name":"DETECTION_RESPONSE","device_group":"Default","product_name":"Symantec Endpoint Security","version":"1.0.0","command_uid":"","device_ip":"192.168.1.3","device_vhost":1,"timezone":-330,"device_domain":"WORKGROUP","product_ver":"14.3.10148.8000","is_npvdi_client":false,"device_name":"DESKTOP-BP8KOJM","category_id":5,"device_networks":[{"ipv6":["2401:4900:1cb2:ea41:b45a:2aba:b9f5:c3ef","2401:4900:1cb2:ea41:c568:8e7a:5c3c:70aa","fe80:0000:0000:0000:af14:9b46:8337:5c4c"],"mac":"64:79:f0:cd:e9:02","ipv4":["192.168.1.3"]}],"device_os_name":"Windows 11 Professional Edition","type_id":8001,"actor":{"session_id":2,"pid":6932,"uid":"D157FA8E-DF80-F1EE-B896-84BC5A4C9DB5","tid":6468,"start_time":"2024-03-12T04:41:07.479Z","cmd_line":"\"C:\\Users\\user2\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --system-initiated","integrity_id":3,"file":{"type_id":1,"created":"2024-03-11T09:36:04.367Z","modified":"2024-03-11T09:36:07.440Z","md5":"4989696e862d359ec09b75f4b2934b4b","sha2":"48cf3cfae4cc99eb5ed7b2fa0104fa8db47b6b13bc9e4c05103cc6b0265e9aeb","size":149479288,"signature_company_name":"Microsoft Corporation","signature_value_ids":[3,5],"security_descriptor":"O:S-1-5-21-2943851542-2441814902-1111111-1002G:S-1-5-21-2943851542-2441814902-1111111-513D:(A;;0x1fffff;;;S-1-5-21-2943851542-2441814902-1111111-1002)(A;;0x1fffff;;;SY)(A;;0x121411;;;S-1-5-5-0-43017645)S:AI","normalized_path":"CSIDL_PROFILE\\appdata\\local\\microsoft\\teams\\current\\teams.exe","path":"c:\\users\\user2\\appdata\\local\\microsoft\\teams\\current\\teams.exe","uid":"5629499534313427","name":"teams.exe","folder":"c:\\users\\user2\\appdata\\local\\microsoft\\teams\\current","original_name":"Teams.exe","signature_level_id":60},"user":{"name":"user1","sid":"S-1-5-21-2943851542-2441814902-1111111-1002","domain":"DESKTOP-BP8KOJM"}},"device_mac":"64:79:f0:cd:e9:02","device_uid":"HvM1Eew9SXmq8F-WGqkYtg","org_unit_uid":"DS-gzhR8RaWMhATsDmbsyg","severity_id":1,"logging_device_post_time":"2024-03-12T15:20:12.970Z","device_time":"2024-03-12T15:20:12.962Z","user_name":"user1","process":{"session_id":2,"pid":9352,"uid":"088F4DEC-E05C-F1EE-B896-84BC5A4C9DB5","start_time":"2024-03-12T15:20:12.962Z","cmd_line":"\"C:\\Users\\user2\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --enable-wer --user-data-dir=\"C:\\Users\\user2\\AppData\\Roaming\\Microsoft\\Teams\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\user2\\AppData\\Local\\Microsoft\\Teams\\current\\resources\\app.asar\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=309 --launch-time-ticks=111330447179 --mojo-platform-channel-handle=3992 --field-trial-handle=1852,i,7718261119285444314,14632190959189571843,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1","integrity_id":2,"file":{"type_id":1,"created":"2024-03-11T09:36:04.367Z","modified":"2024-03-11T09:36:07.440Z","md5":"4989696e862d359ec09b75f4b2934b4b","sha2":"48cf3cfae4cc99eb5ed7b2fa0104fa8db47b6b13bc9e4c05103cc6b0265e9aeb","size":149479288,"signature_company_name":"Microsoft Corporation","signature_value_ids":[3,5],"security_descriptor":"O:S-1-5-21-2943851542-2441814902-1111111-1002G:S-1-5-21-2943851542-2441814902-1111111-513D:(A;;0x1fffff;;;S-1-5-21-2943851542-2441814902-1111111-1002)(A;;0x1fffff;;;SY)S:AI","normalized_path":"CSIDL_PROFILE\\appdata\\local\\microsoft\\teams\\current\\teams.exe","path":"c:\\users\\user2\\appdata\\local\\microsoft\\teams\\current\\teams.exe","uid":"5629499534313427","name":"teams.exe","folder":"c:\\users\\user2\\appdata\\local\\microsoft\\teams\\current","original_name":"Teams.exe","signature_level_id":60},"user":{"name":"user1","sid":"S-1-5-21-2943851542-2441814902-1111111-1002","domain":"DESKTOP-BP8KOJM"}},"edr_enriched_data":{"category_name":"Generic Data to be sent to Symantec EDR","category_id":201,"event_group_id":"9878AD19-4849-439E-A68A-7353D041C701","suspicion_score":50,"rule_id":1198,"rule_name":"eUserExecution","rule_description":"User execution detected"},"feature_ver":"edr/1.3.0","is_user_present":true,"event_data_type":"fdr","user":{"name":"user1"},"device_os_ver":"10.0.22621","policy":{"uid":"19caded7-de5f-4e05-8000-f71fd8151bb7","name":"Default Detection and Response Policy","version":"2"},"attacks":[{"technique_uid":"T1204","technique_name":"User Execution","tactic_ids":[2],"tactic_uids":["TA0002"]}],"customer_uid":"abc123","device_public_ip":"1.1.1.1","domain_uid":"xyz456","time":"2024-03-12T15:20:12.962Z","log_time":"2024-03-12T15:23:02.261Z","uuid":"8001:059e2820-e084-11ee-e526-000003a26ae1"}

Requirements

  • Symantec Endpoint Security Logging: Symantec Endpoint Security (SES) utilizes the Graylog Symantec SES Events input, which ingests event and incident logs in JSON format (as shown above).

What is Provided?

Rules to normalize and enrich Symantec Endpoint Security log messages.

Symantec Endpoint Security Log Message Processing

The Illuminate processing of Symantec Endpoint Security log messages provides the following:

  • Field extraction, normalization and message enrichment for Symantec Endpoint Security log messages.

  • GIM Categorization of the following messages:

Vendor Event ID   GIM Category   GIM Subcategory
8075              alert          alert.default
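As an added illustration of the processing described above (this is not the content pack's own rule code, nor Graylog's), the Python below flattens an SES JSON event like the one in the Log Format Examples section into searchable fields and applies the GIM mapping from the table. The two sample events are constructed from the page's example using its field names, and all output field names are assumptions chosen for readability.

```python
import json

# GIM categorization as listed on this page: only vendor event ID 8075 is mapped.
GIM_CATEGORY_BY_TYPE_ID = {8075: ("alert", "alert.default")}

# Constructed, abbreviated SES events built from the page's example (not live captures).
SAMPLE_DETECTION = json.dumps({
    "type_id": 8001, "time": "2024-03-12T15:20:12.962Z", "severity_id": 1,
    "device_name": "DESKTOP-BP8KOJM", "device_ip": "192.168.1.3", "user_name": "user1",
    "process": {"pid": 9352, "cmd_line": "\"C:\\Users\\user2\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer",
                "file": {"path": "c:\\users\\user2\\appdata\\local\\microsoft\\teams\\current\\teams.exe",
                         "sha2": "48cf3cfae4cc99eb5ed7b2fa0104fa8db47b6b13bc9e4c05103cc6b0265e9aeb",
                         "signature_company_name": "Microsoft Corporation"}},
    "edr_enriched_data": {"rule_name": "eUserExecution", "suspicion_score": 50},
    "attacks": [{"technique_uid": "T1204", "technique_name": "User Execution", "tactic_uids": ["TA0002"]}],
})
SAMPLE_ALERT = json.dumps({"type_id": 8075, "time": "2024-03-12T15:25:00.000Z", "device_name": "DESKTOP-BP8KOJM"})


def normalize_ses_event(raw: str) -> dict:
    """Flatten one SES JSON event into searchable fields; tolerate absent sub-objects.

    GIM category/subcategory are set only for vendor event IDs in the page's table.
    """
    ev = json.loads(raw)
    proc = ev.get("process") or {}
    pfile = proc.get("file") or {}
    edr = ev.get("edr_enriched_data") or {}
    attacks = ev.get("attacks") or []
    out = {
        "vendor_event_id": ev.get("type_id"),
        "event_time": ev.get("time"),
        "host": ev.get("device_name"),
        "host_ip": ev.get("device_ip"),
        "user": ev.get("user_name"),
        "process_pid": proc.get("pid"),
        "process_command_line": proc.get("cmd_line"),
        "process_path": pfile.get("path"),
        "process_sha256": pfile.get("sha2"),
        "process_signer": pfile.get("signature_company_name"),
        "edr_rule_name": edr.get("rule_name"),
        "edr_suspicion_score": edr.get("suspicion_score"),
        # MITRE ATT&CK technique and tactic IDs, the kind of data the dashboard's MITRE tab pivots on.
        "attack_technique_ids": sorted({a["technique_uid"] for a in attacks if "technique_uid" in a}),
        "attack_tactic_ids": sorted({t for a in attacks for t in a.get("tactic_uids", [])}),
    }
    gim = GIM_CATEGORY_BY_TYPE_ID.get(out["vendor_event_id"])
    if gim:
        out["gim_event_category"], out["gim_event_subcategory"] = gim
    # Drop empty fields so unmapped events (like the 8001 detection) stay compact but searchable.
    return {k: v for k, v in out.items() if v not in (None, [])}
```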

Symantec Endpoint Security Spotlight Content Pack

The Symantec Endpoint Protection Spotlight content pack contains:

  • Dashboard: Illuminate:Symantec Endpoint Security Overview

    Overview tab

    MITRE ATTACK Overview tab

  • Saved Search: Illuminate:Symantec Endpoint Security Correlation UID Log Viewer

    Log viewer