Symantec

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data type | Table name | Log format | Collection method | Supported capabilities (of: 3rd party detection, Hunters detection, IOC search, Search)
Symantec Endpoint Protection IDS Events | symantec_endpoint_protection_ids_events | Key Value | S3 | ✅ ✅
Symantec Endpoint Protection Risk Events | symantec_endpoint_protection_risk_events | Key Value | S3 | ✅ ✅
Symantec Endpoint Protection Scans | symantec_endpoint_protection_scan | Key Value | S3 | ✅
Symantec Endpoint Protection Sonar | symantec_endpoint_protection_sonar_raw | Key Value | S3 | ✅
Symantec DLP Logs | symantec_dlp_logs | Key Value | S3 | ✅ ✅
Symantec Cloud Secure Web Gateway Logs | symantec_cloud_secure_web_gateway_logs | NDJSON | API | ✅ ✅
Symantec Cloud Secure Web Gateway Audit Logs | symantec_cloud_secure_web_gateway_audit_logs | NDJSON | API | ✅ ✅

Overview

Symantec, now part of Broadcom, provides cybersecurity solutions focused on threat protection, endpoint security, and network defense. Its products include endpoint detection and response (EDR), email and web security, data loss prevention (DLP), and cloud security. Symantec's solutions help organizations protect against malware, phishing, ransomware, and advanced persistent threats by using AI-driven threat intelligence and real-time monitoring. Enterprises use Symantec to secure endpoints, cloud workloads, and network infrastructure, ensuring comprehensive protection across their digital environments.

Supported data types

Symantec Endpoint Protection IDS Events

Overview

Table name: symantec_endpoint_protection_ids_events

SEP IDS events cover a wide range of security incidents, from attempted network intrusions and malware detections to suspicious behavior and policy violations. The system logs these events with comprehensive details, including:

  • The nature of the detected threat or violation.

  • The severity level of the event, which helps in prioritizing responses.

  • Timestamps detailing when the event occurred.

  • The source and destination of any network traffic involved.

  • The specific rule or signature that was triggered.

Send data to Hunters

Hunters supports the ingestion of Symantec Endpoint Protection IDS Events via an intermediary AWS S3 bucket.

To connect Symantec Endpoint Protection IDS Events:

  1. Export your logs from Symantec to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in Key Value format.

2021-09-25 04:05:25,Info,HOSTNAME,Event Description: [SID: 123456] Audit: TeamViewer Remote Access Activity attack detected but not blocked. Application path: C:\PROGRAM FILES (X86)\TEAMVIEWER\TEAMVIEWER_SERVICE.EXE,Local Host IP: 192.168.1.2,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 8.8.8.8,Remote Host MAC: 000000000000,Outbound,TCP,,Begin: 2021-09-25 04:05:14,End Time: 2021-09-25 04:05:14,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/TEAMVIEWER/TEAMVIEWER_SERVICE.EXE,Location: External,User Name: none,Domain Name: ,Local Port: 50505,Remote Port: 5938,CIDS Signature ID: 12345,CIDS Signature string: Audit: TeamViewer Remote Access Activity,CIDS Signature SubID: 98765,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5:

Symantec Endpoint Protection Risk Events

Overview

Table name: symantec_endpoint_protection_risk_events

Risk events in SEP encompass a wide range of security threats, including malware infections, suspicious activities, and policy violations. When SEP detects a risk, it logs an event that contains detailed information about the threat, such as:

  • Nature of the Risk: Describes what was detected, for example, a virus, worm, spyware, or unauthorized access attempt.

  • Severity Level: Indicates how severe the risk is, helping administrators to prioritize their response efforts.

  • Timestamp: The date and time when the event was logged, providing a timeline of security incidents.

  • Affected Endpoint: Identifies the device or devices involved in the event.

  • Action Taken: Details the response initiated by SEP, such as quarantine, deletion, or blocking of the threat.

Send data to Hunters

Hunters supports the ingestion of Symantec Endpoint Protection Risk Events via an intermediary AWS S3 bucket.

To connect Symantec Endpoint Protection Risk Events:

  1. Export your logs from Symantec to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in Key Value format.

2021-09-25 08:55:33,Security risk found,IP Address: 192.168.1.2,Computer name: HOSTNAME,Source: Auto-Protect scan,Risk name: SecurityRisk.gen1,Occurrences: 1,File path: C:\TEMP\youtube-to-mp3-converter_72.exe,Description: ,Actual action: Deleted,Requested action: Deleted,Secondary action: Quarantined,Event time: 2021-09-25 08:51:48,Event Insert Time: 2021-09-25 08:55:32,End Time: 2021-09-25 08:53:13,Last update time: 2021-09-25 08:55:33,Domain Name: NA,Group Name: My Company\TEMP\Workstations,Server Name: HOSTNAME,User Name: SYSTEM,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: Removable Files Portal,Prevalence: This file has been seen by thousands of Symantec users.,Confidence: There is strong evidence that this file is untrustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file for more than 1 year.,Sensitivity: ,Permitted application reason: Not on the permitted application list,Application hash: ,Hash type: SHA2,Company name: Sevas-S,Application name: YouTube to MP3 Converter,Application version: 1.2.0.412,Application type: 127,File size (bytes): 511848,Category set: Security risk,Category type: Security Risk,Location: External_SWG_ON,Intensive Protection Level: 0,Certificate issuer: Sevas-S LLC,Certificate signer: VeriSign Class 3 Code Signing 2010 CA,Certificate thumbprint: ,Signing timestamp: 1340789793,Certificate serial number:

Symantec Endpoint Protection Scans

Table name: symantec_endpoint_protection_scans

SEP scan logs provide comprehensive details about the scans conducted on endpoint devices, including:

  • Date and Time of Scan: When the scan was initiated and completed, offering a timeline of security operations.

  • Type of Scan: Whether the scan was a full, quick, custom, or scheduled scan, providing insight into the scope and depth of the examination.

  • Scan Results: Detailed outcomes of the scan, such as the number of files scanned, threats detected, and any actions taken (e.g., files quarantined or deleted).

  • Threat Details: For detected threats, logs may include the name of the malware, the severity level, and the specific files or system areas affected.

  • System Performance Impact: Information on how the scan impacted the endpoint's performance, which can help in scheduling future scans to minimize disruption.

Send data to Hunters

Hunters supports the ingestion of Symantec Endpoint Protection Scans via an intermediary AWS S3 bucket.

To connect Symantec Endpoint Protection Scans:

  1. Export your logs from Symantec to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in Key Value format.

Sep 27 00:46:46 SERVER NAME SymantecServer: Scan ID: 4554545,Begin: 2022-09-27 00:30:12,End Time: 2022-09-27 00:39:22,Completed,Duration (seconds): 550,User1: root,User2: root,Scan started on all drives and all extensions.,Scan Complete: Threats: 0 Scanned: 193016 Files/Folders/Drives Omitted: 42314,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 193016,Omitted: 42314,Computer:COMPUTER NAME ,IP Address: 10.1.1.1,Domain Name: Default,Group Name: GROUP,Server Name: SERVER
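A parser for the Key Value lines shown above for the IDS, Risk and Scan data types, added here as an example; it is not part of this page or of the Hunters ingestion code. The sample strings are abridged from the page's own samples, and the positional layout of IDS events (timestamp, severity, host, then direction and protocol) and the "detected but not blocked" wording are assumptions read from those samples.

```python
import re

# Optional syslog header that SEPM exports prepend: "Sep 27 00:46:46 HOST SymantecServer: ".
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S.*?SymantecServer: ")
# A "Key: Value" token. Keys start with a letter, so a bare timestamp such as 04:05:25 never matches.
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 \-()/]*):\s*(.*)$")

# Constructed samples, abridged from the IDS event and scan lines shown on this page.
IDS_SAMPLE = (
    r"2021-09-25 04:05:25,Info,HOSTNAME,Event Description: [SID: 123456] Audit: TeamViewer Remote "
    r"Access Activity attack detected but not blocked. Application path: C:\PROGRAM FILES (X86)"
    r"\TEAMVIEWER\TEAMVIEWER_SERVICE.EXE,Local Host IP: 192.168.1.2,Remote Host IP: 8.8.8.8,"
    r"Outbound,TCP,,Begin: 2021-09-25 04:05:14,Local Port: 50505,Remote Port: 5938,"
    r"CIDS Signature ID: 12345,CIDS Signature string: Audit: TeamViewer Remote Access Activity,MD-5:"
)
SCAN_SAMPLE = ("Sep 27 00:46:46 SERVER NAME SymantecServer: Scan ID: 4554545,Completed,"
               "Duration (seconds): 550,Threats: 0,Total files: 193016,Computer:COMPUTER NAME ")

def parse_sep_event(line: str) -> dict:
    """Split a SEP Key Value line into {key: value}; bare tokens go under '_positional'.
    Caveat: a value containing a comma splits into extra positional tokens, and a
    repeated key keeps its first value, so filter on keys rather than positions."""
    body = SYSLOG_PREFIX.sub("", line.strip(), count=1)
    fields = {"_positional": []}
    for token in (t.strip() for t in body.split(",")):
        m = KEY_VALUE.match(token)
        if m:
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
        else:
            fields["_positional"].append(token)
    return fields

def triage_ids_event(fields: dict) -> dict:
    """Reduce a parsed IDS event to what an analyst checks first. Assumption from the
    page's sample: bare tokens run timestamp, severity, host, then direction, protocol;
    'blocked' is False when the description says 'detected but not blocked'."""
    pos = fields["_positional"]
    desc = fields.get("Event Description", "")
    return {
        "time": pos[0] if pos else "",
        "severity": pos[1] if len(pos) > 1 else "",
        "host": pos[2] if len(pos) > 2 else "",
        "signature_id": fields.get("CIDS Signature ID", ""),
        "signature": fields.get("CIDS Signature string", ""),
        "local": fields.get("Local Host IP", "") + ":" + fields.get("Local Port", ""),
        "remote": fields.get("Remote Host IP", "") + ":" + fields.get("Remote Port", ""),
        "direction": next((p for p in pos if p in ("Inbound", "Outbound")), ""),
        "blocked": "not blocked" not in desc.lower(),
    }
```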

Symantec Endpoint Protection Sonar

Table name: symantec_endpoint_protection_sonar_raw

SONAR logs are an important aspect of SEP's comprehensive security approach, providing detailed insights into the behavior-based detections made by the system. SONAR logs in SEP capture and detail the activities and events deemed suspicious or malicious based on behavioral characteristics.

Send data to Hunters

This data type requires the involvement of Hunters Support. Click here to reach out.

Expected format

Logs are expected in Key Value format.

Nov 30 10:59:37 EU-SEPM-01 SymantecServer: Security risk found,Computer name: name,IP Address: ip,Detection type: Heuristic,First Seen: Symantec has known about this file for more than 30 days.,Application name: socar.exe,Application type: 127,Application version: ,Hash type: SHA-256,Application hash: hash,Company name: ,File size (bytes): 7178,Sensitivity: 1,Detection score: 0,COH Engine Version: 12.6.0.106,Detection Submissions No,Permitted application reason: Not on the permitted application list,Disposition: Good,Download site: ,Web domain: ,Downloaded by: c:/windows/explorer.exe,Prevalence: This file has been seen by fewer than 5 Symantec users.,Confidence: There is growing evidence that this file is trustworthy.,URL Tracking Status: On,Risk Level: High,Risk type: Heuristic,Source: SONAR Scan,Risk name: SONAR.Heuristic.121,Occurrences: 1,Desktop\\socar.exe,,Actual action: Quarantined,Requested action: Quarantined,Secondary action: Left alone,Event time: 2022-11-30 10:58:36,Event Insert Time: 2022-11-30 10:59:37,End Time: 2022-11-30 10:58:37,Domain Name: Default,Group Name: My Company\\ - Prod - Servers\\Symantec Servers\\Symantec ICT,Server Name: name,User Name: name,Source Computer Name: ,Source Computer IP: ,Location: location - Internal,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: ,Certificate serial number:

Symantec DLP Logs

Table name: symantec_dlp_logs

Symantec DLP logs record detailed information about incidents where sensitive data might be at risk of exposure or has been mishandled.

Send data to Hunters

Hunters supports the ingestion of Symantec DLP logs via an intermediary AWS S3 bucket.

To connect Symantec DLP logs:

  1. Export your logs from Symantec to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in Key Value format.

Jan 31 13:00:29  eu-server.temp.com application_name="Microsoft Edge Chromium" application_user="N/A" attach_file_name="[UNKNOWN VARIABLE: ATTACHMENT_FILE_NAME]" blocked="None" dataowner_name="N/A" dataowner_email="N/A" destination_ip="null" device_instance_id="N/A" endpoint_location="On the Corporate Network" endpoint_machine="9HMR0J3" endpoint_user_name="abc" path="N/A" file_name="N/A" parent_path="N/A" incident_id="12670053" machine_ip="10.63.212.92" incident_snapshot="https://test.temp.com:1234" match_count="4" occured_on="January 31, 2023 12:51:20 PM" policy="Global - MON - Risk Web Uploads" policy_rules="Risk URLs, Webmail Domains, Risk Web Uploads" protocol="Endpoint HTTPS" quarantine_parent_path="N/A" recipients="https://mail.google.com/mail/u/0/?login#inbox/" reported_on="January 31, 2023 12:49:00 PM" scan_date="N/A" sender="10.1.2.3" server="AM Endpoint 02" severity="2:Medium" status="Log Only" subject="N/A" target="N/A" url="N/A" user_justification="N/A" severity="2:Medium"
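The DLP lines use a different layout from the SEP exports: a syslog-style time and host followed by key="value" pairs, with the severity field repeated in the page's sample. The parser below is an added example, not part of this page or of Hunters' ingestion code; the sample is abridged from the page's line, and the header layout and the `occured_on` date format are assumptions taken from that sample.

```python
import re
from datetime import datetime

# key="value" pairs; a value may hold spaces, commas, '=' and URLs, but never a double quote.
KV_PAIR = re.compile(r'(\w+)="([^"]*)"')
# Leading timestamp and host as in the page's sample: 'Jan 31 13:00:29  eu-server.temp.com '.
HEADER = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+(\S+)\s+")

# Constructed sample, abridged from the DLP line on this page (severity is repeated there too).
DLP_SAMPLE = (
    'Jan 31 13:00:29  eu-server.temp.com application_name="Microsoft Edge Chromium" '
    'endpoint_machine="9HMR0J3" endpoint_user_name="abc" incident_id="12670053" machine_ip="10.63.212.92" '
    'match_count="4" occured_on="January 31, 2023 12:51:20 PM" policy="Global - MON - Risk Web Uploads" '
    'policy_rules="Risk URLs, Webmail Domains, Risk Web Uploads" protocol="Endpoint HTTPS" '
    'recipients="https://mail.google.com/mail/u/0/?login#inbox/" severity="2:Medium" status="Log Only" severity="2:Medium"'
)

def parse_dlp_incident(line: str) -> dict:
    """Parse one DLP line into a dict; the header lands in '_time' and '_host'.
    A key repeated with a different value is collected under '_conflicts' rather
    than silently overwritten, so a malformed export stays visible to the pipeline."""
    fields, conflicts = {}, {}
    m = HEADER.match(line)
    if m:
        fields["_time"], fields["_host"] = m.group(1), m.group(2)
        line = line[m.end():]
    for key, value in KV_PAIR.findall(line):
        if key in fields and fields[key] != value:
            conflicts.setdefault(key, [fields[key]]).append(value)
        else:
            fields[key] = value
    if conflicts:
        fields["_conflicts"] = conflicts
    return fields

def normalize_dlp(fields: dict) -> dict:
    """Typed view of the fields a detection rule filters on. 'N/A' is treated as absent,
    'severity' is split on its first colon and 'occured_on' (spelled as in the export)
    is parsed with the 'January 31, 2023 12:51:20 PM' layout seen in the sample."""
    level, _, label = fields.get("severity", "").partition(":")
    occurred = fields.get("occured_on", "N/A")
    return {
        "incident_id": fields.get("incident_id", ""),
        "severity": int(level) if level.isdigit() else None,
        "severity_label": label,
        "occurred_at": None if occurred == "N/A" else datetime.strptime(occurred, "%B %d, %Y %I:%M:%S %p"),
        "match_count": int(fields.get("match_count") or 0),
        "rules": [r.strip() for r in fields.get("policy_rules", "").split(",") if r.strip()],
        "user": fields.get("endpoint_user_name", ""),
    }
```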

Symantec Cloud Secure Web Gateway Logs

Table name: symantec_cloud_secure_web_gateway_logs

Symantec Cloud Secure Web Gateway logs capture detailed information about all web traffic passing through the gateway, including allowed and blocked accesses based on the security policies in place.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of Symantec Cloud Secure Web Gateway Logs via the Symantec API.

To connect Symantec Cloud Secure Web Gateway Logs:

  1. Follow this guide to retrieve the following information from Symantec:

    • Username (Example - 30b21288-e608-42fe-aa68-9d39854f1518)

    • Password (Example - 2d84600a-d3b1-47f6-913c-877a09a98de2)

  2. Complete the process on the Hunters platform, following this guide.

Expected format

Logs are expected in JSON format.

{"x-bluecoat-request-tenant-id": "17484", "date": "2023-06-04", "time": "10:17:43", "x-bluecoat-appliance-name": "proxysg4", "time-taken": "4", "c-ip": "86.155.94.185", "cs-userdn": "T\\DAN", "cs-auth-groups": "T\\Rek", "x-exception-id": "silent_denied", "sc-filter-result": "DENIED", "cs-categories": "Technology/Internet", "cs(Referer)": "-", "sc-status": "0", "s-action": "DENIED", "cs-method": "unknown", "rs(Content-Type)": "-", "cs-uri-scheme": "ssl", "cs-host": "abc.com", "cs-uri-port": "443", "cs-uri-path": "/", "cs-uri-query": "-", "cs-uri-extension": "-", "cs(User-Agent)": "-", "s-ip": "192.168.2.1", "sc-bytes": "0", "cs-bytes": "1637", "x-icap-reqmod-header(X-ICAP-Metadata)": "-", "x-icap-respmod-header(X-ICAP-Metadata)": "-", "x-data-leak-detected": "-", "x-virus-id": "-", "x-bluecoat-location-id": "0", "x-bluecoat-location-name": "client", "x-bluecoat-access-type": "client_connector", "x-bluecoat-application-name": "-", "x-bluecoat-application-operation": "-", "r-ip": "12.13.42.3", "r-supplier-country": "United Kingdom", "x-rs-certificate-validate-status": "CERT_VALID", "x-rs-certificate-observed-errors": "none", "x-cs-ocsp-error": "-", "x-rs-ocsp-error": "-", "x-rs-connection-negotiated-ssl-version": "TLSv1.2", "x-rs-connection-negotiated-cipher": "ECDHE-RSA-AES256-GCM-SHA384", "x-rs-connection-negotiated-cipher-size": "256", "x-rs-certificate-hostname": "abc.com", "x-rs-certificate-hostname-categories": "Technology/Internet", "x-cs-connection-negotiated-ssl-version": "TLSv1.2", "x-cs-connection-negotiated-cipher": "ECDHE-RSA-AES256-GCM-SHA384", "x-cs-connection-negotiated-cipher-size": "256", "x-cs-certificate-subject": "-", "cs-icap-status": "ICAP_NOT_SCANNED", "cs-icap-error-details": "-", "rs-icap-status": "ICAP_NOT_SCANNED", "rs-icap-error-details": "-", "s-supplier-ip": "-", "s-supplier-country": "-", "s-supplier-failures": "-", "x-cs-client-ip-country": "-", "cs-threat-risk": "-", "x-rs-certificate-hostname-threat-risk": "unlicensed", "x-client-agent-type": "unified-agent", "x-client-os": "architecture=x86_64%20name=Windows%2010%20Pro%20version=10.0.19045", "x-client-agent-sw": "4.10.6.1223366", "x-client-device-id": "123123ddd-4332-3214-1234-321123321", "x-client-device-name": "DELL-132123", "x-client-device-type": "-", "x-client-security-posture-details": "-", "x-client-security-posture-risk-score": "-", "x-bluecoat-reference-id": "-", "x-sc-connection-issuer-keyring": "SSL_Intercept_1", "x-sc-connection-issuer-keyring-alias": "-", "x-cloud-rs": "-", "x-bluecoat-placeholder": "-", "cs(X-Requested-With)": "-", "x-random-ipv6": "-", "x-bluecoat-transaction-uuid": "00000000123123123"}

Symantec Cloud Secure Web Gateway Audit Logs

Table name: symantec_cloud_secure_web_gateway_audit_logs

Audit logs are essential for security, compliance, and operational integrity, providing a detailed record of administrative actions, policy changes, and system events. These logs are designed to help organizations understand how the gateway is being managed and to ensure that any changes or activities are traceable and accountable.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of Symantec Cloud Secure Web Gateway Audit Logs via the Symantec API.

To connect Symantec Cloud Secure Web Gateway Audit Logs:

  1. Follow this guide to retrieve from Symantec the API credentials to be shared with Hunters:

    • Username (Example - 30b21288-e608-42fe-aa68-9d39854f1518)

    • Password (Example - 2d84600a-d3b1-47f6-913c-877a09a98de2)

  2. Complete the process on the Hunters platform, following this guide.

Expected format

Logs are expected in JSON format.

{"userFullName": "ABC", "createdOn": "Wed Dec 14 11:20:53 UTC 2022", "objectType": "User", "operationType": "Login", "objectData": "User <i>abc@.co.uk</i> logged in from IP <i>111.100.156.34</i>"}