
Symantec

Overview

This article explains how to ingest your on-prem Symantec logs to Hunters.

Once integrated, the Symantec logs are ingested into the Hunters DB in a dedicated schema and then populate the relevant alerts in the Hunters portal. Hunters also runs further investigations (such as process and domain analysis) and correlates the results with behaviours detected by other products.

Supported Data Types

  • Symantec Endpoint Protection Risk: SEP Alerts from the Risk module by Symantec. For more details on the data type, see here.
  • Symantec Endpoint Protection IDS: SEP IDS-related events by Symantec. For more details on the data type and schema, see here.

Hunters' Ingestion

For Hunters to integrate with your on-prem Symantec logs, the logs must be collected into a storage service (e.g. an S3 bucket or Azure Blob Storage) that is shared with Hunters.

The expected format for the data types above is the key-value format, where the key-value separator is a colon (:) and the event separator is a comma (,).

Example for an IDS event:

2021-09-25 00:02:02,Info,HOSTNAME,Event Description: [SID: 32939] Audit: TeamViewer Remote Access Activity attack detected but not blocked. Application path: C:\PROGRAM FILES (X86)\TEAMVIEWER\TEAMVIEWER_SERVICE.EXE,Local Host IP: 192.168.1.2,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 1.2.3.4,Remote Host MAC: 000000000000,Outbound,TCP,,Begin: 2021-09-25 00:11:48,End Time: 2021-09-25 00:12:48,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/TEAMVIEWER/TEAMVIEWER_SERVICE.EXE,Location: External,User Name: none,Domain Name: ,Local Port: 12345,Remote Port: 9009,CIDS Signature ID: 32939,CIDS Signature string: Audit: TeamViewer Remote Access Activity,CIDS Signature SubID: 73471,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: D6BCAFCC158424DC8CC954481360494EFBD997382389DBCA40937CAED7204DFE,MD-5:

Example for a Risk event:

2021-09-23 18:45:46,Virus found,IP Address: 192.168.1.1,Computer name: my_hostname,Source: Auto-Protect scan,Risk name: W32.Gosys,Occurrences: 1,File path: C:\\Users\\kokoshoko\\Downloads\\example.exe,Description: ,Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2021-09-25 11:43:45,Event Insert Time: 2021-09-25 11:45:46,End Time: 2021-09-25 12:43:49,Last update time: 2021-09-25 12:45:46,Domain Name: NA,Group Name: My Company\\EXAMPLE_EXAMPLE,Server Name: SERVER_NAME,User Name: kokoshoko,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: http://www.example.com,Web domain: www.example.com,Downloaded by: c:/program files (x86)/google/chrome/application/chrome.exe,Prevalence: Unknown,Confidence: This file is untrustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Permitted application reason: Not on the permitted application list,Application hash: ABCDEF12ABCDEF12ABCDEF12ABCDEF12ABCDEF12ABCDEF12ABCDEF12ABCDEF12,Hash type: SHA2,Company name: Microsoft,Application name: Win,Application version: 1.00,Application type: 127,File size (bytes): 125314629,Category set: Malware,Category type: Virus,Location: External,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:
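As an added illustration (not code from the Hunters documentation or from Symantec), the Python below parses a line of the key-value format described above into its leading positional fields and a dictionary of named fields, using the two example events from this article as constructed sample input. It also shows two consistency checks a practitioner would want before trusting the data: that the SID embedded in an IDS "Event Description" agrees with the "CIDS Signature ID" field, and that a Risk event's "Application hash" has the length its "Hash type" implies. The mapping of "SHA2" to 64 hex digits and all function names are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample input: the two example events shown in this article.
IDS_EVENT = r"2021-09-25 00:02:02,Info,HOSTNAME,Event Description: [SID: 32939] Audit: TeamViewer Remote Access Activity attack detected but not blocked. Application path: C:\PROGRAM FILES (X86)\TEAMVIEWER\TEAMVIEWER_SERVICE.EXE,Local Host IP: 192.168.1.2,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 1.2.3.4,Remote Host MAC: 000000000000,Outbound,TCP,,Begin: 2021-09-25 00:11:48,End Time: 2021-09-25 00:12:48,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/TEAMVIEWER/TEAMVIEWER_SERVICE.EXE,Location: External,User Name: none,Domain Name: ,Local Port: 12345,Remote Port: 9009,CIDS Signature ID: 32939,CIDS Signature string: Audit: TeamViewer Remote Access Activity,CIDS Signature SubID: 73471,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: D6BCAFCC158424DC8CC954481360494EFBD997382389DBCA40937CAED7204DFE,MD-5:"

RISK_EVENT = r"2021-09-23 18:45:46,Virus found,IP Address: 192.168.1.1,Computer name: my_hostname,Source: Auto-Protect scan,Risk name: W32.Gosys,Occurrences: 1,File path: C:\\Users\\kokoshoko\\Downloads\\example.exe,Description: ,Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2021-09-25 11:43:45,Event Insert Time: 2021-09-25 11:45:46,End Time: 2021-09-25 12:43:49,Last update time: 2021-09-25 12:45:46,Domain Name: NA,Group Name: My Company\\EXAMPLE_EXAMPLE,Server Name: SERVER_NAME,User Name: kokoshoko,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: http://www.example.com,Web domain: www.example.com,Downloaded by: c:/program files (x86)/google/chrome/application/chrome.exe,Prevalence: Unknown,Confidence: This file is untrustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Permitted application reason: Not on the permitted application list,Application hash: ABCDEF12ABCDEF12ABCDEF12ABCDEF12ABCDEF12ABCDEF12ABCDEF12ABCDEF12,Hash type: SHA2,Company name: Microsoft,Application name: Win,Application version: 1.00,Application type: 127,File size (bytes): 125314629,Category set: Malware,Category type: Virus,Location: External,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:"

# A key starts with a letter and runs up to the first colon. Requiring a letter keeps the
# leading timestamp ("2021-09-25 00:02:02") positional instead of splitting it at its colons,
# and only the first colon is consumed, so values such as "C:/..." or "Audit: ..." stay whole.
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 ()\-]*):\s?(.*)$")


def parse_symantec_event(line):
    """Split one event on ',' into (positional_fields, {key: value}).

    Tokens without a 'Key:' prefix (timestamp, severity/event type, hostname, direction,
    protocol, empty slots) are kept in order as positional fields. A value that itself
    contained a literal comma would be split here, so the exporter must not emit one.
    """
    positional, fields = [], {}
    for token in line.rstrip("\r\n").split(","):
        match = KEY_VALUE.match(token)
        if match:
            fields[match.group(1)] = match.group(2).strip()
        else:
            positional.append(token)
    return positional, fields


def ids_signature_id(fields):
    """Return (sid, consistent): the SID embedded in Event Description and whether it
    equals the separate CIDS Signature ID field. A mismatch signals a malformed line."""
    match = re.search(r"\[SID: (\d+)\]", fields.get("Event Description", ""))
    sid = match.group(1) if match else None
    return sid, sid is not None and sid == fields.get("CIDS Signature ID")


# Assumed: SEP reports a SHA-256 as "SHA2" (64 hex digits); MD5 would be 32 hex digits.
HASH_LENGTHS = {"SHA2": 64, "MD5": 32}


def validate_hash(fields):
    """Return (normalised_hash, valid). Lower-cases the hash for lookups and checks that
    its length and character set match the declared Hash type."""
    value = fields.get("Application hash", "")
    expected = HASH_LENGTHS.get(fields.get("Hash type", "").upper())
    valid = (expected is not None and len(value) == expected
             and re.fullmatch(r"[0-9A-Fa-f]+", value) is not None)
    return value.lower(), valid


def event_time(positional, fields):
    """Prefer the explicit 'Event time' field (Risk events); fall back to the leading
    timestamp that every line carries as its first positional field."""
    raw = fields.get("Event time") or positional[0]
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    pos, ids = parse_symantec_event(IDS_EVENT)
    print("IDS event at", event_time(pos, ids), "host", pos[2],
          "SID", ids_signature_id(ids), "remote", ids["Remote Host IP"])
    pos, risk = parse_symantec_event(RISK_EVENT)
    print("Risk event at", event_time(pos, risk), pos[1], risk["Risk name"],
          "hash", validate_hash(risk))
```

Empty values such as "Remote Host Name: " and a trailing "MD-5:" parse to empty strings rather than being dropped, so downstream code can distinguish "field present but empty" from "field absent".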