Splunk Lantern

Symantec: Endpoint Protection

Symantec Endpoint Protection Manager (SEPM) log data provides insight into the intrusion prevention, firewall, and anti-malware activity of Symantec Endpoint Protection (SEP) clients. The SEP client inspects incoming and outgoing network traffic and provides browser protection so that threats are blocked before they can execute on the computer. It uses signature-based antivirus and file heuristics to find and remove malware, protecting against viruses, worms, Trojans, spyware, bots, adware, and rootkits. Other logs record policy management, application and device control on client computers, and administrative activity on the management server for the clients that connect to your company's network. In the Common Information Model (CIM), SEPM log data maps to the following data models, depending on the field: Authentication, Change, Intrusion Detection, Malware, and Network Traffic.

Data visibility 

SEPM logs fall into six categories: control, packet, risk, security, system, and traffic. All six cover client activity, and some also cover activity on the management server and its applications. The Configuration section below lists the individual dump files that SEPM writes for each of these log types.

Data application

When your Splunk deployment is ingesting Symantec Endpoint Protection logs, you can use the data to achieve the following:

Configuration

Guidance for onboarding data can be found in the Splunk documentation, Getting Data In (Splunk Enterprise) or Getting Data In (Splunk Cloud). Refer to that documentation, and note the following. The .tmp files listed as inputs are the text dump files that SEPM produces when External Logging is enabled on the management server (the "Export Logs to a Dump File" option); the source type tells Splunk which parsing and CIM field extractions to apply, so assign it exactly as shown.

Data type                             Input                Source type                    Index
Client scan data                      agt_scan.tmp         symantec:ep:scan:file          epav
Client risk data                      agt_risk.tmp         symantec:ep:risk:file          epav
Client proactive threat data          agt_proactive.tmp    symantec:ep:proactive:file     epav
Client security data                  agt_security.tmp     symantec:ep:security:file      ephids
Application and device control data   agt_behavior.tmp     symantec:ep:behavior:file      ephids
Server client data                    scm_agent_act.tmp    symantec:ep:agent:file         ephids
Client traffic data                   agt_traffic.tmp      symantec:ep:traffic:file       epfw
Client packet data                    agt_packet.tmp       symantec:ep:packet:file        epfw
Client system data                    agt_system.tmp       symantec:ep:agt_system:file    epav
Server system data                    scm_system.tmp       symantec:ep:scm_system:file    epav
Server policy data                    scm_policy.tmp       symantec:ep:scm_policy:file    epav
Server administration data            scm_admin.tmp        symantec:ep:scm_admin:file     epav

If you have already started ingesting this data with different source types, we recommend switching to the standardized source types above where possible, because the add-on's field extractions and CIM mappings are keyed to them. If you have already started ingesting the data into indexes other than the ones shown here, you can usually proceed. Do consider, however, whether you should separate security logs (risk, security, traffic, packet) from administration, policy, and system logs. In Splunk, the index is the unit of role-based search access, so choose index boundaries based on who needs access to each log type and who must be denied it.
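The table above expressed as forwarder configuration, as an added example that is not part of the original article or of the Splunk Add-on for Symantec Endpoint Protection: an inputs.conf for a universal forwarder running on the SEPM host, followed by the indexes.conf the indexers need so that the three recommended indexes exist before data arrives. The dump directory path is the SEPM default installation location and is an assumption; point it at whatever folder you configured for External Logging. Events routed to an index that does not exist are dropped by the indexer (or diverted to lastChanceIndex if that is set), so create the indexes first.

```ini
# inputs.conf on the universal forwarder installed on the SEPM server.
# Added example, not the article's or the add-on's own configuration.
# ASSUMPTION: SEPM was installed in its default location and External Logging
# writes dump files to the data\dump folder beneath it. Adjust if yours differs.

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
sourcetype = symantec:ep:scan:file
index = epav
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_risk.tmp]
sourcetype = symantec:ep:risk:file
index = epav
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_proactive.tmp]
sourcetype = symantec:ep:proactive:file
index = epav
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
sourcetype = symantec:ep:security:file
index = ephids
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_behavior.tmp]
sourcetype = symantec:ep:behavior:file
index = ephids
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\scm_agent_act.tmp]
sourcetype = symantec:ep:agent:file
index = ephids
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_traffic.tmp]
sourcetype = symantec:ep:traffic:file
index = epfw
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_packet.tmp]
sourcetype = symantec:ep:packet:file
index = epfw
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_system.tmp]
sourcetype = symantec:ep:agt_system:file
index = epav
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\scm_system.tmp]
sourcetype = symantec:ep:scm_system:file
index = epav
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\scm_policy.tmp]
sourcetype = symantec:ep:scm_policy:file
index = epav
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
sourcetype = symantec:ep:scm_admin:file
index = epav
disabled = 0

# indexes.conf on the indexers (or pushed from the cluster manager).
# One index per access boundary: anti-malware (epav), host intrusion /
# device control / agent activity (ephids), and firewall (epfw).
[epav]
homePath   = $SPLUNK_DB/epav/db
coldPath   = $SPLUNK_DB/epav/colddb
thawedPath = $SPLUNK_DB/epav/thaweddb

[ephids]
homePath   = $SPLUNK_DB/ephids/db
coldPath   = $SPLUNK_DB/ephids/colddb
thawedPath = $SPLUNK_DB/ephids/thaweddb

[epfw]
homePath   = $SPLUNK_DB/epfw/db
coldPath   = $SPLUNK_DB/epfw/colddb
thawedPath = $SPLUNK_DB/epfw/thaweddb
```

Place the inputs.conf in an app's local directory on the forwarder and restart it; grant analyst roles search access to the three indexes, and keep administrative and policy data (scm_admin, scm_policy) in an index whose membership you control if those audit trails should not be visible to every analyst.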

Validation

After you have completed installation and configuration, run a search such as the following to confirm that events are flowing into your Splunk deployment. The index=ep* wildcard covers the three recommended indexes (epav, ephids, epfw); if you chose different indexes, name them instead. Compare the source types returned with the Configuration table: a dump file that is absent from the results means either that its monitor input is not reading the file or that SEPM is not exporting that log type. The last_seen column shows whether each source is still being written.

index=ep*
| stats count, latest(_time) AS last_seen BY index, sourcetype, source
| convert ctime(last_seen)