Symantec: Endpoint Protection
Log data from Symantec Endpoint Protection Manager (SEPM) provides insight into intrusion prevention, firewall, and anti-malware activity. SEPM analyzes all incoming and outgoing traffic and offers browser protection to block threats before they can execute on the computer. It uses signature-based antivirus and file heuristics to find and eradicate malware on a system, protecting against viruses, worms, Trojans, spyware, bots, adware, and rootkits.
SEPM logs fall into one of six categories: control, packet, risk, security, system, and traffic. All of these logs are applicable to client activity, and some are applicable to server and application activity as well. Other logs concern management of policies, access to hardware and applications, and roles on client computers that connect to your company's network. In the Common Information Model, SEPM log data can be mapped to any of the following data models, depending on the field: Authentication, Change, Intrusion Detection, Malware, and Network Traffic.
Configuration
Guidance for onboarding data can be found in the Splunk Documentation:
- Getting Data In (Splunk Enterprise)
- Getting Data In (Splunk Cloud)
- Get data into Splunk Observability Cloud
Refer to the documentation, and note the following:
- Add-on or app: Splunk Add-on for Symantec Endpoint Protection
- Sizing estimate: The size of SEPM logs depends on policy, activity, and the number of clients. The Symantec Endpoint Protection Sizing and Scalability Best Practices White Paper lists logging options and size examples.
Data Type | Input | Source Type | Index
---|---|---|---
Client scan data | agt_scan.tmp | symantec:ep:scan:file | epav
Client risk data | agt_risk.tmp | symantec:ep:risk:file | epav
Client proactive threat data | agt_proactive.tmp | symantec:ep:proactive:file | epav
Client security data | Agt_security.tmp | symantec:ep:security:file | ephids
Application and device control data | Agt_behavior.tmp | symantec:ep:behavior:file | ephids
Server client data | Scm_agent_act.tmp | symantec:ep:agent:file | ephids
Client traffic data | Agt_traffic.tmp | symantec:ep:traffic:file | epfw
Client packet data | Agt_packet.tmp | symantec:ep:packet:file | epfw
Client system data | Agt_system.tmp | symantec:ep:agt_system:file | epav
Server system data | Scm_system.tmp | symantec:ep:scm_system:file | epav
Server policy data | Scm_policy.tmp | symantec:ep:scm_policy:file | epav
Server administration data | Scm_admin.tmp | symantec:ep:scm_admin:file | epav
If you have already started ingesting data with a different sourcetype, we recommend you switch over to the standardized sourcetypes, if possible. If you have already started ingesting the data sources into indexes other than the ones shown here, you can usually proceed. Do consider, however, whether you should separate security logs from administration, application, and system logs, based on who is likely to need access and who should be prohibited from it.
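As an added example, not taken from this page or from the Splunk Add-on for Symantec Endpoint Protection's own configuration, the following inputs.conf monitor stanzas map four of the dump files in the table above to the sourcetypes and indexes listed there; the dump directory /opt/sepm/dump is a placeholder, and the file-name casing follows the table.

```ini
# Added example: file monitor inputs for SEPM log dump files.
# /opt/sepm/dump is a PLACEHOLDER; use the directory where SEPM writes its .tmp dump files.

# Client risk data -> symantec:ep:risk:file in the epav (anti-malware) index
[monitor:///opt/sepm/dump/agt_risk.tmp]
sourcetype = symantec:ep:risk:file
index = epav
disabled = 0

# Client security data -> ephids, kept apart from epav so read access can be scoped by role
[monitor:///opt/sepm/dump/Agt_security.tmp]
sourcetype = symantec:ep:security:file
index = ephids
disabled = 0

# Client traffic data -> epfw (firewall) index
[monitor:///opt/sepm/dump/Agt_traffic.tmp]
sourcetype = symantec:ep:traffic:file
index = epfw
disabled = 0

# Server administration data -> epav, as listed in the table
[monitor:///opt/sepm/dump/Scm_admin.tmp]
sourcetype = symantec:ep:scm_admin:file
index = epav
disabled = 0
```

The epav, ephids and epfw indexes must already be defined on the indexers before these inputs are enabled; events sent to an index that does not exist are dropped rather than queued.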
Validation
After you have completed all installation and configuration, you can run a search such as the following to see whether events are flowing into your Splunk deployment.
index=ep* |stats count by source, sourcetype, index
Application
When your Splunk deployment is ingesting Symantec Endpoint Protection logs, you can use the data to achieve the following: