Symantec Endpoint Protection Manager (SEPM) log data provides insight into intrusion prevention, firewall, and anti-malware activity. SEPM analyzes all incoming and outgoing traffic and offers browser protection to block threats before they can execute on the computer. It uses signature-based antivirus and file heuristics to find and eradicate malware on a system, protecting against viruses, worms, Trojans, spyware, bots, adware, and rootkits. Other logs concern policy management, access to hardware and applications, and roles on client computers that connect to your company's network. In the Common Information Model, SEPM log data can be mapped to any of the following data models, depending on the field: Authentication, Change, Intrusion Detection, Malware, and Network Traffic.
Data visibility
SEPM logs fall into one of six categories: control, packet, risk, security, system, and traffic. All of these logs are applicable to client activity, and some are applicable to server and application activity as well.
Data application
When your Splunk deployment is ingesting Symantec Endpoint Protection logs, you can use the data to achieve the following objectives:
- Monitoring for network traffic volume outliers
- Monitoring employee network traffic
- Detecting the use of randomization in cyberattacks
- Monitoring for signs of Windows privilege escalation attacks
Configuration
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Symantec resources.
Data ingestion
If your deployment is not already ingesting Symantec Endpoint Protection logs, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.
There are a variety of input types, source types, and recommended indexes for Symantec Endpoint Protection data, as shown in the following table.

| Data Type | Input | Source Type | Index |
|---|---|---|---|
| Client scan data | agt_scan.tmp | symantec:ep:scan:file | epav |
| Client risk data | agt_risk.tmp | symantec:ep:risk:file | epav |
| Client proactive threat data | agt_proactive.tmp | symantec:ep:proactive:file | epav |
| Client security data | agt_security.tmp | symantec:ep:security:file | ephids |
| Application and device control data | agt_behavior.tmp | symantec:ep:behavior:file | ephids |
| Server client data | scm_agent_act.tmp | symantec:ep:agent:file | ephids |
| Client traffic data | agt_traffic.tmp | symantec:ep:traffic:file | epfw |
| Client packet data | agt_packet.tmp | symantec:ep:packet:file | epfw |
| Client system data | agt_system.tmp | symantec:ep:agt_system:file | epav |
| Server system data | scm_system.tmp | symantec:ep:scm_system:file | epav |
| Server policy data | scm_policy.tmp | symantec:ep:scm_policy:file | epav |
| Server administration data | scm_admin.tmp | symantec:ep:scm_admin:file | epav |
If you have already started ingesting data with a different sourcetype, we recommend you switch over to the standardized sourcetypes, if possible.
If you have already started ingesting these data sources into indexes other than the ones shown here, you can usually proceed. Do consider, however, whether you should separate security logs from administration, application, and system logs, based on who is likely to need access to each, or to be prohibited from it.
In addition, you will need the Splunk Add-on for Symantec Endpoint Protection. The add-on is available on Splunkbase, and its documentation on Splunk Docs. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Symantec Endpoint Protection, and configure Splunk.
Sizing estimate
Sizing of SEPM logs depends on policy, activity, and the number of clients. The Symantec Endpoint Protection Sizing and Scalability Best Practices White Paper lists logging options and size examples.
Validation
After you have completed all installation and configuration, you can run a search such as the following to see whether events are flowing into your Splunk deployment.
index=ep*
| stats count by source, sourcetype, index
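The following Python script is an added example, not code from this page or from the Splunk Add-on for Symantec Endpoint Protection. It encodes the sourcetype and index mapping from the table above and uses it in two ways: to render inputs.conf monitor stanzas for the SEPM dump files, and to check rows returned by the validation search for sourcetypes that produced no events and for data routed to an index other than the recommended one (the caveat in the Data ingestion section). The dump directory path, the decision to monitor the .tmp files directly with a plain monitor input, and the sample search rows are assumptions made for illustration; the add-on documentation governs the real input configuration.

```python
"""SEPM sourcetype/index mapping (from the table on this page) with two helpers:
render inputs.conf stanzas, and audit the validation search output."""

from typing import Dict, Iterable, List, Set, Tuple

# sourcetype -> (SEPM dump file, recommended index), copied from the page's table.
EXPECTED: Dict[str, Tuple[str, str]] = {
    "symantec:ep:scan:file": ("agt_scan.tmp", "epav"),
    "symantec:ep:risk:file": ("agt_risk.tmp", "epav"),
    "symantec:ep:proactive:file": ("agt_proactive.tmp", "epav"),
    "symantec:ep:security:file": ("agt_security.tmp", "ephids"),
    "symantec:ep:behavior:file": ("agt_behavior.tmp", "ephids"),
    "symantec:ep:agent:file": ("scm_agent_act.tmp", "ephids"),
    "symantec:ep:traffic:file": ("agt_traffic.tmp", "epfw"),
    "symantec:ep:packet:file": ("agt_packet.tmp", "epfw"),
    "symantec:ep:agt_system:file": ("agt_system.tmp", "epav"),
    "symantec:ep:scm_system:file": ("scm_system.tmp", "epav"),
    "symantec:ep:scm_policy:file": ("scm_policy.tmp", "epav"),
    "symantec:ep:scm_admin:file": ("scm_admin.tmp", "epav"),
}


def render_inputs_conf(dump_dir: str) -> str:
    """Render one [monitor://...] stanza per dump file.

    dump_dir is a placeholder (assumption) for the directory where SEPM writes
    its *.tmp dump files; whether a plain monitor input is the right mechanism
    is also an assumption, so follow the add-on documentation for real use.
    """
    stanzas: List[str] = []
    for sourcetype, (filename, index) in EXPECTED.items():
        stanzas.append(
            f"[monitor://{dump_dir.rstrip('/')}/{filename}]\n"
            f"sourcetype = {sourcetype}\n"
            f"index = {index}\n"
            f"disabled = 0\n"
        )
    return "\n".join(stanzas)


def check_coverage(rows: Iterable[Dict[str, str]]) -> Dict[str, list]:
    """Audit rows from `index=ep* | stats count by source, sourcetype, index`.

    Returns sourcetypes with no events at all ("missing"), sourcetypes that
    landed in an index other than the recommended one ("misrouted", as
    (sourcetype, actual index, expected index) tuples) and any sourcetype
    outside the standardized set ("unknown").
    """
    seen: Dict[str, Set[str]] = {}
    unknown: Set[str] = set()
    for row in rows:
        sourcetype, index = row["sourcetype"], row["index"]
        if sourcetype not in EXPECTED:
            unknown.add(sourcetype)
            continue
        seen.setdefault(sourcetype, set()).add(index)
    missing = sorted(st for st in EXPECTED if st not in seen)
    misrouted = sorted(
        (st, idx, EXPECTED[st][1])
        for st, indexes in seen.items()
        for idx in indexes
        if idx != EXPECTED[st][1]
    )
    return {"missing": missing, "misrouted": misrouted, "unknown": sorted(unknown)}


# Constructed sample of what the validation search might return shortly after
# onboarding: five sourcetypes flowing, traffic data routed to the wrong index.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"source": "/sepm/dump/agt_scan.tmp", "sourcetype": "symantec:ep:scan:file", "index": "epav", "count": "120"},
    {"source": "/sepm/dump/agt_risk.tmp", "sourcetype": "symantec:ep:risk:file", "index": "epav", "count": "8"},
    {"source": "/sepm/dump/agt_security.tmp", "sourcetype": "symantec:ep:security:file", "index": "ephids", "count": "31"},
    {"source": "/sepm/dump/agt_traffic.tmp", "sourcetype": "symantec:ep:traffic:file", "index": "main", "count": "940"},
    {"source": "/sepm/dump/agt_packet.tmp", "sourcetype": "symantec:ep:packet:file", "index": "epfw", "count": "12"},
]

if __name__ == "__main__":
    print(render_inputs_conf("/path/to/sepm/dump"))
    report = check_coverage(SAMPLE_ROWS)
    print("missing:", report["missing"])
    print("misrouted:", report["misrouted"])
    print("unknown:", report["unknown"])
```

Export the validation search results as CSV or JSON, load them as a list of dicts, and pass them to check_coverage; an empty "missing" list and an empty "misrouted" list means every standardized sourcetype is arriving in its recommended index. Sourcetypes that are legitimately not enabled on your SEPM (for example, packet logging is often left off) will show up under "missing" and can be ignored deliberately.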