Symantec: Endpoint Protection – Splunk Lantern

Symantec Endpoint Protection Management (SEPM) is a type of log data that provides insight into intrusion prevention, firewall, and anti-malware activities. SEPM analyzes all incoming traffic and outgoing traffic and offers browser protection to block such threats before they can be executed on the computer. It uses signature-based antivirus and file heuristics to look for and eradicate malware on a system to protect against viruses, worms, Trojans, spyware, bots, adware, and rootkits. Other logs concern management of policies, access to hardware and applications, and roles on client computers that connect to your company's network. In the Common Information Model, SEPM log data can be mapped to any of the following data models, depending on the field: Authentication, Change, Intrusion Detection, Malware, and Network Traffic.

Data visibility

SEPM logs fall into one of six categories: control, packet, risk, security, system, and traffic. All of these logs are applicable to client activity, and some are applicable to server and application activity as well.

Data application

When your Splunk deployment is ingesting Symantec Endpoint Protection logs, you can use the data to achieve the following objectives:

Configuration

The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Symantec resources.

Data ingestion

If your deployment is not already ingesting Symantec Endpoint Protection logs, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.

There are a variety of input types, source types, and recommended indexes for Symantec Endpoint Protection data, as shown in the following table.

Data Type	Input	Source Type	Index
Client scan data	agt_scan.tmp	symantec:ep:scan:file	epav
Client risk data	agt_risk.tmp	symantec:ep:risk:file	epav
Client proactive threat data	agt_proactive.tmp	symantec:ep:proactive:file	epav
Client security data	Agt_security.tmp	symantec:ep:security:file	ephids
Application and device control data	Agt_behavior.tmp	symantec:ep:behavior:file	ephids
Server client data	Scm_agent_act.tmp	symantec:ep:agent:file	ephids
Client traffic data	Agt_traffic.tmp	symantec:ep:traffic:file	epfw
Client packet data	Agt_packet.tmp	symantec:ep:packet:file	epfw
Client system data	Agt_system.tmp	symantec:ep:agt_system:file	epav
Server system data	Scm_system.tmp	symantec:ep:scm_system:file	epav
Server policy data	Scm_policy.tmp	symantec:ep:scm_policy:file	epav
Server administration data	Scm_admin.tmp	symantec:ep:scm_admin:file	epav

If you have already started ingesting data with a different sourcetype, we recommend you switch over to the standardized sourcetypes, if possible.

If you have already started ingesting the data sources into indexes other than the ones shown here, you can usually proceed. Do consider, however, whether you should separate security logs from administration logs, application, and system logs, based on who likely will need access or be prohibited access.

In addition, you will need the Splunk Add-on for Symantec Endpoint Protection. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Symantec Endpoint Protection, and configure Splunk.

Sizing estimate

Sizing of SEPM logs depend on policy, activity and number of clients. The Symantec Endpoint Protection Sizing and Scalability Best Practices White Paper lists logging options and sizes examples.

Validation

After you have completed all installation and configuration, you can run a search such as the following to see whether events are flowing into your Splunk deployment.

index=ep* 
|stats count by source, sourcetype, index