All Apps and Add-ons

Symantec Endpoint Protection 12 App

splunkadvantage
New Member

Hi Splunkers,

We used to have SEP 11 and using the app below works fine with Splunk.

http://splunk-base.splunk.com/answers/43518/symantec-endpoint-protection

After upgrading to SEP 12, the syslog format has been change and the app has become unusable. The fields are no longer recognized, therefore our scheduled reports and dashboards are no longer firing. Does anyone have a SEP 12 app that can be share with the community?

Below are the difference on the SEP 11 and 12 syslog format we've seen.

SEP 11 Syslog Format:

==========================================================================================

Aug 14 08:25:53 10.1.107.21 Aug 14 08:29:25 SymantecServer ORGSEP001: Virus found,Computer name: ORG-USER-NB,Source: Manual Quarantine,Risk name: IRC Trojan,Occurrences: 1,c:\Users\USER\AppData\Local\Temp\VBRF3C.exe,"",Actual action: Left alone,Requested action: Cleaned,Secondary action: Left alone,Event time: 2012-08-14 05:18:10,Inserted: 2012-08-14 05:29:25,End: 2012-08-14 05:18:04,Domain: ORG-COM,Group: My Company\Laptops\WebSence CR100249,Server: ORGSEP001,User: USER,Source computer: ,Source IP: 0.0.0.0

==========================================================================================

Sep 12 Syslog Format:

==========================================================================================

Oct 4 12:28:22 10.1.107.21 Oct 4 12:20:13 SymantecServer ORGSEP001: Virus found,IP Address: 10.100.1.164,Computer name: ORG-USER-PC,Source: Real Time Scan,Risk name: ALS.Kenilfe,Occurrences: 1,C:\Windows\Temp\506caddf.qsp,"",Actual action: Left alone,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2012-10-04 09:01:36,Inserted: 2012-10-04 09:20:13,End: 2012-10-04 09:01:35,Last update time: 2012-10-04 09:20:13,Domain: ORG-COM,Group: My Company\Desktops_SEP_12,Server: ORGSEP002,User: SYSTEM,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,0,Application hash: 97B94A2B0916FB933F9E4BBC9EAB9BB48B5237AB3151993010768249332021D0,Hash type: SHA2,Company name: ,Application name: 506188d3.qsp,Application version: ,Application type: Trojan Worm,File size (bytes): 9922

==========================================================================================

Thanks

Tags (2)
0 Karma

mux
Explorer

There is a new app that can be used with Symantec 12, it is called Splunk for Symantec and has sourcetypes for both SEP11 and SEP12.

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @splunkadvantage, did @mux's suggestion to use the Splunk for Symantec app work for this question? Here is the link https://splunkbase.splunk.com/app/1365/#/details. If so you can accept their answer!

0 Karma

mrgibbon
Contributor

I have the same problem. Im actually going through and re-writing the transforms, as this looks like where the issue is.
e.g

Old transform:

[sep_virusfound]

REGEX = .*SymantecServer [^:]+: Virus found,Computer name: (?P[^,]+),Source: (?P[^,]+),Risk name: (?P[^,]+),Occurrences: (?P[\d]+),(?P[^,]+),(?P[^,]+),Actual action: (?P[^,]+),Requested action: (?P[^,]+),Secondary action: (?P[^,]+),Event time: (?P[^,]+),Inserted: (?P[^,]+),End: (?P[^,]+),Domain: (?P[^,]+),Group: (?P[^,]+),Server: (?P[^,]+),User: (?P[^,]+)

My New Transform (still being tested)

[sep_virusfound]

REGEX = .*SymantecServer [^:]+: Virus found,IP Address: (?P[^,]+),Computer name: (?P[^,]+),Source: (?P[^,]+),Risk name: (?P[^,]+),Occurrences: (?P[\d]+),(?P[^,]+),(?P[^,]+),Actual action: (?P[^,]+),Requested action: (?P[^,]+),Secondary action: (?P[^,]+),Event time: (?P[^,]+),Inserted: (?P[^,]+),End: (?P[^,]+),Last update time: (?P[^,]+),Domain: (?P[^,]+),Group: (?P[^,]+),Server: (?P[^,]+),User: (?P[^,]+),Source computer: (?P[^,]+),Source IP: (?P[^,]+),Disposition: (?P[^,]+),Download site: (?P[^,]+),Web domain: (?P[^,]+),Downloaded by: (?P[^,]+),Prevalence: (?P[^,]+),Confidence: (?P[^,]+),URL Tracking Status: (?P[^,]+),First Seen: (?P[^,]+),Sensitivity: (?P[^,]+),Application hash: (?P[^,]+),Hash type: (?P[^,]+),Company name:\s?(?P[^,]+),Application version:\s?(?P[^,]+),Application type: (?P[^,]+),File size \(bytes\): (?P[^,]+)

This covers all the new fields found in the log file lines.
If anyone has already completed this work, please let me know!
Thanks.

0 Karma

rashid47010
Communicator

Mr. Gibbon,

when I select the dest filed with sourcetype in pivot for malware datamodel,
the Computer name filed is not being parsed properly for sourcetype=symantec:ep:risk:file.

0 Karma

jwalzerpitt
Influencer

Mr. Gibbon,

Was wondering if you ever fully vetted your Symantec v12 regex?

Thx

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...