
How to capture attack signature of Symantec EPO server in Splunk?

Aleena
Explorer

Hi Team,

I need to create a use case with the field "attack signature" from Symantec logs. I already have Symantec logs, but they do not have an attack signature field.

Do I need to enable anything in logging? How can I achieve the above scenario?

Thanks in advance 🙏


shivanshu1593
Builder

Is it not under the interesting fields, or is it not even in the raw events? If it is in the raw events, please share some sample data, and I'll help you extract it, either at search time or at index time, depending on your requirement.

If it never came, even in the raw events, then you may need to contact your Symantec AV admin. As far as my experience goes with AVs, this field should at least be in the raw events.

Thank you,

S

Aleena
Explorer

Hi S,

Thanks for getting back to me. We don't have an attack signature field in the raw log; we only receive the following raw log from Symantec. Please let me know which log we have to pull from Symantec to get the attack signature field.

2020-10-08T07:20:42+08:00     Abc(ip address)      Oct 8 07:30:15     xyz (hostname) SymantecServer:    Site: My Site,   Server Name: xxxx,    Domain Name: Default,The management server received the client log successfully     Xxx(username)

Thank you,

A


shivanshu1593
Builder

Hey Aleena,

Apologies for coming back to this so late. These are the audit logs of the management server of the Symantec AV, and not the threat logs.

Were you able to resolve this? If not, what are you using to get the logs to Splunk? A UF, Splunk DB connect, syslog? 

Thank you,

S
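An added example, not from this thread and not Symantec's or Splunk's own code: a Python parser for the SEPM syslog layout seen in the quoted event. It splits the body into comma-separated `Key: Value` fields, classifies an event as a management-server audit event or a security (IPS) event, and returns an attack signature only for the latter, so a missing field can be told apart from the wrong log type. The audit line is the poster's redacted event with placeholder IP and user; the security event and its field names (Event Description, Intrusion ID, CIDS Signature ID, CIDS Signature string) are constructed and assumed, so verify them against your own SEPM syslog export before building a use case on them.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events for this example. AUDIT_EVENT mirrors the redacted
# SEPM audit line quoted in the thread (placeholder IP/user). SECURITY_EVENT is
# a constructed SEPM security (IPS) event; its field names ("Event Description",
# "Intrusion ID", "CIDS Signature ID", "CIDS Signature string") are an ASSUMPTION
# about the SEPM syslog layout and must be checked against your own export.
AUDIT_EVENT = (
    "2020-10-08T07:20:42+08:00 10.0.0.5 Oct 8 07:30:15 xyz SymantecServer: "
    "Site: My Site, Server Name: xxxx, Domain Name: Default,"
    "The management server received the client log successfully user1"
)
SECURITY_EVENT = (
    "2020-10-08T07:21:03+08:00 10.0.0.5 Oct 8 07:31:02 xyz SymantecServer: "
    "host01,Event Description: [SID: 12345] Web Attack: Example Signature "
    "attack blocked. Traffic has been blocked for this application: "
    "C:\\Example\\app.exe,Local Host IP: 10.0.0.23,Remote Host IP: 198.51.100.7,"
    "Inbound,TCP,Intrusion ID: 12345,CIDS Signature ID: 12345,"
    "CIDS Signature string: Web Attack: Example Signature,CIDS Signature SubID: 0"
)

# Syslog header as seen in the thread: ISO timestamp, relay, BSD timestamp,
# SEPM hostname, then the literal "SymantecServer:" tag and the event body.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<relay>\S+)\s+"
    r"(?P<bsd_ts>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<sepm_host>\S+)\s+SymantecServer:\s*(?P<body>.*)$"
)
KEY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ._-]*$")


def parse_sepm_event(line: str) -> Dict[str, object]:
    """Split a SEPM syslog line into 'Key: Value' fields plus positional tokens.

    Values may themselves contain ':' (e.g. a signature name), so each
    comma-separated token is split only on its first ': '.
    """
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a SEPM syslog line: %r" % line[:60])
    fields: Dict[str, object] = {"sepm_host": m.group("sepm_host")}
    positional: List[str] = []
    for token in m.group("body").split(","):
        token = token.strip()
        if not token:
            continue
        key, sep, value = token.partition(": ")
        if sep and KEY_RE.match(key):
            fields[key] = value.strip()
        else:
            positional.append(token)  # e.g. "Inbound", "TCP", free-text messages
    fields["_positional"] = positional
    return fields


def classify(fields: Dict[str, object]) -> str:
    """Heuristic log-type check: IPS events carry a signature/intrusion ID,
    audit events only name the site and server that produced them."""
    if "CIDS Signature string" in fields or "Intrusion ID" in fields:
        return "security"
    if "Site" in fields and "Server Name" in fields:
        return "audit"
    return "unknown"


def attack_signature(fields: Dict[str, object]) -> Optional[str]:
    """The value a Splunk extraction would expose as attack_signature, or None
    when the event is not the kind of log that carries one."""
    sig = fields.get("CIDS Signature string")
    return str(sig) if sig else None


def triage(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Per line: log type and signature. A None signature on an 'audit' row
    means 'wrong log was forwarded', not 'extraction is broken'."""
    out: List[Dict[str, Optional[str]]] = []
    for line in lines:
        f = parse_sepm_event(line)
        out.append({"type": classify(f), "attack_signature": attack_signature(f)})
    return out


if __name__ == "__main__":
    for row in triage([AUDIT_EVENT, SECURITY_EVENT]):
        print(row)
```

Once the security log is actually forwarded, the equivalent search-time extraction in Splunk is a `rex` on the same token, for example `| rex "CIDS Signature string:\s*(?<attack_signature>[^,]+)"`; the field name in that pattern is the same assumption as above, so check it against a real event before relying on it.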

Aleena
Explorer

Hi Shivanshu,

Thanks for getting back to me. I will check whether we have enabled the audit log on the management server. And we are using a UF/HF for forwarding logs to Splunk.

Thank you,

Aleena
