How to capture attack signature of Symantec EPO server in Splunk?


Hi Team,

I need to create a use case with the field "attack signature" from Symantec logs. I already have the Symantec log, but it does not have an attack signature field.

Do I need to enable anything in logging? How can I achieve the above scenario?

Thanks in advance 🙏





Is it not under the interesting fields, or is it not even in the raw events? If it is in the raw events, please share some sample data and I'll help you extract it, either at search time or at index time, depending on your requirement.

If it never came through, even in the raw events, then you may need to contact your Symantec AV admin. As far as my experience with AVs goes, this field should at least be in the raw events.

Thank you,




Hi S,

Thanks for getting back to me. We don't have an attack signature field in the raw log. We only receive the following raw log from Symantec. Please let me know which log we have to pull from Symantec to get the attack signature field.

2020-10-08T07:20:42+08:00     Abc(ip address)      Oct 8 07:30:15     xyz (hostname) SymantecServer:    Site: My Site,   Server Name: xxxx,    Domain Name: Default,The management server received the client log successfully     Xxx(username)



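As an added example that is not from this thread, here is a small Python parser for the SEPM syslog line format quoted above; it splits the header from the "Site: ..., Server Name: ..., Domain Name: ..., <message>" body and reports which required fields the event does not carry, so you can tell a missing-extraction problem from a log type that simply lacks the field. The sample line, IP, hostname and the field name attack_signature are constructed assumptions.

```python
import re

# Constructed sample modelled on the SEPM syslog line quoted in the thread
# (IP and hostname are placeholders, not real systems).
SAMPLE = ("2020-10-08T07:20:42+08:00 192.0.2.10 Oct 8 07:30:15 sepm01 "
          "SymantecServer: Site: My Site,   Server Name: sepm01,    Domain Name: Default,"
          "The management server received the client log successfully")

# Header: forwarder timestamp, source address, syslog timestamp, host, then the SEPM body.
HEADER_RE = re.compile(
    r"^(?P<received>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<syslog_ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+SymantecServer:\s*(?P<body>.*)$")


def parse_sepm_line(line):
    """Return a dict of fields for one SEPM syslog line, or None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    free_text = []
    # The body is comma separated; "Key: value" parts become fields,
    # anything without a "Key: " prefix is the human-readable message.
    for part in m.group("body").split(","):
        part = part.strip()
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip().lower().replace(" ", "_")] = value.strip()
        elif part:
            free_text.append(part)
    fields["message"] = ", ".join(free_text)
    return fields


# Field names the use case needs; "attack_signature" is an assumed name for the
# field the thread is looking for, not a documented SEPM field.
REQUIRED = ("attack_signature",)


def missing_fields(fields, required=REQUIRED):
    """Names in `required` absent or empty in the event: these cannot be
    recovered by search-time extraction because the data is not in the event."""
    return [f for f in required if not fields or not fields.get(f)]


if __name__ == "__main__":
    parsed = parse_sepm_line(SAMPLE)
    print(parsed)
    print("missing:", missing_fields(parsed))
```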