Re: Symantec add on - CIM Compliance error

astatrial · ‎02-27-2019

Hello,
I am collecting SEP data from the next sources :

symantec:ep:behavior:file
symantec:ep:agent:file
symantec:ep:scan:file
symantec:ep:agt_system:file
symantec:ep:security:file
symantec:ep:risk:file
symantec:ep:scm_system:file
symantec:ep:proactive:file
symantec:ep:policy:file

In my dedicated index "Symantec" i can see events about symantec:ep:scan:file, which supposed to be normalized to "Malware" datamodel according to the docs docs.
I can also see the "malware" tag, as well as the "attack" tag.
For some reason, when i query the datamodel, i don't see any sign for symantec logs.
The Intrusion Detection datamodel for example, does has symantec logs .

Can anyone help me figuring this out ?

Thanks !!

lakshman239 · ‎02-27-2019

You need to configure the index/sourcetypes to be used in the datamodel.

In the Enterprise Security App, navigate to Confgure->CIM Setup and select your Intrusion detection and add your index there. You need to do the same for other datamodels as well as per https://docs.splunk.com/Documentation/AddOns/released/SymantecEP/Sourcetypes

astatrial · ‎02-27-2019

Is this operation doesn't built in the add-on ?
I will check it though, Thanks !

lakshman239 · ‎02-28-2019

No, generally, the add-ons have sourcetype, but not index, as each customer may choose to have diff ones. So, as part of any data on-boarding /CIM compliance, you would need to do the above step.

Symantec add on - CIM Compliance error

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life