Hello,
I am collecting SEP data from the next sources :
symantec:ep:behavior:file
symantec:ep:agent:file
symantec:ep:scan:file
symantec:ep:agt_system:file
symantec:ep:security:file
symantec:ep:risk:file
symantec:ep:scm_system:file
symantec:ep:proactive:file
symantec:ep:policy:file
In my dedicated index "Symantec" i can see events about symantec:ep:scan:file, which supposed to be normalized to "Malware" datamodel according to the docs docs.
I can also see the "malware" tag, as well as the "attack" tag.
For some reason, when i query the datamodel, i don't see any sign for symantec logs.
The Intrusion Detection datamodel for example, does has symantec logs .
Can anyone help me figuring this out ?
Thanks !!
You need to configure the index/sourcetypes to be used in the datamodel.
In the Enterprise Security App, navigate to Confgure->CIM Setup and select your Intrusion detection and add your index there. You need to do the same for other datamodels as well as per https://docs.splunk.com/Documentation/AddOns/released/SymantecEP/Sourcetypes
Is this operation doesn't built in the add-on ?
I will check it though, Thanks !
No, generally, the add-ons have sourcetype, but not index, as each customer may choose to have diff ones. So, as part of any data on-boarding /CIM compliance, you would need to do the above step.