Splunk Enterprise Security

Symantec add on - CIM Compliance error

Communicator

Hello,
I am collecting SEP data from the following sources:

  1. symantec:ep:behavior:file
  2. symantec:ep:agent:file
  3. symantec:ep:scan:file
  4. symantec:ep:agt_system:file
  5. symantec:ep:security:file
  6. symantec:ep:risk:file
  7. symantec:ep:scm_system:file
  8. symantec:ep:proactive:file
  9. symantec:ep:policy:file

In my dedicated index "Symantec" I can see events for symantec:ep:scan:file, which are supposed to be normalized to the "Malware" datamodel according to the docs.
I can also see the "malware" tag, as well as the "attack" tag.
For some reason, when I query the datamodel, I don't see any sign of Symantec logs.
The Intrusion Detection datamodel, for example, does have Symantec logs.

Can anyone help me figure this out?

Thanks!!

0 Karma

Re: Symantec add on - CIM Compliance error

SplunkTrust

You need to configure the index/sourcetypes to be used in the datamodel.

In the Enterprise Security App, navigate to Configure->CIM Setup, select your Intrusion Detection datamodel and add your index there. You need to do the same for the other datamodels as well, as per https://docs.splunk.com/Documentation/AddOns/released/SymantecEP/Sourcetypes

0 Karma

Re: Symantec add on - CIM Compliance error

Communicator

Isn't this operation built into the add-on?
I will check it though, thanks!

0 Karma

Re: Symantec add on - CIM Compliance error

SplunkTrust

No, generally, the add-ons have the sourcetype, but not the index, as each customer may choose to have different ones. So, as part of any data on-boarding/CIM compliance, you would need to do the above step.

0 Karma
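A way to check the index step from both answers outside the UI, added here as an example and not code from the thread or from Splunk: it reads a macros.conf and lists the data models whose index allowlist leaves out a given index. It assumes CIM Setup stores each allowlist as a `cim_<DataModel>_indexes` macro in the Splunk_SA_CIM app's macros.conf; the sample file content and the function names are constructed.

```python
import configparser
import re
from fnmatch import fnmatch

# Constructed sample of a Splunk_SA_CIM local/macros.conf; index names other
# than the thread's "symantec" are made up for illustration.
SAMPLE_MACROS_CONF = """
[cim_Intrusion_Detection_indexes]
definition = (index=symantec OR index=ids)

[cim_Malware_indexes]
definition = (index=av_legacy)

[cim_Authentication_indexes]
definition = ()
"""

# Assumed macro naming: cim_<DataModel>_indexes
MACRO_RE = re.compile(r"^cim_(?P<model>.+)_indexes$")
INDEX_RE = re.compile(r'index\s*=\s*"?([^\s")]+)', re.IGNORECASE)


def allowlists(conf_text):
    """Map data model name -> set of index patterns in its allowlist macro."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    found = {}
    for stanza in parser.sections():
        match = MACRO_RE.match(stanza)
        if match:
            definition = parser.get(stanza, "definition", fallback="()")
            found[match.group("model")] = {
                p.lower() for p in INDEX_RE.findall(definition)
            }
    return found


def models_excluding(conf_text, index):
    """Data models whose non-empty allowlist does not cover the index."""
    index = index.lower()
    return sorted(
        model
        for model, patterns in allowlists(conf_text).items()
        # An empty allowlist "()" adds no index restriction, so it is skipped.
        if patterns and not any(fnmatch(index, p) for p in patterns)
    )


if __name__ == "__main__":
    print(models_excluding(SAMPLE_MACROS_CONF, "Symantec"))
```

With the constructed sample, the Malware allowlist omits the index while Intrusion Detection includes it, which matches the symptom described in the question.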