I am collecting SEP data from the following sources:
In my dedicated index "Symantec" I can see events for symantec:ep:scan:file, which are supposed to be normalized to the "Malware" datamodel according to the docs.
I can also see the "malware" tag, as well as the "attack" tag.
For some reason, when I query the datamodel, I don't see any sign of Symantec logs.
The Intrusion Detection datamodel, for example, does have Symantec logs.
Can anyone help me figure this out?
You need to configure the index/sourcetypes to be used in the datamodel.
In the Enterprise Security App, navigate to Configure->CIM Setup, select your Intrusion Detection datamodel and add your index there. You need to do the same for the other datamodels as well, as per https://docs.splunk.com/Documentation/AddOns/released/SymantecEP/Sourcetypes
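What the CIM Setup page actually writes, as an added illustration that is not part of the answer above: the index constraint of each CIM data model is a search macro in the Splunk_SA_CIM app (`cim_<DataModel>_indexes`), and the page stores your choice in that app's local/macros.conf. The index name `symantec` is taken from the question; the macro names are the CIM add-on's real ones. With the shipped default the constraint is empty, so the data model only searches the indexes that are in the searching role's default search indexes, which is why a dedicated index can show up in a raw `index=symantec` search but not in the data model.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/macros.conf
# Added example: before/after of the index constraint the CIM Setup page manages.

# Shipped default (in default/macros.conf): no explicit index, so the data
# model search falls back to the role's default search indexes. A dedicated
# "symantec" index outside that set never reaches the Malware data model,
# even though the events carry tag=malware and tag=attack.
# [cim_Malware_indexes]
# definition = ()

# Corrected: constrain the Malware data model to the index holding
# symantec:ep:scan:file (and any other indexes that feed Malware).
[cim_Malware_indexes]
definition = (index=symantec)

# Do the same for every data model the add-on feeds; the Intrusion
# Detection model already working suggests it was set here earlier.
[cim_Intrusion_Detection_indexes]
definition = (index=symantec)
```

After saving (or after using the CIM Setup page, which edits the same file), verify with `| datamodel Malware Malware_Attacks search | head 5`; if that returns symantec:ep:scan:file events the constraint is fixed, and if it still returns nothing, check that the events carry both `tag=malware` and `tag=attack`, since the Malware_Attacks dataset requires both.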
No, generally the add-ons define the sourcetypes, but not the index, as each customer may choose to use different ones. So, as part of any data on-boarding / CIM compliance work, you need to do the above step.