Splunk Enterprise Security

Symantec endpoint protection - CIM compliance

astatrial
Contributor

Hello,
I am collecting SEP data from the following sources:

symantec:ep:behavior:file
symantec:ep:agent:file
symantec:ep:scan:file
symantec:ep:agt_system:file
symantec:ep:security:file
symantec:ep:risk:file
symantec:ep:scm_system:file
symantec:ep:proactive:file
symantec:ep:policy:file

In my dedicated index "Symantec" I can see events for symantec:ep:scan:file, which are supposed to be normalized to the "Malware" datamodel according to the docs.
I can also see the "malware" tag, as well as the "attack" tag.
For some reason, when I query the datamodel, I don't see any sign of the Symantec logs.
The Intrusion Detection datamodel, for example, does have Symantec logs.

Can anyone help me figure this out?

Thanks !!

lakshman239
Influencer

Is the issue resolved now? If so, could you accept the solution; else provide further inputs so we can assist.

0 Karma

astatrial
Contributor

Hi,
I have some issues implementing your suggestion, but as soon as I try it, I will update the question.

Thanks !

0 Karma

lakshman239
Influencer

You need to configure the index/sourcetypes to be used in the datamodel.

In the Enterprise Security App, navigate to Configure -> CIM Setup, select your Intrusion Detection datamodel and add your index there. You need to do the same for the other datamodels as well, as per https://docs.splunk.com/Documentation/AddOns/released/SymantecEP/Sourcetypes

0 Karma
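For reference, this is what that CIM Setup step produces on disk. It is an added, constructed example and not part of the answer above: the CIM add-on gates each data model on a `cim_<DataModel>_indexes` macro, which ships with an empty constraint, and CIM Setup rewrites the macro's definition in the app's local configuration. The file path and the "symantec" index name are assumptions taken from this thread.

```ini
# Constructed example: Splunk_SA_CIM local macros after adding the "symantec"
# index to the Malware and Intrusion Detection data models via CIM Setup.
# Assumed path: $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/macros.conf
#
# With the shipped default of "definition = ()" the data model searches
# every index; once any index is listed, events from indexes not in the
# list are excluded, which is why a populated tag alone is not enough.

[cim_Malware_indexes]
definition = (index="symantec")

[cim_Intrusion_Detection_indexes]
definition = (index="symantec")
```

To confirm the change took effect on the search head, run `| rest /servicesNS/-/-/admin/macros search="title=cim_Malware_indexes" | table title definition` and check that the definition lists the index; then `| tstats summariesonly=false count from datamodel=Malware.Malware_Attacks by sourcetype` should now return a row for symantec:ep:scan:file. If the Malware data model is accelerated, the summary is rebuilt in the background, so results with `summariesonly=true` lag behind until the backfill completes.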