Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) utilizes the endpoints on your network to work together in protecting data.

Before You Begin

InsightIDR can ingest data from Symantec Endpoint Protection in two ways: syslog and Watch Directory.

Syslog

In the SEP Management Console, you must configure Symantec to send logs via syslog in the "External Logging settings" section. Read instructions on page 705 of the Administrator's Guide here: https://support.symantec.com/en_US/article.DOC8645.html

Watch Directory

In the SEP Management Console, you must configure Symantec to send logs to a folder in the "External Logging settings" section. When configuring Symantec for syslog delivery, check off Export Logs to a Dump File. This option will log data to a single log folder instead of sending the logs to syslog.

How to Configure This Event Source

  1. From your dashboard, select** Data Collection** on the left hand menu.
  2. At the top right of the page, select the dropdown that says "Setup Event Source" and then choose Add Event Source.
  3. From the "Security Data" section, select the Virus Scan icon. The "Add Event Source" panel appears.
  4. Select your collector and event source. You can name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Select an attribution source.
  8. Configure your default domain and any Advanced Event Source Settings.
  9. Select a collection method.
  10. Click Save.

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.

Attribution source options

Symantec Endpoint Protection product logs can contain information about hosts and accounts. When setting up Symantec Endpoint Protection as an event source, you will have the ability to specify the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  1. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  1. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  1. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.