Package Details

The application consist of the following components:

1. Dashboard Packages
   
   • LP_SEP Firewall and IDS
   • LP_SEP Virus Spyware Information 
   • LP_Symantec Messaging Gateway 
   • LP_Symantec Endpoint Protection
2. Normalization Packages
   
   • LP_Symantec Antivirus 
   • LP_Symantec Endpoint Protection 
   • LP_Symantec Endpoint Protection Client NX Agent 
   • LP_Symantec Endpoint Protection CSV 
   • LP_Symantec Mail Security for Microsoft Exchange 
   • LP_Symantec MessageLabs 
   • LP_Symantec Messaging Gateway 
   • LP_Symantec Messaging Gateway v10_6_1
   • LP_Symantec Messaging Gateway Generic 
   • LP_Symantec VIP 
3. Label Package
   
   • LP_Symantec Endpoint Protection 
4. Compiled Normalizers
   • SymantecMailSecurityNormalizer 
   • SymantecATPNormalizer 
   • SymantecEmailGatewayNormalizer 
   • SymantecAntivirusNormalizer 

Enhancement

A minor update has been done in the application’s normalizer for better signature handling.

Installation 

Follow these steps to install the Symantec Security v3.5.0 plugin:

1. Download the Symantec Security package from the Download section above.
2. Add the required Symantec Security as a device in LogPoint.

3. Create a collection policy with the Syslog collector and appropriate processing policy.

4. Assign the policy to the device.
5. Add the dashboard.

Note: You must activate the Symantec Endpoint Protection label package to populate the Symantec Endpoint Dashboard 

Screenshots

Supported Version

The supported versions of  Symantec Security with LogPoint in this configuration are:

• Mail Security for Microsoft Exchange
• Symantec Endpoint Protection Version 12.1 RU6
• Symantec MessageLabs
• Symantec AntiVirus Corporate Edition

Log Format

Symantec Email Gateway

Log Sample

{"incidents": null, "emailInfo": {"HELOString": "logpoint.com", "logpoint": "XXXX_XXXXXXXXX", "envFrom": "bounce-notifications-verp-e0fc027d7cd4c9ddc292@logpoint.com", "longMsgRef": "message.com!1552262838!2753525!1", "senderMailserver": "message.com", "country": "", "envTo": ["logpoint.com"], "mailProcessingStartTime": 1552262838, "xMsgRef": "155226283800000027535250001222028", "isOutbound": false, "authResults": null, "messageSize": 10356, "headerTo": ["logpoint.com"], "filesAndLinks": [{"index": 3, "nodeType": "FILE", "fileType": "text/html", "linkSource": "EMAIL", "parentIndex": 2, "fileNameOrURL": "message.htm", "fileSize": 9186, "sha256": "1b98b5cad6d8983cb89a02164bc724bd2142e189ab140885536ef7691333b872", "md5": "98387f6c999ab88f59e4dbbaf1212d86"}, {"index": 2, "nodeType": "FILE", "fileType": "Email/HeaderPart", "linkSource": "EMAIL", "parentIndex": 1, "fileNameOrURL": "SMTP Envelope (1)", "fileSize": 9186, "sha256": "1b98b5cad6d8983cb89a02164bc724bd2142e189ab140885536ef7691333b872", "md5": "98387f6c999ab88f59e4dbbaf1212d86"}, {"index": 1, "nodeType": "FILE_INCLUDED", "fileType": "Email/Header", "linkSource": "EMAIL", "parentIndex": 0, "fileNameOrURL": "SMTP Envelope (0)", "fileSize": 1170, "sha256": "1409ff84ed65f8b574c052d480ed0647de4141af2257b32d0da4cdc22641efe2", "md5": "913d473f93634fe40bf5e079849ea2bb"}], "messageId": "20190311000718.409a655c23d5a723f1e2f0b@logpoint.com", "senderIp": "1.1.1.1", "headerReplyTo": "", "headerFrom": "logpoint.com", "subject": "Email Quarantine: You have 1 new emails"}}

Log Format

Symantec Endpoint Protection

Log Sample

<11>Dec 11 05:51:42 v-sitesc3 line printer - v-sitesc3 SymantecServer: abc123,Local Host: 1.1.1.1,Local Port:XXXX,Local Host MAC: 0000000000000,Remote Host IP: 1.1.1.1,Remote Host Name: logpoint,Remote Port: XXXXX,Remote Host MAC: 000000000000,TCP,Inbound,Begin: 2019-12-11 05:35:13,End: 2019-12-11 05:35:17,Occurrences: 2,Application: C:/WINDOWS/system32/logpoint,Rule: Block RDP,Location: Intranet,User: logpoint,Domain: LOG,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000

Log Format

Symantec ATP

Log Sample

<13>Oct 26 05:51:57 localhost sep_proxy_insight_event: INFO - logpoint.COM CEF:0|Symantec|ATPU|1.0|4096|sep_proxy_insight_event|0|device_time=2018-10-26T05:51:56.378Z device_uid=xxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxinternalIP=1.1.1.1 internalHost=1.1.1.1 filePath=CSIDL_PROFILE\\appdata\\local\\temp\\dtvaultprivacy30-0784-d fname=Launcher.exe sha2=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx md5=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxdisposition=0 disposition_atp=0 user_name= json={"atp_protocol":"rrs","data_direction":1,"data_source_ip":null,"data_source_url":null,"data_source_url_domain":null,"data_source_url_referer":null,"device_ip":"1.1.1.1","device_name":"1.1.1.1","device_time":"2018-10-26T05:51:56.378Z","device_uid":"xxxxxxx-xxxxx-xxxxx-xxxx-xxxxxxxx","disposition":1,"downloaded_portal_id":null,"en_uid":"xxxxxxxxxxxxxxxxxxxxxxxxxx","external_ip":null,"feature_name":"ATP:Endpoint","feature_ver":"2014.0.0","file":{"attributes":null,"confidence":114,"confidence_atp":114,"desc":"exe","disposition":0,"disposition_atp":0,"file_age":1,"first_seen":"2014-11-24T08:00:00.000Z","folder":"CSIDL_PROFILE\\appdata\\local\\temp\\privacy30-0784-d","md5":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ","name":"Launcher.exe","prevalence":166,"prevalence_band":7,"reputation_band":1,"sha2":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ","signature_company_name":"Logpoint","signature_issuer":"VeriSign Class 3 Code Signing 2010 CA","signature_serial_number":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ","size":1173792},"id":0,"initiating_engine":1313163330,"parent_file_name":null,"parent_file_sha2":null,"parent_installer_url":null,"product_name":"ATP:Endpoint","request_reason":null,"rule_id":null,"rule_version":0,"sep_mid":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ","type_id":4096,"zone_id":null,"sep_installed":true}

Log Format

Symantec Antivirus

Log Sample

<14>Apr 2 18:35:35 logpoint.com Symantec_AntiVirus: {"EventTime":"2019-04-02 18:35:35","Hostname":"logpoint.com,"Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":45,"SourceName":"Symantec AntiVirus","TaskValue":0,"RecordNumber":XXXXX,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Domain":"LOGPOINT","AccountName":"LOGPOINT","UserID":"X-X-X-XX","AccountType":"User","Message":" \r\n\r\nScan type: Tamper Protection Scan\r\nEvent: Tamper Protection Detection\r\nSecurity risk detected: C:\\PROGRAM FILES\\AMS\\SERVICE\\QAMS.EXE\r\nFile: C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.2.1031.0100.105\\Bin\\ccSvcHst.exe\r\nLocation: C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.2.1031.0100.105\\Bin\r\nComputer: MAIL160\r\nUser: SYSTEM\r\nAction taken: Leave Alone\r\nDate found: tag, 02. April 2019 18:35:35","EventData":"<Data>\r\n\r\nScan type: Tamper Protection Scan\r\nEvent: Tamper Protection Detection\r\nSecurity risk detected: C:\\PROGRAM FILES\\HEWLETT-PACKARD\\AMS\\SERVICE\\QAMS.EXE\r\nFile: C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.2.1031.0100.105\\Bin\\ccSvcHst.exe\r\nLocation: C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.2.1031.0100.105\\Bin\r\nComputer:LOGPOINT\r\nUser: SYSTEM\r\nAction taken: Leave Alone\r\nDate found: Dienstag, 02. April 2019 18:35:35</Data>","EventReceivedTime":"2019-04-02 18:35:35","SourceModuleName":"log_in","SourceModuleType":"log"}

To export data to LogPoint, use the Syslog collector on port 514 on the LogPoint server.