Collect Symantec Endpoint Protection logs

Supported in:

Google secops SIEM

This document explains how to ingest Symantec Endpoint Protection logs to Google Security Operations using Bindplane. The parser processes logs in SYSLOG or KV format, first extracting timestamps from various formats within the log data. Then, it utilizes a separate configuration file (sep_pt2.include) to perform further parsing and structuring of the log events, ensuring successful processing only if the initial timestamp extraction is successful.

Before you begin

Ensure that you have the following prerequisites:

Google SecOps instance
Windows 2016 or later or Linux host with systemd
If running behind a proxy, firewall ports are open
Privileged access to the Symantec Endpoint Protection platform

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

Open the Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

For additional installation options, consult the installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

Access the configuration file:
- Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
- Open the file using a text editor (for example, nano, vi, or Notepad).

Edit the config.yaml file as follows:

receivers:
    udplog:
        # Replace the port and IP address as required
        listen_address: `0.0.0.0:514`

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        ingestion_labels:
            log_type: 'CES'
            raw_log_field: body

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - udplog
            exporters:
                - chronicle/chronicle_w_labels

Replace the port and IP address as required in your infrastructure.
Replace <customer_id> with the actual customer ID.
Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:
```
sudo systemctl restart bindplane-agent
```
To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
```
net stop BindPlaneAgent && net start BindPlaneAgent
```

Configure Syslog in Symantec Endpoint Protection

Sign in to your Symantec Endpoint Protection Manager web UI.
Click the Admin icon.
Locate the View Servers section, and click Servers.
Click Local Site > Configure External Logging.
Select the Enable Transmission of Logs to a Syslog Server checkbox.
Provide the following configuration details:
- Syslog Server: Enter the Bindplane IP address.
- UDP Destination Port: Enter the Bindplane port number (for example, 514 for UDP).
- Log Facility: Enter Local6.
- Select the Audit Logs checkbox.
- Select the Security Logs checkbox.
- Select the Risks checkbox.
Click OK.

UDM mapping table

Log field	UDM mapping	Logic
Action	security_result.action	The value is taken from the `Action` field in the raw log and mapped to a UDM action.
Action Type	security_result.action_details	The value is taken from the `Action Type` field in the raw log.
Admin
Allowed application reason	security_result.action_details	The value is taken from the `Allowed application reason` field in the raw log.
Application	principal.process.command_line	The value is taken from the `Application` field in the raw log.
Application hash	target.file.sha256	The value is taken from the `Application hash` field in the raw log.
Application name	target.application	The value is taken from the `Application name` field in the raw log.
Application type	target.resource.attribute.labels.value	The value is taken from the `Application type` field in the raw log. The key is hardcoded to `Application Type`.
Application version	target.application.version	The value is taken from the `Application version` field in the raw log.
Begin
Begin Time	extensions.vulns.vulnerabilities.scan_start_time	The value is taken from the `Begin Time` field in the raw log.
Begin:	extensions.vulns.vulnerabilities.scan_start_time	The value is taken from the `Begin:` field in the raw log.
Category	principal.resource.attribute.labels.value	The value is taken from the `Category` field in the raw log. The key is hardcoded to `Category`.
Category set	security_result.category	The value is taken from the `Category set` field in the raw log and mapped to a UDM category.
Category type	security_result.category_details	The value is taken from the `Category type` field in the raw log.
CIDS Signature ID
CIDS Signature string	security_result.summary	The value is taken from the `CIDS Signature string` field in the raw log.
CIDS Signature SubID
Client Policy
Command
Computer	target.hostname	The value is taken from the `Computer` field in the raw log.
Computer name	principal.hostname	The value is taken from the `Computer name` field in the raw log.
Confidence	security_result.confidence_details	The value is taken from the `Confidence` field in the raw log.
data
Description	security_result.action_details	The value is taken from the `Description` field in the raw log.
Description:	security_result.action_details	The value is taken from the `Description:` field in the raw log.
Detection score
Detection Submissions No
Detection type	security_result.summary	The value is taken from the `Detection type` field in the raw log.
Device ID	target.asset.hostname	The value is taken from the `Device ID` field in the raw log.
Disposition	security_result.action	The value is taken from the `Disposition` field in the raw log and mapped to a UDM action.
Domain	principal.administrative_domain	The value is taken from the `Domain` field in the raw log.
Domain Name	principal.administrative_domain	The value is taken from the `Domain Name` field in the raw log.
Domain Name:	principal.administrative_domain	The value is taken from the `Domain Name:` field in the raw log.
Downloaded by	principal.process.file.full_path	The value is taken from the `Downloaded by` field in the raw log.
Download site
Duration (seconds)	extensions.vulns.vulnerabilities.scan_end_time	The value is taken from the `Duration (seconds)` field in the raw log and added to the scan start time.
End
End Time	extensions.vulns.vulnerabilities.scan_end_time	The value is taken from the `End Time` field in the raw log.
End Time:	extensions.vulns.vulnerabilities.scan_end_time	The value is taken from the `End Time:` field in the raw log.
End:	extensions.vulns.vulnerabilities.scan_end_time	The value is taken from the `End:` field in the raw log.
Event Description	metadata.description	The value is taken from the `Event Description` field in the raw log.
Event Description:	metadata.description	The value is taken from the `Event Description:` field in the raw log.
Event Insert Time
Event time	metadata.event_timestamp	The value is taken from the `Event time` field in the raw log.
Event time:	metadata.event_timestamp	The value is taken from the `Event time:` field in the raw log.
Event Type	metadata.product_event_type	The value is taken from the `Event Type` field in the raw log.
Event Type:	metadata.product_event_type	The value is taken from the `Event Type:` field in the raw log.
File path	target.file.full_path	The value is taken from the `File path` field in the raw log.
File path:	target.file.full_path	The value is taken from the `File path:` field in the raw log.
File size (bytes)	target.file.size	The value is taken from the `File size (bytes)` field in the raw log.
First Seen	security_result.action_details	The value is taken from the `First Seen` field in the raw log.
First Seen:	security_result.action_details	The value is taken from the `First Seen:` field in the raw log.
Group	principal.group.group_display_name	The value is taken from the `Group` field in the raw log.
Group Name	principal.group.group_display_name	The value is taken from the `Group Name` field in the raw log.
Group Name:	principal.group.group_display_name	The value is taken from the `Group Name:` field in the raw log.
Hash type	target.resource.attribute.labels.value	The value is taken from the `Hash type` field in the raw log. The key is hardcoded to `Hash Type`.
Intensive Protection Level
Intrusion ID
Intrusion Payload URL
Intrusion URL
IP Address	principal.ip	The value is taken from the `IP Address` field in the raw log.
IP Address:	principal.ip	The value is taken from the `IP Address:` field in the raw log.
Last update time
Local Host	principal.ip	The value is taken from the `Local Host` field in the raw log.
Local Host IP	principal.ip	The value is taken from the `Local Host IP` field in the raw log.
Local Host MAC	principal.mac	The value is taken from the `Local Host MAC` field in the raw log.
Local Port	principal.port	The value is taken from the `Local Port` field in the raw log.
Location
MD-5
Occurrences	security_result.about.resource.attribute.labels.value	The value is taken from the `Occurrences` field in the raw log. The key is hardcoded to `Occurrences`.
Permitted application reason	security_result.action_details	The value is taken from the `Permitted application reason` field in the raw log.
Prevalence	security_result.description	The value is taken from the `Prevalence` field in the raw log.
Remote path	target.file.full_path	The value is taken from the `Remote file path` field in the raw log.
Remote Host IP	target.ip	The value is taken from the `Remote Host IP` field in the raw log.
Remote Host MAC	target.mac	The value is taken from the `Remote Host MAC` field in the raw log.
Remote Hostname	target.hostname	The value is taken from the `Remote Host Name` field in the raw log.
Remote Port	target.port	The value is taken from the `Remote Port` field in the raw log.
Requested action	security_result.action	The value is taken from the `Requested action` field in the raw log and mapped to a UDM action.
Risk Level	security_result.severity	The value is taken from the `Risk Level` field in the raw log and mapped to a UDM severity.
Risk name	security_result.threat_name	The value is taken from the `Risk name` field in the raw log.
Risk type	security_result.detection_fields.value	The value is taken from the `Risk type` field in the raw log. The key is hardcoded to `Risk Type`.
Rule	principal.resource.name	The value is taken from the `Rule` field in the raw log.
Rule:	principal.resource.name	The value is taken from the `Rule:` field in the raw log.
Scan ID	extensions.vulns.vulnerabilities.name	The value is taken from the `Scan ID` field in the raw log.
Scan ID:	extensions.vulns.vulnerabilities.name	The value is taken from the `Scan ID:` field in the raw log.
Scan Type
Secondary action	target.resource.attribute.labels.value	The value is taken from the `Secondary action` field in the raw log. The key is hardcoded to `Secondary action`.
Security risk found	metadata.description	The value is taken from the `Security risk found` field in the raw log.
Server	intermediary.hostname	The value is taken from the `Server` field in the raw log.
Server Name	intermediary.hostname	The value is taken from the `Server Name` field in the raw log.
Server Name:	intermediary.hostname	The value is taken from the `Server Name:` field in the raw log.
SHA-256	principal.process.file.sha256	The value is taken from the `SHA-256` field in the raw log.
Site	additional.fields.value.string_value	The value is taken from the `Site` field in the raw log. The key is hardcoded to `Site Name`.
Site Name	additional.fields.value.string_value	The value is taken from the `Site Name` field in the raw log. The key is hardcoded to `Site Name`.
Site:	additional.fields.value.string_value	The value is taken from the `Site:` field in the raw log. The key is hardcoded to `Site Name`.
Source	metadata.product_event_type	The value is taken from the `Source` field in the raw log and appended to the hardcoded string `Security risk found -`.
Source computer
Source computer:
Source IP
Source IP:
Source:	metadata.product_event_type	The value is taken from the `Source:` field in the raw log and appended to the hardcoded string `Security risk found -`.
ts	metadata.event_timestamp	The value is taken from the `ts` field in the raw log.
URL Tracking Status
User	principal.user.userid	The value is taken from the `User` field in the raw log.
User Name	principal.user.userid	The value is taken from the `User Name` field in the raw log.
User Name:	principal.user.userid	The value is taken from the `User Name:` field in the raw log.
Web domain
metadata.description		If the raw log contains the string `The client has downloaded` the description is set to `The client has downloaded {target file name}`. If the raw log contains the string `The management server received` the description is set to `The management server received the client log successfully`. Otherwise, the description is set to the value of the `Event Description` field in the raw log.
metadata.event_type		The event type is determined by the parser logic based on the content of the raw log.
metadata.log_type		The log type is hardcoded to `SEP`.
metadata.product_name		The product name is hardcoded to `SEP`.
metadata.vendor_name		The vendor name is hardcoded to `Symantec`.

Need more help? Get answers from Community members and Google SecOps professionals.