收集 Symantec Endpoint Protection 日志
支持的语言:
Google SecOps
SIEM
本文档介绍了如何使用 Bindplane 将 Symantec Endpoint Protection 日志注入到 Google Security Operations。解析器以 SYSLOG 或 KV 格式处理日志,首先从日志数据中的各种格式提取时间戳。然后,它会利用单独的配置文件 (sep_pt2.include) 对日志事件进行进一步的解析和结构化处理,只有在初始时间戳提取成功时,才能确保成功处理。
准备工作
确保您满足以下前提条件:
- Google SecOps 实例
- Windows 2016 或更高版本,或者具有 systemd 的 Linux 主机
- 如果在代理后运行,防火墙端口处于开放状态
- 对 Symantec Endpoint Protection 平台的特权访问权限
获取 Google SecOps 注入身份验证文件
- 登录 Google SecOps 控制台。
- 依次前往 SIEM 设置 > 收集代理。
- 下载注入身份验证文件。将文件安全地保存在将要安装 Bindplane 的系统上。
获取 Google SecOps 客户 ID
- 登录 Google SecOps 控制台。
- 依次前往 SIEM 设置 > 个人资料。
- 复制并保存组织详细信息部分中的客户 ID。
安装 Bindplane 代理
以下部分介绍了如何安装 Bindplane 代理。
Windows 安装
- 以管理员身份打开命令提示符或 PowerShell。
运行以下命令:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
Linux 安装
- 打开具有 root 或 sudo 权限的终端。
运行以下命令:
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
其他安装资源
如需了解其他安装选项,请参阅安装指南。
配置 Bindplane 代理以注入 syslog 并将其发送到 Google SecOps
- 访问配置文件:
- 找到
config.yaml文件。通常,它位于 Linux 上的/etc/bindplane-agent/目录中或 Windows 上的安装目录中。 - 使用文本编辑器(例如
nano、vi或记事本)打开该文件。
- 找到
按如下方式修改
config.yaml文件:receivers: udplog: # Replace the port and IP address as required listen_address: `0.0.0.0:514` exporters: chronicle/chronicle_w_labels: compression: gzip # Adjust the path to the credentials file you downloaded in Step 1 creds: '/path/to/ingestion-authentication-file.json' # Replace with your actual customer ID from Step 2 customer_id: <customer_id> endpoint: malachiteingestion-pa.googleapis.com # Add optional ingestion labels for better organization ingestion_labels: log_type: 'CES' raw_log_field: body service: pipelines: logs/source0__chronicle_w_labels-0: receivers: - udplog exporters: - chronicle/chronicle_w_labels根据基础架构的需要替换端口和 IP 地址。
将
<customer_id>替换为实际的客户 ID。将
/path/to/ingestion-authentication-file.json更新为获取 Google SecOps 提取身份验证文件部分中保存身份验证文件的路径。
重启 Bindplane 代理以应用更改
如需在 Linux 中重启 Bindplane 代理,请运行以下命令:
sudo systemctl restart bindplane-agent如需在 Windows 中重启 Bindplane 代理,您可以使用服务控制台,也可以输入以下命令:
net stop BindPlaneAgent && net start BindPlaneAgent
在 Symantec Endpoint Protection 中配置 Syslog
- 登录 Symantec Endpoint Protection Manager Web 界面。
- 点击管理图标。
- 找到查看服务器部分,然后点击服务器。
- 依次点击本地网站 > 配置外部日志记录。
- 选中启用向 Syslog 服务器传输日志复选框。
- 提供以下配置详细信息:
- Syslog 服务器:输入 Bindplane IP 地址。
- UDP 目标端口:输入 Bindplane 端口号(例如,
514表示 UDP)。 - 日志设施:输入 Local6。
- 选中审核日志复选框。
- 选中安全日志复选框。
- 选中风险复选框。
- 点击确定。
UDM 映射表
| 日志字段 | UDM 映射 | 备注 |
|---|---|---|
_DB_HOST |
target.hostname |
|
a_record |
network.dns.questions.type |
|
AccessCheckResults |
security_result.detection_fields |
|
Accesses |
security_result.detection_fields |
|
AccessList |
security_result.detection_fields |
|
AccessMask |
security_result.detection_fields |
|
AccessReason |
security_result.description |
|
AccountName |
target.user.user_display_name |
|
AccountType |
principal.user.attribute.roles |
|
ACTION |
security_result.detection_fields |
|
ACTION_TYPE |
security_result.action_details |
|
ActiveProfile |
target.resource.name |
|
ActivityID |
additional.fields |
|
AdditionalInfo2 |
security_result.detection_fields |
|
ADMIN_NAME |
principal.user.userid |
|
AGENT_SECURITY_LOG_IDX |
metadata.product_log_id |
|
AgentVer |
additional.fields |
|
Alert |
security_result.detection_fields |
|
ALERT_IDX |
security_result.rule_id |
|
ALERTDATETIME |
security_result.first_discovered_time |
|
ALERTENDDATETIME |
security_result.last_discovered_time |
|
ALERTINSERTTIME |
security_result.detection_fields |
|
AlgorithmName |
security_result.detection_fields |
|
Allowedapplicationreason |
security_result.detection_fields |
|
APP_NAME |
target.application |
|
app_name |
principal.application |
|
AppPoolID |
target.application |
|
AuthenticationPackageName |
additional.fields |
|
AuthenticationSetId |
security_result.detection_fields |
|
AuthenticationSetName |
target.resource.name |
|
BitlockerUserInputTime |
additional.fields |
|
BootMenuPolicy |
additional.fields |
|
BootType |
additional.fields |
|
BU |
additional.fields |
|
BugcheckString |
additional.fields |
|
CALLER_PROCESS_ID |
principal.process.pid |
|
CALLER_PROCESS_NAME |
principal.process.file.full_path |
|
callerReturnAddress |
additional.fields |
|
callerReturnModuleName |
additional.fields |
|
Caption |
target.application |
|
Category |
security_result.category_details |
|
Channel |
security_result.about.resource.attribute.labels |
|
CIDS_SIGN_SUB_ID |
additional.fields |
|
CLIENT_USER2 |
principal.user.userid |
|
Comment |
metadata.description |
|
Component |
security_result.detection_fields |
|
connection.ether_type |
security_result.about.labels |
|
ConnectionSecurityRuleName |
target.resource.name |
|
ConnectionSecurityRuleId |
security_result.detection_fields |
|
CryptographicSetId |
security_result.detection_fields |
|
CryptographicSetName |
target.resource.name |
|
CSPEID |
additional.fields |
|
DCName |
intermediary.hostname |
|
Desc |
metadata.description |
|
DesiredAccess |
security_result.detection_fields |
|
device.last_app_connection |
target.asset.last_discover_time |
|
device.wss_feature |
target.asset.attribute.labels |
|
DeviceName |
target.resource.name |
|
DeviceNameLength |
additional.fields |
|
DeviceTime |
additional.fields |
|
DeviceVersionMajor |
additional.fields |
|
DeviceVersionMinor |
additional.fields |
|
disposition |
security_result.detection_fields |
|
dns_direction |
security_result.detection_fields |
|
domain |
target.administrative_domain |
|
Domain |
principal.administrative_domain |
|
DOMAIN_ID |
target.resource.product_object_id |
|
EDate |
additional.fields |
|
EDateUTC |
metadata.event_timestamp |
|
elevated_token |
additional.fields |
|
EntryCount |
additional.fields |
|
Error |
security_result.description |
|
error |
security_result.detection_fields |
|
ErrorCode |
security_result.description |
|
ErrorDescription |
security_result.description |
|
Event |
metadata.description |
|
EVENT_DATA |
additional.fields |
|
event_type |
metadata.product_event_type |
|
EventData.Binary |
additional.fields |
|
eventDesc |
metadata.description |
|
eventInsertTime |
metadata.collected_timestamp |
|
EventReceivedTime |
metadata.collected_timestamp |
|
EventTime |
metadata.event_timestamp |
|
EventType |
metadata.product_event_type |
|
ExceptionCode |
security_result.detection_fields |
|
executionPolicy |
security_result.rule_name |
|
ExecutionProcessID |
principal.process.pid |
|
ExecutionThreadID |
principal.process.product_specific_process_id |
|
ExtensionId |
security_result.detection_fields |
|
ExtensionName |
target.resource.name |
|
ExtraInfoLength |
additional.fields |
|
ExtraInfoString |
additional.fields |
|
FailureId |
security_result.detection_fields |
|
faulting_application_name |
principal.process.file.names |
|
faulting_application_path |
principal.process.file.full_path |
|
FaultingModuleName |
additional.fields |
|
FaultingModulePath |
additional.fields |
|
FaultOffset |
additional.fields |
|
FILE_SIZE |
about.file.size |
|
FilterID |
security_result.detection_fields |
|
FinalStatus |
security_result.description |
|
GPODisplayName |
target.resource.name |
|
GPOFileSystemPath |
target.file.full_path |
|
Group |
principal.resource.attribute.labels |
|
HACK_TYPE |
security_result.category_details |
|
HandleId |
target.resource.attribute.labels |
|
HID_LEVEL |
additional.fields |
|
HN |
additional.fields |
|
host |
principal.hostname |
|
Hostname |
principal.hostname |
|
id |
metadata.product_log_id |
|
IdleImplementation |
additional.fields |
|
IdleStateCount |
additional.fields |
|
ImpersonationLevel |
additional.fields |
|
IntensiveProtectionLevel |
security_result.detection_fields |
|
Interface |
security_result.detection_fields |
|
intermediary_host |
intermediary.ipintermediary.hostname |
如果值为 IP 地址,则映射到 intermediary.ip。如果值为主机名,则映射到 intermediary.hostname。 |
INTRUSION_PAYLOAD_URL |
target.url |
|
INTRUSION_URL |
target.url |
|
IP |
principal.ip |
|
IP_ADDR |
src.ip |
|
IpAddress |
principal.ip |
|
IpPort |
principal.port |
|
KERNEL |
principal.platform_patch_level |
|
KeyFilePath |
target.file.full_path |
|
KeyLength |
additional.fields |
|
KeyName |
security_result.detection_fields |
|
KeyType |
security_result.detection_fields |
|
lastUpdateTime |
target.resource.attribute.last_update_time |
|
LmPackageName |
security_result.detection_fields |
|
LoadOptions |
additional.fields |
|
LogonGuid |
network.session_id |
|
LogonProcessName |
target.application |
|
LogonType |
extensions.auth.auth_details |
|
MandatoryLabel |
target.resource.attribute.labels |
|
MasterKeyId |
security_result.detection_fields |
|
MaximumPerformancePercent |
additional.fields |
|
Message |
metadata.description |
|
MinimumPerformancePercent |
additional.fields |
|
MinimumThrottlePercent |
additional.fields |
|
Minutes |
target.resource.attribute.labels |
|
NewFile |
target.file.full_path |
|
NewGrp |
target.group.group_display_name |
|
NewModDt |
target.file.last_modification_time |
|
NewOwn |
additional.fields |
|
NewPerms |
additional.fields |
|
NewProcessId |
target.process.pid |
|
NewProcessName |
target.process.file.full_path |
|
NewSecurityDescriptor |
security_result.description |
|
NewSize |
additional.fields |
|
NominalFrequency |
principal.resource.attribute.labels |
|
Number |
principal.resource.attribute.labels |
|
NumberOfGroupPolicyObjects |
additional.fields |
|
ObjectName |
target.resource.name |
|
ObjectServer |
target.resource.attribute.labels |
|
ObjectType |
target.resource.resource_type |
|
ObjId |
target.resource.attribute.labels |
|
OldFile |
src.file.full_path |
|
OldGrp |
src.group.group_display_name |
|
OldModDt |
src.file.last_modification_time |
|
OldOwn |
additional.fields |
|
OldPerms |
additional.fields |
|
OldSize |
additional.fields |
|
omittedFiles |
security_result.detection_fields |
|
Opcode |
additional.fields |
|
OpcodeValue |
metadata.product_event_type |
|
Operation |
security_result.description |
|
Operation |
additional.fields |
|
OperationType |
security_result.category_details |
|
OriginalSecurityDescriptor |
additional.fields |
|
OS |
principal.platform |
|
OSVER |
principal.platform_version |
|
param2 |
security_result.detection_fields |
|
param3 |
security_result.detection_fields |
|
param4 |
security_result.detection_fields |
|
PARAM_DEVICE_ID |
principal.hostname |
|
PARAMETER |
target.file.full_path |
|
parameters |
additional.fields |
|
PARENT_SERVER_TYPE |
additional.fields |
|
PerformanceImplementation |
additional.fields |
|
POLNm |
additional.fields |
|
prevalence |
security_result.detection_fields |
|
Priority |
security_result.detection_fields |
|
PrivilegeList |
target.resource.attribute.permissions.name |
|
PrivilegesUsedForAccessCheck |
security_result.detection_fields |
|
ProblemID |
additional.fields |
|
ProcessId |
principal.process.pid |
|
ProcessID |
target.process.pid |
|
ProcessingMode |
additional.fields |
|
ProcessingTimeInMilliseconds |
additional.fields |
|
ProcessName |
principal.process.file.full_path |
|
ProcName |
principal.process.file.names |
|
ProcPath |
principal.process.file.full_path |
|
product_event_type |
metadata.product_event_type |
|
PROFILE_SERIAL_NO |
additional.fields |
|
protected |
security_result.detection_fields |
|
ProviderGuid |
metadata.product_deployment_id |
|
ProviderName |
security_result.detection_fields |
|
PuaCount |
additional.fields |
|
PuaPolicyId |
additional.fields |
|
PUB_KEY |
additional.fields |
|
Reason |
additional.fields |
|
ReasonCode |
additional.fields |
|
RecordNumber |
metadata.product_log_id |
|
RecoveryReason |
security_result.description |
|
RecType |
metadata.product_event_type |
|
RelativeTargetName |
target.user.user_display_name |
|
report_id |
metadata.product_log_id |
|
request |
additional.fields |
|
restricted_admin_mode |
additional.fields |
|
restricted_sid_count |
additional.fields |
|
risks |
security_result.detection_fields |
|
Rule |
security_result.rule_name |
|
RuleName |
security_result.rule_name |
|
RuleType |
additional.fields |
|
scan_duration |
security_result.detection_fields |
|
scan_state |
security_result.detection_fields |
|
scan_type |
security_result.detection_fields |
|
scanned_number |
security_result.detection_fields |
|
ScriptType |
additional.fields |
|
SecurityPackageName |
about.file.full_path |
|
SEQ_ID |
additional.fields |
|
Service |
target.application |
|
SeverityValue |
security_result.severity_details |
|
sha256 |
principal.process.file.sha256 |
|
ShareLocalPath |
target.file.full_path |
|
ShareName |
target.resource.name |
|
SITE_IDX |
additional.fields |
|
skipped_files |
security_result.detection_fields |
|
SourceModuleName |
additional.fields |
|
SourceModuleType |
additional.fields |
|
SourceName |
principal.application |
|
spn1 |
target.resource.attribute.labels |
|
spn2 |
target.resource.attribute.labels |
|
standard_schemes |
security_result.detection_fields |
|
State |
additional.fields |
|
Status |
target.resource.attribute.labels |
|
StopTime |
additional.fields |
|
SubjectDomainName |
principal.administrative_domain |
|
SubjectLogonId |
principal.user.userid |
|
SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
principal.user.windows_sid |
|
SupportInfo1 |
additional.fields |
|
SupportInfo2 |
additional.fields |
|
syslogServer |
intermediary.ipintermediary.hostname |
该值(IP 地址或主机名)来自日志的标头,并且与中介相关联。 |
TargetDomainName |
target.administrative_domain |
|
TargetLogonId |
target.user.userid |
|
TargetUserName |
target.user.userid |
|
TargetUserSid |
target.user.windows_sid |
|
TaskContentNew |
additional.fields |
|
TaskName |
target.resource.name |
|
TaskValue |
metadata.description |
|
THREATS |
security_result.detection_fields |
|
threats |
security_result.detection_fields |
|
TimeDifferenceMilliseconds |
additional.fields |
|
TimeSampleSeconds |
additional.fields |
|
timestamp |
metadata.event_timestamp |
|
TokenElevationType |
target.resource.attribute.labels |
|
transaction_id |
metadata.product_log_id |
|
TransitedServices |
security_result.detection_fields |
|
TSId |
network.session_id |
|
type |
security_result.threat_name |
|
UMDFDeviceInstallBegin.version |
target.resource.attribute.labels |
|
UMDFReflectorDependencyMissing.Dependency |
additional.fields |
|
updateGuid |
target.process.product_specific_process_id |
|
updateRevisionNumber |
target.resource.attribute.labels |
|
updateTitle |
target.resource.name |
|
UpdateType |
additional.fields |
|
Url |
target.url |
|
urlTrackingStatus |
security_result.detection_fields |
|
User |
principal.user.userid |
|
UserID |
target.user.userid |
|
UserSid |
target.user.windows_sid |
|
VAPI_NAME |
security_result.summary |
|
VAST |
additional.fields |
|
Version |
metadata.product_version |
|
virtual_account |
additional.fields |
|
VSAD |
additional.fields |
|
WorkstationName |
additional.fields |
|
| 不适用 | metadata.log_type |
日志类型已硬编码为 SEP。 |
| 不适用 | metadata.product_name |
产品名称已硬编码为 SEP。 |
| 不适用 | metadata.vendor_name |
供应商名称已硬编码为 Symantec。 |
UDM 映射增量参考信息
2025 年 8 月 26 日,Google SecOps 发布了新版 Symantec Endpoint Protection 解析器,其中对 Symantec Endpoint Protection 日志字段到 UDM 字段的映射以及事件类型的映射做出了重大更改。
日志字段映射增量
下表列出了 2025 年 8 月 26 日之前和之后公开的 Symantec Endpoint Protection 日志到 UDM 字段的映射差异(分别列在旧映射和当前映射列中)。
| 日志字段 | 旧映射 | 当前映射 |
|---|---|---|
_DB_DRIVER |
about.resource.id |
about.resource.product_object_id |
_ip |
principal.ip |
intermediary.ip |
Actualaction: Quarantined |
security_result.action : BLOCK |
security_result.action : QUARANTINE |
BEGIN_TIME |
additional.fields |
target.resource.attribute.labels |
callerProcessId |
target.process.pid |
principal.process.pid |
callerProcessName |
target.file.full_path |
principal.process.file.full_path |
CATEGORY_DESC |
additional.fields |
security_result.category_details |
CLIENT_TYPE |
additional.fields |
principal.user.attribute.roles |
DESCRIPTION |
security_result.detection_fields |
security_result.summary |
device.id |
target.resource.id |
target.resource.product_object_id |
device_uid |
principal.resource.id |
principal.resource.product_object_id |
DURATION |
additional.fields |
network.session_duration.seconds |
END_TIME |
additional.fields |
target.resource.attribute.last_update_time |
feature_name |
about.labels |
security_result.about.labels |
REMOTE_HOST_MAC |
additional.fields |
principal.mac |
resourceId |
principal.resource.id |
principal.resource.product_object_id |
server_name_1 |
principal.hostnameintermediary.hostname |
target.hostname |
UUID |
additional.fields |
principal.asset.asset_id |
事件类型映射增量
之前被归类为通用事件的多个事件现在已正确归类为有意义的事件类型。
下表列出了 2025 年 8 月 26 日之前和之后 Symantec Endpoint Protection 事件类型处理方式的差异(分别列在旧 event_type 和当前 event_type 列中)。
| 日志中的 eventType | 旧 event_type | 当前 event_type |
|---|---|---|
| 管理员退出 | GENERIC_EVENT |
USER_LOGOUT |
| 屏蔽所有其他 IP 流量并记录 | STATUS_UPDATE |
NETWORK_CONNECTION |
| 文件已创建 | GENERIC_EVENT |
FILE_CREATION |
| 文件已修改 | GENERIC_EVENT |
FILE_MODIFICATION |
| 文件已重命名 | GENERIC_EVENT |
FILE_MODIFICATION |
| 已开始在所选云端硬盘上扫描 | GENERIC_EVENT |
SCAN_HOST |
| 扫描已在所选驱动器上开始,并且有文件 | GENERIC_EVENT |
SCAN_FILE |
| 用户基于事件访问资源 | USER_UNCATEGORIZED |
USER_RESOURCE_ACCESS |
| 用户正在尝试终止 | GENERIC_EVENT |
STATUS_SHUTDOWN |
VAPI_NAME = File Delete |
USER_UNCATEGORIZED |
FILE_DELETION |
VAPI_NAME = File Write |
USER_UNCATEGORIZED |
FILE_CREATION |
需要更多帮助?从社区成员和 Google SecOps 专业人士那里获得解答。