Forum Discussion
Jan 24, 2022
HOW TO CONNECT SYMANTEC ENDPOINT PROTECTION LOGS TO SENTINEL?
Hello, I have been trying without success to connect SEP logs to Sentinel. So far I have tried ICDx and CEF. Any rundown?
- Clive_Watson (Bronze Contributor): If you can get the data from SEP to a Syslog Server: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html you can then use the Parser in the Sentinel Github? https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/SymantecEndpointProtection/SymantecEndpointProtection.txt (you need to edit the server names in the Parser). I've never tried this in a CSP sub though. Source: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec%20Endpoint%20Protection/Data%20Connectors/Connector_Syslog_SymantecEndpointProtection.json
- Clive_Watson I did manage to make substantial progress on this. But I was wondering if I can put IP addresses instead of server names in the Parser?
- Clive_Watson (Bronze Contributor): You can amend the parser, but if you do Microsoft could change it in the future.
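To make the "edit the server names" step and the name-versus-IP question concrete, here is an added KQL example of a parser skeleton for SEP syslog rows. It is not the Azure-Sentinel repository parser and not Clive's code; the sample rows are constructed to mirror the Sentinel Syslog table's columns, the SEPM hostnames and IPs are hypothetical, and the `Key: value` field labels are assumed from SEP's comma-separated syslog style, so check them against your own SEPM output before saving this as a workspace function.

```kusto
// Added example (not the Azure-Sentinel parser). Constructed rows shaped like
// the Sentinel Syslog table so the query runs in any Log Analytics workspace.
let SepSampleLogs = datatable(
    TimeGenerated:datetime, Computer:string, HostName:string, HostIP:string,
    Facility:string, SeverityLevel:string, ProcessName:string, SyslogMessage:string)
[
    datetime(2022-01-24T09:15:02Z), "sepm01", "sepm01", "10.10.5.20", "local0", "info", "SymantecServer",
      @"sepm01,Security risk found,IP Address: 10.10.7.41,Computer name: WKS-0042,Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1,File path: C:\Users\jdoe\Downloads\eicar.com,Action taken: Quarantined",
    datetime(2022-01-24T09:16:40Z), "sepm02", "sepm02", "10.10.5.21", "local0", "info", "SymantecServer",
      @"sepm02,Virus found,IP Address: 10.10.7.55,Computer name: WKS-0107,Source: Manual scan,Risk name: Trojan.Gen,Occurrences: 3,File path: C:\Temp\setup.exe,Action taken: Cleaned",
    datetime(2022-01-24T09:17:05Z), "fw-edge01", "fw-edge01", "10.10.9.1", "local4", "warning", "kernel",
      "unrelated firewall message that the parser must not pick up"
];
// Source filter. The repository parser selects rows by SEPM server name; the
// thread asks whether IP addresses can be used instead. In the Syslog table the
// sender's address lands in HostIP, so either list (or both) can drive the filter.
let SepServerNames = dynamic(["sepm01", "sepm02"]);        // hypothetical SEPM hostnames
let SepServerIPs   = dynamic(["10.10.5.20", "10.10.5.21"]); // hypothetical SEPM IPs
SepSampleLogs
| where Computer in~ (SepServerNames) or HostIP in (SepServerIPs)
| where ProcessName =~ "SymantecServer"   // drop other daemons on the same hosts
// In the sample rows the second comma-separated token is the SEP event type.
| extend EventType = extract(@"^[^,]*,([^,]*),", 1, SyslogMessage)
// Pull the "Label: value" pairs out of the message body (labels are assumed).
| extend
    DstHostName = extract(@"Computer name: ([^,]*)", 1, SyslogMessage),
    DstIpAddr   = extract(@"IP Address: ([^,]*)", 1, SyslogMessage),
    RiskName    = extract(@"Risk name: ([^,]*)", 1, SyslogMessage),
    Occurrences = toint(extract(@"Occurrences: ([^,]*)", 1, SyslogMessage)),
    FilePath    = extract(@"File path: ([^,]*)", 1, SyslogMessage),
    ActionTaken = extract(@"Action taken: ([^,]*)", 1, SyslogMessage)
| project TimeGenerated, SepServer = Computer, SepServerIP = HostIP, EventType,
          DstHostName, DstIpAddr, RiskName, Occurrences, FilePath, ActionTaken
```

Running this returns the two SEP rows and excludes the firewall row. To use it on live data, replace `SepSampleLogs` with the `Syslog` table, put your real SEPM names or addresses in the two lists, and save the query as a function; keeping your edits in your own function rather than in the repository parser avoids the overwrite problem mentioned in the reply above.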
- Clive_Watson There are only 3 connectors from Symantec and SEP is not one of them. When I access it from the Content hub, it shows an error since my subscription is a CSP one. Any workaround?