SOLVED

How to configure Symantec endpoint protection manager logs using azure sentinel data connectors?


Hi team,

I am not able to add Symantec Endpoint Protection Manager logs to Sentinel. Can anyone help me with this?

6 Replies
best response confirmed by dkjagadabi (New Contributor)
Solution

@dkjagadabi 


Symantec have instructions: https://support.symantec.com/en_US/article.HOWTO130011.html 


You need to select the same Log analytics workspace to copy the logs to that you open with Sentinel.
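
One way to confirm that the workspace chosen for the Symantec logs is the one Sentinel reads from is to query that workspace directly. The KQL below is an added example, not part of the thread or of any Microsoft or Symantec documentation; it assumes the SEP Manager forwards its events over syslog to a Log Analytics agent (so they land in the standard `Syslog` table), and `SEP-MGR-01` is a constructed placeholder hostname.

```kusto
// Added check (not from the thread): run in the Log Analytics workspace that
// Sentinel is attached to. If rows come back, the SEP Manager events are in the
// right workspace; an empty result usually means the forwarder is pointed at a
// different workspace or nothing is being forwarded at all.
// Assumption: events arrive via syslog into the Syslog table.
Syslog
| where TimeGenerated > ago(1d)
// "SEP-MGR-01" is a constructed placeholder; use the hostname of your forwarding machine
| where Computer == "SEP-MGR-01" or SyslogMessage has "Symantec"
| summarize EventCount = count(), LastSeen = max(TimeGenerated)
    by Computer, Facility, SeverityLevel
| order by LastSeen desc
```

If this returns nothing, query the `Heartbeat` table for the same `Computer` first: a host with no heartbeat in the last hour has an agent problem rather than a workspace-selection problem.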

You might also want to check the Dashboards in GitHub as these appear to have been updated in the last week: https://github.com/Azure/Azure-Sentinel/tree/master/Dashboards

@CliveWatson This is a 404 link, I can't even access this doc when logged into the Broadcom site. Do you have an updated link by any chance?

No, this did not give me much. I am trying to figure out how to actually forward the logs. I also noticed you do not have a SEP connector yet. I see one in the repo but it's not active on our instance.

Is there any workaround to forward Symantec Endpoint Protection Manager logs to Azure Sentinel? @paulhoff