Collect Symantec Event Export logs

Supported in:

Google SecOps SIEM

This document describes how you can collect Symantec Event Export logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the following ingestion labels: SYMANTEC_EVENT_EXPORT and SEP.

Configure Symantec Event Export

Sign in to the SEP 15/14.2 console.
Select Integration.
Click Client Application and copy the Customer ID and Domain ID, which are used when you create a Google Security Operations feed.
Click + Add and provide an application name.
Click Add.
Go to the Details page and perform the following actions:
- In the Devices Group Management section, select View.
- In the Alerts & Events Rule Management section, select View.
- In the Investigation Incident section, select View.
Click Save.
Click the menu (vertical ellipses) located at the end of the application name and click Client Secret.
Copy the client ID and client secret, which are required when you configure the Google Security Operations feed.

Configure a feed in Google Security Operations to ingest Symantec Event Export logs

Go to SIEM Settings > Feeds.
Click Add New.
Enter a unique name for the Field Name.
Select Google Cloud Storage as the Source Type.
Select Symantec Event export as the Log Type
Click Get a Service Account. Google Security Operations provides a unique service account that Google Security Operations uses to ingest data.
Configure access for the service account to access the Cloud Storage objects. For more information, see Grant access to the Google Security Operations service account.
Click Next.
Configure the following mandatory input parameters:
- Storage bucket URI: specify the storage bucket URI.
- URI is a: specify the URI.
- Source deletion option: specify the source deletion option.
Click Next and then click Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation.

For information about requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser extracts fields from Symantec Event Export logs in JSON or SYSLOG format, normalizing and mapping them to the UDM. It handles various log structures, using grok patterns for SYSLOG and JSON parsing for JSON formatted logs, and maps fields to UDM entities like principal, target, network, and security_result.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`actor.cmd_line`	`principal.process.command_line`	The raw log's `actor.cmd_line` is mapped directly to the UDM.
`actor.file.full_path`	`principal.process.file.full_path`	The raw log's `actor.file.path` or `file.path` is mapped directly to the UDM.
`actor.file.md5`	`principal.process.file.md5`	The raw log's `actor.file.md5` is converted to lowercase and mapped directly to the UDM.
`actor.file.sha1`	`principal.process.file.sha1`	The raw log's `actor.file.sha1` is converted to lowercase and mapped directly to the UDM.
`actor.file.sha2`	`principal.process.file.sha256`	The raw log's `actor.file.sha2` or `file.sha2` is converted to lowercase and mapped directly to the UDM.
`actor.file.size`	`principal.process.file.size`	The raw log's `actor.file.size` is converted to a string and then to an unsigned integer and mapped directly to the UDM.
`actor.pid`	`principal.process.pid`	The raw log's `actor.pid` is converted to a string and mapped directly to the UDM.
`actor.user.domain`	`principal.administrative_domain`	The raw log's `actor.user.domain` is mapped directly to the UDM. If `connection.direction_id` is 1, it's mapped to `target.administrative_domain`.
`actor.user.name`	`principal.user.user_display_name`	The raw log's `actor.user.name` is mapped directly to the UDM. If `user_name` exists, it takes precedence.
`actor.user.sid`	`principal.user.windows_sid`	The raw log's `actor.user.sid` is mapped directly to the UDM.
`connection.direction_id`	`network.direction`	If `connection.direction_id` is 1 and `connection.dst_ip` exists, `network.direction` is set to `INBOUND`. If `connection.direction_id` is 2 and `connection.dst_ip` exists, `network.direction` is set to `OUTBOUND`.
`connection.dst_ip`	`target.ip`	The raw log's `connection.dst_ip` is mapped directly to the UDM.
`connection.dst_port`	`target.port`	The raw log's `connection.dst_port` is converted to an integer and mapped directly to the UDM.
`connection.src_ip`	`principal.ip`	The raw log's `connection.src_ip` is mapped directly to the UDM.
`connection.src_port`	`principal.port`	The raw log's `connection.src_port` is converted to an integer and mapped directly to the UDM. Handles cases where `connection.src_port` is an array.
`device_domain`	`principal.administrative_domain` or `target.administrative_domain`	The raw log's `device_domain` is mapped to `principal.administrative_domain` if `connection.direction_id` is not 1. If `connection.direction_id` is 1, it's mapped to `target.administrative_domain`.
`device_group`	`principal.group.group_display_name` or `target.group.group_display_name`	The raw log's `device_group` is mapped to `principal.group.group_display_name` if `connection.direction_id` is not 1. If `connection.direction_id` is 1, it's mapped to `target.group.group_display_name`.
`device_ip`	`src.ip`	The raw log's `device_ip` is mapped directly to the UDM.
`device_name`	`principal.hostname` or `target.hostname`	The raw log's `device_name` is mapped to `principal.hostname` if `connection.direction_id` is not 1. If `connection.direction_id` is 1, it's mapped to `target.hostname`.
`device_networks`	`intermediary.ip`, `intermediary.mac`	The raw log's `device_networks` array is processed. IPv4 and IPv6 addresses are merged into `intermediary.ip`. MAC addresses are converted to lowercase, hyphens are replaced with colons, and then merged into `intermediary.mac`.
`device_os_name`	`principal.platform_version` or `target.platform_version`	The raw log's `device_os_name` is mapped to `principal.platform_version` if `connection.direction_id` is not 1. If `connection.direction_id` is 1, it's mapped to `target.platform_version`.
`device_public_ip`	`principal.ip`	The raw log's `device_public_ip` is mapped directly to the UDM.
`device_uid`	`principal.resource.id` or `target.resource.id`	The raw log's `device_uid` is mapped to `principal.resource.id` if `connection.direction_id` is not 1. If `connection.direction_id` is 1, it's mapped to `target.resource.id`.
`feature_name`	`security_result.category_details`	The raw log's `feature_name` is mapped directly to the UDM.
`file.path`	`principal.process.file.full_path`	The raw log's `file.path` is mapped directly to the UDM. If `actor.file.path` exists, it takes precedence.
`file.sha2`	`principal.process.file.sha256`	The raw log's `file.sha2` is converted to lowercase and mapped directly to the UDM. If `actor.file.sha2` exists, it takes precedence.
`log_time`	`metadata.event_timestamp`	The raw log's `log_time` is parsed using various date formats and used as the event timestamp.
`message`	`security_result.summary` or `network.ip_protocol` or `metadata.description`	The raw log's `message` field is processed. If it contains "UDP", `network.ip_protocol` is set to "UDP". If it contains "IP", `network.ip_protocol` is set to "IP6IN4". If it contains "ICMP", `network.ip_protocol` is set to "ICMP". Otherwise, it's mapped to `security_result.summary`. If the `description` field exists, the `message` field is mapped to `metadata.description`.
`parent.cmd_line`	`principal.process.parent_process.command_line`	The raw log's `parent.cmd_line` is mapped directly to the UDM.
`parent.pid`	`principal.process.parent_process.pid`	The raw log's `parent.pid` is converted to a string and mapped directly to the UDM.
`policy.name`	`security_result.rule_name`	The raw log's `policy.name` is mapped directly to the UDM.
`policy.rule_name`	`security_result.description`	The raw log's `policy.rule_name` is mapped directly to the UDM.
`policy.rule_uid`	`security_result.rule_id`	The raw log's `policy.rule_uid` is mapped directly to the UDM. If `policy.uid` exists, it takes precedence.
`policy.uid`	`security_result.rule_id`	The raw log's `policy.uid` is mapped directly to the UDM.
`product_name`	`metadata.product_name`	The raw log's `product_name` is mapped directly to the UDM.
`product_uid`	`metadata.product_log_id`	The raw log's `product_uid` is mapped directly to the UDM.
`product_ver`	`metadata.product_version`	The raw log's `product_ver` is mapped directly to the UDM.
`severity_id`	`security_result.severity`	If `severity_id` is 1, 2, or 3, `security_result.severity` is set to `INFORMATIONAL`. If it's 4, it's set to `ERROR`. If it's 5, it's set to `CRITICAL`.
`threat.id`	`security_result.threat_id`	The raw log's `threat.id` is converted to a string and mapped directly to the UDM.
`threat.name`	`security_result.threat_name`	The raw log's `threat.name` is mapped directly to the UDM.
`type_id`	`metadata.event_type`, `metadata.product_event_type`	Used in conjunction with other fields to determine the appropriate `metadata.event_type` and `metadata.product_event_type`.
`user_email`	`principal.user.email_addresses`	The raw log's `user_email` is merged into the UDM.
`user_name`	`principal.user.user_display_name`	The raw log's `user_name` is mapped directly to the UDM.
`uuid`	`target.process.pid`	The raw log's `uuid` is parsed to extract the process ID, which is mapped to `target.process.pid`.
N/A	`metadata.vendor_name`	Set to "SYMANTEC".
N/A	`metadata.log_type`	Set to "SYMANTEC_EVENT_EXPORT".
N/A	`principal.resource.resource_type`	Set to "DEVICE" when `connection.direction_id` is not 1 or is empty.
N/A	`target.resource.resource_type`	Set to "DEVICE" when `connection.direction_id` is 1.

Changes

2023-11-07

Added support for SYSLOG format logs.
Added "not null" checks to "parent.cmd_line", "parent.pid", "actor.pid", "actor.cmd_line", "device_name", "device_group", "device_os_name", "device_group", "device_domain", "device_uid" prior mapping to UDM.
Mapped "device_name" to "principal.hostname".
Mapped "user_name" to "principal.user.user_display_name".
Mapped "actor.user.name" to "principal.user.user_display_name".
Mapped "actor.user.domain" to "principal.administrative_domain".
Mapped "actor.user.sid" to "principal.user.windows_sid".
Mapped "actor.file.size" to "principal.process.file.size".
Mapped "device_public_ip" to "principal.ip".
Mapped "device_networks.ipv6" to "intermediary.ip".
Mapped "user_email" to "principal.user.email_addresses".

2022-08-19

enhancement - reduced generic event percentage.
Mapped "type_id" to event.idm.read_only_udm.metadata.event_type
Parsed logs for type_id = 21