Collect Symantec Event Export logs

Supported in:

This document describes how you can collect Symantec Event Export logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the following ingestion labels: SYMANTEC_EVENT_EXPORT and SEP.

Configure Symantec Event Export

  1. Sign in to the SEP 15/14.2 console.
  2. Select Integration.
  3. Click Client Application and copy the Customer ID and Domain ID, which are used when you create a Google Security Operations feed.
  4. Click + Add and provide an application name.
  5. Click Add.
  6. Go to the Details page and perform the following actions:
    • In the Devices Group Management section, select View.
    • In the Alerts & Events Rule Management section, select View.
    • In the Investigation Incident section, select View.
  7. Click Save.
  8. Click the menu (vertical ellipses) located at the end of the application name and click Client Secret.
  9. Copy the client ID and client secret, which are required when you configure the Google Security Operations feed.

Configure a feed in Google Security Operations to ingest Symantec Event Export logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New.
  3. Enter a unique name for the Field Name.
  4. Select Google Cloud Storage as the Source Type.
  5. Select Symantec Event export as the Log Type
  6. Click Get a Service Account. Google Security Operations provides a unique service account that Google Security Operations uses to ingest data.
  7. Configure access for the service account to access the Cloud Storage objects. For more information, see Grant access to the Google Security Operations service account.
  8. Click Next.
  9. Configure the following mandatory input parameters:
    • Storage bucket URI: specify the storage bucket URI.
    • URI is a: specify the URI.
    • Source deletion option: specify the source deletion option.
  10. Click Next and then click Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation.

For information about requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser extracts fields from Symantec Event Export logs in JSON or SYSLOG format, normalizing and mapping them to the UDM. It handles various log structures, using grok patterns for SYSLOG and JSON parsing for JSON formatted logs, and maps fields to UDM entities like principal, target, network, and security_result.

UDM Mapping Table

Log Field UDM Mapping Logic
actor.cmd_line principal.process.command_line The raw log's actor.cmd_line is mapped directly to the UDM.
actor.file.full_path principal.process.file.full_path The raw log's actor.file.path or file.path is mapped directly to the UDM.
actor.file.md5 principal.process.file.md5 The raw log's actor.file.md5 is converted to lowercase and mapped directly to the UDM.
actor.file.sha1 principal.process.file.sha1 The raw log's actor.file.sha1 is converted to lowercase and mapped directly to the UDM.
actor.file.sha2 principal.process.file.sha256 The raw log's actor.file.sha2 or file.sha2 is converted to lowercase and mapped directly to the UDM.
actor.file.size principal.process.file.size The raw log's actor.file.size is converted to a string and then to an unsigned integer and mapped directly to the UDM.
actor.pid principal.process.pid The raw log's actor.pid is converted to a string and mapped directly to the UDM.
actor.user.domain principal.administrative_domain The raw log's actor.user.domain is mapped directly to the UDM. If connection.direction_id is 1, it's mapped to target.administrative_domain.
actor.user.name principal.user.user_display_name The raw log's actor.user.name is mapped directly to the UDM. If user_name exists, it takes precedence.
actor.user.sid principal.user.windows_sid The raw log's actor.user.sid is mapped directly to the UDM.
connection.direction_id network.direction If connection.direction_id is 1 and connection.dst_ip exists, network.direction is set to INBOUND. If connection.direction_id is 2 and connection.dst_ip exists, network.direction is set to OUTBOUND.
connection.dst_ip target.ip The raw log's connection.dst_ip is mapped directly to the UDM.
connection.dst_port target.port The raw log's connection.dst_port is converted to an integer and mapped directly to the UDM.
connection.src_ip principal.ip The raw log's connection.src_ip is mapped directly to the UDM.
connection.src_port principal.port The raw log's connection.src_port is converted to an integer and mapped directly to the UDM. Handles cases where connection.src_port is an array.
device_domain principal.administrative_domain or target.administrative_domain The raw log's device_domain is mapped to principal.administrative_domain if connection.direction_id is not 1. If connection.direction_id is 1, it's mapped to target.administrative_domain.
device_group principal.group.group_display_name or target.group.group_display_name The raw log's device_group is mapped to principal.group.group_display_name if connection.direction_id is not 1. If connection.direction_id is 1, it's mapped to target.group.group_display_name.
device_ip src.ip The raw log's device_ip is mapped directly to the UDM.
device_name principal.hostname or target.hostname The raw log's device_name is mapped to principal.hostname if connection.direction_id is not 1. If connection.direction_id is 1, it's mapped to target.hostname.
device_networks intermediary.ip, intermediary.mac The raw log's device_networks array is processed. IPv4 and IPv6 addresses are merged into intermediary.ip. MAC addresses are converted to lowercase, hyphens are replaced with colons, and then merged into intermediary.mac.
device_os_name principal.platform_version or target.platform_version The raw log's device_os_name is mapped to principal.platform_version if connection.direction_id is not 1. If connection.direction_id is 1, it's mapped to target.platform_version.
device_public_ip principal.ip The raw log's device_public_ip is mapped directly to the UDM.
device_uid principal.resource.id or target.resource.id The raw log's device_uid is mapped to principal.resource.id if connection.direction_id is not 1. If connection.direction_id is 1, it's mapped to target.resource.id.
feature_name security_result.category_details The raw log's feature_name is mapped directly to the UDM.
file.path principal.process.file.full_path The raw log's file.path is mapped directly to the UDM. If actor.file.path exists, it takes precedence.
file.sha2 principal.process.file.sha256 The raw log's file.sha2 is converted to lowercase and mapped directly to the UDM. If actor.file.sha2 exists, it takes precedence.
log_time metadata.event_timestamp The raw log's log_time is parsed using various date formats and used as the event timestamp.
message security_result.summary or network.ip_protocol or metadata.description The raw log's message field is processed. If it contains "UDP", network.ip_protocol is set to "UDP". If it contains "IP", network.ip_protocol is set to "IP6IN4". If it contains "ICMP", network.ip_protocol is set to "ICMP". Otherwise, it's mapped to security_result.summary. If the description field exists, the message field is mapped to metadata.description.
parent.cmd_line principal.process.parent_process.command_line The raw log's parent.cmd_line is mapped directly to the UDM.
parent.pid principal.process.parent_process.pid The raw log's parent.pid is converted to a string and mapped directly to the UDM.
policy.name security_result.rule_name The raw log's policy.name is mapped directly to the UDM.
policy.rule_name security_result.description The raw log's policy.rule_name is mapped directly to the UDM.
policy.rule_uid security_result.rule_id The raw log's policy.rule_uid is mapped directly to the UDM. If policy.uid exists, it takes precedence.
policy.uid security_result.rule_id The raw log's policy.uid is mapped directly to the UDM.
product_name metadata.product_name The raw log's product_name is mapped directly to the UDM.
product_uid metadata.product_log_id The raw log's product_uid is mapped directly to the UDM.
product_ver metadata.product_version The raw log's product_ver is mapped directly to the UDM.
severity_id security_result.severity If severity_id is 1, 2, or 3, security_result.severity is set to INFORMATIONAL. If it's 4, it's set to ERROR. If it's 5, it's set to CRITICAL.
threat.id security_result.threat_id The raw log's threat.id is converted to a string and mapped directly to the UDM.
threat.name security_result.threat_name The raw log's threat.name is mapped directly to the UDM.
type_id metadata.event_type, metadata.product_event_type Used in conjunction with other fields to determine the appropriate metadata.event_type and metadata.product_event_type.
user_email principal.user.email_addresses The raw log's user_email is merged into the UDM.
user_name principal.user.user_display_name The raw log's user_name is mapped directly to the UDM.
uuid target.process.pid The raw log's uuid is parsed to extract the process ID, which is mapped to target.process.pid.
N/A metadata.vendor_name Set to "SYMANTEC".
N/A metadata.log_type Set to "SYMANTEC_EVENT_EXPORT".
N/A principal.resource.resource_type Set to "DEVICE" when connection.direction_id is not 1 or is empty.
N/A target.resource.resource_type Set to "DEVICE" when connection.direction_id is 1.

Changes

2023-11-07

  • Added support for SYSLOG format logs.
  • Added "not null" checks to "parent.cmd_line", "parent.pid", "actor.pid", "actor.cmd_line", "device_name", "device_group", "device_os_name", "device_group", "device_domain", "device_uid" prior mapping to UDM.
  • Mapped "device_name" to "principal.hostname".
  • Mapped "user_name" to "principal.user.user_display_name".
  • Mapped "actor.user.name" to "principal.user.user_display_name".
  • Mapped "actor.user.domain" to "principal.administrative_domain".
  • Mapped "actor.user.sid" to "principal.user.windows_sid".
  • Mapped "actor.file.size" to "principal.process.file.size".
  • Mapped "device_public_ip" to "principal.ip".
  • Mapped "device_networks.ipv6" to "intermediary.ip".
  • Mapped "user_email" to "principal.user.email_addresses".

2022-08-19

  • enhancement - reduced generic event percentage.
  • Mapped "type_id" to event.idm.read_only_udm.metadata.event_type
  • Parsed logs for type_id = 21