Symantec Epm

LogZilla App Store application: Symantec Epm

Overview

Symantec Endpoint Protection (SEP) is an enterprise security suite that protects endpoints from malware, viruses, and network threats. SEP provides antivirus, firewall, intrusion prevention, and application control capabilities. The client firewall component generates events for blocked traffic, policy violations, and potential security threats. The events this app parses are the firewall (traffic) log entries that Symantec Endpoint Protection Manager (SEPM) forwards to syslog on behalf of its managed clients.

App Function

  • Parse Symantec EPM firewall events from dedicated syslog port
  • Extract source/destination IPs, ports, protocols, and applications
  • Identify blocked traffic and policy violations
  • Map security events to MITRE ATT&CK techniques
  • Categorize events with Event Class: security
  • Provide dashboards for threat analysis and endpoint monitoring

Vendor Documentation

Device Configuration

LogZilla Dedicated Port

Symantec EPM requires a dedicated syslog port:

  1. Navigate to Settings > System > Application Ports
  2. Set Symantec Endpoint Protection syslog port (e.g., 5520)
  3. Click Save

Both TCP and UDP listeners are enabled on the configured port.

SEPM Syslog Configuration

  1. Log in to Symantec Endpoint Protection Manager console
  2. Navigate to Admin > Servers > Local Site
  3. Right-click the management server and select Edit Site Properties
  4. Select the Log Settings tab
  5. Check Enable transmission of logs to a Syslog server
  6. Enter the LogZilla server IP and the dedicated port configured above
  7. Select UDP or TCP (TCP is preferable where the network allows it, since UDP offers no delivery guarantee; the LogZilla port listens on both)
  8. Click OK to save

Firewall Policy Logging

  1. In SEPM, navigate to Policies > Firewall
  2. Edit the firewall policy applied to endpoints
  3. Under Logging, ensure firewall events are logged
  4. Apply the policy to client groups

Verification

Generate firewall events on a managed endpoint (for example, by attempting a connection that the applied firewall policy blocks), then confirm in LogZilla that the events arrive on the dedicated port with the Vendor tag set to Symantec and Event Class set to security.

Incoming Log Format

Symantec EPM firewall events use the following format. Each event is a single syslog line (wrapped here for readability); the body is comma-separated and positional, since the Local: and Remote: labels repeat. The Rule field may arrive double-quoted or bare, and both forms appear in the examples below, so a parser must accept either.

```text
<date> <host> <device>: <id>,Local: <src_ip>,Local: <src_port>,Local: <src_mac>,
Remote: <dst_ip>,Remote: <dst_host>,Remote: <dst_port>,Remote: <dst_mac>,
<proto>,<dir>,Begin: <begin>,End: <end>,Occurrences: <count>,
Application: <app>,"Rule: <rule>",Location: <loc>,User: <user>,
Domain: <domain>,Action: <action>
```

Parsed Metadata Fields

| Tag Name        | Example        | Description                                              |
|-----------------|----------------|----------------------------------------------------------|
| Event Class     | security       | Cross-vendor classification                              |
| SEP Device      | workstation-01 | Endpoint device name                                     |
| SrcIP           | 192.168.1.100  | Source IP address                                        |
| DstIP           | 10.0.0.1       | Destination IP address                                   |
| DstPort         | https          | Destination port (resolved to a service name where known) |
| Protocol        | TCP            | Network protocol                                         |
| Direction       | outbound       | Traffic direction                                        |
| SEP Application | chrome.exe     | Application triggering event                             |
| SEP Rule        | Block All      | Firewall rule that matched                               |
| User            | jdoe           | Username                                                 |
| Action          | blocked        | Action taken                                             |

Log Examples

Allowed Traffic

```text
May  5 12:34:56 hostname device1: id1,Local: 10.0.0.1,Local: 1234,
Local: 01:23:45:67:89:ab,Remote: 192.168.1.1,Remote: example.com,
Remote: 80,Remote: ff:ff:ff:ff:ff:ff,TCP,inbound,
Begin: 2023-05-05 12:00:00,End: 2023-05-05 12:30:00,Occurrences: 10,
Application: HTTP,"Rule: Allow web traffic",Location: Office,
User: jdoe,Domain: EXAMPLE,Action: allow
```

Blocked Outbound Traffic

```text
Jun 15 08:22:33 server firewall1: blocked_conn,Local: 192.168.1.50,
Local: 54321,Local: aa:bb:cc:dd:ee:ff,Remote: 10.10.10.10,
Remote: malware.bad,Remote: 443,Remote: 11:22:33:44:55:66,TCP,outbound,
Begin: 2023-06-15 08:20:00,End: 2023-06-15 08:22:33,Occurrences: 5,
Application: unknown.exe,Rule: Block malware,Location: Default,
User: admin,Domain: CORP,Action: blocked
```

MITRE ATT&CK Mappings

| Event                          | MITRE ID | Technique                         | Tactic              |
|--------------------------------|----------|-----------------------------------|---------------------|
| Blocked outbound traffic       | T1071    | Application Layer Protocol        | Command and Control |
| Blocked inbound traffic        | T1595    | Active Scanning                   | Reconnaissance      |
| Unknown/suspicious application | T1204    | User Execution                    | Execution           |
| PowerShell/script blocked      | T1059    | Command and Scripting Interpreter | Execution           |
| PsExec/WMIC blocked            | T1570    | Lateral Tool Transfer             | Lateral Movement    |
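The following is an added example, not code from the LogZilla app or from Symantec: it parses the traffic-log format given under Incoming Log Format (positional body, repeated Local:/Remote: labels, optionally quoted Rule field) and then applies the MITRE ATT&CK table above to the parsed event. The first two sample lines are the page's own examples joined onto single lines; the third is constructed. The service-name table, the list of script hosts treated as T1059 and the list of tools treated as T1570, and the choice to return every matching row rather than a single one, are assumptions of this example.

```python
"""Parse SEP firewall (traffic-log) syslog lines and map blocked events to ATT&CK.
Example code for this page; the name lists and service table below are assumptions."""
import csv
import re
import socket
from typing import Optional

# Syslog header as shown on this page: "<date> <host> <device>: <body>".
_HEADER = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<device>[^:\s]+): (?P<body>.*)$"
)

# Positional layout of the comma-separated body: (field name, required label or None).
# "Local:" and "Remote:" repeat, so the column position, not the label, identifies a field.
_LAYOUT = [
    ("id", None), ("src_ip", "Local"), ("src_port", "Local"), ("src_mac", "Local"),
    ("dst_ip", "Remote"), ("dst_host", "Remote"), ("dst_port", "Remote"),
    ("dst_mac", "Remote"), ("proto", None), ("direction", None), ("begin", "Begin"),
    ("end", "End"), ("occurrences", "Occurrences"), ("application", "Application"),
    ("rule", "Rule"), ("location", "Location"), ("user", "User"), ("domain", "Domain"),
    ("action", "Action"),
]

# Assumed service names for the "resolved" DstPort tag; getservbyport() is only a
# fallback so results do not depend on the host's /etc/services.
_SERVICES = {22: "ssh", 80: "http", 443: "https", 445: "microsoft-ds", 3389: "ms-wbt-server"}
_SCRIPT_HOSTS = {"powershell", "pwsh", "cscript", "wscript"}  # assumed T1059 set
_LATERAL_TOOLS = {"psexec", "wmic"}                            # assumed T1570 set


def resolve_port(port: str, proto: str) -> str:
    """Return a service name for a numeric port, or the port text unchanged."""
    try:
        number = int(port)
    except ValueError:
        return port
    if number in _SERVICES:
        return _SERVICES[number]
    try:
        return socket.getservbyport(number, proto.lower())
    except (OSError, OverflowError):
        return port


def parse_sep_firewall(line: str) -> Optional[dict]:
    """Parse one line; return None for anything that does not fit the layout."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    # csv splits on commas and strips the optional double quotes around the Rule field.
    fields = next(csv.reader([m.group("body")]))
    if len(fields) != len(_LAYOUT):
        return None
    event = {"date": m.group("date"), "host": m.group("host"), "sep_device": m.group("device")}
    for (name, label), raw in zip(_LAYOUT, fields):
        raw = raw.strip()
        if label is not None:
            if not raw.startswith(label + ":"):
                return None  # label out of place: refuse rather than mis-assign columns
            raw = raw[len(label) + 1:].strip()
        event[name] = raw
    event["direction"] = event["direction"].lower()
    event["action"] = event["action"].lower()
    event["occurrences"] = int(event["occurrences"])
    event["dst_port_name"] = resolve_port(event["dst_port"], event["proto"])
    return event


def mitre_techniques(event: dict) -> list:
    """Apply the page's mapping table; allowed traffic maps to nothing.  Several rows can
    apply to one event (an unknown app blocked outbound), so all matches are returned,
    application-based rows before direction-based ones."""
    if event["action"] not in ("blocked", "block"):
        return []
    app = event["application"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem = app.rsplit(".", 1)[0] if "." in app else app
    hits = []
    if stem in _LATERAL_TOOLS:
        hits.append(("T1570", "Lateral Movement"))
    if stem in _SCRIPT_HOSTS:
        hits.append(("T1059", "Execution"))
    if stem in ("", "unknown"):
        hits.append(("T1204", "Execution"))
    if event["direction"] == "outbound":
        hits.append(("T1071", "Command and Control"))
    elif event["direction"] == "inbound":
        hits.append(("T1595", "Reconnaissance"))
    return hits


# The page's two examples joined onto single lines, plus one constructed inbound line.
SAMPLE_LINES = [
    "May  5 12:34:56 hostname device1: id1,Local: 10.0.0.1,Local: 1234,"
    "Local: 01:23:45:67:89:ab,Remote: 192.168.1.1,Remote: example.com,"
    "Remote: 80,Remote: ff:ff:ff:ff:ff:ff,TCP,inbound,"
    "Begin: 2023-05-05 12:00:00,End: 2023-05-05 12:30:00,Occurrences: 10,"
    'Application: HTTP,"Rule: Allow web traffic",Location: Office,'
    "User: jdoe,Domain: EXAMPLE,Action: allow",
    "Jun 15 08:22:33 server firewall1: blocked_conn,Local: 192.168.1.50,"
    "Local: 54321,Local: aa:bb:cc:dd:ee:ff,Remote: 10.10.10.10,"
    "Remote: malware.bad,Remote: 443,Remote: 11:22:33:44:55:66,TCP,outbound,"
    "Begin: 2023-06-15 08:20:00,End: 2023-06-15 08:22:33,Occurrences: 5,"
    "Application: unknown.exe,Rule: Block malware,Location: Default,"
    "User: admin,Domain: CORP,Action: blocked",
    # Constructed: an inbound probe of local port 22 blocked by a Block All rule.
    "Jul  1 03:14:15 server firewall1: blocked_conn,Local: 192.168.1.50,"
    "Local: 22,Local: aa:bb:cc:dd:ee:ff,Remote: 203.0.113.7,Remote: ,"
    "Remote: 50555,Remote: 00:00:00:00:00:00,TCP,inbound,"
    "Begin: 2023-07-01 03:14:10,End: 2023-07-01 03:14:15,Occurrences: 40,"
    "Application: System,Rule: Block All,Location: Default,"
    "User: SYSTEM,Domain: CORP,Action: blocked",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = parse_sep_firewall(line)
        if event is None:
            print("unparsed:", line[:60])
            continue
        print(event["sep_device"], event["action"], event["dst_port_name"], mitre_techniques(event))
```

Rejecting a line whose labels are not where the layout expects them (rather than assigning whatever is in that column) is deliberate: a shifted column would otherwise put a MAC address or rule name into the DstIP field and feed a wrong value to the triggers above.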

Triggers

| Trigger                                         | Description                     |
|-------------------------------------------------|---------------------------------|
| Symantec EPM: MITRE ATT&CK Threat Detected      | Catch-all for MITRE events      |
| Symantec EPM: Outbound Blocked (T1071)          | Potential C2 communication      |
| Symantec EPM: Reconnaissance Blocked (T1595)    | Inbound scan/probe blocked      |
| Symantec EPM: Suspicious Execution (T1204)      | Unknown application blocked     |
| Symantec EPM: Script Execution (T1059)          | PowerShell/script blocked       |
| Symantec EPM: Lateral Movement (T1570)          | PsExec/WMIC blocked             |

Dashboards

| Dashboard              | Purpose                                             |
|------------------------|-----------------------------------------------------|
| Symantec EPM: Overview | Blocked traffic, MITRE analysis, endpoint monitoring |