Hi,
We are using a SIEM to help ingest the SEP logs (those sent by the syslog configuration) and we have noticed that the logs in the application include fields that are not present in the logs sent via syslog:
Examples are:

Network and Host Exploit Mitigation: Attack
Fields not present in Splunk:
- Event Type
- Event Time
- Severity
- Alert
- Send Snmp Trap
- Hardware Key
- OS Type
- Site Name
- Group Name

Symantec Risk
Fields present in Symantec, not in Splunk:
- Risk Severity
- Discovered
- Risk Detection Method
- Event Type
- Performance Impact
- Overall Rating
- Detection Reason
- Minimum Sensitivity Level

Fields found in Splunk but not in Symantec:
- Signing Timestamp
- Source
- Last Update Time
- Source IP
- Web Domain
- Hash Type
- Application Name
- Application Version
- Application Type

Symantec Scan
Fields in Symantec and not in Splunk:
- Operating System
- User Name
- Group
- Server
- Status
- Scan Type
Thanks,
Andrew