This document explains the changes required to apply new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project for the Syslog - Symantec Endpoint Server log source type.
Prerequisites
-
Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
-
Enable the new MPE rules in the LogRhythm System Monitor.
-
Select log source type Syslog - Symantec Endpoint Server.
-
Enable log processing policy LogRhythm Default v2.0.
For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.
-
Supported Log Messages
The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.
|
Log Message Type |
Event Type |
|---|---|
|
V 2.0 : Catch All : SEPM System Events |
General System Information |
|
V 2.0 : General SEP LiveUpdate Information |
General LiveUpdate Information |
|
V 2.0 : Inbound SEP Host Packet Events |
General Traffic Log |
|
V 2.0 : Inbound SEP Host Traffic Events |
General Traffic Log |
|
V 2.0 : Inbound SEP Malcious Activity Detected |
General Attack Activity |
|
V 2.0 : Outbound SEP Host Packet Events |
General Traffic Log |
|
V 2.0 : Outbound SEP Host Traffic Events |
General Traffic Log |
|
V 2.0 : Outbound SEP Malcious Activity Detected |
General Attack Activity |
|
V 2.0 : SEP Administrative Events |
General Administrative Operation |
|
V 2.0 : SEP General Agent Activity Messages |
General System Information |
|
V 2.0 : SEP General Agent System Messages |
General System Information |
|
V 2.0 : SEP General Object Access Message |
General Information |
|
V 2.0 : SEP General Suspicious Activity Detected |
Suspicious Activity |
|
V 2.0 : SEP Logs Purged |
Logs Swept |
|
V 2.0 : SEP Malware Scan Information |
Scan Activity |
|
V 2.0 : SEP Policy Information |
General POLICY Information |
|
V 2.0 : SEP SONAR General Susp. Activity Detected |
Suspicious Activity |
|
V 2.0 : SEP Update Information |
Update Server Information |
Log Processing Policy Updates
This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.
Updates to AIE Rules
The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with the new log source type Syslog - Symantec Endpoint Server. The Change Details column indicates where the new log source type was added.
|
AIE Rules |
Change Details |
|---|---|
|
NIST 800-53 : Error Condition Rule |
Removed Application and Vendor Message ID from Group By. |
|
NIST 800-53 : Internal : Malware Activity From Multiple Hosts Rule |
Removed Application from Group By. |
|
NIST 800-53 : Malware Rule |
Removed Vendor Message ID from Group By. |
|
CSC: Repeat Attacks Against a Host |
Removed Vendor Message ID from Group By. |
|
CSF: Antivirus Critical Condition Rule |
Removed existing Primary Criteria. Removed Host (Origin) Group By. Added new Primary Criteria:
|
|
CSF: Antivirus Error Condition Rule |
Removed existing Primary Criteria. Removed Host (Origin) Group By. Added new Primary Criteria:
|
|
CSF: Intrnl Malware from Mltpl Hosts |
Removed Group By:
|
|
CSF: Malware Rule |
Removed Group By:
|
|
NERC-CIP: System Critical/Error Status Rule |
Removed Group By:
|
|
NERC-CIP: Malware Detected Rule |
Removed Group By:
|
|
SOX: Malware Alert |
Removed Group By:
|
|
MAS: Malware Alert |
Removed Group By:
|
|
PCI-DSS: Antivirus Failure Alert Rule |
Removed existing Primary Criteria. Removed Application Group By. Added new Primary Criteria:
|
|
PCI-DSS: Malware Alert |
Removed Group By:
|
|
CCF: PRD Envir Config/Policy Change Alarm |
Removed Group By:
|
Updates to System Reports
-
No changes
Updates to System Report Templates
-
No changes
Updates to System Tails
-
No changes
Updates to System Investigations
-
No changes