Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| Catch All - Symantec AntiVirus | Base Rule | General Symantec AntiVirus Information | Information |
| EVID 2 : Scan Complete | Sub Rule | Scan Complete | Other Audit Success |
| EVID 3 : Scan Started | Sub Rule | Scan Started | Information |
| EVID 6 : Error | Sub Rule | Anti-Virus Error Message | Error |
| EVID 7 : New Virus File Downloaded | Sub Rule | File Download | Information |
| EVID 12 : Symantec Endpoint Protection | Sub Rule | General Symantec AntiVirus Information | Information |
| EVID 13 : Shutdown Successful | Sub Rule | System Startup Or Shutdown Activity | Startup and Shutdown |
| EVID 14 : Startup Successful | Sub Rule | System Startup Or Shutdown Activity | Startup and Shutdown |
| EVID 16 : New File Request Successful | Sub Rule | Request Approved | Other Audit Success |
| EVID 21 : Scan Cancelled | Sub Rule | Scan Cancelled | Warning |
| EVID 40 : Virus Definition Missing | Sub Rule | Virus Definitions Are Not Up To Date | Warning |
| EVID 45 : Security Risk Detected | Sub Rule | Suspicious Network Activity | Suspicious |
| EVID 51 : Security Risk Detected | Sub Rule | Suspicious Activity | Suspicious |
| EVID 65 : Scan Suspended | Sub Rule | Scan Stopped | Information |
| EVID 66 : Scan Resumed | Sub Rule | Scan Resumed | Information |
| EVID 69 : Scan Failure | Sub Rule | Scan Failure - Password Protected | Warning |
| EVID 80 : Download Failed | Sub Rule | Download Object Failure | Access Failure |
| EVID 34054 : SONAR Enabled | Sub Rule | Configuration Enabled : System | Configuration |
| EVID 34057 | Sub Rule | Configuration Enabled : Security | Configuration |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Symantec AntiVirus'/><EventID Qualifiers='33023'>80</EventID><Level>Error</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2020-07-08T07:45:14.000000000Z'/><EventRecordID>613862</EventRecordID><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security/></System><EventData><Data>

Symantec Endpoint Protection has failed to load the latest virus definitions.</Data></EventData></Event>

Mapping with LogRhythm Schema

| Device Key in log message | Log Value | LogRhythm Schema | Data Type |
| --- | --- | --- | --- |
| Provider Name | Symantec AntiVirus | <vendorinfo> | Text/String |
| EventID Qualifiers | 80 | <vmid> | Number |
| Level | Error | <severity> | Text/String |
| N/A | N/A | <login> | Text/String |
| N/A | N/A | <domainorigin> | Text/String |
| Computer | _destinationhostname | <dname> | Text/String |
| N/A | N/A | <object> | Text/String |
| N/A | N/A | <objectname> | Text/String |
| N/A | N/A | <objecttype> | Text/String |
| N/A | N/A | <parentprocesspath> | Text/String |
| N/A | N/A | <command> | Text/String |
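The following is an added example, not LogRhythm's own parser or Symantec code: it reads the sample event above as Windows event XML, pulls out the device keys the mapping table names (Provider Name, EventID, Level, Computer), and resolves the EVID against the rule table to the common event and classification. Function names (`parse_event`, `map_to_logrhythm`) and the dictionary layout are assumptions; the sample event is a constructed copy of the one shown on this page. Events from any other provider are rejected so the Symantec rules are never applied to unrelated Application-channel records, and an EVID without a sub rule falls through to the base rule exactly as the table describes.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the sample event on this page (Symantec AntiVirus, EVID 80).
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Symantec AntiVirus'/>"
    "<EventID Qualifiers='33023'>80</EventID><Level>Error</Level><Task>None</Task>"
    "<Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2020-07-08T07:45:14.000000000Z'/>"
    "<EventRecordID>613862</EventRecordID><Channel>Application</Channel>"
    "<Computer>_destinationhostname</Computer><Security/></System>"
    "<EventData><Data>\n"
    "Symantec Endpoint Protection has failed to load the latest virus definitions."
    "</Data></EventData></Event>"
)

# Default namespace of the Windows event schema; every element in the record lives in it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

PROVIDER = "Symantec AntiVirus"

# EVID -> (common event, classification), transcribed from the rule table above.
SUB_RULES = {
    2: ("Scan Complete", "Other Audit Success"),
    3: ("Scan Started", "Information"),
    6: ("Anti-Virus Error Message", "Error"),
    7: ("File Download", "Information"),
    12: ("General Symantec AntiVirus Information", "Information"),
    13: ("System Startup Or Shutdown Activity", "Startup and Shutdown"),
    14: ("System Startup Or Shutdown Activity", "Startup and Shutdown"),
    16: ("Request Approved", "Other Audit Success"),
    21: ("Scan Cancelled", "Warning"),
    40: ("Virus Definitions Are Not Up To Date", "Warning"),
    45: ("Suspicious Network Activity", "Suspicious"),
    51: ("Suspicious Activity", "Suspicious"),
    65: ("Scan Stopped", "Information"),
    66: ("Scan Resumed", "Information"),
    69: ("Scan Failure - Password Protected", "Warning"),
    80: ("Download Object Failure", "Access Failure"),
    34054: ("Configuration Enabled : System", "Configuration"),
    34057: ("Configuration Enabled : Security", "Configuration"),
}
# Base rule that catches every Symantec AntiVirus event without a sub rule.
CATCH_ALL = ("Catch All - Symantec AntiVirus",
             "General Symantec AntiVirus Information", "Information")


def parse_event(xml_text):
    """Extract the device keys the mapping table uses from one Windows event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        # The table maps the EventID element's value (80 here), not its Qualifiers attribute.
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "level": system.findtext("e:Level", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "message": root.findtext("e:EventData/e:Data", default="", namespaces=NS).strip(),
    }


def map_to_logrhythm(event):
    """Map parsed keys onto the schema fields and resolve the EVID to a rule.

    Returns None for events from any other provider, so the Symantec rules never
    fire on unrelated records in the Application channel.
    """
    if event["provider"] != PROVIDER:
        return None
    if event["event_id"] in SUB_RULES:
        common_event, classification = SUB_RULES[event["event_id"]]
        rule = f"EVID {event['event_id']}"
    else:
        rule, common_event, classification = CATCH_ALL
    return {
        "rule": rule,
        "common_event": common_event,
        "classification": classification,
        "vendorinfo": event["provider"],
        "vmid": event["event_id"],
        "severity": event["level"],
        "dname": event["computer"],
        # Fields the table marks N/A for this log source carry no value.
        "login": None, "domainorigin": None, "object": None, "objectname": None,
        "objecttype": None, "parentprocesspath": None, "command": None,
    }


if __name__ == "__main__":
    for field, value in map_to_logrhythm(parse_event(SAMPLE_EVENT)).items():
        print(f"{field:>18}: {value}")
```

Run it as a script to print the mapped fields for the sample event; the sample resolves to EVID 80, common event "Download Object Failure", classification "Access Failure", with `dname` set to the computer name and `severity` to the Level text.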