Symantec Endpoint Protection Integration

Symantec Endpoint Protection

Version: Symantec-Endpoint-Protection Version 12.1.6 to 14.

Symantec Endpoint Protection, developed by Symantec Corporation, is an antivirus and personal firewall software for centrally managed corporate environments providing security for both servers and workstations. Netsurion support for Symantec’s Antivirus and IDS/IPS events is now available. Symantec’s security policy will consist of specific rules enabled with logging used to capture and send to Netsurion. These events will be auto-identified, if enabled, and parsed into the Netsurion report tables for later review.

Netsurion Data Source Integration for Symantec Endpoint Protection allows you to monitor the following components:-

Operations - Agent created and deleted, Application blocked, Auto-protect disabled, Device disabled, Intrusion prevention disabled and Security risk detected
Security - New Risks Detected in the Network, TruScan Proactive Threat Detection Over Time, TruScan Proactive Threat Distribution, Detected Risks Not Confirmed and Permitted Applications
Compliance - Virus detected, Web attack blocked, Virus deletion failed, At Risk Computers and Confirmed Risks

Once Symantec Endpoint Protection is configured to deliver events to Netsurion Manager; alerts, dashboards and reports can be configured into Netsurion.

Some of the Data Source Integrations available in Netsurion are listed below.

Alerts

Type	Name	Description
Security	SEP - Live update started	This alert is generated when live update has been started.
Security	SEP - No update found	This alert is generated when no update are to be found.
Security	SEP - Remediation action failed	This alert is generated when remediation action fails.
Security	SEP - Remediation action pending	This alert is generated when remediation action is pending.
Security	SEP - Scan stopped	This alert is generated when scan is stopped.
Security	SEP - Security risk found	This alert is generated when security risk is found.
Compliance	SEP - Service shutdown	This alert is generated when service is shutdown.
Compliance	SEP - Virus detected	This alert is generated when virus is detected.
Compliance	SEP - Whitelist failure	This alert is generated when whitelist fails.
Compliance	SEP - Web attack blocked	This alert is generated when web attack is blocked.

Reports

Type	Name	Description
Security	SEP - New Risks detected in the network	This report has been generated when a new set of risk has been detected in a network.
Security	SEP - TruScan proactive threat detection over time	This report has been generated when a threat has been detected over a period of time during a scan.
Security	SEP - TruScan proactive threat distribution	This report has been generated when a threat has been distributed during a scan.
Security	SEP - Detected risks not confirmed	This report has been generated when a risk has been detected but it has not been confirmed as a risk.
Security	SEP - Permitted applications	This report has been generated when an application has been given permission.
Compliance	SEP - Virus detected	This report has been generated when a virus has been detected in the system.
Compliance	SEP - Web attack blocked	This report has been generated when a web attack has been blocked.
Compliance	SEP - Virus deletion failed	This report has been generated when a virus has been detected and SEP tries to delete it but fails to delete.
Compliance	SEP - At risk computers	This report has been generated when a computer has been detected as a risk.
Compliance	SEP - Confirmed risks	This report has been generated when a risk has been detected and has been confirmed as a risk.

Documentation

The configuration details in this guide are consistent with Netsurion version 8.X and later, Symantec Endpoint Protection version 12.1.6 to 14.

Download Integration Guide for more information.