Endpoint Protection

  • 1.  Endpoint Manager Log filter operators

    Posted Sep 16, 2015 12:11 PM

    Issue: I am attempting to use operators within the "advanced filter" section of log searching. My goal is to obtain port scan logs from any IP address with the exception of a single internal IP. The only operators I see available, however, are (*) and (?) within the "remote IP address" field. Ideally, my search would be: * NOT <ip address>.

     

    Exact location within product: I am using the Symantec Endpoint Protection Manager web console. Under Monitors > Logs > Log Type: Network Threat Protection > Advanced Filters

     

    Does anyone have advice on how to exclude specific IP addresses from the log search? In this case, I have internal vulnerability scanners that trigger valid port scans and would like to ignore their logs within this specific filter.



  • 2.  RE: Endpoint Manager Log filter operators

    Posted Sep 16, 2015 12:19 PM

    The filters (*) and (?) are only for including data; there isn't a filter to exclude.

    Quickest I guess would be to export to CSV and import into Excel and filter based on that need.



  • 3.  RE: Endpoint Manager Log filter operators

    Trusted Advisor
    Posted Sep 16, 2015 03:30 PM

    Hello,

    These logs could be easily exported.

    Once exported you could easily use your techniques as provided in the articles below -

    Metrics using data from SEPM

    Metrics using data from SEPM (Part2)

    Metrics using data from SEPM (part three)

     

    Regards,



  • 4.  RE: Endpoint Manager Log filter operators

    Posted Sep 16, 2015 11:26 PM

    Your best bet is to simply export the attack log as a CSV file and filter for port scan attacks; you can easily filter out a specific IP address of your wish in the remote IP column.
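Replies 2 and 4 both suggest exporting the Network Threat Protection log to CSV and doing the exclusion outside the console. The script below is an added example, not code from the thread or from Symantec, that does exactly that exclusion over an exported file: keep only "Port Scan" events and drop rows whose remote IP matches an exclusion list. It goes slightly beyond the single-IP case in the question by accepting CIDR ranges too, which is convenient when several internal vulnerability scanners sit in one subnet. The column names ("Event Type", "Remote Host IP") and the sample rows are constructed for illustration; the column names in a real SEPM export may differ, so check the header of your own file and pass the right names.

```python
import csv
import io
import ipaddress

# Constructed sample resembling an SEPM Network Threat Protection export.
# Column names are assumed for illustration; verify them against your own export.
SAMPLE_CSV = """Time Stamp,Event Type,Severity,Host Name,Local Host IP,Remote Host IP,Remote Host Name,Description
2015-09-16 10:01:22,Port Scan,Major,WS-001,10.0.1.15,10.0.9.5,vulnscan01,Port Scan detected
2015-09-16 10:02:05,Port Scan,Major,WS-002,10.0.1.16,203.0.113.44,,Port Scan detected
2015-09-16 10:03:40,Denial of Service,Critical,WS-003,10.0.1.17,198.51.100.7,,SYN flood
2015-09-16 10:04:11,Port Scan,Major,WS-004,10.0.1.18,10.0.9.6,vulnscan02,Port Scan detected
2015-09-16 10:05:59,Port Scan,Major,WS-005,10.0.1.19,192.0.2.200,,Port Scan detected
"""


def parse_exclusions(entries):
    """Turn a list of IPs and/or CIDR strings into ip_network objects.

    A bare address such as "10.0.9.5" becomes a /32 (or /128) network, so single
    hosts and whole scanner subnets can be mixed in one list.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def remote_ip_excluded(ip_text, networks):
    """True if ip_text parses as an address contained in any excluded network.

    A blank or malformed field is never treated as excluded: the safe failure mode
    is to keep the row for a human to look at rather than silently drop it.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(ip in net for net in networks)


def filter_port_scans(csv_text, exclude, event_col="Event Type",
                      remote_col="Remote Host IP", event_name="Port Scan"):
    """Return the Port Scan rows whose remote IP is NOT in the exclusion list.

    This is the "* NOT <ip address>" query the console cannot express.
    """
    networks = parse_exclusions(exclude)
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get(event_col, "").strip().lower() != event_name.lower():
            continue  # not a port scan event; the console filter handles this part
        if remote_ip_excluded(row.get(remote_col, ""), networks):
            continue  # known internal scanner; drop it
        kept.append(row)
    return kept


def filter_export_file(in_path, out_path, exclude, **kwargs):
    """File-to-file wrapper: read a SEPM export, write the filtered rows as CSV."""
    with open(in_path, newline="", encoding="utf-8-sig") as fh:
        text = fh.read()
    rows = filter_port_scans(text, exclude, **kwargs)
    fieldnames = next(csv.DictReader(io.StringIO(text))).keys() if rows else []
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(fieldnames))
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    # Exclude one scanner host (the question's case), then a whole scanner subnet.
    for exclusions in (["10.0.9.5"], ["10.0.9.0/24"]):
        print("Excluding", exclusions)
        for r in filter_port_scans(SAMPLE_CSV, exclusions):
            print("  ", r["Time Stamp"], r["Host Name"], "<-", r["Remote Host IP"])
```

Run it on a real export as `filter_export_file("ntp_export.csv", "port_scans_minus_scanners.csv", ["10.0.9.5"])`; if your export's header uses different column names, pass them via `event_col=` and `remote_col=`. Exporting with the console's "Port Scan" filter already applied keeps the file small, and the script's own event-type check is then just a safety net.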