Endpoint Protection

  • 1.  Download-Website URL-Field in Log-Messages

    Posted Sep 27, 2016 03:51 AM

    Hello all,

    Does any of you know which field in the log messages from the Symantec Endpoint Protection Server contains the Download-Website value that is visible on the client system when viewing a Security Alarm?

    When I look at a Security Alarm (Security Risk found or Virus found) on the client system, I can see the URL the file was downloaded from.

    I want to see this value in our SIEM solution.

    Thanks in advance.




  • 2.  RE: Download-Website URL-Field in Log-Messages

    Trusted Advisor
    Posted Sep 27, 2016 07:15 AM

    Hello,

    Which SIEM are you using? Are you using Syslog for SEP logs, or do you have the SEP Collector?

    Clients upload their logs to SEPM on heartbeat, and whenever logs are written to the database they are forwarded to Syslog/SIEM.

    Admin -> Servers -> Local Site -> Configure External Logging

    Once done, configure the logs:

    (attached screenshot: Syslog_conf.JPG)




  • 3.  RE: Download-Website URL-Field in Log-Messages

    Posted Sep 27, 2016 07:48 AM

    I don't know what SIEM you use, but mine is in a field simply called 'URL'.
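Whatever the field ends up being called in a given SIEM, the practical task on the collector side is to pull the download-location field out of each forwarded risk event so it can be indexed and correlated. The following is an added example, not code from the thread or from Symantec: it parses a comma-separated list of "Key: value" pairs, which is the shape assumed here for a SEPM syslog risk event, and looks for the URL under a few candidate names. The field names in URL_FIELD_CANDIDATES (other than 'URL', which the reply above reports) and both sample events are constructed assumptions and should be checked against real SEPM output.

```python
"""Extract the download-URL field from SEP-style risk events on the SIEM side.

Added example; the event layout and field names are assumptions, not
documented SEPM behaviour. Verify them against your own syslog output.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Candidate field names, in order of preference. 'URL' is the name one reply
# in the thread reports; the other two are assumptions.
URL_FIELD_CANDIDATES = ("Download site", "URL", "Web domain")

# Split only on commas that start a new "Key: value" pair, so commas inside a
# value (a file path or a URL with a comma in it) stay with that value.
# Limitation: a value that itself contains ", Word: " would still be split.
_PAIR_SPLIT = re.compile(r",(?=[A-Za-z][A-Za-z0-9 ]*: )")

# Constructed sample events in the assumed "Event type,Key: value,..." shape.
SAMPLE_EVENTS: List[str] = [
    "Security risk found,IP Address: 10.0.0.25,Computer name: WS-0123,"
    "Source: Auto-Protect scan,Risk name: Trojan.Gen.2,Occurrences: 1,"
    "File path: C:\\Users\\alice\\Downloads\\invoice.exe,"
    "Actual action: Quarantined,Requested action: Quarantined,"
    "Event time: 2016-09-27 08:15:03,Domain: Default,"
    "Group: My Company\\Workstations,User: alice,"
    "Download site: http://example.invalid/files/invoice.exe,"
    "Web domain: example.invalid,Downloaded by: chrome.exe",
    # A scheduled-scan hit with no download information at all.
    "Virus found,IP Address: 10.0.0.31,Computer name: WS-0199,"
    "Source: Scheduled scan,Risk name: W32.Sample.Test,Occurrences: 1,"
    "File path: D:\\share\\tool.exe,Actual action: Cleaned,"
    "Event time: 2016-09-27 09:02:44,Domain: Default,User: bob",
]


def parse_risk_event(line: str) -> Dict[str, str]:
    """Turn one event line into a dict; the leading fragment without a
    'Key: ' prefix is stored under 'Event type'."""
    fields: Dict[str, str] = {}
    for fragment in _PAIR_SPLIT.split(line.strip()):
        key, sep, value = fragment.partition(": ")
        if not sep:
            fields.setdefault("Event type", key.strip())
        else:
            fields[key.strip()] = value.strip()
    return fields


def extract_download_url(fields: Dict[str, str]) -> Optional[str]:
    """Return the first non-empty candidate URL field, or None if the event
    carries no download information (e.g. a scheduled-scan detection)."""
    for name in URL_FIELD_CANDIDATES:
        value = fields.get(name, "").strip()
        if value and value.upper() != "N/A":
            return value
    return None


def url_host(url: str) -> str:
    """Hostname part of the URL, handy as a separate indexed SIEM field."""
    return urlsplit(url).hostname or ""


def summarize(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Reduce raw events to the fields an analyst wants to pivot on."""
    rows = []
    for line in lines:
        fields = parse_risk_event(line)
        url = extract_download_url(fields)
        rows.append({
            "computer": fields.get("Computer name"),
            "risk": fields.get("Risk name"),
            "download_url": url,
            "download_host": url_host(url) if url else None,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

Running the block on the constructed events yields one row with the download URL and its host and one row where both are None, which is the case a SIEM mapping has to tolerate rather than treat as a parse failure.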



  • 4.  RE: Download-Website URL-Field in Log-Messages

    Posted Sep 27, 2016 07:58 AM

    Hello Mithun,

    Thanks for your reply.

    We are using an ArcSight SmartConnector which is specially designed for SEPM. There are no problems or issues with this connector.

    My question is which specific field contains the download URL of the file.

    Maybe, to understand my problem better:

    When you are using the SmartConnector for SEPM, you have a default set of values which are displayed in ArcSight. But you can add other values, like the MD5 hash of the suspicious file, to the fields which are displayed in ArcSight. I am now searching for the value which contains the download URL of the file, because, as I mentioned in the beginning, it is present in the SEP client on the client system.