Endpoint Protection Small Business Edition

  • 1.  Need Better Visibility of Attacker IP Address in IPS Alerts

    Posted Apr 29, 2017 12:14 PM

    Greetings.

    I am trying to find a local source of the Attacker IP address in the IPS alerts. I've checked the Event Logs and the log files under \ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs to no avail.

    Am I missing it somewhere?

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Symantec Network Protection" />
        <EventID Qualifiers="0">400</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-04-24T07:10:14.000000000Z" />
        <EventRecordID>123456</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Server.domain</Computer>
        <Security />
      </System>
      <EventData>
        <Data>[SID: 27349] System Infected: GhostNet Backdoor Activity 3 attack blocked. Traffic has been blocked for this application: SYSTEM</Data>
      </EventData>
    </Event>

    A high-risk intrusion was detected on Server within group Servers on 4/24/2017 2:10:14 AM.

    IPS Alert Name:        Attack: an intrusion attempt was blocked.
    Status:                Blocked
    Attack Signature:      System Infected: Ghostnet Backdoor Activity
    Targeted Application:  SYSTEM
    Targeted IP:           192.168.1.2
    Targeted Port Number:  443
    Targeted Host Name:    N/A

    Symantec.cloud - Endpoint Protection, SEP-12.1.7166.6700
    Windows Server 2008 R2 Standard

    Adding it into the alert email would be okay too, as I can process those with automation, but a local source would be ideal.

    Best,
    Tim
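
    Added example (not from the original post, and not Symantec's code): a small Python parser for the two local sources quoted above, an exported copy of the "Symantec Network Protection" Application-log record and the body of the Symantec.cloud alert e-mail. It shows which fields each source actually carries: the event record yields the SID, signature name, action and targeted application but no remote address, while the e-mail text carries the targeted IP and port. Both sample inputs are constructed from the post; the regex's tolerance for messages that lack the "Traffic has been blocked for this application" tail is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Application-log record from the post, as exported XML.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Symantec Network Protection" />
    <EventID Qualifiers="0">400</EventID>
    <Level>3</Level>
    <TimeCreated SystemTime="2017-04-24T07:10:14.000000000Z" />
    <EventRecordID>123456</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Server.domain</Computer>
  </System>
  <EventData>
    <Data>[SID: 27349] System Infected: GhostNet Backdoor Activity 3 attack blocked. Traffic has been blocked for this application: SYSTEM</Data>
  </EventData>
</Event>"""

# Constructed sample: the alert e-mail body from the post as label/value line pairs.
SAMPLE_ALERT_EMAIL = """A high-risk intrusion was detected on Server within group Servers on 4/24/2017 2:10:14 AM.

IPS Alert Name
Attack: an intrusion attempt was blocked.
Status
Blocked
Attack Signature
System Infected: Ghostnet Backdoor Activity
Targeted Application
SYSTEM
Targeted IP
192.168.1.2
Targeted Port Number
443
Targeted Host Name
N/A
"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Message shape as seen in the post. The "Traffic has been blocked ..." tail is
# optional here; that it can be absent is an assumption, not shown by the post.
MESSAGE_RE = re.compile(
    r"^\[SID:\s*(?P<sid>\d+)\]\s*(?P<signature>.+?)\s+attack\s+(?P<action>\w+)\."
    r"(?:\s*Traffic has been blocked for this application:\s*(?P<application>.+?))?\s*$"
)

# Fixed e-mail field labels from the post, mapped to dict keys.
EMAIL_LABELS = {
    "IPS Alert Name": "alert_name",
    "Status": "status",
    "Attack Signature": "signature",
    "Targeted Application": "application",
    "Targeted IP": "targeted_ip",
    "Targeted Port Number": "targeted_port",
    "Targeted Host Name": "targeted_host",
}


def parse_sep_event(xml_text):
    """Parse one Symantec Network Protection event record into a dict.

    Only fields present in the record are returned; there is deliberately no
    'attacker_ip' key because the record carries no remote address.
    """
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.find("e:Computer", NS).text,
        "time_utc": system.find("e:TimeCreated", NS).get("SystemTime"),
        "record_id": int(system.find("e:EventRecordID", NS).text),
    }
    data = root.find("e:EventData/e:Data", NS)
    message = data.text.strip() if data is not None and data.text else ""
    record["message"] = message
    m = MESSAGE_RE.match(message)
    if m:  # structured fields are only filled when the message matches
        record["sid"] = int(m.group("sid"))
        record["signature"] = m.group("signature")
        record["action"] = m.group("action")
        record["application"] = m.group("application")
    return record


def parse_sep_alert_email(body):
    """Turn the label/value lines of an IPS alert e-mail into a dict.

    Each known label is followed by its value on the next non-empty line; a
    leading sentence that is not a label is kept under 'summary'.
    """
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    result, i = {}, 0
    if lines and lines[0] not in EMAIL_LABELS:
        result["summary"], i = lines[0], 1
    while i < len(lines) - 1:
        if lines[i] in EMAIL_LABELS:
            result[EMAIL_LABELS[lines[i]]] = lines[i + 1]
            i += 2
        else:
            i += 1
    return result
```

    Feeding both samples through shows the gap the post describes: the event record gives signature 27349 and the targeted application, the e-mail adds the targeted IP and port, and neither contains the remote (attacker) address.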



  • 2.  RE: Need Better Visibility of Attacker IP Address in IPS Alerts

    Posted May 01, 2017 11:46 AM

    From the IPS log in SEPM, open the details portion and it should show the remote IP (attacker).



  • 3.  RE: Need Better Visibility of Attacker IP Address in IPS Alerts

    Posted May 19, 2017 07:39 AM

    Thanks, Brian. I should have been more clear...

    Is there a local source that can be read programmatically, such as a log file, event log entry, etc. with this information?

    (I'm not using SEPM -- only the Symantec hosted endpoint site for management, so not sure if SEPM would log this to a file or event log itself.)

    Best,
    Tim