Greetings.
I am trying to find a local source of Attacker IP address in the IPS alerts. I've checked Event Logs and log files under \ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs to no avail.
Am I missing it somewhere?
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Symantec Network Protection" />
    <EventID Qualifiers="0">400</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-04-24T07:10:14.000000000Z" />
    <EventRecordID>123456</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Server.domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[SID: 27349] System Infected: GhostNet Backdoor Activity 3 attack blocked. Traffic has been blocked for this application: SYSTEM</Data>
  </EventData>
</Event>
A high-risk intrusion was detected on Server within group Servers on 4/24/2017 2:10:14 AM.
IPS Alert Name
Attack: an intrusion attempt was blocked.
Status
Blocked
Attack Signature
System Infected: Ghostnet Backdoor Activity
Targeted Application
SYSTEM
Targeted IP
192.168.1.2
Targeted Port Number
443
Targeted Host Name
N/A
Symantec.cloud - Endpoint Protection SEP-12.1.7166.6700
Windows Server 2008R2 Standard
Adding it into the alert email would be okay too, as I can process those with automation, but a local source would be ideal.
Best,
Tim
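As an added example (not from the post or from Symantec), a small Python parser for the two records quoted above: it pulls out the fields the Application event and the alert e-mail actually carry, and looks for an assumed "Attacker IP" e-mail label that the current e-mail does not have, so the lookup comes back empty. The sample event and e-mail text are constructed from the post.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Message layout of the Symantec Network Protection event 400 quoted in the post.
DATA_RE = re.compile(r"\[SID: (?P<sid>\d+)\] (?P<signature>.+?) attack blocked\. "
                     r"Traffic has been blocked for this application: (?P<app>\S+)")
# E-mail labels (each on its own line, value on the next). "Attacker IP" is an
# assumed label for the field the post asks about; it is not in the sample.
ALERT_LABELS = {"IPS Alert Name", "Status", "Attack Signature", "Targeted Application",
                "Targeted IP", "Targeted Port Number", "Targeted Host Name", "Attacker IP"}

# Constructed samples modelled on the post, not captured from a live system.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Symantec Network Protection" /><EventID Qualifiers="0">400</EventID>
<Computer>Server.domain</Computer></System>
<EventData><Data>[SID: 27349] System Infected: GhostNet Backdoor Activity 3 attack blocked. Traffic has been blocked for this application: SYSTEM</Data></EventData></Event>"""
ALERT_EMAIL = """IPS Alert Name
Attack: an intrusion attempt was blocked.
Attack Signature
System Infected: Ghostnet Backdoor Activity
Targeted IP
192.168.1.2
Targeted Port Number
443"""

def parse_event_xml(xml_text):
    """Fields the Application event carries: its EventData holds only the
    message string, so there is no remote-address element to read."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"provider": system.find("e:Provider", NS).get("Name"),
           "event_id": int(system.findtext("e:EventID", namespaces=NS)),
           "computer": system.findtext("e:Computer", namespaces=NS)}
    m = DATA_RE.search(root.findtext("e:EventData/e:Data", default="", namespaces=NS))
    if m:
        rec.update(sid=int(m["sid"]), signature=m["signature"], app=m["app"])
    return rec

def parse_alert_email(body):
    """Map each known label to the line that follows it."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return {ln: lines[i + 1] for i, ln in enumerate(lines[:-1]) if ln in ALERT_LABELS}

def attacker_ip(email_fields):
    """Remote address from the e-mail if present, else None; the event log
    record cannot supply it."""
    return email_fields.get("Attacker IP")
```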