QRadar supports Symantec Endpoint Protection out of the box; see the IBM Knowledge Center link below for the DSM.
Symantec Endpoint DSM
Symantec Endpoint Protection (SEP) is made up of several endpoint security modules, such as HIPS, the firewall and SONAR.
We usually see virus-related logs like this one:
<54>Apr 10 00:00:25 Symantec Server SEPBEDPROD: Virus found,IP Address: 10.0.1.5,Computer name: af73075-pc,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 2,****SUMMARIZED DATA****,,Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2012-04-02 17:00:00,Inserted: 2012-04-02 18:00:00,End: 2012-04-02 17:59:59,Domain: Default,Group: My Company\MITRE Production Desktop\MAC Prod,Server: SEPBEDPROD,User: ,Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,0,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes)
Less well known are the "Risk found" / "Detected" logs, which indicate some kind of compromise; say, for example, Symantec detects a hacking tool like mimikatz.
In that case we get a "Risk found" alert and not a virus alert. So what is the problem?
For some unknown reason all Symantec risk alerts are written under both the System and the Malware category, but they are categorized as System and Warning. This basically means our malware rules WOULD NOT WORK, because they are tied to the high-level category, so we won't get any related offense!
Screenshot: System category view
Screenshot: Malware category view
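The root of the problem is that the rule keys on the category QRadar assigns rather than on the SEP event name, and "Virus found" and "Risk found" are both detections. Inside QRadar the DSM does the parsing for you; the following added Python example (not code from this post, IBM or Symantec) shows the same idea outside QRadar: split a SEP syslog line into its "Key: value" fields, select detections by event name, and additionally flag ones whose "Actual action" is "Left alone", which in the post's own sample line means the EICAR file was never touched. The "Virus found" line is the one from the post; the "Risk found" and "Scan started" lines, the hostnames, user and risk name in them, and the set of unremediated actions are constructed for the example.

```python
"""Parse Symantec Endpoint Protection (SEP) syslog lines and pick out
detections by their SEP event name ('Virus found' / 'Risk found') rather
than by the high-level category QRadar assigns to them.

Added example; not code from the post, IBM or Symantec. SAMPLE_LOGS[0]
is the 'Virus found' line from the post; the 'Risk found' and
'Scan started' lines, hostnames, user and risk name are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# SEP event names that are endpoint detections. The SEP DSM files
# 'Virus found' under Malware but 'Risk found' under System, so a rule
# keyed on the Malware category never sees the second kind.
DETECTION_EVENTS = {"Virus found", "Risk found"}

# 'Actual action' values meaning SEP detected but did not neutralise the
# file. Only the value from the post's sample is listed; extend as needed.
UNREMEDIATED_ACTIONS = {"Left alone"}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>"                                            # syslog PRI
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "  # Apr 10 00:00:25
    r"(?P<source>.+?): "                                          # 'Symantec Server SEPBEDPROD'
    r"(?P<body>.*)$"                                              # 'Virus found,IP Address: ...'
)


@dataclass
class SepEvent:
    event_type: str                                   # first comma-separated token
    fields: Dict[str, str]                            # 'Key: value' tokens
    extras: List[str] = field(default_factory=list)   # tokens without a key

    def get(self, key: str, default: str = "") -> str:
        return self.fields.get(key, default)


def parse_sep_event(line: str) -> Optional[SepEvent]:
    """Split one SEP syslog line into event type plus key/value fields."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("body").split(",")
    fields: Dict[str, str] = {}
    extras: List[str] = []
    for token in tokens[1:]:
        if ": " in token:                        # 'Risk name: EICAR Test String'
            key, value = token.split(": ", 1)
            fields[key.strip()] = value.strip()
        elif token.strip().endswith(":"):        # 'User:' with an empty value
            fields[token.strip()[:-1]] = ""
        elif token.strip():                      # '****SUMMARIZED DATA****', '0', ...
            extras.append(token.strip())
    return SepEvent(tokens[0].strip(), fields, extras)


def is_detection(event: SepEvent) -> bool:
    """True for any SEP detection, whatever category the DSM maps it to."""
    return event.event_type in DETECTION_EVENTS


def is_unremediated(event: SepEvent) -> bool:
    """Detection where SEP's own action left the file in place."""
    return is_detection(event) and event.get("Actual action") in UNREMEDIATED_ACTIONS


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Reduce raw SEP lines to the detections a malware rule should act on."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_sep_event(line)
        if ev is None or not is_detection(ev):
            continue
        hits.append({
            "event_type": ev.event_type,
            "risk": ev.get("Risk name"),
            "computer": ev.get("Computer name"),
            "ip": ev.get("IP Address"),
            "action": ev.get("Actual action"),
            "unremediated": is_unremediated(ev),
        })
    return hits


SAMPLE_LOGS = [
    # Verbatim 'Virus found' line from the post.
    r"<54>Apr 10 00:00:25 Symantec Server SEPBEDPROD: Virus found,IP Address: 10.0.1.5,"
    r"Computer name: af73075-pc,Source: Real Time Scan,Risk name: EICAR Test String,"
    r"Occurrences: 2,****SUMMARIZED DATA****,,Actual action: Left alone,"
    r"Requested action: Left alone,Secondary action: Left alone,Event time: 2012-04-02 17:00:00,"
    r"Inserted: 2012-04-02 18:00:00,End: 2012-04-02 17:59:59,Domain: Default,"
    r"Group: My Company\MITRE Production Desktop\MAC Prod,Server: SEPBEDPROD,User: ,"
    r"Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,"
    r"Downloaded by: null,Prevalence: Reputation was not used in this detection.,"
    r"Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,"
    r"First Seen: Reputation was not used in this detection.,Sensitivity: Low,0,"
    r"Application hash: ,Hash type: SHA1,Company name: ,Application name: ,"
    r"Application version: ,Application type: -1,File size (bytes)",
    # Constructed 'Risk found' line (host, user and risk name are made up).
    r"<54>Apr 10 00:05:12 Symantec Server SEPBEDPROD: Risk found,IP Address: 10.0.1.7,"
    r"Computer name: fin-ws-12,Source: Auto-Protect scan,Risk name: Hacktool.Mimikatz,"
    r"Occurrences: 1,,,Actual action: Quarantined,Requested action: Quarantined,"
    r"Secondary action: Left alone,Event time: 2012-04-02 17:05:00,Domain: Default,"
    r"Group: My Company\Finance,Server: SEPBEDPROD,User: jdoe,Disposition: Bad",
    # Constructed non-detection line; triage() must ignore it.
    r"<54>Apr 10 00:06:00 Symantec Server SEPBEDPROD: Scan started,Scan ID: 12345,"
    r"Begin: 2012-04-02 17:06:00,Computer name: fin-ws-12",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        flag = "UNREMEDIATED" if hit["unremediated"] else "handled"
        print(f'{hit["event_type"]:<12} {hit["risk"]:<20} on {hit["computer"]} '
              f'({hit["ip"]}): {hit["action"]} [{flag}]')
```

Run as a script it lists both detections, with the post's EICAR event flagged as unremediated and the constructed quarantined Hacktool event as handled, while the scan line is dropped. Matching on the event name is the same thing the reference-set-of-QIDs approach described below achieves inside QRadar: the rule no longer depends on the category the DSM happened to choose.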
How can we deal with it? Luckily we are using QRadar, so it's pretty easy.
First, open the Admin tab and choose Reference Sets.
Create a new reference set and name it something you will remember.
Use the Numeric type and add the QIDs listed below:
Now use this reference set in a rule or in a building block.