-
Notifications
You must be signed in to change notification settings - Fork 61
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #110 from rathbuna/master
Add/Update Symantec Maps
- Loading branch information
Showing
18 changed files
with
649 additions
and
2 deletions.
There are no files selected for viewing
35 changes: 35 additions & 0 deletions
35
evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_100.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Symantec Endpoint Protection client is online and able to access the management server | ||
| EventId: 100 | ||
| Channel: "Symantec Endpoint Protection Client" | ||
| Provider: "Symantec Endpoint Protection Client" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%PayloadData1%" | ||
| Values: | ||
| - | ||
| Name: PayloadData1 | ||
| Value: "/Event/EventData/Data" | ||
|
|
||
| # Documentation: | ||
| # https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html | ||
| # | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Symantec Endpoint Protection Client" /> | ||
| # <EventID Qualifiers="0">100</EventID> | ||
| # <Level>4</Level> | ||
| # <Task>1</Task> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" /> | ||
| # <EventRecordID>43376</EventRecordID> | ||
| # <Channel>Symantec Endpoint Protection Client</Channel> | ||
| # <Computer>HOSTNAME.domain</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data>Symantec Endpoint Protection client is online and able to access the management server.</Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
35 changes: 35 additions & 0 deletions
35
evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_101.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Symantec Endpoint Protection client is unable to connect to the management server | ||
| EventId: 101 | ||
| Channel: "Symantec Endpoint Protection Client" | ||
| Provider: "Symantec Endpoint Protection Client" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%PayloadData1%" | ||
| Values: | ||
| - | ||
| Name: PayloadData1 | ||
| Value: "/Event/EventData/Data" | ||
|
|
||
| # Documentation: | ||
| # https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html | ||
| # | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Symantec Endpoint Protection Client" /> | ||
| # <EventID Qualifiers="0">101</EventID> | ||
| # <Level>4</Level> | ||
| # <Task>1</Task> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" /> | ||
| # <EventRecordID>43376</EventRecordID> | ||
| # <Channel>Symantec Endpoint Protection Client</Channel> | ||
| # <Computer>HOSTNAME.domain</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data>Symantec Endpoint Protection client is unable to connect to the management server.</Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
37 changes: 37 additions & 0 deletions
37
evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_12.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Configuration changed | ||
| EventId: 12 | ||
| Channel: "Symantec Endpoint Protection Client" | ||
| Provider: "Symantec Endpoint Protection Client" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%PayloadData1%" | ||
| Values: | ||
| - | ||
| Name: PayloadData1 | ||
| Value: "/Event/EventData/Data" | ||
|
|
||
| # Documentation: | ||
| # https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html | ||
| # | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Symantec Endpoint Protection Client" /> | ||
| # <EventID Qualifiers="16639">12</EventID> | ||
| # <Level>4</Level> | ||
| # <Task>0</Task> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2021-02-12 04:33:35.0000000" /> | ||
| # <EventRecordID>49724</EventRecordID> | ||
| # <Channel>Symantec Endpoint Protection Client</Channel> | ||
| # <Computer>HOSTNAME.domain</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data> | ||
| # | ||
| # Changed value 'HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\Security\UseScanNetDrivePassword' from '0' to '1'</Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
35 changes: 35 additions & 0 deletions
35
evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_129.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Reputation check timed out during unproven file evaluation, likely due to network delays | ||
| EventId: 129 | ||
| Channel: "Symantec Endpoint Protection Client" | ||
| Provider: "Symantec Endpoint Protection Client" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%PayloadData1%" | ||
| Values: | ||
| - | ||
| Name: PayloadData1 | ||
| Value: "/Event/EventData/Data" | ||
|
|
||
| # Documentation: | ||
| # https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html | ||
| # | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Symantec Endpoint Protection Client" /> | ||
| # <EventID Qualifiers="0">129</EventID> | ||
| # <Level>4</Level> | ||
| # <Task>1</Task> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" /> | ||
| # <EventRecordID>43376</EventRecordID> | ||
| # <Channel>Symantec Endpoint Protection Client</Channel> | ||
| # <Computer>HOSTNAME.domain</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data>Reputation check timed out during unproven file evaluation, likely due to network delays.</Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
37 changes: 37 additions & 0 deletions
37
evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_2.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Scan stopped | ||
| EventId: 2 | ||
| Channel: "Symantec Endpoint Protection Client" | ||
| Provider: "Symantec Endpoint Protection Client" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%PayloadData1%" | ||
| Values: | ||
| - | ||
| Name: PayloadData1 | ||
| Value: "/Event/EventData/Data" | ||
|
|
||
| # Documentation: | ||
| # https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html | ||
| # | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Symantec Endpoint Protection Client" /> | ||
| # <EventID Qualifiers="16639">2</EventID> | ||
| # <Level>4</Level> | ||
| # <Task>0</Task> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2020-05-15 08:00:45.0000000" /> | ||
| # <EventRecordID>43501</EventRecordID> | ||
| # <Channel>Symantec Endpoint Protection Client</Channel> | ||
| # <Computer>HOSTNAME.domain</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data> | ||
| # | ||
| # Scan Complete: Risks: 0 Scanned: 610 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 679</Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
46 changes: 46 additions & 0 deletions
46
evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_200.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Content downloaded successfully to the client | ||
| EventId: 200 | ||
| Channel: "Symantec Endpoint Protection Client" | ||
| Provider: "Symantec Endpoint Protection Client" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%PayloadData1%" | ||
| Values: | ||
| - | ||
| Name: PayloadData1 | ||
| Value: "/Event/EventData/Data" | ||
|
|
||
| # Documentation: | ||
| # https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html | ||
| # | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Symantec Endpoint Protection Client" /> | ||
| # <EventID Qualifiers="0">200</EventID> | ||
| # <Level>4</Level> | ||
| # <Task>1</Task> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" /> | ||
| # <EventRecordID>43376</EventRecordID> | ||
| # <Channel>Symantec Endpoint Protection Client</Channel> | ||
| # <Computer>HOSTNAME.domain</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data>Content downloaded successfully to the client | ||
| # | ||
| # Product: SEPC Iron Revocation List 14.0 | ||
| # Version: MicroDefsB.CurDefs | ||
| # Language: SymAllLanguages | ||
| # Moniker: {810D5A61-809F-49c2-BD75-177F066792BA} | ||
| # Sequence: 200615040 | ||
| # Publish Date: Monday, June 15, 2020 | ||
| # Revision: 040 | ||
| # Source: Symantec Endpoint Protection Manager | ||
| # Remote File Path: FILEPATHHERE | ||
| # Size: 91892 bytes</Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
45 changes: 45 additions & 0 deletions
45
evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_201.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Content download to the client failed | ||
| EventId: 201 | ||
| Channel: "Symantec Endpoint Protection Client" | ||
| Provider: "Symantec Endpoint Protection Client" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%PayloadData1%" | ||
| Values: | ||
| - | ||
| Name: PayloadData1 | ||
| Value: "/Event/EventData/Data" | ||
|
|
||
| # Documentation: | ||
| # https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html | ||
| # | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Symantec Endpoint Protection Client" /> | ||
| # <EventID Qualifiers="0">201</EventID> | ||
| # <Level>4</Level> | ||
| # <Task>1</Task> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" /> | ||
| # <EventRecordID>43376</EventRecordID> | ||
| # <Channel>Symantec Endpoint Protection Client</Channel> | ||
| # <Computer>HOSTNAME.domain</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data>Content download to the client failed | ||
| # | ||
| # Product: SEPC Iron Revocation List 14.0 | ||
| # Version: MicroDefsB.CurDefs | ||
| # Language: SymAllLanguages | ||
| # Moniker: {810D5A61-809F-49c2-BD75-16790647D2BA} | ||
| # Sequence: 2006130679 | ||
| # Publish Date: Saturday, June 13, 2020 | ||
| # Revision: 034 | ||
| # Source: Symantec Endpoint Protection Manager | ||
| # Remote File Path: FILEPATHHERE | ||
| # Size: 58575 bytes</Data># <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
44 changes: 44 additions & 0 deletions
44
evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_202.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Symantec Endpoint Protection client is online and able to access the management server | ||
| EventId: 202 | ||
| Channel: "Symantec Endpoint Protection Client" | ||
| Provider: "Symantec Endpoint Protection Client" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%PayloadData1%" | ||
| Values: | ||
| - | ||
| Name: PayloadData1 | ||
| Value: "/Event/EventData/Data" | ||
|
|
||
| # Documentation: | ||
| # https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html | ||
| # | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Symantec Endpoint Protection Client" /> | ||
| # <EventID Qualifiers="0">202</EventID> | ||
| # <Level>4</Level> | ||
| # <Task>1</Task> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" /> | ||
| # <EventRecordID>43376</EventRecordID> | ||
| # <Channel>Symantec Endpoint Protection Client</Channel> | ||
| # <Computer>HOSTNAME.domain</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data>Content installed successfully on the client | ||
| # | ||
| # Product: SEPC Iron Revocation List 14.0 | ||
| # Version: MicroDefsB.CurDefs | ||
| # Language: SymAllLanguages | ||
| # Moniker: {810D5A61-809F-49c2-BD75-177F0647D2BA} | ||
| # Sequence: 200613034 | ||
| # Publish Date: Saturday, June 13, 2020 | ||
| # Revision: 034 | ||
| # </Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
37 changes: 37 additions & 0 deletions
37
evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_21.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Scan canceled | ||
| EventId: 21 | ||
| Channel: "Symantec Endpoint Protection Client" | ||
| Provider: "Symantec Endpoint Protection Client" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%PayloadData1%" | ||
| Values: | ||
| - | ||
| Name: PayloadData1 | ||
| Value: "/Event/EventData/Data" | ||
|
|
||
| # Documentation: | ||
| # https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html | ||
| # | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Symantec Endpoint Protection Client" /> | ||
| # <EventID Qualifiers="16639">21</EventID> | ||
| # <Level>4</Level> | ||
| # <Task>0</Task> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2020-05-15 08:00:45.0000000" /> | ||
| # <EventRecordID>43501</EventRecordID> | ||
| # <Channel>Symantec Endpoint Protection Client</Channel> | ||
| # <Computer>HOSTNAME.domain</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data> | ||
| # | ||
| # Scan Canceled: Risks: 0 Scanned: 610 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 679</Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
37 changes: 37 additions & 0 deletions
37
evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_23.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Symantec Endpoint Protection Auto-Protect Enabled | ||
| EventId: 23 | ||
| Channel: "Symantec Endpoint Protection Client" | ||
| Provider: "Symantec Endpoint Protection Client" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%PayloadData1%" | ||
| Values: | ||
| - | ||
| Name: PayloadData1 | ||
| Value: "/Event/EventData/Data" | ||
|
|
||
| # Documentation: | ||
| # https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html | ||
| # | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Symantec Endpoint Protection Client" /> | ||
| # <EventID Qualifiers="49807">23</EventID> | ||
| # <Level>4</Level> | ||
| # <Task>0</Task> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2021-02-03 09:23:40.0000000" /> | ||
| # <EventRecordID>49777</EventRecordID> | ||
| # <Channel>Symantec Endpoint Protection Client</Channel> | ||
| # <Computer>HOSTNAME.domain</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data> | ||
| # | ||
| # Symantec Endpoint Protection Auto-Protect Enabled.</Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
Oops, something went wrong.