From e8622a4aec5d9693f0cf85df2a01cd62666c1081 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 10 Jan 2025 19:06:53 +0530 Subject: [PATCH 1/9] New doc for Symantec Endpoint Security Service --- cid-redirects.json | 1 + .../product-list/product-list-m-z.md | 2 +- docs/integrations/saas-cloud/index.md | 7 +- .../symantec-endpoint-security-service.md | 262 ++++++++++++++++++ sidebars.ts | 1 + 5 files changed, 271 insertions(+), 2 deletions(-) create mode 100644 docs/integrations/saas-cloud/symantec-endpoint-security-service.md diff --git a/cid-redirects.json b/cid-redirects.json index 8c65bf3a27..891f831653 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -1595,6 +1595,7 @@ "/cid/10198": "/docs/integrations/saas-cloud/microsoft-graph-azure-ad-reporting", "/cid/10193": "/docs/integrations/saas-cloud/asana", "/cid/10181": "/docs/integrations/saas-cloud/atlassian", + "/cid/10207": "/docs/integrations/saas-cloud/symantec-endpoint-security-service", "/cid/10197": "/docs/integrations/saas-cloud/symantec-web-security-service", "/cid/6016": "/docs/integrations/saas-cloud/trend-micro-vision-one", "/cid/10112": "/docs/integrations/app-development/jfrog-xray", diff --git a/docs/integrations/product-list/product-list-m-z.md b/docs/integrations/product-list/product-list-m-z.md index b59fd2f96d..1fe816c309 100644 --- a/docs/integrations/product-list/product-list-m-z.md +++ b/docs/integrations/product-list/product-list-m-z.md @@ -162,7 +162,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [Sucuri](https://sucuri.net/) | Cloud SIEM integration: [Sucuri](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/cdfd2ba0-77eb-4e11-b071-6f4d01fda607.md) | | Thumbnail icon | [Sumo Logic](https://www.sumologic.com/) | Apps:
- [Enterprise Audit - Cloud SIEM](/docs/integrations/sumo-apps/cse/)
- [Flex](/docs/integrations/sumo-apps/flex/)
- [Sumo Logic Audit App](/docs/integrations/sumo-apps/audit/)
- [Sumo Logic Data Volume App](/docs/integrations/sumo-apps/data-volume/)
- [Sumo Logic Enterprise Audit Apps](/docs/integrations/sumo-apps/enterprise-audit/) (multiple apps)
- [Sumo Logic Enterprise Search Audit App](/docs/integrations/sumo-apps/enterprise-search-audit/)
- [Sumo Logic Infrequent Data Tier App](/docs/integrations/sumo-apps/infrequent-data-tier/)
- [Sumo Logic Log Analysis QuickStart App](/docs/integrations/sumo-apps/log-analysis-quickstart/)
- [Sumo Logic Security Analytics App](/docs/integrations/sumo-apps/security-analytics/)
Automation integrations:
- [Automation Tools](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools/)
- [Basic Tools](/docs/platform-services/automation-service/app-central/integrations/basic-tools/)
- [ESMTP](/docs/platform-services/automation-service/app-central/integrations/esmtp/)
- [HTTP Tools](/docs/platform-services/automation-service/app-central/integrations/http-tools/)
- [Incident Tools](/docs/platform-services/automation-service/app-central/integrations/incident-tools/)
- [IMAP](/docs/platform-services/automation-service/app-central/integrations/imap/)
- [Mail Tools](/docs/platform-services/automation-service/app-central/integrations/mail-tools/)
- [POP3](/docs/platform-services/automation-service/app-central/integrations/pop3/)
- [SMTP V3](/docs/platform-services/automation-service/app-central/integrations/smtp-v3/)
- [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem/)
- [Sumo Logic Cloud SIEM Internal](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem-internal/)
- [Sumo Logic Log Analytics](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics/)
- [Sumo Logic Log Analytics Internal](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics-internal/)
- [Sumo Logic Notifications](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-notifications/)
- [Sumo Logic Notifications by Gmail](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-notifications-by-gmail/)
- [Sumo Logic Notifications by Microsoft](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-notifications-by-microsoft)
- [Triage Tools](/docs/platform-services/automation-service/app-central/integrations/triage-tools/)
- [ZIP Tools](/docs/platform-services/automation-service/app-central/integrations/zip-tools/)
Cloud SIEM integration: [Sumo Logic](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/34A5019C-7BEC-4BF8-A3B7-C38D567126C6.md)
Collector: [Universal Connector](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source)
Community app: [Cloud Security Posture Management (CSPM) for Sumo Logic](https://github.com/SumoLogic/sumologic-content/tree/master/CSPM) | | Thumbnail icon | [Superwise](https://superwise.ai/) | Webhook: [Superwise](/docs/integrations/webhooks/superwise/) | -| Thumbnail icon | [Symantec](https://sep.securitycloud.symantec.com/v2/landing) | App: [Symantec Web Security Service](/docs/integrations/saas-cloud/symantec-web-security-service/)
Automation integrations:
- [Javelin AD Protect](/docs/platform-services/automation-service/app-central/integrations/javelin-ad-protect/)
- [Symantec DeepSight](/docs/platform-services/automation-service/app-central/integrations/symantec-deepsight/)
- [Symantec EDR](/docs/platform-services/automation-service/app-central/integrations/symantec-edr/)
- [Symantec Endpoint Protection](/docs/platform-services/automation-service/app-central/integrations/symantec-endpoint-protection/)
- [Symantec Endpoint Protection Cloud](/docs/platform-services/automation-service/app-central/integrations/symantec-endpoint-protection-cloud/)
- [Symantec Secure Web Gateway (Bluecoat)](/docs/platform-services/automation-service/app-central/integrations/symantec-secure-web-gateway-bluecoat/)
- [Symantec WebPulse](/docs/platform-services/automation-service/app-central/integrations/symantec-webpulse/)
Collectors:
- [Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/)
- [Symantec Web Security Service Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-web-security-service-source/)
- [Symantec Proxy Secure Gateway - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway/)
- [Symantec Proxy Secure Gateway (Blue Coat Proxy) - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy/)
Cloud SIEM integration: [Symantec](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/64c7f49c-f95a-4f4a-8540-56ec5fb1d96b.md)
Community app: [Sumo Logic for Symantec WSS](https://github.com/SumoLogic/sumologic-content/tree/master/Symantec/WSS) | +| Thumbnail icon | [Symantec](https://sep.securitycloud.symantec.com/v2/landing) | App:
- [Symantec Endpoint Security Service](/docs/integrations/saas-cloud/symantec-endpoint-security-service/)
- [Symantec Web Security Service](/docs/integrations/saas-cloud/symantec-web-security-service/)
Automation integrations:
- [Javelin AD Protect](/docs/platform-services/automation-service/app-central/integrations/javelin-ad-protect/)
- [Symantec DeepSight](/docs/platform-services/automation-service/app-central/integrations/symantec-deepsight/)
- [Symantec EDR](/docs/platform-services/automation-service/app-central/integrations/symantec-edr/)
- [Symantec Endpoint Protection](/docs/platform-services/automation-service/app-central/integrations/symantec-endpoint-protection/)
- [Symantec Endpoint Protection Cloud](/docs/platform-services/automation-service/app-central/integrations/symantec-endpoint-protection-cloud/)
- [Symantec Secure Web Gateway (Bluecoat)](/docs/platform-services/automation-service/app-central/integrations/symantec-secure-web-gateway-bluecoat/)
- [Symantec WebPulse](/docs/platform-services/automation-service/app-central/integrations/symantec-webpulse/)
Collectors:
- [Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/)
- [Symantec Web Security Service Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-web-security-service-source/)
- [Symantec Proxy Secure Gateway - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway/)
- [Symantec Proxy Secure Gateway (Blue Coat Proxy) - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy/)
Cloud SIEM integration: [Symantec](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/64c7f49c-f95a-4f4a-8540-56ec5fb1d96b.md)
Community app: [Sumo Logic for Symantec WSS](https://github.com/SumoLogic/sumologic-content/tree/master/Symantec/WSS) | | Thumbnail icon | [Sysdig](https://sysdig.com/) | Cloud SIEM integration: [Sysdig](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/c4de0854-e718-45e1-a4c8-63623755aa43.md) | | Thumbnail icon | [syslog-ng](https://www.syslog-ng.com/) | Automation integration: [Syslog-NG](/docs/platform-services/automation-service/app-central/integrations/syslog-ng/)
Collector: [syslog-ng](/docs/send-data/hosted-collectors/cloud-syslog-source/syslog-ng/) | diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md index e8077e6d27..0c66131a07 100644 --- a/docs/integrations/saas-cloud/index.md +++ b/docs/integrations/saas-cloud/index.md @@ -297,7 +297,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.

Identify security threats by analyzing alerts and events logs.

- +
+
+ icon

Symantec Endpoint Security Service

 +

Gain insights into the log data and identify potential security threats.

+
+
icon

Symantec Web Security Service

 diff --git a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md new file mode 100644 index 0000000000..7d6ec8d787 --- /dev/null +++ b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md @@ -0,0 +1,262 @@ +--- +id: symantec-endpoint-security-service +title: Symantec Endpoint Security Service +sidebar_label: Symantec Endpoint Security Service +description: The Sumo Logic app for Symantec Web Security provides real-time insights into the log data by leveraging the Symantec Endpoint Security Service. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +icon + +Symantec Endpoint Security safeguards organizations from various network threats and risks. The Sumo Logic app for Symantec Endpoint Security provides visibility into log data by using the Symantec Endpoint Security Service. This service collects and forwards the Symantec Endpoint Security data to Sumo Logic for analysis, offering a comprehensive view of the endpoint security statuses through various widgets. These widgets present essential information, including the number of incidents categorised by type, impacted hosts, malicious files, threat details, and critical or high-severity incidents. The dashboard also highlights potential security vulnerabilities, such as the top 10 affected hosts, IP addresses, and malicious files. This allows administrators to monitor and manage endpoint security in real time, enhancing quick responses to threats. +By utilizing the Symantec Endpoint Security Service, organizations can protect their employees' endpoints and enhance their defenses against emerging threats. + +## Log types + +This app uses [Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/) to collect Incidents and Event Logs from Symantec Endpoint Security. + +## Sample log message + +
+Incident Log +```json + { + "customer_uid": "TEST-JvOsaJktSS-eyL-dXhxOvA", + "incident_uid": "afb07d00-89dd-4813-8e1e-3ed5fa83444d", + "type": "INCIDENT_UPDATE", + "conclusion": "Suspicious Activity", + "remediation": "Change the credentials for accounts which have accessed this endpoint. Employ software whitelisting tools to prevent unauthorized access to the LSASS process and the Windows Registry Security Accounts Manager. Mandate that administrator accounts have unique passwords per system to limit the exposure caused by the theft of credentials. Similarly, avoid the inclusion of user or domain accounts in local administrator groups to limit exposure due to credential theft associated with such accounts.", + "priority_id": 4, + "category_id": 1, + "modified": "2023-04-26T23:38:48.634+00:00", + "state_id": 1, + "id": 4, + "product_uid": "31B0C880-0229-49E8-94C5-48D56B1BD7B9", + "device_time": 1682552328634, + "ref_incident_uid": 102106, + "rule_name": "Advanced Attack Technique", + "created": "2023-04-26T15:44:19.345+00:00", + "type_id": 8076, + "incident_url": "https://sep.securitycloud.symantec.com/v2/incidents/incidentListing/afb07d00-89dd-4813-8e1e-3ed5fa83444d/details", + "message": "OS Credential Dumping", + "version": "1.0", + "product_name": "Symantec Integrated Cyber Defense Manager", + "event_id": 80760004, + "domain_uid": "TEST-ZBg_IqnyTAijNjP2BOOcuw", + "detection_type": "Advanced Analytics", + "severity_id": 4, + "time": 1682552328634, + "suspected_breach": "Yes" +} +``` +
+ +
+Event Log +```json +{ + "customer_uid": "TEST-JvOsaJktSS-eyL-dXhxOvA", + "incident_uid": "6af35ed1-ee4a-463a-a40d-dde000dead84", + "type": "INCIDENT_CREATION", + "conclusion": "Malicious File", + "remediation": "You can isolate the endpoint(s), remove the file(s) and/or clean the system(s).", + "priority_id": 4, + "category_id": 1, + "modified": "2023-04-26T21:01:13.426+00:00", + "state_id": 1, + "id": 4, + "product_uid": "31B0C880-0229-49E8-94C5-48D56B1BD7B9", + "events": [ + { + "type_id": 8031, + "type": "sandbox_file_detection", + "id": 14, + "message": "Sandbox result for the 'Chrome.exe' file is malicious.", + "user_name": "SYSTEM", + "device_uid": "KLXOjk4ET-CeJZBA3iipkw", + "device_name": "Victim-1", + "device_time": "2023-04-26T21:01:09.003Z", + "severity_id": 5, + "category_id": 1, + "feature_uid": "3F3DC574-02A7-11E9-8EB2-F2801F1B9FD1", + "product_uid": "E3A8F790-52A2-4BE3-87D7-93698CDDD021", + "status_detail": "File is malicious", + "command_uid": "365f1e54-8cb6-4d6c-9478-078e456709e3", + "status_id": 1, + "device_ip": "172.28.53.29", + "device_os_name": "Windows 10 Professional Edition", + "device_domain": "evilcorp.com", + "product_ver": "14.3.9513.7000", + "customer_uid": "TEST-JvOsaJktSS-eyL-dXhxOvA", + "domain_uid": "TEST-ZBg_IqnyTAijNjP2BOOcuw", + "ref_uid": "2e080e9a-791f-33fd-90b7-de575f267025", + "threat": { + "provider": "Cynic", + "type_id": 5, + "name": "Threat Detected By Cynic", + "risk_id": 100, + "id": 0 + }, + "file": { + "path": "C:\\Users\\edradmin\\Desktop\\Chrome.exe", + "name": "Chrome.exe", + "sha2": "39fff7c11c59ce946cfec471d99baaa832266a07ab6f30cd123e385ca9436efa" + }, + "version": "1.0", + "product_name": "Symantec Endpoint Detection and Response", + "feature_name": "Endpoint Detection and Response", + "feature_ver": "1.0", + "edr_event_data_type": "malicious", + "event_data_type": "sep", + "user": { + "name": "SYSTEM" + }, + "time": "2023-04-26T21:01:09.003Z", + "timezone": 0, + "log_time": "2023-04-26T21:01:11.285Z", + "uuid": "8031:77c48db0-e475-11ed-d50e-0000633d5a56", + "log_name": "event_service_6_t2_2023-04-26" + } + ], + "device_time": 1682542873426, + "ref_incident_uid": 102108, + "rule_name": "Critical Cynic Detections", + "created": "2023-04-26T21:01:13.426+00:00", + "type_id": 8075, + "incident_url": "https://sep.securitycloud.symantec.com/v2/incidents/incidentListing/6af35ed1-ee4a-463a-a40d-dde000dead84/details", + "message": "Sandbox detection: Chrome.exe", + "version": "1.0", + "product_name": "Symantec Integrated Cyber Defense Manager", + "event_id": 80750004, + "domain_uid": "TEST-ZBg_IqnyTAijNjP2BOOcuw", + "detection_type": "Sandbox", + "severity_id": 5, + "time": 1682542873426, + "suspected_breach": "No" +} +``` +
+ +## Sample queries + +```sql title="Incidents by Severity" +_sourceCategory="Labs/SES" !device_uid +| json "incident_uid", "type", "severity_id", "priority_id", "category_id", "conclusion", "detection_type", "state_id", "suspected_breach", "created", "modified", "message", "incident_url", "rule_name", "product_name", "remediation" as incident_uid, type, severity, priority, category, conclusion, detection_type, state, suspected_breach, created_timestamp, modified_timestamp, message, incident_url, rule_name, product_name, remediation nodrop + +| if (severity in ("1", "2", "6") , "Reserved", if (severity matches "3", "Minor", if (severity matches "4", "Major", if (severity matches "5", "Critical", "Other")))) as severity +| if (category matches "1", "Security", "Other") as category +| if (state matches "0" , "Unknown", if (state matches "1", "New", if (state matches "2", "In Progress", if (state matches "3", "On Hold", if (state matches "4", "Resolved", if (state matches "5", "Closed", "Other")))))) as state + +// global filters +| where severity matches "{{severity}}" +| where category matches "{{category}}" +| where type matches "{{type}}" +| where state matches "{{state}}" +| where conclusion matches "{{conclusion}}" + +| count by incident_uid, severity +| count by severity +| sort by _count, severity +``` + +```sql title="Incidents Over Time" +_sourceCategory="Labs/SES" !device_uid +| json "incident_uid", "type", "severity_id", "priority_id", "category_id", "conclusion", "detection_type", "state_id", "suspected_breach", "created", "modified", "message", "incident_url", "rule_name", "product_name", "remediation" as incident_uid, type, severity, priority, category, conclusion, detection_type, state, suspected_breach, created_timestamp, modified_timestamp, message, incident_url, rule_name, product_name, remediation nodrop + +| if (severity in ("1", "2", "6") , "Reserved", if (severity matches "3", "Minor", if (severity matches "4", "Major", if (severity matches "5", "Critical", "Other")))) as severity +| if (category matches "1", "Security", "Other") as category +| if (state matches "0" , "Unknown", if (state matches "1", "New", if (state matches "2", "In Progress", if (state matches "3", "On Hold", if (state matches "4", "Resolved", if (state matches "5", "Closed", "Other")))))) as state + +// global filters +| where severity matches "{{severity}}" +| where category matches "{{category}}" +| where type matches "{{type}}" +| where state matches "{{state}}" +| where conclusion matches "{{conclusion}}" + +| timeslice 1d +| count by incident_uid, state, _timeslice +| count as frequency by _timeslice, state +| fillmissing timeslice, values all in state +| transpose row _timeslice column state +``` + +```sql title="Top 10 Devices by Events" +_sourceCategory="Labs/SES" device_uid +| json "events", "incident_uid", "type", "conclusion", "rule_name", "message", "suspected_breach", "detection_type", "product_name", "incident_url" as events, incident_uid, incident_type, incident_conclusion, incident_rule_name, incident_message, suspected_breach, detection_type, incident_product_name, incident_url +| parse regex field=events "(?\{(?:[^\{\}]|\{[^\{\}]*\})*\})" multi +| json field=event "uuid", "severity_id", "category_id", "type", "edr_event_data_type", "device_name", "user_name", "file.name", "file.path", "file.sha2", "device_uid", "device_ip", "device_os_name", "device_domain", "threat.id", "threat.type_id", "threat.name", "threat.risk_id", "threat.provider", "message", "type_id", "status_detail", "product_name", "feature_name" as uuid, severity, category, type, edr_event_type, device_name, user_name, file_name, file_path, file_sha2, device_uid, device_ip, device_os_name, device_domain, threat_id, threat_type_id, threat_name, threat_risk_id, threat_provider, message, type_id, status_detail, product_name, feature_name nodrop + +| if (severity in ("1", "2", "6") , "Reserved", if (severity matches "3", "Minor", if (severity matches "4", "Major", if (severity matches "5", "Critical", "Other")))) as severity +| if (category matches "1", "Security", "Other") as category + +// global filters +| where severity matches "{{severity}}" +| where category matches "{{category}}" +| where type matches "{{type}}" +| where user_name matches "{{user_name}}" +| where device_name matches "{{device_name}}" + +| where !isBlank(device_name) +| count by device_name, uuid +| count as frequency by device_name +| sort by frequency, device_name +| limit 10 +``` + +## Set up collection + +To set up the [Cloud-to-Cloud Integration for Symantec Endpoint Security Service Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/), follow the instructions provided. These instructions will guide you through the process of creating a source using the Symantec Endpoint Security Service Source category, which you will need to use when installing the app. By following these steps, you can ensure that your Symantec Endpoint Security Service app is properly integrated and configured to collect and analyze your Symantec Endpoint Security Service data. + +## Installing the Symantec Endpoint Security Service app + +import AppInstall2 from '../../reuse/apps/app-install-v2.md'; + + + +## Viewing the Symantec Endpoint Security Service dashboards + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Incidents Overview + +The **Symantec Endpoint Security Service - Incidents Overview** dashboard provides a detailed view of endpoint incidents through various widgets. These widgets display data such as the total number of incidents, total count of open incidents, high severity incidents, high priority incidents, cynic detection, newly identified incidents, unknown incidents, incidents distribution by event type, severity, category, conclusion, detection type, state, priority, and suspected breach. Additionally, it includes incident resolution rates, incidents over time, average resolution time of incidents, sandbox detections over time, summaries of all incidents, unresolved incidents, and remediation specifics. This enables administrators to monitor and manage endpoint security effectively in real time, promptly identifying and addressing potential incidents.
Symantec-Endpoint-Security-Service-Incidents-Overview + +### Events Overview + +The **Symantec Endpoint Security Service - Events Overview** The "Symantec Endpoint Security - Events Overview" dashboard provides a comprehensive view of endpoint security status through various widgets. These widgets display key data such as the total number of events, high severity events, suspicious files, event distribution based on severity, category, event type, EDR event type, affected endpoints, top users linked to events, top malicious files, top SHA256 of files, top affected IPs, events over time, sandbox file detection events over time, and summaries of malicious files, events, hosts, threats, and incidents with the device. The dashboard also includes information on geographic locations of affected endpoints, and helps administrators monitor, manage, and respond to security threats in real time. This enables businesses to secure endpoints and defend against a wide range of threats.
Symantec-Endpoint-Security-Service-Events-Overview + +## Create monitors for Symantec Endpoint Security app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Symantec Endpoint Security monitors + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `Embargoed Device` | This alert is triggered when a device is associated with multiple incidents. It helps you to monitor and stop potentially harmful devices, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | +| `File Execution in Suspicious Path` | This alert is triggered when some file activity happens from the suspicious file path. It helps you to monitor activity from unusual or suspicious file paths, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | +| `High Priority or Severity Incidents Detected` | This alert is triggered when an incident is created with high priority or severity. It helps you to monitor and stop potentially harmful events that could compromise endpoint security. | Critical | Count > 0 | +| `High-Risk Threat Detected by Cynic` | This alert is triggered when a high-risk threat is detected by the cynic. It allows you to quickly identify endpoints with a high concentration of threat activity, enabling swift action to contain and remediate potential infections. | Critical | Count > 0 | +| `Hight-Severity Malicious File Detected` | This alert is triggered when a known malicious file with high severity is detected running on a device. It helps you to monitor and stop potentially harmful files that could compromise device security and network integrity. | Critical | Count > 0 | +| `Incidents Detected from Embargoed Locations` | This alert triggers when an incident is detected from a location identified as high-risk. This helps you to monitor incidents from unusual or restricted geographic locations, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | +| `Sandbox Malicious File Detected` | This alert is triggered when a known malicious file is detected by the sandbox. It helps you to monitor and stop potentially harmful files that could compromise device security and network integrity. | Critical | Count > 0 | +| `Spike in Impacted Devices Count` | This alert is triggered when a spike is detected in the number of impacted devices. It helps you to monitor and stop potentially harmful devices, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | +| `Unresolved Incident Aging Beyond 7 days` | This alert is triggered when an incident is created and remains unresolved for 7 days. It helps you to monitor pending incidents for an extended period, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | + +## Upgrade/Downgrade the Symantec Endpoint Security Service app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Symantec Endpoint Security Service app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/sidebars.ts b/sidebars.ts index 0bd9418bff..10f171e989 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2486,6 +2486,7 @@ integrations: [ 'integrations/saas-cloud/sentinelone', 'integrations/saas-cloud/slack', 'integrations/saas-cloud/sophos', + 'integrations/saas-cloud/symantec-endpoint-security-service', 'integrations/saas-cloud/symantec-web-security-service', 'integrations/saas-cloud/tenable', 'integrations/saas-cloud/trend-micro-vision-one', From f61cd6ef7e01275ba3772a087758e5414e6099b4 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 10 Jan 2025 19:35:45 +0530 Subject: [PATCH 2/9] added release note --- blog-service/2025-01-10-apps.md | 14 ++++++++++++++ .../symantec-endpoint-security-service.md | 4 ++++ 2 files changed, 18 insertions(+) create mode 100644 blog-service/2025-01-10-apps.md diff --git a/blog-service/2025-01-10-apps.md b/blog-service/2025-01-10-apps.md new file mode 100644 index 0000000000..b0992ea778 --- /dev/null +++ b/blog-service/2025-01-10-apps.md @@ -0,0 +1,14 @@ +--- +title: Symantec Endpoint Security Service (Apps) +image: https://help.sumologic.com/img/sumo-square.png +keywords: + - apps + - symantec-endpoint-security-service +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +icon + +We're excited to introduce the new Symantec Endpoint Security Service app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Symantec Endpoint Security source that collects incident and event logs data from the Symantec Endpoint Security platform. This app provides real-time insights into the log data that allows you to monitor and manage endpoint security in real time, enhancing quick responses to threats. [Learn more](/docs/integrations/saas-cloud/symantec-endpoint-security-service/). \ No newline at end of file diff --git a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md index 7d6ec8d787..5230048dd6 100644 --- a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md +++ b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md @@ -12,6 +12,10 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; Symantec Endpoint Security safeguards organizations from various network threats and risks. The Sumo Logic app for Symantec Endpoint Security provides visibility into log data by using the Symantec Endpoint Security Service. This service collects and forwards the Symantec Endpoint Security data to Sumo Logic for analysis, offering a comprehensive view of the endpoint security statuses through various widgets. These widgets present essential information, including the number of incidents categorised by type, impacted hosts, malicious files, threat details, and critical or high-severity incidents. The dashboard also highlights potential security vulnerabilities, such as the top 10 affected hosts, IP addresses, and malicious files. This allows administrators to monitor and manage endpoint security in real time, enhancing quick responses to threats. By utilizing the Symantec Endpoint Security Service, organizations can protect their employees' endpoints and enhance their defenses against emerging threats. +:::info +This app includes [built-in monitors](#symantec-endpoint-security-monitors). For details on creating custom monitors, refer to [Create monitors for Symantec Endpoint Security app](#create-monitors-for-symantec-endpoint-security-app). +::: + ## Log types This app uses [Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/) to collect Incidents and Event Logs from Symantec Endpoint Security. From de0a869e6ce66f9be595a9dcef1073c28e004aa1 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 10 Jan 2025 19:50:34 +0530 Subject: [PATCH 3/9] minor fixes on naming conventions --- .../symantec-endpoint-security-service.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md index 5230048dd6..e4fdc0a71c 100644 --- a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md +++ b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md @@ -1,7 +1,7 @@ --- id: symantec-endpoint-security-service -title: Symantec Endpoint Security Service -sidebar_label: Symantec Endpoint Security Service +title: Symantec Endpoint Security +sidebar_label: Symantec Endpoint Security description: The Sumo Logic app for Symantec Web Security provides real-time insights into the log data by leveraging the Symantec Endpoint Security Service. --- @@ -20,7 +20,7 @@ This app includes [built-in monitors](#symantec-endpoint-security-monitors). For This app uses [Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/) to collect Incidents and Event Logs from Symantec Endpoint Security. -## Sample log message +### Sample log message
Incident Log @@ -142,7 +142,7 @@ This app uses [Symantec Endpoint Security Source](/docs/send-data/hosted-collect ```
-## Sample queries +### Sample queries ```sql title="Incidents by Severity" _sourceCategory="Labs/SES" !device_uid @@ -211,15 +211,15 @@ _sourceCategory="Labs/SES" device_uid ## Set up collection -To set up the [Cloud-to-Cloud Integration for Symantec Endpoint Security Service Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/), follow the instructions provided. These instructions will guide you through the process of creating a source using the Symantec Endpoint Security Service Source category, which you will need to use when installing the app. By following these steps, you can ensure that your Symantec Endpoint Security Service app is properly integrated and configured to collect and analyze your Symantec Endpoint Security Service data. +To set up the [Cloud-to-Cloud Integration for Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/), follow the instructions provided. These instructions will guide you through the process of creating a source using the Symantec Endpoint Security Source category, which you will need to use when installing the app. By following these steps, you can ensure that your Symantec Endpoint Security app is properly integrated and configured to collect and analyze your Symantec Endpoint Security data. -## Installing the Symantec Endpoint Security Service app +## Installing the Symantec Endpoint Security app import AppInstall2 from '../../reuse/apps/app-install-v2.md'; -## Viewing the Symantec Endpoint Security Service dashboards +## Viewing the Symantec Endpoint Security dashboards import ViewDashboards from '../../reuse/apps/view-dashboards.md'; @@ -227,11 +227,11 @@ import ViewDashboards from '../../reuse/apps/view-dashboards.md'; ### Incidents Overview -The **Symantec Endpoint Security Service - Incidents Overview** dashboard provides a detailed view of endpoint incidents through various widgets. These widgets display data such as the total number of incidents, total count of open incidents, high severity incidents, high priority incidents, cynic detection, newly identified incidents, unknown incidents, incidents distribution by event type, severity, category, conclusion, detection type, state, priority, and suspected breach. Additionally, it includes incident resolution rates, incidents over time, average resolution time of incidents, sandbox detections over time, summaries of all incidents, unresolved incidents, and remediation specifics. This enables administrators to monitor and manage endpoint security effectively in real time, promptly identifying and addressing potential incidents.
Symantec-Endpoint-Security-Service-Incidents-Overview +The **Symantec Endpoint Security - Incidents Overview** dashboard provides a detailed view of endpoint incidents through various widgets. These widgets display data such as the total number of incidents, total count of open incidents, high severity incidents, high priority incidents, cynic detection, newly identified incidents, unknown incidents, incidents distribution by event type, severity, category, conclusion, detection type, state, priority, and suspected breach. Additionally, it includes incident resolution rates, incidents over time, average resolution time of incidents, sandbox detections over time, summaries of all incidents, unresolved incidents, and remediation specifics. This enables administrators to monitor and manage endpoint security effectively in real time, promptly identifying and addressing potential incidents.
Symantec-Endpoint-Security-Incidents-Overview ### Events Overview -The **Symantec Endpoint Security Service - Events Overview** The "Symantec Endpoint Security - Events Overview" dashboard provides a comprehensive view of endpoint security status through various widgets. These widgets display key data such as the total number of events, high severity events, suspicious files, event distribution based on severity, category, event type, EDR event type, affected endpoints, top users linked to events, top malicious files, top SHA256 of files, top affected IPs, events over time, sandbox file detection events over time, and summaries of malicious files, events, hosts, threats, and incidents with the device. The dashboard also includes information on geographic locations of affected endpoints, and helps administrators monitor, manage, and respond to security threats in real time. This enables businesses to secure endpoints and defend against a wide range of threats.
Symantec-Endpoint-Security-Service-Events-Overview +The **Symantec Endpoint Security - Events Overview** The "Symantec Endpoint Security - Events Overview" dashboard provides a comprehensive view of endpoint security status through various widgets. These widgets display key data such as the total number of events, high severity events, suspicious files, event distribution based on severity, category, event type, EDR event type, affected endpoints, top users linked to events, top malicious files, top SHA256 of files, top affected IPs, events over time, sandbox file detection events over time, and summaries of malicious files, events, hosts, threats, and incidents with the device. The dashboard also includes information on geographic locations of affected endpoints, and helps administrators monitor, manage, and respond to security threats in real time. This enables businesses to secure endpoints and defend against a wide range of threats.
Symantec-Endpoint-Security-Events-Overview ## Create monitors for Symantec Endpoint Security app @@ -253,13 +253,13 @@ import CreateMonitors from '../../reuse/apps/create-monitors.md'; | `Spike in Impacted Devices Count` | This alert is triggered when a spike is detected in the number of impacted devices. It helps you to monitor and stop potentially harmful devices, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | | `Unresolved Incident Aging Beyond 7 days` | This alert is triggered when an incident is created and remains unresolved for 7 days. It helps you to monitor pending incidents for an extended period, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | -## Upgrade/Downgrade the Symantec Endpoint Security Service app (Optional) +## Upgrade/Downgrade the Symantec Endpoint Security app (Optional) import AppUpdate from '../../reuse/apps/app-update.md'; -## Uninstalling the Symantec Endpoint Security Service app (Optional) +## Uninstalling the Symantec Endpoint Security app (Optional) import AppUninstall from '../../reuse/apps/app-uninstall.md'; From 07463ebbdf4b5d8c1da3f77a2fdbab5c629ecaa6 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 10 Jan 2025 20:00:13 +0530 Subject: [PATCH 4/9] Update docs/integrations/saas-cloud/symantec-endpoint-security-service.md Co-authored-by: Jagadisha V <129049263+JV0812@users.noreply.github.com> --- .../saas-cloud/symantec-endpoint-security-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md index e4fdc0a71c..85e223dab6 100644 --- a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md +++ b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md @@ -18,7 +18,7 @@ This app includes [built-in monitors](#symantec-endpoint-security-monitors). For ## Log types -This app uses [Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/) to collect Incidents and Event Logs from Symantec Endpoint Security. +This app uses [Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/) to collect the incidents and event logs from the Symantec Endpoint Security platform. ### Sample log message From 8e2607a143ef847b493445ca95151f43ae881c7a Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Fri, 10 Jan 2025 20:24:14 +0530 Subject: [PATCH 5/9] Update symantec-endpoint-security-service.md --- .../saas-cloud/symantec-endpoint-security-service.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md index 85e223dab6..75d391a610 100644 --- a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md +++ b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md @@ -231,7 +231,7 @@ The **Symantec Endpoint Security - Incidents Overview** dashboard provides a det ### Events Overview -The **Symantec Endpoint Security - Events Overview** The "Symantec Endpoint Security - Events Overview" dashboard provides a comprehensive view of endpoint security status through various widgets. These widgets display key data such as the total number of events, high severity events, suspicious files, event distribution based on severity, category, event type, EDR event type, affected endpoints, top users linked to events, top malicious files, top SHA256 of files, top affected IPs, events over time, sandbox file detection events over time, and summaries of malicious files, events, hosts, threats, and incidents with the device. The dashboard also includes information on geographic locations of affected endpoints, and helps administrators monitor, manage, and respond to security threats in real time. This enables businesses to secure endpoints and defend against a wide range of threats.
Symantec-Endpoint-Security-Events-Overview +The **Symantec Endpoint Security - Events Overview** The "Symantec Endpoint Security - Events Overview" dashboard provides a comprehensive view of endpoint security status through various widgets. These widgets display key data such as the total number of events, high-severity events, suspicious files, event distribution based on severity, category, event type, EDR event type, affected endpoints, top users linked to events, top malicious files, top SHA256 of files, top affected IPs, events over time, sandbox file detection events over time, and summaries of malicious files, events, hosts, threats, and incidents with the device. The dashboard also includes information on the geographic locations of affected endpoints and helps administrators monitor, manage, and respond to security threats in real-time. This enables businesses to secure endpoints and defend against various threats.
Symantec-Endpoint-Security-Events-Overview ## Create monitors for Symantec Endpoint Security app @@ -248,7 +248,7 @@ import CreateMonitors from '../../reuse/apps/create-monitors.md'; | `High Priority or Severity Incidents Detected` | This alert is triggered when an incident is created with high priority or severity. It helps you to monitor and stop potentially harmful events that could compromise endpoint security. | Critical | Count > 0 | | `High-Risk Threat Detected by Cynic` | This alert is triggered when a high-risk threat is detected by the cynic. It allows you to quickly identify endpoints with a high concentration of threat activity, enabling swift action to contain and remediate potential infections. | Critical | Count > 0 | | `Hight-Severity Malicious File Detected` | This alert is triggered when a known malicious file with high severity is detected running on a device. It helps you to monitor and stop potentially harmful files that could compromise device security and network integrity. | Critical | Count > 0 | -| `Incidents Detected from Embargoed Locations` | This alert triggers when an incident is detected from a location identified as high-risk. This helps you to monitor incidents from unusual or restricted geographic locations, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | +| `Incidents Detected from Embargoed Locations` | This alert is triggered when an incident is detected from a location identified as high-risk. This helps you to monitor incidents from unusual or restricted geographic locations, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | | `Sandbox Malicious File Detected` | This alert is triggered when a known malicious file is detected by the sandbox. It helps you to monitor and stop potentially harmful files that could compromise device security and network integrity. | Critical | Count > 0 | | `Spike in Impacted Devices Count` | This alert is triggered when a spike is detected in the number of impacted devices. It helps you to monitor and stop potentially harmful devices, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | | `Unresolved Incident Aging Beyond 7 days` | This alert is triggered when an incident is created and remains unresolved for 7 days. It helps you to monitor pending incidents for an extended period, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | @@ -263,4 +263,4 @@ import AppUpdate from '../../reuse/apps/app-update.md'; import AppUninstall from '../../reuse/apps/app-uninstall.md'; - \ No newline at end of file + From 94f442586dd2ba8dccc63b8af990e3a6bbf69763 Mon Sep 17 00:00:00 2001 From: Himanshu Pal Date: Fri, 10 Jan 2025 20:53:25 +0530 Subject: [PATCH 6/9] added use case section --- .../symantec-endpoint-security-service.md | 23 ++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md index 75d391a610..b768bd80b4 100644 --- a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md +++ b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md @@ -227,11 +227,28 @@ import ViewDashboards from '../../reuse/apps/view-dashboards.md'; ### Incidents Overview -The **Symantec Endpoint Security - Incidents Overview** dashboard provides a detailed view of endpoint incidents through various widgets. These widgets display data such as the total number of incidents, total count of open incidents, high severity incidents, high priority incidents, cynic detection, newly identified incidents, unknown incidents, incidents distribution by event type, severity, category, conclusion, detection type, state, priority, and suspected breach. Additionally, it includes incident resolution rates, incidents over time, average resolution time of incidents, sandbox detections over time, summaries of all incidents, unresolved incidents, and remediation specifics. This enables administrators to monitor and manage endpoint security effectively in real time, promptly identifying and addressing potential incidents.
Symantec-Endpoint-Security-Incidents-Overview +Symantec Endpoint Security - Incidents Overview dashboard provides details on security incidents, their severity, priority, and current status across your endpoint environment. + +Use this dashboard to: +* Quickly assess the overall security posture by viewing the number of total, open, high severity, and high priority incidents. +* Identify trends in incident types and categories to focus on areas requiring immediate attention or process improvements. +* Monitor incident resolution times and track the progress of open incidents to ensure timely response and remediation. +* Prioritze incidents by severity and priority to allocate resources effectively and address the most critical threats first. +* Analyze the distribution of incidents across different states and detection types to understand the lifecycle of security events in your environment. + +Symantec Endpoint Security - Incidents Overview ### Events Overview -The **Symantec Endpoint Security - Events Overview** The "Symantec Endpoint Security - Events Overview" dashboard provides a comprehensive view of endpoint security status through various widgets. These widgets display key data such as the total number of events, high-severity events, suspicious files, event distribution based on severity, category, event type, EDR event type, affected endpoints, top users linked to events, top malicious files, top SHA256 of files, top affected IPs, events over time, sandbox file detection events over time, and summaries of malicious files, events, hosts, threats, and incidents with the device. The dashboard also includes information on the geographic locations of affected endpoints and helps administrators monitor, manage, and respond to security threats in real-time. This enables businesses to secure endpoints and defend against various threats.
Symantec-Endpoint-Security-Events-Overview +Symantec Endpoint Security - Events Overview dashboard provides details on security events, their severity, types, and geographical distribution across the protected endpoints. + +Use this dashboard to: +* Quickly assess the overall security posture by viewing the total events, high severity events, and suspicious files counts at the top of the dashboard. +* Analyze event trends over time and identify peak periods of security incidents using the Events Over Time graph. +* Identify the most affected devices, allowing for targeted investigation and remediation of compromised assets. +* Visualize the geographical distribution of affected devices and event locations to detect potential regional attack patterns or vulnerabilities. + +Symantec Endpoint Security - Events Overview ## Create monitors for Symantec Endpoint Security app @@ -243,7 +260,7 @@ import CreateMonitors from '../../reuse/apps/create-monitors.md'; | Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |:--|:--|:--|:--| -| `Embargoed Device` | This alert is triggered when a device is associated with multiple incidents. It helps you to monitor and stop potentially harmful devices, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | +| `Devices With Multiple Incidents` | This alert is triggered when a device is associated with multiple incidents. It helps you to monitor and stop potentially harmful devices, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | | `File Execution in Suspicious Path` | This alert is triggered when some file activity happens from the suspicious file path. It helps you to monitor activity from unusual or suspicious file paths, enhancing your ability to identify suspicious activity. | Critical | Count > 0 | | `High Priority or Severity Incidents Detected` | This alert is triggered when an incident is created with high priority or severity. It helps you to monitor and stop potentially harmful events that could compromise endpoint security. | Critical | Count > 0 | | `High-Risk Threat Detected by Cynic` | This alert is triggered when a high-risk threat is detected by the cynic. It allows you to quickly identify endpoints with a high concentration of threat activity, enabling swift action to contain and remediate potential infections. | Critical | Count > 0 | From cca201428959fab4c6ee875b1bfb5d1b726476c4 Mon Sep 17 00:00:00 2001 From: Himanshu Pal Date: Fri, 10 Jan 2025 21:20:19 +0530 Subject: [PATCH 7/9] fix spellcheck error --- .../saas-cloud/symantec-endpoint-security-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md index b768bd80b4..e559b49307 100644 --- a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md +++ b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md @@ -233,7 +233,7 @@ Use this dashboard to: * Quickly assess the overall security posture by viewing the number of total, open, high severity, and high priority incidents. * Identify trends in incident types and categories to focus on areas requiring immediate attention or process improvements. * Monitor incident resolution times and track the progress of open incidents to ensure timely response and remediation. -* Prioritze incidents by severity and priority to allocate resources effectively and address the most critical threats first. +* Prioritize incidents by severity and priority to allocate resources effectively and address the most critical threats first. * Analyze the distribution of incidents across different states and detection types to understand the lifecycle of security events in your environment. Symantec Endpoint Security - Incidents Overview From b1e6a2a0fbffc00860280265277f343952818d39 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 10 Jan 2025 21:21:00 +0530 Subject: [PATCH 8/9] Update docs/integrations/saas-cloud/symantec-endpoint-security-service.md Co-authored-by: Jagadisha V <129049263+JV0812@users.noreply.github.com> --- .../saas-cloud/symantec-endpoint-security-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md index e559b49307..224e98128d 100644 --- a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md +++ b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md @@ -227,7 +227,7 @@ import ViewDashboards from '../../reuse/apps/view-dashboards.md'; ### Incidents Overview -Symantec Endpoint Security - Incidents Overview dashboard provides details on security incidents, their severity, priority, and current status across your endpoint environment. +The **Symantec Endpoint Security - Incidents Overview** dashboard provides details on security incidents, their severity, priority, and current status across your endpoint environment. Use this dashboard to: * Quickly assess the overall security posture by viewing the number of total, open, high severity, and high priority incidents. From 6f7b99cc64a020f338f05158c8e8398a36363092 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 10 Jan 2025 21:21:13 +0530 Subject: [PATCH 9/9] Update docs/integrations/saas-cloud/symantec-endpoint-security-service.md Co-authored-by: Jagadisha V <129049263+JV0812@users.noreply.github.com> --- .../saas-cloud/symantec-endpoint-security-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md index 224e98128d..cd32193536 100644 --- a/docs/integrations/saas-cloud/symantec-endpoint-security-service.md +++ b/docs/integrations/saas-cloud/symantec-endpoint-security-service.md @@ -240,7 +240,7 @@ Use this dashboard to: ### Events Overview -Symantec Endpoint Security - Events Overview dashboard provides details on security events, their severity, types, and geographical distribution across the protected endpoints. +The **Symantec Endpoint Security - Events Overview** dashboard provides details on security events, their severity, types, and geographical distribution across the protected endpoints. Use this dashboard to: * Quickly assess the overall security posture by viewing the total events, high severity events, and suspicious files counts at the top of the dashboard.