
Improve Symantec Endpoint Protection (SEP) rules and decoders

Open Lopuiz opened this issue 5 years ago • 0 comments

Hi team,

Some rules and decoders exist for Symantec products. They can be found in the 0120-symantec-av_rules.xml, 0125-symantec-ws_rules.xml and 0330-symantec_decoders.xml files.

These rules have not been modified for three years and now have some flaws. For example:

  1. Rule 7320 is not correct.

     Event number 13 fires Symantec AntiVirus Shutdown.

     And the following rule says event 13 occurs when the scan is started or stopped.

     https://github.com/wazuh/wazuh-ruleset/blob/725a0155cfde0a849729d9d174f03e1453e31242/rules/0120-symantec-av_rules.xml#L29-L34

  2. The symantec-av decoder also doesn't seem to match SEP logs:

     https://github.com/wazuh/wazuh-ruleset/blob/725a0155cfde0a849729d9d174f03e1453e31242/decoders/0330-symantec_decoders.xml#L17-L22

  3. Rules only exist for the Eventlog log format and not for the Eventchannel log format.

We could improve the rules and decoders using the following information: Symantec Endpoint Protection 12.1.x event log entries

Best regards, Eva

Lopuiz, Sep 30 '19 11:09