Updates have been made to SIEM's Symantec Endpoint Protection rule set. All rules are affected by the change across all versions of the SIEM.
Date: May 27, 2015
Affected Data Sources: Vendor: Symantec
Data Source Model: Endpoint Protection (ASP)
ESM Version: 9.2.0 and above
Description:
The entire rule set for Symantec Endpoint Protection has been reviewed, and all rules within that rule set have been refined. Each rule will now denote the source/type of log in the Category field, and ESM field mappings will be more consistent within those categories.
As part of those changes, many new ESM fields are being populated in existing rules. A few rules will also stop populating some ESM fields, both to gather more relevant data and to keep field usage consistent. The goal of this effort is to improve parsing and correlation for this data source. All rules within this data source will be affected by this change.
Deprecated Items:
The following rules are being deprecated for any of the following reasons: duplicate rules, overly greedy matches covering multiple types of events, and rule consolidation.
- Rule 1022417 will be replaced by rule 1027618.
- Rules 1055670 and 1055671 will be replaced by new rule 1064408.
- Rule 1017540 will be replaced by new rules 1064411, 1064410, and 1064408.
- Rule 1022414 will be replaced by new rule 1064410.
- Rule 1022429 will be replaced by rule 1049061.
- Rule 1027622 will be replaced by new rules 1064408 and 1064411.
- Rule 1022416 will be replaced by rule 1049061.
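As an added illustration that is not part of this advisory, the following Python audits exported alarm definitions for references to the deprecated rule IDs listed above and proposes the rewritten ID set; the deprecation map is taken from the list, while the "name|id,id" export layout it parses is a constructed placeholder, not ESM's real export format.

```python
# Added example, not part of the advisory: audit alarm definitions for the
# rule IDs this update deprecates. Map is from the advisory; the export format
# ("name|id,id") is a constructed placeholder, not ESM's real export layout.

DEPRECATED = {
    "1022417": ["1027618"],
    "1055670": ["1064408"],
    "1055671": ["1064408"],
    "1017540": ["1064411", "1064410", "1064408"],
    "1022414": ["1064410"],
    "1022429": ["1049061"],
    "1027622": ["1064408", "1064411"],
    "1022416": ["1049061"],
}

SAMPLE_EXPORT = """\
SEP Malware Detected|1017540,1022417
SEP Scan Summary|1049061
SEP Quarantine Failed|1055670,1055671,1064408
"""

def parse_export(text):
    """Parse the constructed 'name|id,id' lines into (name, [ids]) pairs."""
    entries = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        name, ids = line.split("|", 1)
        entries.append((name, [i.strip() for i in ids.split(",") if i.strip()]))
    return entries

def audit(text, deprecated=DEPRECATED):
    """Flag alarms that reference deprecated IDs and propose the rewritten set."""
    findings = []
    for name, ids in parse_export(text):
        hits = [i for i in ids if i in deprecated]
        if not hits:
            continue
        # Swap each deprecated ID for its replacement(s); keep order, drop dupes.
        new_ids = []
        for i in ids:
            for r in deprecated.get(i, [i]):
                if r not in new_ids:
                    new_ids.append(r)
        # A one-to-many replacement splits a broad rule into narrower ones, so
        # the alarm's intent must be rechecked by a person, not rewritten blindly.
        findings.append({"alarm": name, "deprecated": hits, "replacement_ids": new_ids,
                         "needs_review": any(len(deprecated[h]) > 1 for h in hits)})
    return findings
```

Alarms whose only deprecated references have a single replacement can be rewritten mechanically; the rest are flagged for review.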
Changed Items:
All rules in the rule set will be updated for consistency within log types, and some ESM fields have been added or removed in that effort.
Added Items:
43 new rules have been added to cover more event types and to improve parsing for events that were already covered.