Route sep syslog to correct sub-sourcetype

CSVD · May 7, 2020 · 474ffa0 · 474ffa0
1 parent 9d01492
commit 474ffa0
Show file tree

Hide file tree

Showing 4 changed files with 234 additions and 7 deletions.
diff --git a/package/etc/conf.d/filters/symantec/ep.conf b/package/etc/conf.d/filters/symantec/ep.conf
@@ -1,3 +1,51 @@
 filter f_symantec_ep {
     program("SymantecServer")
+};
+
+filter f_symantec_ep_proactive {
+    message(',Detection\stype:')
+};
+
+filter f_symantec_ep_risk {
+    message(',Risk\sname:')
+};
+
+filter f_symantec_ep_agt_system {
+    message(',Category:\s\d+,')
+};
+
+filter f_symantec_ep_packet {
+    message(',(?:Inbound|Outbound|Unknown),Application:')
+};
+
+filter f_symantec_ep_traffic {
+    message(',(?:Inbound|Outbound|Unknown),Begin(?:\sTime)?:')
+};
+
+filter f_symantec_ep_security {
+    message('CIDS\sSignature\sSubID:')
+};
+
+filter f_symantec_ep_scan {
+    message('Scan\sID:\s\d+')
+};
+
+filter f_symantec_ep_behavior {
+    message('Begin(?:\sTime)?:\s[^,]*,End(?:\sTime)?:')
+};
+
+filter f_symantec_ep_policy {
+    message('Admin:\s[^,]+,.*[Pp]olicy')
+};
+
+filter f_symantec_ep_admin {
+    message('Domain(?:\sName)?:\s[^,]{0,25},Admin:')
+};
+
+filter f_symantec_ep_agent {
+    message('(?:,The\smanagement\sserver|,The\sclient)')
+};
+
+filter f_symantec_ep_scm_system {
+    message('Site:\s[^,]+,Server(?:\sName)?:\s[^,]+,')
 };
diff --git a/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl
@@ -21,15 +21,78 @@ log {
         };
     };
 
-
+    if {
+        filter(f_symantec_ep_proactive);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:proactive:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_risk);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:risk:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_agt_system);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:agt:system:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_packet);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:packet:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_traffic);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:traffic:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_security);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:security:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_scan);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:scan:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_behavior);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:behavior:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_policy);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:policy:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_admin);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:admin:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_agent);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:agent:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_scm_system);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:scm:system:syslog"), index("epav"))
+        };
+    } else {
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:syslog"), index("epav"))
+        };
+    };
     rewrite {
-        set("symantec_ep_syslog", value("fields.sc4s_vendor_product"));
-        r_set_splunk_dest_default(sourcetype("symantec:ep:syslog"), index("epav"))
+        set("Symantec Endpoint Protection", value("fields.sc4s_vendor_product"));
     };
-    parser { p_add_context_splunk(key("symantec_ep_syslog")); };
+    parser { p_add_context_splunk(key("symantec_ep")); };
 
     parser (compliance_meta_by_source);
-    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
 
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_SYMANTEC_EP_HEC" "no")) }}
     destination(d_hec);

diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
@@ -70,7 +70,7 @@
 #sc4s_events,index,main
 #sc4s_fallback,index,main
 #sc4s_metrics,index,em_metrics
-#symanrtec_ep,index,epav
+#symantec_ep,index,epav
 #vmware_nsx,index,main
 #zscaler_alerts,index,main
 #zscaler_dns,index,netdns

diff --git a/tests/test_symantec_ep.py b/tests/test_symantec_ep.py
@@ -30,7 +30,123 @@ def test_symantec_ep_agent(record_property, setup_wordlist, setup_splunk, setup_
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(
-        'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="symantec:ep:syslog"'
+        'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="symantec:ep:agent:syslog"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
+
+# Apr 14 10:41:51 xxxxx-xxxxx SymantecServer: yyyyyy,Category: 2,LiveUpdate Manager,Event Description: A LiveUpdate session ran successfully.  No new updates were available.,Event time: 2020-04-14 10:41:33,Group Name: My Company\Default Group
+def test_symantec_ep_agt_system(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }}{{ bsd }} {{host}} " + r"SymantecServer: yyyyyy,Category: 2,LiveUpdate Manager,Event Description: A LiveUpdate session ran successfully.  No new updates were available.,Event time: 2020-04-14 10:41:33,Group Name: My Company\Default Group"
+    )
+    message = mt.render(mark="<13>", bsd=bsd, host=host)
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="symantec:ep:agt:system:syslog"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
+
+# Apr 14 09:07:42 xxxxx-xxxxx SymantecServer: Site: Site xxxxx-xxxxx,Server Name: xxxxx-xxxxx,Event Description: No updates found for Application Control Data 14.2 RU2.
+def test_symantec_ep_scm_system(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }}{{ bsd }} {{host}} " + "SymantecServer: Site: Site xxxxx-xxxxx,Server Name: xxxxx-xxxxx,Event Description: No updates found for Application Control Data 14.2 RU2."
+    )
+    message = mt.render(mark="<13>", bsd=bsd, host=host)
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="symantec:ep:scm:system:syslog"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
+
+# Apr 14 10:03:23 xxxxx-xxxxx SymantecServer: Scan ID: 1581582179,Begin: 2020-04-14 10:01:04,End Time: 2020-04-14 10:02:14,Completed,Duration (seconds): 70,User1: Spiderman,User2: Spiderman,Scan started on selected drives and folders and all extensions.,Scan Complete:  Risks: 0   Scanned: 1062   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 698,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1062,Omitted: 0,Computer: yyyyyyy,IP Address: 1.1.1.1,Domain Name: Default,Group Name: My Company\Preprod Tuesday,Server Name: xxxxx-xxxxx
+def test_symantec_ep_scan(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }}{{ bsd }} {{host}} " + r"SymantecServer: Scan ID: 1581582179,Begin: 2020-04-14 10:01:04,End Time: 2020-04-14 10:02:14,Completed,Duration (seconds): 70,User1: Spiderman,User2: Spiderman,Scan started on selected drives and folders and all extensions.,Scan Complete:  Risks: 0   Scanned: 1062   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 698,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1062,Omitted: 0,Computer: yyyyyyy,IP Address: 1.1.1.1,Domain Name: Default,Group Name: My Company\Preprod Tuesday,Server Name: xxxxx-xxxxx"
+    )
+    message = mt.render(mark="<13>", bsd=bsd, host=host)
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="symantec:ep:scan:syslog"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
+
+# Apr 14 10:42:32 xxxxx-xxxxx SymantecServer: yyyyyy,...,Blocked,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,,Begin: 2020-04-14 10:36:40,End Time: 2020-04-14 10:36:40,Rule: ,3248,C:\PROGRAM FILES (X86)\BIGFIX ENTERPRISE\BES CLIENT\BESCLIENT.EXE,0,,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,User Name: SYSTEM,Domain Name: ,Action Type: 55,File size (bytes): ,Device ID: 
+def test_symantec_ep_behavior(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }}{{ bsd }} {{host}} " + r"SymantecServer: yyyyyy,...,Blocked,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,,Begin: 2020-04-14 10:36:40,End Time: 2020-04-14 10:36:40,Rule: ,3248,C:\PROGRAM FILES (X86)\BIGFIX ENTERPRISE\BES CLIENT\BESCLIENT.EXE,0,,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,User Name: SYSTEM,Domain Name: ,Action Type: 55,File size (bytes): ,Device ID: "
+    )
+    message = mt.render(mark="<13>", bsd=bsd, host=host)
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="symantec:ep:behavior:syslog"'
     )
     search = st.render(epoch=epoch, host=host)