Lookups for the Splunk Add-on for Symantec Endpoint Protection
The Splunk Add-on for Symantec Endpoint Protection has the following lookups that map fields from Symantec Endpoint Protection Manager systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_symantec-ep/lookups.
| Filename | Description |
|---|---|
| symantec_ep_admin_authentication_action.csv | Maps the event_description field to a CIM-compliant action value |
| symantec_ep_actions.csv | Maps vendor_action to action |
| symantec_ep_admin_actions_340.csv | Maps vendor_action to action, vendor_action |
| symantec_ep_icmp_types.csv | Maps icmp_type_code to icmp_type_name, icmp_type_code |
| symantec_ep_severity.csv | Maps vendor_severity to severity |
| symantec_ep_alert_type_340.csv | Maps description to type, severity |
| symantec_ep_authentication_fields.csv | Maps description to action, reason |
| symantec_ep_change_action_340.csv | Maps event_action to action |
| symantec_ep_change_data_model_fields_340.csv | Maps vendor_action to status, change_type, object_category |
| symantec_ep_data_model_340.csv | Maps event_description to cim_data_model, dataset |
| symantec_ep_endpoint_service_fields.csv | Maps description to service, service_name, status |