
Release history for the Splunk Add-on for Symantec Endpoint Protection

The latest version of the Splunk Add-on for Symantec Endpoint Protection is version 4.0.0. See Release notes for the Splunk Add-on for Symantec Endpoint Protection for the release notes of this latest version.

Version 3.4.1

Version 3.4.1 of the Splunk Add-on for Symantec Endpoint Protection was released on .

Compatibility

Version 3.4.1 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3, 8.0, 8.1, 9.0
CIM: 5.0.2
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2RU2, 14.3.35 RU1 MP1, 14.3RU4

New features

Version 3.4.1 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Support for the Splunk Common Information Model version 5.0.2.

Fixed issues

Version 3.4.1 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.

  • Corrected the extractions of the signature CIM field and the End_Time and Event_Insert_Time fields for the symantec:ep:proactive:file/syslog sourcetype.

Known issues

Version 3.4.1 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.

Version 3.4.0

Compatibility

Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3, 8.0, 8.1, 9.0
CIM: 5.0.1
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2RU2, 14.3.35 RU1 MP1, 14.3RU4

New features

Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Compatibility with the latest Symantec Endpoint Protection version, 14.3RU4.
  • Support for the Splunk Common Information Model version 5.0.1.
  • Added sc_admin role for compatibility with Splunk Cloud.
  • Fixed the extractions for change_type and object_category for policy events.

Fixed issues

Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.

Known issues

Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.

Version 3.3.0

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection was released on April 29, 2021.

Compatibility

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3, 8.0, 8.1
CIM: 4.19.0
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2RU2, 14.3.35 RU1 MP1

New features

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Added support for the latest vendor product version, Symantec Endpoint Protection 14.3.35RU1 MP1.
  • Added support for the latest Splunk Common Information Model version, 4.19.0.

Fixed issues

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.

Known issues

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.

Vendor Limitations

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) logging issues.

  • The add-on does not support Symantec Endpoint Protection version 14.3.33RU1 because that release had issues that the vendor fixed in a later version.

Version 3.2.0

Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection was released on October 26, 2020.

Compatibility

Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3, 8.0, 8.1
CIM: 4.17.0
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2RU2, 14.3RU4

New features

Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Improved CIM mapping.
  • Updated TA code and text to remove biased language.

Fixed issues

Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.

Known issues

Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.

Version 3.1.0

Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection was released on May 29, 2020.

Compatibility

Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.0 or later
CIM: 4.15.0
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2RU2

New features

Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Support for Syslog events
  • Improved CIM mapping
  • New Splunk Connect for Syslog filter
  • Removed malware category lookup symantec_ep_malware_categories.csv and the associated configuration page.

Fixed issues

Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.

Known issues

Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.

Version 3.0.1

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection was released on March 10, 2020.

Compatibility

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.0 or later
CIM: 4.15.0
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2RU2

New features

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • FIPS compatibility.
  • Support for new vendor product versions 14.2RU1 and 14.2RU2.

Fixed issues

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.

Known issues

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.

Third-party software attributions

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection incorporates the following:

Version 3.0

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection was released on November 21, 2017.

Compatibility

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.0 or later
CIM: 4.2 or later
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 12.x and 14.x

New features

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Python 3 support.

Fixed issues

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.

Known issues

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.

Third-party software attributions

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the following:

Version 2.3.0

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection was released on November 21, 2017.

Compatibility

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.6, 7.0, 7.1, 7.2
CIM: 4.2 or later
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 12.x and 14.x

New features

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Support for Symantec Endpoint Protection version 14.x.

Fixed issues

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following issues.

Known issues

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection contains no known issues.

Third-party software attributions

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.

Version 2.2.0

Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.3 or later
CIM: 4.2 or later
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection version 12.X and later

New features

Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • In the setup that automatically updates the malware category lookup table with the latest list of threats and risks from Symantec, the add-on now supports the following proxy types: http, http_no_tunnel, socks4, and socks5.
  • Compatibility with the Malware data model as extended with the vector-url and vector-sender fields introduced in version 4.5.0 of the Splunk Common Information Model.

Fixed issues

Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following fixed issues.

Known issues

Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following known issues.

Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.

Version 2.1.1

Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection was released on April 1, 2016. Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.0 or later
CIM: 4.2 or later
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection version 12.X and higher

Migration guide

The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.

Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.

Fixed issues

Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection has the following fixed issues.

Date Issue number Description
2016-02-24 ADDON-7952 Performance issues in Splunk Enterprise Security due to tag expansions.

Known issues

Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection has the following known issues.

Date Issue number Description
2016-01-30 ADDON-7646 FIPS mode is not supported by this add-on. For a workaround, see Add-ons and FIPS mode in the Splunk Add-ons manual.
2016-01-13 ADDON-5325 requireClientCert=true in server.conf is not supported by add-ons using modular inputs and REST. If this setting is enabled in server.conf, communication is broken between the modular input and splunkd and the add-on stops collecting data. The following error appears in splunkd.log: "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate." The workaround is to set requireClientCert=false.
2015-10-20 ADDON-6124/SPL-108412 When performing setup from the UI on a search head in a search head cluster, changes do not take effect until a rolling restart of the search head cluster members.
2015-06-08 ADDON-4199/SPL-103281 Validation error message on the UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully.
2015-06-04 ADDON-4173/SPL-91709 Setup screen takes a long time to save on Windows for Splunk platform versions 6.3.x or earlier. Workaround: Upgrade to version 6.4.0.

Third-party software attributions

Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.

Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the same compatibility specifications as version 2.1.1.

Migration guide

The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.

Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.

New Features

Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following enhancements.

Date Issue number Description
2015-10-05 ADDON-5859 Minor update for Splunk Add-on for Symantec Endpoint Protection which includes improvements to readability and maintainability. The complex regular expression has been rewritten using modular regex and named group capture and more comments have been added.
2015-10-05 ADDON-6012 Added mapping for traffic file to the Network Traffic CIM model. All traffic events are now mapped to the Network Traffic model.
2015-11-12 ADDON-6345 Added mapping for inbound blocked events in traffic file to Intrusion Detection CIM model.
2015-10-12 ADDON-4769 Refine eventtype symantec_ep_behavior: remove Malware and Operations tags from this event type and refine event type search to include blocked operations and exclude everything else.
2015-10-20 ADDON-6055 Add “category” and “description” for each source type with pulldown_type=true so the source types for the add-on are listed in the Network & Security category on the data input page.

Fixed issues

Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following fixed issues.

Date Issue number Description
2015-10-21 ADDON-4286 Automatic updates to malware category lookup file are not supported on a search head cluster.
2015-10-08 ADDON-4768 The last two fields for field_extraction_for_agt_risk and field_extraction_for_agt_behavior are not always included in logs for SEP manager. These fields have been set to be optional for extraction.
2015-10-13 ADDON-6010 Unable to update proxy setting from back-end when add-on installed on Windows using Splunk platform version 6.3.
2015-11-12 ADDON-6313 Field enhancements: extract and clean more fields which are not mapped to the CIM. Add and update fields that map to the CIM. Set the field value to be null if it is blank or empty.
2015-11-17 ADDON-6471 Changes needed to transforms.conf and props.conf to discard header rows for each source type.
2015-10-22 ADDON-6142 Add src and src_ip fields for eventtypes symantec_ep_risk and symantec_ep_proactive for CIM: Malware.
2015-12-01 ADDON-6473 Split event type symantec_ep_risk_alert_suspicious into symantec_ep_risk_alert_suspicious and symantec_ep_risk_alert_suspicious_attack.
2015-11-17 ADDON-6474 vendor_product CIM field missing.
2015-11-25 ADDON-6511 Domain extraction bug.
2015-11-03 ADDON-4285 Internal log isn’t sourcetyped.

Known issues

Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following known issues.

Date Issue number Description
2016-01-30 ADDON-7646 FIPS mode is not supported by this add-on. For a workaround, see Add-ons and FIPS mode in the Splunk Add-ons manual.
2016-01-13 ADDON-5325 requireClientCert=true in server.conf is not supported by add-ons using modular inputs and REST. If this setting is enabled in server.conf, communication is broken between the modular input and splunkd and the add-on stops collecting data. The following error appears in splunkd.log: "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate." The workaround is to set requireClientCert=false.
2015-10-20 ADDON-6124/SPL-108412 When performing setup from the UI on a search head in a search head cluster, changes do not take effect until a rolling restart of the search head cluster members.
2015-06-08 ADDON-4199/SPL-103281 Validation error message on the UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully.
2015-06-04 ADDON-4173/SPL-91709 Setup screen takes a long time to save on Windows.

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection has the same compatibility specifications as version 2.1.0.

Migration guide

The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.

Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.

Fixed issues

Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection had the following fixed issue.

Date Issue number Description
06/26/15 ADDON-4339 Global stanza in default/props.conf applies to all add-ons, causing KV extraction to fail, as well as anything that relies on the KV extraction.

Known issues

Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection had the following known issues.

Date Issue number Description
06/17/15 ADDON-4286 Automatic updates to malware category lookup file are not supported on a search head cluster.
06/08/15 ADDON-4199/SPL-103281 Validation error message on the UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully.
06/04/15 ADDON-4173/SPL-91709 Setup screen takes a long time to save on Windows.

Third-party software attributions

Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.

Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection has the same compatibility specifications as version 2.0.1.

Migration guide

The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.

Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.

New features

Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection had the following new features.

Date Issue number Description
05/31/15 ADDON-721/ADDON-3760 Splunk-supported add-on for Symantec Endpoint Protection 12.x.

Known issues

Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection had the following known issues.

Date Issue number Description
06/26/15 ADDON-4339 Global stanza in default/props.conf applies to all add-ons, causing KV extraction to fail, as well as anything that relies on the KV extraction.
06/17/15 ADDON-4286 Automatic updates to malware category lookup file are not supported on a search head cluster.
06/08/15 ADDON-4199/SPL-103281 Validation error message on the UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully.
06/04/15 ADDON-4173/SPL-86716 Setup screen takes a long time to save on Windows.

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.