Release notes for the Splunk Add-on for Symantec Endpoint Protection¶
Version 4.0.0 of the Splunk Add-on for Symantec Endpoint Protection was
released on
Compatibility¶
Version 4.0.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.
| Component | Supported versions |
|---|---|
| Splunk platform versions | 9.x, 10.0.x |
| CIM | 6.1.0 |
| Platforms | Windows for the data collection node |
| Vendor Products | Symantec Endpoint Protection versions 14.0 to 14.2RU2, 14.3.35 RU1 MP1, 14.3RU4, 14.3 RU10 |
New features¶
Version 4.0.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:
- Introduced a built-in dashboard that displays the following information:
  - The version of the installed add-on
  - The total number of Symantec Endpoint Protection events ingested in Splunk
  - A time-series graph of the Symantec Endpoint Protection events ingested in Splunk
  - The number of events ingested in the selected indexes and sources
  - Trends of events by index
  - CIM-supported events
- Support for the Splunk Common Information Model version 6.1.0.
- Support for Symantec Endpoint Protection 14.3 RU10.
- CIM support has been added for the new events in the following data models: Change:All_Changes, Alerts:Alerts, Intrusion_Detection:IDS_Attacks, Malware:Malware_Attacks.
Breaking Changes¶
- Field extractions for some events have changed in release 4.0.0. Searches, dashboards and other knowledge objects that rely on the affected fields should be reviewed before upgrading. The affected sourcetypes and fields are listed in the table below.

| Sourcetypes | Fields |
|---|---|
| symantec:ep:admin:file, symantec:ep:admin:syslog | object_attrs, app, object_category, action, object |
| symantec:ep:agent:file, symantec:ep:agent:syslog | object_attrs, object_category, object |
| symantec:ep:agt:system:syslog, symantec:ep:agt_system:file | src, command, vendor_account, interface, result_id, signature, signature_id, src_type, dest_type, object_attrs, change_type, type, app, object_category, mac, severity, object, ip |
| symantec:ep:behavior:file | src, parameter_file_name, caller_process_file_name, signature_id, category, dest_ip, src_ip, file_path, signature, file_name |
| symantec:ep:packet:file | dest_ip, src_ip |
| symantec:ep:policy:file | command, result_id, object_attrs, object, object_category |
| symantec:ep:policy:syslog | object_attrs, object, object_category |
| symantec:ep:proactive:file | dest_ip, severity |
| symantec:ep:scan:file, symantec:ep:scan:syslog | signature, app |
| symantec:ep:scm_system:file, symantec:ep:scm:system:syslog | src, signature_id, src_type, dest_type, object_attrs, type, app, object_category, event_action, cim_data_model, action, object |
| symantec:ep:security:file, symantec:ep:security:syslog | dest_type, src_type, app, src_port, src_ip, signature, src |
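The practical question behind this table is which existing saved searches, alerts and correlation rules name one of the changed fields for one of the affected sourcetypes. The script below is an added example, not part of the Splunk documentation or the add-on itself: it embeds the table above, parses a `savedsearches.conf` and reports, per stanza, the changed fields each search references. The `savedsearches.conf` content is constructed sample input; the sourcetype regex and the token-level field matching are assumptions of this example (they cover `sourcetype=...` with wildcards, not `sourcetype IN (...)`, and may flag a string literal that happens to equal a field name).

```python
"""Audit savedsearches.conf for fields whose extraction changed in
Splunk Add-on for Symantec Endpoint Protection 4.0.0.

Added example, not part of the Splunk documentation or the add-on.
CHANGED_FIELDS is transcribed from the breaking-changes table; SAMPLE_CONF
is constructed sample input.
"""
import configparser
import fnmatch
import re

# (sourcetypes, fields) rows exactly as given in the 4.0.0 breaking-changes table.
_TABLE = [
    ("symantec:ep:admin:file, symantec:ep:admin:syslog",
     "object_attrs, app, object_category, action, object"),
    ("symantec:ep:agent:file, symantec:ep:agent:syslog",
     "object_attrs, object_category, object"),
    ("symantec:ep:agt:system:syslog, symantec:ep:agt_system:file",
     "src, command, vendor_account, interface, result_id, signature, signature_id, "
     "src_type, dest_type, object_attrs, change_type, type, app, object_category, "
     "mac, severity, object, ip"),
    ("symantec:ep:behavior:file",
     "src, parameter_file_name, caller_process_file_name, signature_id, category, "
     "dest_ip, src_ip, file_path, signature, file_name"),
    ("symantec:ep:packet:file", "dest_ip, src_ip"),
    ("symantec:ep:policy:file", "command, result_id, object_attrs, object, object_category"),
    ("symantec:ep:policy:syslog", "object_attrs, object, object_category"),
    ("symantec:ep:proactive:file", "dest_ip, severity"),
    ("symantec:ep:scan:file, symantec:ep:scan:syslog", "signature, app"),
    ("symantec:ep:scm_system:file, symantec:ep:scm:system:syslog",
     "src, signature_id, src_type, dest_type, object_attrs, type, app, object_category, "
     "event_action, cim_data_model, action, object"),
    ("symantec:ep:security:file, symantec:ep:security:syslog",
     "dest_type, src_type, app, src_port, src_ip, signature, src"),
]

# Expand the table into {sourcetype: set of changed field names}.
CHANGED_FIELDS = {
    st.strip(): {f.strip() for f in fields.split(",")}
    for sts, fields in _TABLE
    for st in sts.split(",")
}

# Assumed heuristics: sourcetype=value (optionally quoted, wildcards allowed)
# and bare identifiers as candidate field references.
SOURCETYPE_RE = re.compile(r'sourcetype\s*=\s*"?([\w:.*-]+)"?')
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def impacted_fields(search: str) -> dict[str, set[str]]:
    """Return {sourcetype: changed fields that `search` references}.

    A search that names no sourcetype (e.g. a tstats/datamodel search) is
    checked against every changed field and keyed under '*' for manual review.
    """
    tokens = set(TOKEN_RE.findall(search))
    patterns = SOURCETYPE_RE.findall(search)
    hits: dict[str, set[str]] = {}
    if not patterns:
        used = tokens & set().union(*CHANGED_FIELDS.values())
        if used:
            hits["*"] = used
        return hits
    for pattern in patterns:
        # Wildcards such as symantec:ep:scan:* expand to every matching sourcetype.
        for sourcetype, changed in CHANGED_FIELDS.items():
            if fnmatch.fnmatchcase(sourcetype, pattern):
                used = tokens & changed
                if used:
                    hits[sourcetype] = used
    return hits


def audit_savedsearches(conf_text: str) -> dict[str, dict[str, set[str]]]:
    """Parse savedsearches.conf text; return {stanza: impacted_fields(search)}
    for each stanza whose search touches at least one changed field."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk .conf keys are case-sensitive
    cp.read_string(conf_text)
    report = {}
    for stanza in cp.sections():
        hits = impacted_fields(cp.get(stanza, "search", fallback=""))
        if hits:
            report[stanza] = hits
    return report


# Constructed sample savedsearches.conf (not from any real deployment).
SAMPLE_CONF = """\
[SEP - Admin policy changes]
search = sourcetype=symantec:ep:admin:syslog action=* | stats count by object, app
cron_schedule = */15 * * * *

[SEP - Blocked network packets]
search = sourcetype=symantec:ep:packet:file | stats count by dest_ip, src_ip

[SEP - All scan results]
search = sourcetype=symantec:ep:scan:* | table _time, signature, dest

[SEP - Count by host]
search = sourcetype=symantec:ep:proactive:file | stats count by host
"""

if __name__ == "__main__":
    for stanza, hits in audit_savedsearches(SAMPLE_CONF).items():
        for sourcetype, fields in hits.items():
            print(f"{stanza}: {sourcetype} -> {sorted(fields)}")
```

Run it against the `savedsearches.conf` of each app that searches SEP data (`$SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf`) before upgrading; any stanza it prints needs its field references re-validated against the 4.0.0 extractions. The `*` key marks searches the script could not tie to a sourcetype, which still need a manual look.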
Fixed issues¶
Version 4.0.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.
Known issues¶
Version 4.0.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.