AlienVault® USM Anywhere™

Symantec ATP

When you configure Symantec ATP to send log data to USM Anywhere, you can use the Symantec ATP plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Symantec
Device Type EndPoint Security
Connection Type Syslog

Integrating Symantec ATP

Before you configure the Symantec ATP integration, you must have the IP Address of the USM Anywhere Sensor.

To configure Symantec ATP to send log data to the USM Anywhere Sensor

  1. From the ATP Manager, select Settings > Appliances, then click Edit - Default Appliance Settings.
  2. In the Syslog panel, click +Add Syslog Server.
  3. In the Add Syslog Server dialog box:
    • In the Host field, enter the IP address of the USM Anywhere sensor.
    • In the Protocol field, select UDP.
    • In the Port field, enter 514.
  4. Click Save.

Plugin Enablement

The Symantec ATP plugin automatically processes all messages when the raw message contains "Symantec|ATPU" or "Symantec|SEDR".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_3
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • destination_address
  • destination_port
  • device_external_id
  • device_nt_domain
  • event_name
  • http_referer
  • malware_family
  • malware_variant
  • operating_system
  • rep_device_address
  • rep_device_hostname
  • reputation_score
  • source_address
  • source_hostname
  • source_mac
  • source_port
  • source_user_group
  • source_username
  • timestamp_occured
  • time_end
  • time_start

Additional Resources and Troubleshooting

http://help.symantec.com/api/productGroups/SATP_P_QA/products/ATP_P/pdfcontents/v106663531_v113989298/title

For troubleshooting, refer to the vendor documentation:

https://support.symantec.com/en_US/article.DOC9155.html

https://www.symantec.com/connect/topics/how/troubleshooting