Release history for the Splunk Add-on for Symantec Endpoint Protection
Latest release
The latest version of the Splunk Add-on for Symantec Endpoint Protection is version 3.5.0. See Release notes for the Splunk Add-on for Symantec Endpoint Protection for the release notes of this latest version.
Version 3.4.0
Compatibility
Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.2, 7.3, 8.0, 8.1, 9.0 |
CIM | 5.0.1 |
Platforms | Windows for the data collection node |
Vendor Products | Symantec Endpoint Protection versions 14.0 to 14.2RU2, 14.3.35 RU1 MP1, 14.3RU4 |
New features
Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:
- Compatibility with the latest Symantec Endpoint Protection version, 14.3RU4.
- Support for Splunk Common Information Model version 5.0.1.
- Added sc_admin role for compatibility with Splunk Cloud.
- Fixed the extractions for change_type and object_category for policy events.
Fixed issues
Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.
Known issues
Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.
Version 3.3.0
Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection was released on April 29, 2021.
Compatibility
Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.2, 7.3, 8.0, 8.1 |
CIM | 4.19.0 |
Platforms | Windows for the data collection node |
Vendor Products | Symantec Endpoint Protection versions 14.0 to 14.2RU2, 14.3.35 RU1 MP1 |
New features
Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:
- Added support for the latest vendor product version, Symantec Endpoint Protection 14.3.35 RU1 MP1.
- Added support for the latest Splunk Common Information Model version, 4.19.0.
Fixed issues
Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.
Known issues
Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.
Vendor Limitations
Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) logging issues.
- The add-on does not support Symantec Endpoint Protection 14.3.33 RU1 because that release had issues that the vendor fixed in a later version.
Version 3.2.0
Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection was released on October 26, 2020.
Compatibility
Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.2, 7.3, 8.0, 8.1 |
CIM | 4.17.0 |
Platforms | Windows for the data collection node |
Vendor Products | Symantec Endpoint Protection versions 14.0 to 14.2RU2, 14.3RU4 |
New features
Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:
- Improved CIM mapping.
- Updated TA code and text to remove biased language.
Fixed issues
Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.
Date resolved | Issue number | Description |
---|---|---|
2020-10-19 | ADDON-30219 | Events containing the text "not blocked" had their action identified as "blocked" instead of "allowed". |
Known issues
Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.
Version 3.1.0
Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection was released on May 29, 2020.
Compatibility
Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0 or later |
CIM | 4.15.0 |
Platforms | Windows for the data collection node |
Vendor Products | Symantec Endpoint Protection versions 14.0 to 14.2RU2 |
New features
Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:
- Support for Syslog events
- Improved CIM mapping
- New Splunk Connect for Syslog filter
- Removed the malware category lookup symantec_ep_malware_categories.csv and the associated configuration page.
Fixed issues
Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.
Known issues
Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.
Date filed | Issue number | Description |
---|---|---|
2020-10-19 | ADDON-30219 | Events containing the text "not blocked" had their action identified as "blocked" instead of "allowed". |
Version 3.0.1
Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection was released on March 10, 2020.
Compatibility
Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0 or later |
CIM | 4.15.0 |
Platforms | Windows for the data collection node |
Vendor Products | Symantec Endpoint Protection versions 14.0 to 14.2RU2 |
New features
Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:
- FIPS compatibility.
- Support for the new vendor product versions 14.2RU1 and 14.2RU2.
Fixed issues
Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.
Date resolved | Issue number | Description |
---|---|---|
2020-02-05 | ADDON-21970 | SEP: Transforms no longer match after upgrade to SEP 14.2 RU1 |
Known issues
Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.
Date filed | Issue number | Description |
---|---|---|
2020-03-02 | ADDON-25447 | The value of Event_Description field is trimmed after single quote for sourcetype symantec:ep:admin:file for 14.2RU2 |
Third-party software attributions
Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection incorporates the following:
Version 3.0
Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection was released on November 21, 2017.
Compatibility
Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0 or later |
CIM | 4.2 or later |
Platforms | Windows for the data collection node |
Vendor Products | Symantec Endpoint Protection version 12.x and 14.x |
New features
Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:
- Python 3 support.
Fixed issues
Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.
Known issues
Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.
Date filed | Issue number | Description |
---|---|---|
2019-05-10 | ADDON-21970 | SEP: Transforms no longer match after upgrade to SEP 14.2 RU1. Workaround: Upgrade to v3.0.1 from Splunkbase. |
Third-party software attributions
Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the following:
Version 2.3.0
Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection was released on November 21, 2017.
Compatibility
Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 6.6, 7.0, 7.1, 7.2 |
CIM | 4.2 or later |
Platforms | Windows for the data collection node |
Vendor Products | Symantec Endpoint Protection version 12.x and 14.x |
New features
Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:
- Support for Symantec Endpoint Protection version 14.x.
Fixed issues
Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following issues.
Date resolved | Issue number | Description |
---|---|---|
2017-11-17 | ADDON-13665 | Malware_Attack DM has missing fields for Symantec data. |
2017-10-25 | ADDON-13605 | Missing Symantec_ep.conf.spec file |
Known issues
Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following known issues.
Date filed | Issue number | Description |
---|---|---|
2019-05-10 | ADDON-21970 | SEP: Transforms no longer match after upgrade to SEP 14.2 RU1. Workaround: Upgrade to v3.0.1 from Splunkbase. |
Third-party software attributions
Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.
Version 2.2.0
Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 6.3 or later |
CIM | 4.2 or later |
Platforms | Windows for the data collection node |
Vendor Products | Symantec Endpoint Protection version 12.X and later |
New features
Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:
- When configured to automatically update the malware category lookup table with the latest list of threats and risks from Symantec, the add-on now supports the following proxy types: http, http_no_tunnel, socks4, and socks5.
- Compatibility with the extended Malware data model, including the vector-url and vector-sender fields introduced in version 4.5.0 of the Splunk Common Information Model.
Fixed issues
Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following fixed issues.
Date resolved | Issue number | Description |
---|---|---|
2016-11-27 | ADDON-11994 | Incorrect mapping for 'app' in eventtype 'symantec_ep_traffic' |
2016-11-24 | ADDON-11877 | Updating proxy settings in Splunk Web on Linux does not take effect until the next interval |
2016-11-22 | ADDON-12268 | Fails to run malware lookup table update when the add-on is installed on a non-clustered search head connected to an indexer cluster |
2016-11-07 | ADDON-10944 | Stanza field_extraction_for_agt_risk in transforms.conf is not correctly configured |
2016-10-17 | ADDON-9438 | The malware_category_update.py script removes the lookups when SYMC is unreachable |
2016-10-17 | ADDON-9427 | Fails to update the malware lookup table when the management port is not the default 8089 |
Known issues
Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following known issues.
Date filed | Issue number | Description |
---|---|---|
2017-02-27 | ADDON-13866 | File_hash is not extracted correctly for sourcetype=Symantec:ep_proactive:file |
2017-02-20 | ADDON-13665 | Malware_Attack DM has missing fields for Symantec data. |
2017-02-13 | ADDON-13605 | Missing Symantec_ep.conf.spec file |
2016-11-25 | ADDON-12390 | Updating the proxy setting from the UI on Windows will not take effect until the next interval if the operation times out. Workaround: Perform one of the following: |
2016-11-03 | ADDON-11939, ADDON-12652 | On Windows, when you set up the add-on through Splunk Web and save settings, the read operation timeout error message sometimes appears. Workaround: Refresh the page. If you enable proxy, wait until the next interval for the updated proxy settings to take effect. |
2015-10-20 | ADDON-6124 | When you set up the add-on through Splunk Web on a search head cluster member, the settings will not take effect until all cluster members are restarted. Workaround: Rolling-restart search cluster members after setup. |
2015-10-20 | ADDON-6123 | When you distribute the add-on configurations using Deployer, proxy with authentication fails |
Third-party software attributions
Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.
Version 2.1.1
Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection was released on April 1, 2016. Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 6.0 or later |
CIM | 4.2 or later |
Platforms | Windows for the data collection node |
Vendor Products | Symantec Endpoint Protection version 12.X and higher |
Migration guide
The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.
Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.
Fixed issues
Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection has the following fixed issues.
Date | Issue number | Description |
---|---|---|
2016-02-24 | ADDON-7952 | Performance issues in Splunk Enterprise Security due to tag expansions. |
Known issues
Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection has the following known issues.
Date | Issue number | Description |
---|---|---|
2016-01-30 | ADDON-7646 | FIPS mode is not supported by this add-on. For a workaround, see Add-ons and FIPS mode in the Splunk Add-ons manual. |
2016-01-13 | ADDON-5325 | requireClientCert=true in server.conf is not supported by add-ons using modular inputs and REST. If this setting is enabled in server.conf, communication is broken between the modular input and splunkd and the add-on stops collecting data. The following error appears in splunkd.log: "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate." The workaround is to set requireClientCert=false. |
2015-10-20 | ADDON-6124 / SPL-108412 | When you perform setup from the UI on a search head in a search head cluster, changes will not take effect until a rolling restart of the search head cluster members. |
2015-06-08 | ADDON-4199 / SPL-103281 | Validation error message on the UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully. |
2015-06-04 | ADDON-4173 / SPL-91709 | Setup screen takes a long time to save on Windows for Splunk platform versions 6.3.x or earlier. Workaround: Upgrade to version 6.4.0. |
Third-party software attributions
Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.
Version 2.1.0
Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the same compatibility specifications as version 2.1.1.
Migration guide
The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.
Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.
New Features
Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following enhancements.
Date | Issue number | Description |
---|---|---|
2015-10-05 | ADDON-5859 | Minor update for Splunk Add-on for Symantec Endpoint Protection which includes improvements to readability and maintainability. The complex regular expression has been rewritten using modular regex and named group capture and more comments have been added. |
2015-10-05 | ADDON-6012 | Added mapping for traffic file to the Network Traffic CIM model. All traffic events are now mapped to the Network Traffic model. |
2015-11-12 | ADDON-6345 | Added mapping for inbound blocked events in traffic file to Intrusion Detection CIM model. |
2015-10-12 | ADDON-4769 | Refine eventtype symantec_ep_behavior: remove Malware and Operations tags from this event type and refine event type search to include blocked operations and exclude everything else. |
2015-10-20 | ADDON-6055 | Add "category" and "description" for each source type with pulldown_type=true so the source types for the add-on are listed in the Network & Security category on the data input page. |
Fixed issues
Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following fixed issues.
Date | Issue number | Description |
---|---|---|
2015-10-21 | ADDON-4286 | Automatic updates to malware category lookup file are not supported on a search head cluster. |
2015-10-08 | ADDON-4768 | The last two fields for field_extraction_for_agt_risk and field_extraction_for_agt_behavior are not always included in logs for SEP manager. These fields have been set to be optional for extraction. |
2015-10-13 | ADDON-6010 | Unable to update the proxy setting from the back end when the add-on is installed on Windows with Splunk platform version 6.3. |
2015-11-12 | ADDON-6313 | Field enhancements: extract and clean more fields which are not mapped to the CIM. Add and update fields that map to the CIM. Set the field value to be null if it is blank or empty. |
2015-11-17 | ADDON-6471 | Changes needed to transforms.conf and props.conf to discard header rows for each source type. |
2015-10-22 | ADDON-6142 | Add src and src_ip fields for eventtypes symantec_ep_risk and symantec_ep_proactive for CIM: Malware. |
2015-12-01 | ADDON-6473 | Split event type symantec_ep_risk_alert_suspicious into symantec_ep_risk_alert_suspicious and symantec_ep_risk_alert_suspicious_attack. |
2015-11-17 | ADDON-6474 | vendor_product CIM field missing. |
2015-11-25 | ADDON-6511 | Domain extraction bug. |
2015-11-03 | ADDON-4285 | Internal log isn't sourcetyped. |
Known issues
Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following known issues.
Date | Issue number | Description |
---|---|---|
2016-01-30 | ADDON-7646 | FIPS mode is not supported by this add-on. For a workaround, see Add-ons and FIPS mode in the Splunk Add-ons manual. |
2016-01-13 | ADDON-5325 | requireClientCert=true in server.conf is not supported by add-ons using modular inputs and REST. If this setting is enabled in server.conf, communication is broken between the modular input and splunkd and the add-on stops collecting data. The following error appears in splunkd.log: "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate." The workaround is to set requireClientCert=false. |
2015-10-20 | ADDON-6124 / SPL-108412 | When you perform setup from the UI on a search head in a search head cluster, changes will not take effect until a rolling restart of the search head cluster members. |
2015-06-08 | ADDON-4199 / SPL-103281 | Validation error message on the UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully. |
2015-06-04 | ADDON-4173 / SPL-91709 | Setup screen takes a long time to save on Windows. |
Third-party software attributions
Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.
Version 2.0.1
Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection has the same compatibility specifications as version 2.1.0.
Migration guide
The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.
Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.
Fixed issues
Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection had the following fixed issue.
Date | Issue number | Description |
---|---|---|
06/26/15 | ADDON-4339 | Global stanza in default/props.conf applies to all add-ons, causing KV extraction to fail, as well as anything that relies on the KV extraction. |
Known issues
Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection had the following known issues.
Date | Issue number | Description |
---|---|---|
06/17/15 | ADDON-4286 | Automatic updates to malware category lookup file are not supported on a search head cluster. |
06/08/15 | ADDON-4199 / SPL-103281 | Validation error message on the UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully. |
06/04/15 | ADDON-4173 / SPL-91709 | Setup screen takes a long time to save on Windows. |
Third-party software attributions
Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.
Version 2.0.0
Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection has the same compatibility specifications as version 2.0.1.
Migration guide
The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.
Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.
New features
Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection had the following new features.
Date | Issue number | Description |
---|---|---|
05/31/15 | ADDON-721 / ADDON-3760 | Splunk-supported add-on for Symantec Endpoint Protection 12.x. |
Known issues
Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection had the following known issues.
Date | Issue number | Description |
---|---|---|
06/26/15 | ADDON-4339 | Global stanza in default/props.conf applies to all add-ons, causing KV extraction to fail, as well as anything that relies on the KV extraction. |
06/17/15 | ADDON-4286 | Automatic updates to malware category lookup file are not supported on a search head cluster. |
06/08/15 | ADDON-4199 / SPL-103281 | Validation error message on the UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully. |
06/04/15 | ADDON-4173 / SPL-86716 | Setup screen takes a long time to save on Windows. |
Third-party software attributions
Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.