Splunk® Supported Add-ons

Splunk Add-on for Symantec Endpoint Protection


Release history for the Splunk Add-on for Symantec Endpoint Protection

Latest release

The latest version of the Splunk Add-on for Symantec Endpoint Protection is version 3.5.0. See Release notes for the Splunk Add-on for Symantec Endpoint Protection for the release notes of this latest version.

Version 3.4.0

Compatibility

Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3, 8.0, 8.1, 9.0
CIM: 5.0.1
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2 RU2, 14.3.35 RU1 MP1, 14.3 RU4


New features

Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Compatibility with Symantec Endpoint Protection version 14.3 RU4.
  • Support for the Splunk Common Information Model version 5.0.1.
  • Added sc_admin role for compatibility with Splunk Cloud.
  • Fixed the extractions for change_type and object_category for policy events.

Fixed issues

Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.


Known issues

Version 3.4.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.


Version 3.3.0

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection was released on April 29, 2021.

Compatibility

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3, 8.0, 8.1
CIM: 4.19.0
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2 RU2, 14.3.35 RU1 MP1

New features

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Added support for Symantec Endpoint Protection version 14.3.35 RU1 MP1.
  • Added support for Splunk Common Information Model version 4.19.0.


Fixed issues

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.


Known issues

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.



Vendor Limitations

Version 3.3.0 of the Splunk Add-on for Symantec Endpoint Protection has the following vendor limitations.

  • The add-on does not support Symantec Endpoint Protection 14.3.33 RU1, because that release had issues on the vendor side that were fixed in a later vendor release.

Version 3.2.0

Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection was released on October 26, 2020.

Compatibility

Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3, 8.0, 8.1
CIM: 4.17.0
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2 RU2, 14.3 RU4

New features

Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Improved CIM mapping.
  • Updated TA code and text to remove biased language.

Fixed issues

Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.


Date resolved Issue number Description
2020-10-19 ADDON-30219 Events containing the text "not blocked" had their action field set to "blocked" instead of "allowed".

Known issues

Version 3.2.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.



Version 3.1.0

Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection was released on May 29, 2020.

Compatibility

Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.0 or later
CIM: 4.15.0
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2 RU2

New features

Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Support for Syslog events
  • Improved CIM mapping
  • New Splunk Connect for Syslog filter
  • Removed malware category lookup symantec_ep_malware_categories.csv and the associated configuration page.

Fixed issues

Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.


Known issues

Version 3.1.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.


Date filed Issue number Description
2020-10-19 ADDON-30219 Events containing the text "not blocked" have their action field set to "blocked" instead of "allowed". Fixed in version 3.2.0.
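The misclassification in ADDON-30219 (a known issue in 3.1.0, fixed in 3.2.0) is a general parsing hazard: a keyword match on "blocked" also fires on "not blocked", so a denial-of-traffic dashboard silently counts allowed flows as blocked. The following added example is not code from the add-on or from Splunk. It shows the naive keyword extraction beside a negation-aware one and a check that lists the events on which the two disagree, which is what you would want to run over a sample of your own data after upgrading. The sample lines are constructed and make no claim about the Symantec Endpoint Protection log layout; the "not allowed" case is a generalization beyond the issue as reported.

```python
import re
from collections import Counter

# Constructed sample events (not copied from a Symantec Endpoint Protection log and
# not a claim about its field layout); only the action phrase matters here.
SAMPLE_EVENTS = [
    "10.0.0.5 -> 203.0.113.9 tcp/445 was blocked by rule Block-Outbound-SMB",
    "10.0.0.7 -> 198.51.100.2 tcp/443 was not blocked by rule Allow-HTTPS",
    "10.0.0.9 -> 192.0.2.4 udp/53 was allowed by rule Allow-DNS",
    "10.0.0.11 -> 192.0.2.8 tcp/23 was NOT allowed by rule Deny-Telnet",
]

# Ordered alternation: the negated phrases come first so that, scanning left to
# right, "not blocked" is consumed as one token before "blocked" alone can match.
ACTION_PATTERN = re.compile(
    r"\b(?P<phrase>not\s+blocked|not\s+allowed|blocked|allowed)\b", re.IGNORECASE
)

# Whole-phrase to CIM-style action value ("not allowed" is the generalized case).
PHRASE_TO_ACTION = {
    "not blocked": "allowed",
    "not allowed": "blocked",
    "blocked": "blocked",
    "allowed": "allowed",
}


def naive_action(raw: str) -> str:
    """The broken mapping: any 'blocked' token wins, so 'not blocked' becomes 'blocked'."""
    if re.search(r"\bblocked\b", raw, re.IGNORECASE):
        return "blocked"
    if re.search(r"\ballowed\b", raw, re.IGNORECASE):
        return "allowed"
    return "unknown"


def fixed_action(raw: str) -> str:
    """Negation-aware mapping: classify on the whole phrase, not on a single keyword."""
    m = ACTION_PATTERN.search(raw)
    if not m:
        return "unknown"
    phrase = re.sub(r"\s+", " ", m.group("phrase").lower())
    return PHRASE_TO_ACTION[phrase]


def action_counts(events, extractor) -> Counter:
    """Distribution of the extracted action field, the figure a dashboard would show."""
    return Counter(extractor(e) for e in events)


def misclassified(events) -> list:
    """Events where the two extractors disagree: the records to re-check after an upgrade."""
    return [e for e in events if naive_action(e) != fixed_action(e)]


if __name__ == "__main__":
    print("naive:", action_counts(SAMPLE_EVENTS, naive_action))
    print("fixed:", action_counts(SAMPLE_EVENTS, fixed_action))
    for e in misclassified(SAMPLE_EVENTS):
        print("re-check:", e)
```

On this constructed sample the aggregate counts of the two extractors happen to agree (two blocked, two allowed each) while two individual records are wrong, so compare per event rather than trusting a summary. The same ordering trick carries over to a Splunk transforms.conf REGEX: capture the whole phrase with the negated alternatives listed first, then map the captured phrase to the action value.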


Version 3.0.1

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection was released on March 10, 2020.

Compatibility

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.0 or later
CIM: 4.15.0
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 14.0 to 14.2 RU2

New features

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • FIPS compatibility.
  • Support for Symantec Endpoint Protection versions 14.2 RU1 and 14.2 RU2.

Fixed issues

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.


Date resolved Issue number Description
2020-02-05 ADDON-21970 SEP: Transforms no longer match after upgrade to SEP 14.2 RU1

Known issues

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.


Date filed Issue number Description
2020-03-02 ADDON-25447 The value of the Event_Description field is truncated at the first single quote for sourcetype symantec:ep:admin:file with Symantec Endpoint Protection 14.2 RU2.

Third-party software attributions

Version 3.0.1 of the Splunk Add-on for Symantec Endpoint Protection incorporates the following:


Version 3.0

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection was released on November 21, 2017.

Compatibility

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.0 or later
CIM: 4.2 or later
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 12.x and 14.x

New features

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Python 3 support.

Fixed issues

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following (if any) issues.


Known issues

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following (if any) known issues.


Date filed Issue number Description
2019-05-10 ADDON-21970 SEP: Transforms no longer match after upgrade to SEP 14.2 RU1

Workaround:
Upgrade to v3.0.1 from Splunkbase.

https://splunkbase.splunk.com/app/2772/

Third-party software attributions

Version 3.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the following:

Version 2.3.0

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection was released on November 21, 2017.

Compatibility

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.6, 7.0, 7.1, 7.2
CIM: 4.2 or later
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection versions 12.x and 14.x

New features

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • Support for Symantec Endpoint Protection version 14.x.


Fixed issues

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection fixes the following issues.


Date resolved Issue number Description
2017-11-17 ADDON-13665 Malware_Attack DM has missing fields for Symantec data.
2017-10-25 ADDON-13605 Missing Symantec_ep.conf.spec file

Known issues

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection contains the following known issues.


Date filed Issue number Description
2019-05-10 ADDON-21970 SEP: Transforms no longer match after upgrade to SEP 14.2 RU1

Workaround:
Upgrade to v3.0.1 from Splunkbase.

https://splunkbase.splunk.com/app/2772/

Third-party software attributions

Version 2.3.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.

Version 2.2.0

Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.3 or later
CIM: 4.2 or later
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection version 12.x and later

New features

Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following new features:

  • The setup option that automatically updates the malware category lookup table with the latest list of threats and risks from Symantec now supports the following proxy types: http, http_no_tunnel, socks4, and socks5.
  • Compatibility with the Malware data model as extended with the vector-url and vector-sender fields introduced in version 4.5.0 of the Splunk Common Information Model.

Fixed issues

Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following fixed issues.


Date resolved Issue number Description
2016-11-27 ADDON-11994 Incorrect mapping for 'app' in eventtype 'symantec_ep_traffic'
2016-11-24 ADDON-11877 Updating proxy settings in Splunk Web on Linux does not take effect until the next interval
2016-11-22 ADDON-12268 Fails to run malware lookup table update when the add-on is installed on a non-clustered search head connected to an indexer cluster
2016-11-07 ADDON-10944 Stanza field_extraction_for_agt_risk in transforms.conf is not correctly configured
2016-10-17 ADDON-9438 The malware_category_update.py script removes the lookups when SYMC is unreachable
2016-10-17 ADDON-9427 Fails to update the malware lookup table when the management port is not the default 8089

Known issues

Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection has the following known issues.


Date filed Issue number Description
2017-02-27 ADDON-13866 File_hash is not extracted correctly for sourcetype=Symantec:ep_proactive:file
2017-02-20 ADDON-13665 Malware_Attack DM has missing fields for Symantec data.
2017-02-13 ADDON-13605 Missing Symantec_ep.conf.spec file
2016-11-25 ADDON-12390 Updating the proxy setting from the UI on Windows does not take effect until the next interval if the save operation times out.

Workaround:
Perform one of the following:
  • Restart the Splunk platform.
  • On the Setup page, disable and then re-enable the scripted input: clear the Symantec Endpoint Protection Malware Category Lookup option and save, then re-select the option and save again.


2016-11-03 ADDON-11939, ADDON-12652 On Windows, when you set up the add-on through Splunk Web and save the settings, a read operation timeout error message sometimes appears.

Workaround:
Refresh the page.

If you enable proxy, wait until the next interval for the updated proxy settings to take effect.

2015-10-20 ADDON-6124 When you set up the add-on through Splunk Web on a search head cluster member, the settings do not take effect until all cluster members are restarted.

Workaround:
Perform a rolling restart of the search head cluster members after setup (for example, run splunk rolling-restart shcluster-members on the captain).
2015-10-20 ADDON-6123 When you distribute the add-on configurations using Deployer, proxy with authentication fails

Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.


Version 2.1.1

Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection was released on April 1, 2016. Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.0 or later
CIM: 4.2 or later
Platforms: Windows for the data collection node
Vendor products: Symantec Endpoint Protection version 12.x and later

Migration guide

The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.

Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.

Fixed issues

Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection has the following fixed issues.

Date Issue number Description
2016-02-24 ADDON-7952 Performance issues in Splunk Enterprise Security due to tag expansions.

Known issues

Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection has the following known issues.

Date Issue number Description
2016-01-30 ADDON-7646 FIPS mode is not supported by this add-on. For a workaround, see Add-ons and FIPS mode in the Splunk Add-ons manual.
2016-01-13 ADDON-5325 requireClientCert=true in server.conf is not supported by add-ons that use modular inputs and REST. If this setting is enabled in server.conf, communication between the modular input and splunkd breaks and the add-on stops collecting data; splunkd.log shows the error "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate." The workaround is to set requireClientCert=false. Note that this relaxes the TLS configuration of the splunkd management port so that connecting clients are no longer required to present a certificate; treat it as a deliberate trade-off in hardened deployments.
2015-10-20 ADDON-6124/SPL-108412 When you perform setup from the UI on a search head in a search head cluster, the changes do not take effect until a rolling restart of the search head cluster members.
2015-06-08 ADDON-4199/SPL-103281 The validation error message on the UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully.
2015-06-04 ADDON-4173/SPL-91709 The setup screen takes a long time to save on Windows for Splunk platform versions 6.3.x or earlier. Workaround: Upgrade to version 6.4.0.

Third-party software attributions

Version 2.1.1 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.

Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the same compatibility specifications as version 2.1.1.

Migration guide

The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.

Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.

New Features

Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following enhancements.

Date Issue number Description
2015-10-05 ADDON-5859 Minor update to the Splunk Add-on for Symantec Endpoint Protection that improves readability and maintainability: the complex regular expression has been rewritten as modular regexes with named capture groups, and more comments have been added.
2015-10-05 ADDON-6012 Added mapping for traffic file to the Network Traffic CIM model. All traffic events are now mapped to the Network Traffic model.
2015-11-12 ADDON-6345 Added mapping for inbound blocked events in traffic file to Intrusion Detection CIM model.
2015-10-12 ADDON-4769 Refine eventtype symantec_ep_behavior: remove Malware and Operations tags from this event type and refine event type search to include blocked operations and exclude everything else.
2015-10-20 ADDON-6055 Add "category" and "description" for each source type with pulldown_type=true so the source types for the add-on are listed in the Network & Security category on the data input page.

Fixed issues

Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following fixed issues.

Date Issue number Description
2015-10-21 ADDON-4286 Automatic updates to malware category lookup file are not supported on a search head cluster.
2015-10-08 ADDON-4768 The last two fields for field_extraction_for_agt_risk and field_extraction_for_agt_behavior are not always included in logs for SEP manager. These fields have been set to be optional for extraction.
2015-10-13 ADDON-6010 Unable to update proxy setting from back-end when add-on installed on Windows using Splunk platform version 6.3.
2015-11-12 ADDON-6313 Field enhancements: extract and clean more fields which are not mapped to the CIM. Add and update fields that map to the CIM. Set the field value to be null if it is blank or empty.
2015-11-17 ADDON-6471 Changes needed to transforms.conf and props.conf to discard header rows for each source type.
2015-10-22 ADDON-6142 Add src and src_ip fields for eventtypes symantec_ep_risk and symantec_ep_proactive for CIM: Malware.
2015-12-01 ADDON-6473 Split event type symantec_ep_risk_alert_suspicious into symantec_ep_risk_alert_suspicious and symantec_ep_risk_alert_suspicious_attack.
2015-11-17 ADDON-6474 vendor_product CIM field missing.
2015-11-25 ADDON-6511 Domain extraction bug.
2015-11-03 ADDON-4285 The internal log is not assigned a sourcetype.

Known issues

Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection has the following known issues.

Date Issue number Description
2016-01-30 ADDON-7646 FIPS mode is not supported by this add-on. For a workaround, see Add-ons and FIPS mode in the Splunk Add-ons manual.
2016-01-13 ADDON-5325 requireClientCert=true in server.conf is not supported by add-ons that use modular inputs and REST. If this setting is enabled in server.conf, communication between the modular input and splunkd breaks and the add-on stops collecting data; splunkd.log shows the error "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate." The workaround is to set requireClientCert=false. Note that this relaxes the TLS configuration of the splunkd management port so that connecting clients are no longer required to present a certificate; treat it as a deliberate trade-off in hardened deployments.
2015-10-20 ADDON-6124/SPL-108412 When you perform setup from the UI on a search head in a search head cluster, the changes do not take effect until a rolling restart of the search head cluster members.
2015-06-08 ADDON-4199/SPL-103281 The validation error message on the UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully.
2015-06-04 ADDON-4173/SPL-91709 The setup screen takes a long time to save on Windows.

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection has the same compatibility specifications as version 2.1.0.

Migration guide

The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.

Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.

Fixed issues

Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection had the following fixed issue.

Date Issue number Description
2015-06-26 ADDON-4339 Global stanza in default/props.conf applies to all add-ons, causing KV extraction to fail, as well as anything that relies on the KV extraction.

Known issues

Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection had the following known issues.

Date Issue number Description
2015-06-17 ADDON-4286 Automatic updates to malware category lookup file are not supported on a search head cluster.
2015-06-08 ADDON-4199/SPL-103281 Validation error message on UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully.
2015-06-04 ADDON-4173/SPL-91709 Setup screen takes a long time to save on Windows.

Third-party software attributions

Version 2.0.1 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.

Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection has the same compatibility specifications as version 2.0.1.

Migration guide

The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons.

Note: The older add-ons are still needed to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.

New features

Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection had the following new features.

Date Issue number Description
2015-05-31 ADDON-721/ADDON-3760 Splunk-supported add-on for Symantec Endpoint Protection 12.x.

Known issues

Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection had the following known issues.

Date Issue number Description
2015-06-26 ADDON-4339 Global stanza in default/props.conf applies to all add-ons, causing KV extraction to fail, as well as anything that relies on the KV extraction.
2015-06-17 ADDON-4286 Automatic updates to malware category lookup file are not supported on a search head cluster.
2015-06-08 ADDON-4199/SPL-103281 Validation error message on UI setup screen does not disappear after the issue is corrected, even though the configuration saves successfully.
2015-06-04 ADDON-4173/SPL-86716 Setup screen takes a long time to save on Windows.

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Symantec Endpoint Protection incorporates the Httplib2 Python library.

Last modified on 17 February, 2023