Skip to content

How Splunk and Symantec Can Work Together

A Brief Rundown on Symantec

If you’re not familiar with Symantec, here’s a quick rundown: at a high level, it’s a leading cybersecurity company who helps organizations, governments, and people secure critical data, wherever it lives. Along with a myriad of other solutions, Symantec provides endpoint protection, advanced threat protection, and host intrusion prevention solutions.

In addition, Symantec also provides a comprehensive set of logs:

  • Server Administration
  • Application and Device Control
  • Server Client
  • Server Policy
  • Server System
  • Client Packet
  • Client Proactive Threat
  • Client Risk
  • Client Scan
  • Client Security
  • Client System
  • Client Traffic

How Splunk and Symantec Work Together

Symantec provides sys logs on the Symantec server that can be collected by Splunk. They also provide an app, the Symantec ATP app for Splunk. This app can be used in conjunction with Splunk’s adaptive response framework.

Why Use Splunk and Symantec?

Together, Splunk and Symantec provide rich endpoint logs that give you a lot of coverage over different areas, such as the above. Some of those logs allow you to gain more information than what you’d get out of some of the other endpoint solutions that are out there, mainly the packet logs.

If you’re focused on tracking user behavior on endpoints, such as violations of policy, Splunk and Symantec together are a very effective combo solution.

Symantec provides the capability to do application blacklisting or whitelisting on endpoints. For instance, if you have hash values of known bad malicious files or executables, you can take those known bad file hashes, upload them into Symantec Endpoint Protection (SEP) server, and require that if that particular application tries to run, it gets blocked, and you’re notified. This makes it easy to see if malicious files try to run on a particular host and endpoint.

Another application worth evaluating is when your employees are using USB or storage devices. Sometimes, employees may have permitted devices, but you don’t have visibility into what’s being transferred onto those devices. Through the logs in Splunk, Symantec allows you to see that an employee has transferred different files to their storage devices.

Scheduled scanning is also a great option if you’re interested in seeing when devices get scanned, how long scans take, if they discover anything, and whether scans get completed.

Best Practice: Splunk Universal Forwarder

There are several different ways to collect the the Symantec endpoint logs. The old way used to be to send it from your Symantec server to a sys log server, but the best practice today is to put a Splunk universal forwarder on your Symantec Endpoint Protection (SEP) server and collect the logs directly from the SEP server. This enables you to get the logs in a better format, and you can also control the collection a lot better using sys logs. Plus, if you’re using encryption on your forwarders, you’re transporting that data from your Symantec server securely.

If you have questions about using Splunk and Symantec together, August Schell is here to provide guidance. Get in touch with an August Schell Splunk engineer, or call us to speak to someone today at (301)-838-9470.