
Symantec Endpoint Protection - Registration Succeeded - Category: Compromise

Hi All,

we are getting Events from a Symantec Endpoint Protection Manager. We have an issue with one Event:

End Time: xx
Name: Registration Succeeded
Attacker Address: x.x.x.x
Target Address: (empty)
Priority: 2
Device Vendor: Symantec
Device Product: Endpoint Protection

The problem is that this event is categorized with these parameters:

Category Significance: /Compromise
Category Behavior: /Found
Category Device Group: /IDS/Host/Antivirus
Category Outcome: /Success
Category Object: /Host/Infection/Virus

This categorization causes a rule to fire and put the Attacker Address on a "Compromised" list. But I think this event only indicates that the registration of the client succeeded. Why is this event categorized this way?


We are using a symantecendpointprotection_db type connector (Version: 7.0.4.7088) to receive the events from the SEPM.

The problem is that after this Symantec event, every event with this Attacker Address has the priority 9 (Very High).

Does anyone else recognize the same behaviour?

Regards

Dennis

5 Replies

Acclaimed Contributor.

Re: Symantec Endpoint Protection - Registration Succeeded - Category: Compromise

You may map any category for the needed events.

Absent Member.

Re: Symantec Endpoint Protection - Registration Succeeded - Category: Compromise

Doesn't work. You cannot override the category which comes from the connector, it seems.

And the ESM_101_5.2 manual also says: "The Categorize Event utility available in the Console makes it possible to set event categories for events whose Connectors do not already provide event categories."

So, any other idea? Has anyone else noticed the same behaviour?

Outstanding Contributor.

Re: Symantec Endpoint Protection - Registration Succeeded - Category: Compromise

Hi,

We are in the process of integrating the Symantec Endpoint DB. We are installing the connector on a Connector Appliance.

However, the Symantec DB SQL Server is using Windows authentication mode instead of SQL Server authentication mode.

And due to security reasons, the SQL Server authentication mode cannot be changed from Windows mode to SQL Server mode or Mixed mode.

Is there a workaround to integrate the DB even if the SQL Server is configured with Windows mode?

Regards,

Anirudh

Outstanding Contributor.

Re: Symantec Endpoint Protection - Registration Succeeded - Category: Compromise

Hello All,

This might help others.

There is a workaround for this kind of requirement. Please follow the steps below to make it work:

  • Create a domain account that has the rights of a regular user.
  • Set it up as a service account to avoid interactive login and password expiry.
  • In SQL Server, work with your DBA to add that domain user to the SQL environment with permissions to read and write to the SEP DB.

Regards,

Anirudh

Respected Contributor.

Re: Symantec Endpoint Protection - Registration Succeeded - Category: Compromise

Hey All,

Does anyone know why some events that come in from symantec_DB_SEP are not tagged with any category? For example, for the names "wharps", "packed.generic.504", "android.appenda", "android.dandro", and "sonar.rogueAV!gen1", nothing is tagged in category behaviour, category device group, category object, category outcome, category significance or category technique. The fields in these categories are empty; does anyone know why? The reason I ask is that when I run a report with categoryOutcome=/success, I will miss the events where the field is empty.

Please advise.

Regards,

Julian
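
As an added example (not from the thread and not ArcSight code), the Python below models the rule behaviour the original post describes: a condition keyed only on the SEP category fields puts the "Registration Succeeded" client onto the compromised list, a refined condition that also checks the event name does not, and a separate check surfaces the empty-category events that Julian's categoryOutcome=/Success report would skip. The event records and the administrative-name set are constructed assumptions.

```python
# Added example, not code from the thread or from ArcSight: models a rule that
# fires on the SEP category fields alone (the thread's false positive), a
# refined rule that excludes administrative event names, and an
# "uncategorized" bucket for events whose category fields arrive empty.
# All events below are constructed; field names follow the thread's labels.
EVENTS = [
    {"name": "Registration Succeeded", "attackerAddress": "10.0.0.5",
     "categorySignificance": "/Compromise", "categoryBehavior": "/Found",
     "categoryDeviceGroup": "/IDS/Host/Antivirus", "categoryOutcome": "/Success",
     "categoryObject": "/Host/Infection/Virus"},
    {"name": "packed.generic.504", "attackerAddress": "10.0.0.7",
     "categorySignificance": "", "categoryBehavior": "", "categoryDeviceGroup": "",
     "categoryOutcome": "", "categoryObject": ""},
    {"name": "Constructed.Detection", "attackerAddress": "10.0.0.9",
     "categorySignificance": "/Compromise", "categoryBehavior": "/Found",
     "categoryDeviceGroup": "/IDS/Host/Antivirus", "categoryOutcome": "/Success",
     "categoryObject": "/Host/Infection/Virus"},
]
CATEGORY_FIELDS = ("categorySignificance", "categoryBehavior",
                   "categoryDeviceGroup", "categoryOutcome", "categoryObject")
# SEPM event names that carry infection-style categories but only report
# client administration; the set is an assumption seeded from the thread.
ADMIN_EVENT_NAMES = {"Registration Succeeded"}


def original_rule(event):
    """Rule as the thread describes it: keyed on category fields only."""
    return (event["categorySignificance"] == "/Compromise"
            and event["categoryBehavior"] == "/Found"
            and event["categoryOutcome"] == "/Success"
            and event["categoryObject"].startswith("/Host/Infection/"))

def refined_rule(event):
    """Same condition, but administrative event names never qualify."""
    return original_rule(event) and event["name"] not in ADMIN_EVENT_NAMES

def is_uncategorized(event):
    """True when the connector supplied no category value at all."""
    return all(event[f] == "" for f in CATEGORY_FIELDS)

def compromised_list(events, rule):
    """Attacker addresses the given rule would add to the active list."""
    return sorted({e["attackerAddress"] for e in events if rule(e)})

def uncategorized_names(events):
    """Names a categoryOutcome=/Success report would silently skip."""
    return [e["name"] for e in events if is_uncategorized(e)]
```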
