Symantec Endpoint Protection

The IBM QRadar DSM for Symantec Endpoint Protection collects events from a Symantec Endpoint Protection system.

The IBM® QRadar® DSM for Symantec Endpoint Protection parses events from Symantec Endpoint Protection System in the following languages: English, French, German, Italian, Japanese, Russian, and Polish.

The following table describes the specifications for the Symantec Endpoint Protection DSM:
Table 1. Symantec Endpoint Protection DSM specifications

Specification                Value
Manufacturer                 Symantec
DSM name                     Symantec Endpoint Protection
RPM file name                DSM-SymantecEndpointProtection-QRadar_version-build_number.noarch.rpm
Supported versions           Endpoint Protection V11, V12, and V14
Protocol                     Syslog
Event format                 Syslog
Recorded event types         All Audit and Security Logs
Automatically discovered?    Yes
Includes identity?           No
Includes custom properties?  No
More information             Symantec website (https://www.symantec.com)

To integrate Symantec Endpoint Protection with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
    • DSMCommon RPM
    • Symantec Endpoint Protection DSM RPM
  2. Configure your Symantec Endpoint Protection device to send syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add a Symantec Endpoint Protection log source on the QRadar Console.
  4. Verify that QRadar is configured correctly.
    The following table shows a sample normalized event message from Symantec Endpoint Protection:
    Table 2. Symantec Endpoint Protection sample message

    Event name          Blocked
    Low level category  Access Denied
    Sample log message  <51>Mar  3 13:52:13 <Server> SymantecServer: USER,<IP_address>,Blocked,[AC13-1.5] Block from loading other DLLs - Caller MD5=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,Load Dll,Begin: 2017-03-03 13:48:18,End: 2017-03-03 13:48:18,Rule: Corp Endpoint - Browser Restrictions | [AC13-1.5] Block from loading other DLLs,6804,C:/Program Files (x86)/Microsoft Office/Office14/WINPROJ.EXE,0,No Module Name,C:/Users/USER/AppData/Local/assembly/dl3/DMD7K4QX.8GW/WQ9LV1W4.8HL/e705c114/006fef9d_f364d101/ProjectPublisher2010.DLL,User: USER,Domain: LAB,Action Type: ,File size (bytes): 4216832,Device ID: SCSI\Disk&Ven_ATA&Prod_SAMSUNG_SSD_PM83\4&27c82505&0&000000
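Added example (not IBM's or Symantec's code): a small Python parser for the Table 2 sample message, which splits the syslog header from the comma-separated body and separates "Key: value" fields from positional ones so that a practitioner can see which fields (action, rule, caller process, target DLL, user, domain) a detection rule could key on. The header layout, the positional field names and the "Key: value" convention are assumptions inferred only from that one sample, and the category lookup covers only the single mapping the table documents.

```python
import re

# Layout inferred only from the sample message in Table 2 (assumption, not a vendor spec):
# syslog PRI, BSD timestamp, host, the "SymantecServer:" tag, then a comma-separated body.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) SymantecServer: (?P<body>.*)$",
    re.S,
)
# A "Key: value" body field; the mandatory space after the colon keeps "C:/Program Files" positional.
LABELED_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ()]*): (?P<val>.*)$", re.S)
# Names for the leading positional fields, in the order they appear in the sample (assumption).
POSITIONAL = ["site", "source_ip", "action", "description", "event_type"]
# The only event-name-to-category mapping this page documents (Table 2); anything else is "Unknown".
LOW_LEVEL_CATEGORY = {"Blocked": "Access Denied"}

# The Table 2 sample joined onto one line; the MD5 placeholder is kept exactly as printed there.
SAMPLE = (
    "<51>Mar  3 13:52:13 <Server> SymantecServer: USER,<IP_address>,Blocked,"
    "[AC13-1.5] Block from loading other DLLs - Caller MD5=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,"
    "Load Dll,Begin: 2017-03-03 13:48:18,End: 2017-03-03 13:48:18,"
    "Rule: Corp Endpoint - Browser Restrictions | [AC13-1.5] Block from loading other DLLs,"
    "6804,C:/Program Files (x86)/Microsoft Office/Office14/WINPROJ.EXE,0,No Module Name,"
    "C:/Users/USER/AppData/Local/assembly/dl3/DMD7K4QX.8GW/WQ9LV1W4.8HL/e705c114/"
    "006fef9d_f364d101/ProjectPublisher2010.DLL,User: USER,Domain: LAB,Action Type: ,"
    "File size (bytes): 4216832,Device ID: SCSI\\Disk&Ven_ATA&Prod_SAMSUNG_SSD_PM83\\4&27c82505&0&000000"
)


def parse_sep_syslog(line):
    """Return a dict of header, labeled and positional fields, or None if the line is not SEP syslog."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    event = {
        "facility": pri >> 3,  # RFC 3164: PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
    }
    positional = []
    for field in m.group("body").split(","):  # no quoted fields appear in the sample
        lm = LABELED_RE.match(field)
        if lm:
            event[lm.group("key").strip().lower()] = lm.group("val").strip()
        else:
            positional.append(field.strip())
    event.update(zip(POSITIONAL, positional))
    event["extra"] = positional[len(POSITIONAL):]  # pid, caller path, "0", module name, target DLL
    event["low_level_category"] = LOW_LEVEL_CATEGORY.get(event.get("action"), "Unknown")
    return event
```

Run `parse_sep_syslog(SAMPLE)` to see the field breakdown; a line whose tag is not `SymantecServer:` returns `None` rather than a partially filled record.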