Symantec Endpoint Protection sample event messages

Use this sample event message to verify a successful integration with the QRadar® product.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Symantec Endpoint Protection sample message when you use the Syslog connector

The following sample event message shows a firewall block.

<51>Oct 3 23:51:53 symantec.endpointprotection.english.test SymantecServer: 20-11111A111111,Event Description: The client will block traffic from IP address for the next 60 seconds (from 03/10/2019 23:51:04 to 03/10/2019 23:52:04). ,Local:,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP:,Remote Host MAC: 000000000000,Inbound,OTHERS,,Begin: 2019-10-03 23:51:04,End: 2019-10-03 23:52:04,Occurrences: 1,Application: ,Location: Test Loc - VPN,User: A1111111,Domain: TESTDOMAIN,Local Port: 0,Remote Port: 0,CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5:
Table 1. Field names and highlighted values in the event payload
QRadar product field name Highlighted values in the event payload
Event ID Event Description (firewall block is extracted)
Source IP
Destination IP
Username A1111111
Device Time 2019-10-03 23:51:04