Splunk for Symantec
Fact Sheet

Splunk® App for Symantec
Use Splunk and Symantec to better monitor, investigate and eliminate endpoint threats

The Splunk App for Symantec

The Splunk App for Symantec is a free app available on Splunkbase that sits on top of Splunk. It ingests data from Symantec Endpoint Protection (SEP) 11 or 12 and offers out-of-the-box dashboards, reports and fast access to your SEP data. The Splunk App for Symantec lets SEP customers easily visualize key metrics such as which machines are infected, the overall amount of malware detected on hosts, and activity related to the SEP firewall or IDS on hosts. It also provides search capabilities, so you can search your data for specific malware infections. In addition, the App lets you drill into client logs to more easily identify hosts with failures, agent trends and more. The SEP data can quickly be summarized for a broad-picture view, and just as quickly drilled down into to get the raw data on specific risks detected. Lastly, customers can customize the Splunk App for Symantec by creating their own dashboards, visualizations, forms and alerts to accommodate their specific needs.

The Splunk App for Symantec can receive data from SEP in two ways: over syslog, or by using the Splunk Universal Forwarder to monitor the SEP log files on the SEP Manager server. With the second option, the Universal Forwarder sends the data to a Splunk indexer encrypted and over TCP, for better security and reliability. Splunk then indexes this data and allows you to perform further analysis on it. Once the SEP data is in Splunk, it can be correlated with other data in Splunk from sources such as web proxies, network firewalls and IDS, DHCP, AD, email servers, NetFlow and Windows event logs to detect the presence of advanced threats that may hide behind credentials and use other stealthy methods to evade detection by traditional stand-alone security products.
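The Universal Forwarder path described above, as an added configuration example that is not part of the fact sheet and not taken from Splunk's or Symantec's own documentation: an inputs.conf stanza on the SEP Manager host that monitors the SEPM external-logging directory, an outputs.conf that sends to the indexer over TCP with SSL and server-certificate verification switched on, and the matching SSL-only receiving port on the indexer. The point a practitioner should check is that "encrypted" is only true when these SSL settings are present; a bare tcpout stanza sends the SEP logs in clear text. The log directory, index name, sourcetype name, hostnames and certificate paths are all assumptions; take the real sourcetype names from the app's documentation.

```ini
# --- inputs.conf on the SEP Manager host (Universal Forwarder) ---
# Assumption: SEPM external logging writes its text logs to this directory.
# The sourcetype and index names are placeholders; use the app's documented ones.
[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_risk.log]
sourcetype = symantec:ep:risk:file
index = sep
disabled = 0

# --- outputs.conf on the same host ---
# Weak form (for comparison): a [tcpout:...] group with only "server = host:9997"
# and none of the ssl* settings below forwards the log data unencrypted.
[tcpout]
defaultGroup = sep_indexers

[tcpout:sep_indexers]
# Placeholder indexer hostname.
server = indexer.example.internal:9997
# Client certificate presented to the indexer (placeholder path).
clientCert = $SPLUNK_HOME\etc\auth\forwarder.pem
# CA bundle used to validate the indexer's certificate (placeholder path).
sslRootCAPath = $SPLUNK_HOME\etc\auth\ca.pem
# Refuse to connect if the indexer's certificate does not validate or
# does not carry the expected common name.
sslVerifyServerCert = true
sslCommonNameToCheck = indexer.example.internal
# Indexer acknowledgement, so events are not lost if the connection drops.
useACK = true

# --- inputs.conf on the indexer: SSL-only receiving port ---
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Placeholder path; the indexer's own certificate and key.
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
# Only forwarders presenting a certificate signed by the trusted CA may send.
requireClientCert = true
```

Keep comments on their own lines, as above: Splunk .conf files only treat a `#` at the start of a line as a comment, so a trailing comment after a value becomes part of that value. With `sslVerifyServerCert` left at its default of false the forwarder still encrypts, but it will accept any certificate the far end presents, which is why the verification settings belong in the same stanza as the certificate paths.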
The Splunk App for Symantec is compliant with the Splunk Common Information Model (CIM), making it easier to correlate Symantec data with data already in Splunk. Other Splunk apps that use the CIM include the Splunk App for Enterprise Security, the Splunk App for PCI Compliance, the Splunk App for FireEye, the Splunk App for Palo Alto Networks, the Splunk App for Blue Coat and the Splunk App for FISMA.

Splunk App for Symantec: Dashboards and Reports

The Splunk App for Symantec generates SEP-specific dashboards and reports in real time, enabling immediate visibility into key SEP metrics. The Splunk App for Symantec also supports core Splunk functionality such as the ability to schedule and email reports to others, role-based access control to limit who can view and/or act on specific data in Splunk or an App, and drill-down actions that let you delve deeper into the details behind graphical elements and charts.

Symantec and Splunk

Symantec™ Endpoint Protection (SEP) 11 and 12 offer comprehensive defense against complex attacks for both physical and virtual environments. SEP integrates multiple essential security technologies in a single, high-performance agent with a single management console. These security technologies include anti-virus, anti-malware, firewall, IDS, application control, device control and network access control. SEP integrates with VMware® vShield™ Endpoint for virtual environments and provides leading protection without slowing you down.

Splunk Enterprise is a security intelligence platform that collects, indexes and harnesses machine-generated big data coming from websites, applications, servers, networks and security products such as Symantec Endpoint Protection. Splunk is often used as a big data platform for security use cases, including incident investigations and forensics, security reporting and visualization, and security information and event management (SIEM) threat correlation. For SIEM use cases, Splunk connects the dots across siloed, separate products to detect and alert on advanced threats that would otherwise evade detection. The Splunk platform extracts additional value from point solutions by allowing the end user to create data visualizations that reflect long-term trending of threats, see them in the context of other IT data, and link solutions together to automate security processes.

Highlights

• Real-time dashboards and panels to easily view and investigate events from Symantec™ Endpoint Protection (SEP) 11 and 12
• Fast reporting and drill-down over large amounts of SEP data to quickly identify, prioritize and investigate security risks
• Correlate SEP data with other data sources in Splunk Enterprise™ to detect and remediate additional advanced threats

The following dashboards are just some of the many available in the Splunk App for Symantec:

Host Overview:
• Systems with most virus detections in the last 24 hours
• Scans, viruses/spyware, processes blocked and SONAR detections per day over the last month

Virus/Spyware Information:
• Infected systems
• Total risks detected
• Viruses found
• Suspicious events found
• Detections by scan type
• Systems with mitigated and unmitigated risks
• Malware information
• Blocked processes

Firewall and IDS Dashboards:
• Number of firewall and IDS events today
• Number of firewall and IDS events per day over the last month
• Inbound and outbound firewall events
• IDS event detail

Symantec Endpoint Protection Manager (SEPM) Dashboard:
• Number of SEPM system events
• SEPM event trends
• Detail on SEPM events

Client Log Information:
• Number of client log events
• Number of systems with failures
• System that has produced the most logs
• Agent event trends
• Agent event information
• Systems with failures

Free Download

Download Splunk for free. You'll get a Splunk Enterprise license for 60 days and you can index up to 500 megabytes of data per day. After 60 days, or anytime before then, you can convert to a perpetual Free license or purchase an Enterprise license by contacting sales@splunk.com.

Try out the App, it's free! Go to Splunk.com > Splunkbase and search for "Symantec" to download the App.

www.splunk.com | www.splunkbase.com
250 Brannan St, San Francisco, CA, 94107
info@splunk.com | sales@splunk.com
866-438-7758 | 415-848-8400
Copyright © 2013 Splunk Inc. All rights reserved. Splunk Enterprise is protected by U.S. and international copyright and intellectual property laws. Splunk is a registered trademark or trademark of Splunk Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item # FS-Splunk-Symantec-103