Educause Security Discussion mailing list archives

Symantec SEP, SEM and IP address


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 17 Nov 2010 16:24:22 -0500

We have recently started using a SEM for collecting and correlating a
variety of event logs.  We've run into a problem with the fact that Symantec
Endpoint Protection's management server does not log the client IP address
in virus detection events, preventing us from properly correlating them to
the source and to other events.  So far, I haven't received much traction
with Symantec on getting this fixed, so I have created an "idea" for this
feature on their support site here:


http://www.symantec.com/connect/idea/include-client-ip-address-virus-detection-event-logs


As far as I can tell, the SEP management server tracks system information
and virus alerts in different tables that are linked by the computer's
NetBIOS name (or perhaps an assigned database key that isn't visible in the
GUI).  It tracks the last known IP address in the system table, but does not
track the IP address held by the client at the time each virus was detected.
This information is particularly important for SEM correlation or building
out incident timelines.


If you share this frustration with SEP logs, please log in and bump the idea
to get some attention.

Thanks,

Brad Judy
Emory University
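The gap described in the post, as an added example that is not part of the original message or of any Symantec product: SEP detection events carry only the NetBIOS name, and the system table holds only the last known IP, so a SIEM that joins the two will attribute an older detection to whatever address the machine has now. The script below shows the defender-side workaround of resolving the IP that the host actually held at detection time from an independent, time-aware source (here a DHCP lease log), and flags the events where the "last known IP" would have been wrong. The table layouts, field names and all records are constructed sample data assumed for illustration, not SEP's real schema.

```python
"""
Constructed example: recover a client IP for SEP-style virus detection
events that carry only a NetBIOS name, using a DHCP lease log as the
time-aware source, and flag where the management server's "last known
IP" would have misattributed the event.

All tables and records below are constructed sample data; the layout is
an assumption made for this example, not SEP's actual database schema.
"""
from datetime import datetime

# Hypothetical "system table": one row per client, last known IP only.
SEP_SYSTEM_TABLE = {
    "LAB-PC-07": "10.20.30.45",
    "DESK-112": "10.20.31.9",
}

# Hypothetical "virus events" table: (NetBIOS name, detection time,
# threat name). Note there is no IP field, which is the problem at hand.
SEP_VIRUS_EVENTS = [
    ("LAB-PC-07", datetime(2010, 11, 15, 9, 12), "Trojan.Gen"),
    ("LAB-PC-07", datetime(2010, 11, 17, 14, 3), "W32.Sample"),
    ("DESK-112", datetime(2010, 11, 16, 11, 40), "Trojan.Gen"),
]

# Constructed DHCP lease log: (hostname, lease start, lease end, IP).
# LAB-PC-07 changed address between its two detections.
DHCP_LEASES = [
    ("LAB-PC-07", datetime(2010, 11, 15, 8, 0), datetime(2010, 11, 16, 8, 0), "10.20.30.12"),
    ("LAB-PC-07", datetime(2010, 11, 17, 8, 30), datetime(2010, 11, 18, 8, 30), "10.20.30.45"),
    ("DESK-112", datetime(2010, 11, 10, 7, 0), datetime(2010, 11, 20, 7, 0), "10.20.31.9"),
]


def ip_at_time(hostname, when, leases=DHCP_LEASES):
    """Return the IP `hostname` held at `when` per the lease log, else None."""
    for host, start, end, ip in leases:
        if host == hostname and start <= when < end:
            return ip
    return None


def ip_at_iso(hostname, iso_time, leases=DHCP_LEASES):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return ip_at_time(hostname, datetime.fromisoformat(iso_time), leases)


def enrich_events(events=SEP_VIRUS_EVENTS, system_table=SEP_SYSTEM_TABLE,
                  leases=DHCP_LEASES):
    """Attach both IP views to each event and flag where they disagree.

    `mismatch` is True when the address held at detection time differs
    from the management server's last known address, i.e. where a naive
    join on the system table would point an incident timeline at the
    wrong host.
    """
    enriched = []
    for host, when, threat in events:
        last_known = system_table.get(host)
        at_detection = ip_at_time(host, when, leases)
        enriched.append({
            "host": host,
            "time": when.isoformat(),
            "threat": threat,
            "ip_last_known": last_known,
            "ip_at_detection": at_detection,
            "mismatch": at_detection is not None and at_detection != last_known,
        })
    return enriched


if __name__ == "__main__":
    for row in enrich_events():
        print(row)
```

Events with no covering lease are left with `ip_at_detection` set to `None` rather than falling back to the last known IP, so the timeline shows an honest gap instead of a plausible-looking but possibly wrong address; any asset source with validity intervals (DHCP, NAC, VPN session logs) can be substituted for the lease table.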