Add/Update Symantec Maps

evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_100.map

@@ -0,0 +1,35 @@
+Author: Andrew Rathbun
+Description: Symantec Endpoint Protection client is online and able to access the management server
+EventId: 100
+Channel: "Symantec Endpoint Protection Client"
+Provider: "Symantec Endpoint Protection Client"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html
+#
+# <Event>
+#  <System>
+#    <Provider Name="Symantec Endpoint Protection Client" />
+#    <EventID Qualifiers="0">100</EventID>
+#    <Level>4</Level>
+#    <Task>1</Task>
+#    <Keywords>0x80000000000000</Keywords>
+#    <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" />
+#    <EventRecordID>43376</EventRecordID>
+#    <Channel>Symantec Endpoint Protection Client</Channel>
+#    <Computer>HOSTNAME.domain</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#    <Data>Symantec Endpoint Protection client is online and able to access the management server.</Data>
+#    <Binary></Binary>
+#  </EventData>
+# </Event>

evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_101.map

@@ -0,0 +1,35 @@
+Author: Andrew Rathbun
+Description: Symantec Endpoint Protection client is unable to connect to the management server
+EventId: 101
+Channel: "Symantec Endpoint Protection Client"
+Provider: "Symantec Endpoint Protection Client"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html
+#
+# <Event>
+#  <System>
+#    <Provider Name="Symantec Endpoint Protection Client" />
+#    <EventID Qualifiers="0">101</EventID>
+#    <Level>4</Level>
+#    <Task>1</Task>
+#    <Keywords>0x80000000000000</Keywords>
+#    <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" />
+#    <EventRecordID>43376</EventRecordID>
+#    <Channel>Symantec Endpoint Protection Client</Channel>
+#    <Computer>HOSTNAME.domain</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#    <Data>Symantec Endpoint Protection client is unable to connect to the management server.</Data>
+#    <Binary></Binary>
+#  </EventData>
+# </Event>

evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_12.map

@@ -0,0 +1,37 @@
+Author: Andrew Rathbun
+Description: Configuration changed
+EventId: 12
+Channel: "Symantec Endpoint Protection Client"
+Provider: "Symantec Endpoint Protection Client"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html
+#
+# <Event>
+#   <System>
+#     <Provider Name="Symantec Endpoint Protection Client" />
+#     <EventID Qualifiers="16639">12</EventID>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2021-02-12 04:33:35.0000000" />
+#     <EventRecordID>49724</EventRecordID>
+#     <Channel>Symantec Endpoint Protection Client</Channel>
+#     <Computer>HOSTNAME.domain</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>
+#
+# Changed value 'HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\Security\UseScanNetDrivePassword' from '0' to '1'</Data>
+#     <Binary></Binary>
+#   </EventData>
+# </Event>

evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_129.map

@@ -0,0 +1,35 @@
+Author: Andrew Rathbun
+Description: Reputation check timed out during unproven file evaluation, likely due to network delays
+EventId: 129
+Channel: "Symantec Endpoint Protection Client"
+Provider: "Symantec Endpoint Protection Client"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html
+#
+# <Event>
+#  <System>
+#    <Provider Name="Symantec Endpoint Protection Client" />
+#    <EventID Qualifiers="0">129</EventID>
+#    <Level>4</Level>
+#    <Task>1</Task>
+#    <Keywords>0x80000000000000</Keywords>
+#    <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" />
+#    <EventRecordID>43376</EventRecordID>
+#    <Channel>Symantec Endpoint Protection Client</Channel>
+#    <Computer>HOSTNAME.domain</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#    <Data>Reputation check timed out during unproven file evaluation, likely due to network delays.</Data>
+#    <Binary></Binary>
+#  </EventData>
+# </Event>

evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_2.map

@@ -0,0 +1,37 @@
+Author: Andrew Rathbun
+Description: Scan stopped
+EventId: 2
+Channel: "Symantec Endpoint Protection Client"
+Provider: "Symantec Endpoint Protection Client"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html
+#
+# <Event>
+#   <System>
+#     <Provider Name="Symantec Endpoint Protection Client" />
+#     <EventID Qualifiers="16639">2</EventID>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2020-05-15 08:00:45.0000000" />
+#     <EventRecordID>43501</EventRecordID>
+#     <Channel>Symantec Endpoint Protection Client</Channel>
+#     <Computer>HOSTNAME.domain</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>
+#
+# Scan Complete:  Risks: 0   Scanned: 610   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 679</Data>
+#     <Binary></Binary>
+#   </EventData>
+# </Event>

evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_200.map

@@ -0,0 +1,46 @@
+Author: Andrew Rathbun
+Description: Content downloaded successfully to the client
+EventId: 200
+Channel: "Symantec Endpoint Protection Client"
+Provider: "Symantec Endpoint Protection Client"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html
+#
+# <Event>
+#  <System>
+#    <Provider Name="Symantec Endpoint Protection Client" />
+#    <EventID Qualifiers="0">200</EventID>
+#    <Level>4</Level>
+#    <Task>1</Task>
+#    <Keywords>0x80000000000000</Keywords>
+#    <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" />
+#    <EventRecordID>43376</EventRecordID>
+#    <Channel>Symantec Endpoint Protection Client</Channel>
+#    <Computer>HOSTNAME.domain</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#     <Data>Content downloaded successfully to the client
+#
+# Product: SEPC Iron Revocation List 14.0
+# Version: MicroDefsB.CurDefs
+# Language: SymAllLanguages
+# Moniker: {810D5A61-809F-49c2-BD75-177F066792BA}
+# Sequence: 200615040
+# Publish Date: Monday, June 15, 2020
+# Revision: 040
+# Source: Symantec Endpoint Protection Manager
+# Remote File Path: FILEPATHHERE
+# Size: 91892 bytes</Data>
+#    <Binary></Binary>
+#  </EventData>
+# </Event>

evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_201.map

@@ -0,0 +1,45 @@
+Author: Andrew Rathbun
+Description: Content download to the client failed
+EventId: 201
+Channel: "Symantec Endpoint Protection Client"
+Provider: "Symantec Endpoint Protection Client"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html
+#
+# <Event>
+#  <System>
+#    <Provider Name="Symantec Endpoint Protection Client" />
+#    <EventID Qualifiers="0">201</EventID>
+#    <Level>4</Level>
+#    <Task>1</Task>
+#    <Keywords>0x80000000000000</Keywords>
+#    <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" />
+#    <EventRecordID>43376</EventRecordID>
+#    <Channel>Symantec Endpoint Protection Client</Channel>
+#    <Computer>HOSTNAME.domain</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#     <Data>Content download to the client failed
+#
+# Product: SEPC Iron Revocation List 14.0
+# Version: MicroDefsB.CurDefs
+# Language: SymAllLanguages
+# Moniker: {810D5A61-809F-49c2-BD75-16790647D2BA}
+# Sequence: 2006130679
+# Publish Date: Saturday, June 13, 2020
+# Revision: 034
+# Source: Symantec Endpoint Protection Manager
+# Remote File Path: FILEPATHHERE
+# Size: 58575 bytes</Data>#    <Binary></Binary>
+#  </EventData>
+# </Event>

evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_202.map

@@ -0,0 +1,44 @@
+Author: Andrew Rathbun
+Description: Symantec Endpoint Protection client is online and able to access the management server
+EventId: 202
+Channel: "Symantec Endpoint Protection Client"
+Provider: "Symantec Endpoint Protection Client"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html
+#
+# <Event>
+#  <System>
+#    <Provider Name="Symantec Endpoint Protection Client" />
+#    <EventID Qualifiers="0">202</EventID>
+#    <Level>4</Level>
+#    <Task>1</Task>
+#    <Keywords>0x80000000000000</Keywords>
+#    <TimeCreated SystemTime="2020-06-20 02:08:50.0000000" />
+#    <EventRecordID>43376</EventRecordID>
+#    <Channel>Symantec Endpoint Protection Client</Channel>
+#    <Computer>HOSTNAME.domain</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#     <Data>Content installed successfully on the client
+#
+# Product: SEPC Iron Revocation List 14.0
+# Version: MicroDefsB.CurDefs
+# Language: SymAllLanguages
+# Moniker: {810D5A61-809F-49c2-BD75-177F0647D2BA}
+# Sequence: 200613034
+# Publish Date: Saturday, June 13, 2020
+# Revision: 034
+# </Data>
+#    <Binary></Binary>
+#  </EventData>
+# </Event>

evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_21.map

@@ -0,0 +1,37 @@
+Author: Andrew Rathbun
+Description: Scan canceled
+EventId: 21
+Channel: "Symantec Endpoint Protection Client"
+Provider: "Symantec Endpoint Protection Client"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html
+#
+# <Event>
+#   <System>
+#     <Provider Name="Symantec Endpoint Protection Client" />
+#     <EventID Qualifiers="16639">21</EventID>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2020-05-15 08:00:45.0000000" />
+#     <EventRecordID>43501</EventRecordID>
+#     <Channel>Symantec Endpoint Protection Client</Channel>
+#     <Computer>HOSTNAME.domain</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>
+#
+# Scan Canceled:  Risks: 0   Scanned: 610   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 679</Data>
+#     <Binary></Binary>
+#   </EventData>
+# </Event>

evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_23.map

@@ -0,0 +1,37 @@
+Author: Andrew Rathbun
+Description: Symantec Endpoint Protection Auto-Protect Enabled
+EventId: 23
+Channel: "Symantec Endpoint Protection Client"
+Provider: "Symantec Endpoint Protection Client"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://knowledge.broadcom.com/external/article/156288/symantec-endpoint-protection-121x-event.html
+#
+# <Event>
+#   <System>
+#     <Provider Name="Symantec Endpoint Protection Client" />
+#     <EventID Qualifiers="49807">23</EventID>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2021-02-03 09:23:40.0000000" />
+#     <EventRecordID>49777</EventRecordID>
+#     <Channel>Symantec Endpoint Protection Client</Channel>
+#     <Computer>HOSTNAME.domain</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>
+#
+# Symantec Endpoint Protection Auto-Protect Enabled.</Data>
+#     <Binary></Binary>
+#   </EventData>
+# </Event>