sangfor EDR log field description

Newbie856707 Lv1Posted 24 Jan 2024 09:50

I need to send the EDR logs to our own siem platform, and I need to understand the meaning of each field of the EDR logs to correspond with the rules of my siem platform. Please provide the log field description file of the EDR for me.

Tammee Ong has solved this question and earned 10 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

For this particular issue, please send an email to tech.support@sangfor.com. The technical support team will assist you in resolving this matter promptly.
Is this answer helpful?
Enrico Vanzetto Lv4Posted 30 Jan 2024 18:31
  
HI, you have to understand the logs that you get from syslog.
Try to do some test event and filter it out on syslog.
Unfortunately i can't find any inormation about event logs fields.
Better ask to your Sangfor sales contact these info.
Prosi Lv3Posted 30 Jan 2024 18:31
  
SIEM collects, aggregates, analyzes, and stores large volumes of log data from across the enterprise. SIEM started its journey with a very broad approach: collecting available log and event data from almost any source across the enterprise to be stored for several use cases.
Tayyab0101 Lv2Posted 30 Jan 2024 20:48
  
make changes in the syslog file for siem server details. it will start populating the logs.
mdamores Posted 31 Jan 2024 07:42
  
Once you gathered the logs from syslog. It is best to contact Sangfor support and share them the logs you captured so they can translate it to you in details.
pmateus Lv2Posted 31 Jan 2024 23:53
  
Hi,
Please check the following log field descriptions:

•  time: The timestamp of the log event, in the format of yyyy-MM-dd HH:mm:ss.

•  type: The type of the log event, such as threat, operation, or system.

•  level: The severity level of the log event, such as low, medium, high, or critical.

•  src_ip: The source IP address of the log event

•  dst_ip: The destination IP address of the log event

•  src_port: The source port of the log event

•  dst_port: The destination port of the log event

•  protocol: The protocol of the log event, such as TCP, UDP, or ICMP.

•  action: The action taken by the Sangfor EDR agent, such as block, allow, quarantine, or alert.

•  user: The user name associated with the log event

•  host: The host name or IP address of the endpoint device where the log event occurred.

•  os: The operating system of the endpoint device, such as Windows, Linux, or Mac OS.

•  agent_version: The version of the Sangfor EDR agent installed on the endpoint device.

•  event_id: The unique identifier of the log event, for reference and correlation.

•  event_name: The name or description of the log event, such as ransomware detection, file operation, or agent update.

•  event_detail: The detailed information of the log event, such as the file name, path, hash, or URL involved in the event

Thanks,
Tammee Ong Lv1Posted 06 Jun 2024 11:47
  
For this particular issue, please send an email to tech.support@sangfor.com. The technical support team will assist you in resolving this matter promptly.

I Can Help:

Change

Moderator on This Board

3
14
3

Started Topics

Followers

Follow

43
2
2

Started Topics

Followers

Follow

1
3
5

Started Topics

Followers

Follow

7
11
4

Started Topics

Followers

Follow

18
8
0

Started Topics

Followers

Follow

Trending Topics

Board Leaders