Newbie856707 Posted 24 Jan 2024 09:50

Sangfor EDR log field description

I need to send the EDR logs to our own SIEM platform, and I need to understand the meaning of each field of the EDR logs to correspond with the rules of my SIEM platform. Please provide the log field description file of the EDR for me.

Enrico Vanzetto Posted 30 Jan 2024 18:31

Hi, you have to understand the logs that you get from syslog.
Try to do some test events and filter them out on syslog.
Unfortunately I can't find any information about event log fields.
Better ask your Sangfor sales contact for this info.

Prosi Posted 30 Jan 2024 18:31

SIEM collects, aggregates, analyzes, and stores large volumes of log data from across the enterprise. SIEM started its journey with a very broad approach: collecting available log and event data from almost any source across the enterprise to be stored for several use cases.

Tayyab0101 Posted 30 Jan 2024 20:48

Make changes in the syslog file for the SIEM server details. It will start populating the logs.

mdamores Posted 31 Jan 2024 07:42

Once you have gathered the logs from syslog, it is best to contact Sangfor support and share the logs you captured with them so they can translate them for you in detail.

jerome_itable Posted 31 Jan 2024 08:46

pmateus Posted 31 Jan 2024 23:53

Hi,
Please check the following log field descriptions:

• time: The timestamp of the log event, in the format yyyy-MM-dd HH:mm:ss.
• type: The type of the log event, such as threat, operation, or system.
• level: The severity level of the log event, such as low, medium, high, or critical.
• src_ip: The source IP address of the log event.
• dst_ip: The destination IP address of the log event.
• src_port: The source port of the log event.
• dst_port: The destination port of the log event.
• protocol: The protocol of the log event, such as TCP, UDP, or ICMP.
• action: The action taken by the Sangfor EDR agent, such as block, allow, quarantine, or alert.
• user: The user name associated with the log event.
• host: The host name or IP address of the endpoint device where the log event occurred.
• os: The operating system of the endpoint device, such as Windows, Linux, or Mac OS.
• agent_version: The version of the Sangfor EDR agent installed on the endpoint device.
• event_id: The unique identifier of the log event, for reference and correlation.
• event_name: The name or description of the log event, such as ransomware detection, file operation, or agent update.
• event_detail: The detailed information of the log event, such as the file name, path, hash, or URL involved in the event.

Thanks,
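A small parser for the field list above, added here for illustration and not taken from Sangfor or the thread: it turns one syslog payload into typed SIEM fields, rejects records that lack the keys a correlation rule relies on, and applies a simple triage rule on type, action and level. The key=value wire layout, the sample lines and the function names are assumptions, since the thread does not show the actual log format.

```python
import re
from datetime import datetime

# Constructed sample lines, not real Sangfor output. Assumes the fields above
# arrive over syslog as key=value pairs with quoted multi-word values; adjust
# KV_RE to whatever delimiter your own EDR manager actually emits.
SAMPLE_LOGS = [
    'time="2024-01-31 08:46:12" type=threat level=critical src_ip=10.0.0.15 '
    'dst_ip=198.51.100.7 src_port=50321 dst_port=443 protocol=TCP action=block '
    'user=alice host=WS-015 os=Windows agent_version=3.5.8 event_id=EV-0001 '
    'event_name="ransomware detection" '
    'event_detail="C:\\Users\\alice\\invoice.exe sha256=PLACEHOLDER_HASH"',
    'time="2024-01-31 08:47:03" type=threat level=high src_ip=10.0.0.22 '
    'dst_ip=203.0.113.9 dst_port=8080 protocol=TCP action=alert user=bob '
    'host=WS-022 os=Windows agent_version=3.5.8 event_id=EV-0002 '
    'event_name="suspicious outbound connection" event_detail="powershell.exe"',
    'time="2024-01-31 08:48:30" type=operation level=low host=SRV-02 os=Linux '
    'agent_version=3.5.8 event_id=EV-0003 event_name="agent update" '
    'event_detail="3.5.7 -> 3.5.8"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LEVEL_SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
REQUIRED = ("time", "type", "level", "host", "event_id", "event_name")

def parse_edr_line(line):
    """Split one syslog payload into the EDR fields named in the list above."""
    return {k: q if q else b for k, q, b in KV_RE.findall(line)}

def normalize(fields):
    """Type the raw fields for the SIEM; reject records missing keys correlation needs."""
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"unusable EDR record, missing {missing}")
    event = dict(fields)
    # 'time' carries no zone; the EDR manager's local time is assumed here.
    event["@timestamp"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S").isoformat()
    event["severity"] = LEVEL_SEVERITY.get(fields["level"].lower(), 0)  # 0 = unknown level
    for port in ("src_port", "dst_port"):
        if port in fields:
            event[port] = int(fields[port])
    return event

def should_escalate(event):
    """Triage rule: a threat the agent only alerted on (not blocked or quarantined)
    still needs a human, as does anything rated critical."""
    contained = event.get("action") in ("block", "quarantine")
    if event["type"] == "threat" and not contained:
        return True
    return event["severity"] >= LEVEL_SEVERITY["critical"]
```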