Need update for Parser for Symantec Endpoint Protection and CrowdStrike Falcon Endpoint Protection Connector #9420
Comments
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @AllyDao, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 22Nov23. Thanks!
Hi @AllyDao, could you please share more details about the issue, with logs and screenshots? Trying to reach you over Teams for the same. Thanks.
Hi @AllyDao, as discussed yesterday evening over the Teams call, got the details on the issues; will work on it and get back to you with an update.
Hi @AllyDao, currently working on replicating the issue and, once it replicates, will work on the changes; will post updates by 29Nov23.
Hi, I am still waiting for the information from your team.
Hi, why is there no update on this issue?
Hi @AllyDao, please check the attached updated Symantec parser from the team; meanwhile, trying to replicate the CrowdStrike issue and will update you.
Hi @AllyDao, as discussed over Teams, please schedule a call with the customer for the Symantec parser issue. As we don't have data for the CrowdStrike issue, checking workspaces and modifying the query.
Hi @AllyDao, as discussed over Teams chat, shared both the Symantec and CrowdStrike parsers. We need to test them as we don't have data, so please schedule a call with the customer. Thanks.
Hi @AllyDao,
Hi @AllyDao, working on parser testing; once done, will update you.
Hi @AllyDao, still working on parser testing; will update you.
Hi @AllyDao, I have blocked time on Monday for Symantec parser testing with the customer, as load testing is still going on.
Hi @AllyDao, as discussed over Teams yesterday, was asked to reschedule to today as per the customer's request, so rescheduled the meeting to today.
Hi @AllyDao, as discussed today over the call, shared the updated Symantec parser and got the log types parsed from the parser; sharing the screenshot below for reference.
Got the logs over email today after the call. Will analyze the shared data, update the parser, test it, and share the V2 version.
Hi @AllyDao, as discussed on 16Jan24, shared the initial version of the parser, as the above log types were missing since we didn't have data. Got the data on 16Jan24, so completed the analysis and working on the changes; will update you on the v2 version.
Hi @AllyDao, blocked calendar with the customer next week for the Symantec parser final version; meanwhile testing it, and if I have any queries related to the data, I will reach out.
Hi @AllyDao, as discussed over Teams, scheduled a call tomorrow for the Symantec parser testing.
Hi @AllyDao, as discussed over the call, the customer tested the parser and will be monitoring for a couple of days, and will reach me if there are any issues. As both parsers are resolved, closing this issue (#9420), and will be working on the PR's next steps after a couple of days. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.
Is your feature request related to a problem? Please describe.
For CrowdStrike Falcon Endpoint Protection, there are 5 log severities in the original parser; however, when I search, the results show even more than 5, such as 10, 28, 63. Moreover, the message for log severity 5 is the same as for log severity 2, which it should not be.
For Symantec Endpoint Protection, the parser is not doing well: in the OOTB use cases for Symantec they have a log type, and I don't get that information.
Describe the solution you'd like
Please explain why this is happening and, if I need to update my parser, inform me of the steps.
Describe alternatives you've considered
n/a
Additional context
I cannot add a screenshot to this when creating the case; if you have any concern, please reach me via my Teams: v-daohiep@microsoft.com
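The severity mismatch described in the issue (values such as 10, 28, 63 arriving that a 5-value mapping does not cover) is the kind of thing to confirm in the workspace before editing a parser. The query below is an added example, not the repository's CrowdStrike parser and not code from the reporter or the Sentinel team: it lists every raw severity value present in the connector's data, with a count and one sample message each, and flags which values fall outside the set the parser maps. The `CommonSecurityLog` table, the `DeviceVendor` filter string, and the contents of `ParserSeverities` are assumptions to be adjusted to the actual connector and parser.

```kusto
// Added example, not the Sentinel repository's parser.
// Assumption: the values the existing parser's severity mapping covers.
let ParserSeverities = dynamic(["1", "2", "3", "4", "5"]);
CommonSecurityLog                               // assumption: connector writes CEF here
| where TimeGenerated > ago(7d)
| where DeviceVendor == "CrowdStrike"           // assumption: vendor string as received
| summarize Events = count(), SampleMessage = any(Message) by LogSeverity
| extend CoveredByParser = LogSeverity in (ParserSeverities)
| order by CoveredByParser asc, Events desc
```

Rows with `CoveredByParser == false` are the severities the parser silently drops or mislabels; the `SampleMessage` column also makes it easy to see whether two severity values really carry the same message text, as reported for severities 2 and 5.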