AZS - MF - SEPM - Deploy - Configuration - 1.0


Azure Sentinel Log Integration for Symantec Endpoint Protection 12.x, 14.0 RU1, MP2
Information Protection Group

May 27, 2020

Document Classification - KPMG Highly Confidential


Review and Approval

Revision History

Version  Author        Date        Revision
Draft    Joshua Rains  12/16/2019  Initial content
0.1      Joshua Rains  12/19/2019  Format changes
0.2      Joshua Rains  01/07/2020  Introduction update
0.3      Joshua Rains  01/08/2020  Transition update
0.4      Joshua Rains  01/14/2020  Language update: KAS-R Appliance
0.5      Joshua Rains  01/27/2020  Contact details update
0.6      Joshua Rains  04/22/2020  Introduction update + final format check
0.7      Joshua Rains  05/18/2020  Added screenshots

This document has been reviewed by

   Reviewer                 Date reviewed
1  Steve Ellis              04/25/2020
2  Bart Jan van der Vorst   06/18/2020

This document has been approved by

Subject matter experts
   Name              Signature   Date reviewed
1  Adriano Carvalho              06/23/2020



Contents

1 Introduction 4

1.1 Transition from RSA Netwitness to Azure Sentinel 4

1.2 Prerequisites 4

1.3 Context 4

2 Configuring Log Collection 6

2.1 Configure Syslog Collection 6

3 Troubleshooting 9

4 Appendix 10



1 Introduction
This document provides instructions and guidance to support KPMG Member Firms in onboarding
Symantec Endpoint Protection Manager (SEPM) logs to Microsoft Azure Sentinel. Azure Sentinel
is the SIEM solution used by the Global IMSS service to collect logs for real-time threat detection,
proactive threat hunting, and log storage for future forensic investigations and compliance. This
document will assist in configuring SEPM to send Syslog to the Azure Sentinel log collector.

1.1 Transition from RSA Netwitness to Azure Sentinel

If you are currently sending logs to RSA Netwitness, you will need to adopt a hard cut-over as part
of the transition to Azure Sentinel. The RSA RLC will be replaced by the KAS-R appliance for log
collection. The KAS-R keeps the same IP address as the current RSA RLC, so no additional steps
from this guide need to be carried out for logs to reach the KAS-R.

For devices not currently logging to an RSA RLC, follow the steps below to configure
SEPM to send logs to Azure Sentinel.

1.2 Prerequisites

- Administrative credentials for the SEPM console
- Obtain the following items from GO-FM IMSS Onboarding:
  o KAS-R Appliance IP address and port

1.3 Context

The following is a description of the services and terminology used in this document:

Service        Description
SEPM           Symantec Endpoint Protection Manager
KAS-R          KPMG Azure Sentinel Remote log collector
Log Analytics  The service that stores log data and is leveraged by Azure Sentinel as its data source.



After completing this document, you will have:
- Configured SEPM to send in Syslog format to the KAS-R Appliance
- Confirmed with GO-FM IMSS Onboarding that logs are being received into Azure Sentinel



2 Configuring Log Collection
In order to send all the logs from SEPM to the KAS-R Appliance, Syslog must be
enabled and configured on the SEPM server. To stay consistent with any existing
log collection with RSA Netwitness, your Member Firm team should configure Syslog to
collect and send the following logs to the KAS-R Appliance:

Management Server Logs
— System Administrative log (defaults)
— System Service Activity log (defaults)

Client Logs
— Activity log (all defaults)
— Security log (critical, major)
— Traffic log (critical, major)
— Control log (all defaults)
— Risk log

2.1 Configure Syslog Collection

Log on to the SEPM Console with administrative credentials.
Click the Admin icon.
Click Servers.
Click the local or remote site from which you want to export log data. Select your SEPM
Master Logging Server from the dropdown.
Click Configure External Logging.
On the General tab, select Enable Transmission of Logs to a Syslog Server, and set the
parameters as follows:

Field                        Value
Syslog Server                IP address of the KAS-R Appliance
Destination Port             TCP, 514
Log Facility                 23
Export Logs to a Dump File   Unchecked



On the Log Filter tab, select the logs that you want to monitor.

— Management Server Logs:
Field                           Value
System Administrative           Unchecked
System Client – Server Activity Unchecked
Audit Log                       Unchecked
System Server Activity Log      Unchecked

— Client Logs:
Field                 Value
Client Activity Log   Checked and select: Fatal, Error, Warning, Info
Security Log          Checked and select: Critical, Major
Traffic Log           Checked and select: Critical, Major
Packet Log            Unchecked
Control Log           Unchecked
Scan Log              Unchecked
Risk Log              Checked
SONAR Protection Log  Unchecked



Click OK.
Contact the IMSS Onboarding team by email to verify that log collection has been
established within Sentinel. Use the following template to simplify the verification
process:

To: GO-FM IMSS Onboarding
Subject: Azure Sentinel Verification of Data Ingestion – SEPM (Member Firm Name)
Body: I have gone through the process for configuring Symantec Endpoint
Protection and I am requesting confirmation that the KAS-R Appliance is receiving
the Syslog feed and that log ingestion into Azure Sentinel is succeeding.
<Member Firm Name>
<Server/Device IP>
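Before asking the onboarding team to confirm ingestion, a Member Firm engineer can check two things locally: that the KAS-R Appliance accepts TCP connections on port 514 from the SEPM server, and that the syslog messages SEPM emits carry the configured facility (23, which is local7 in the standard RFC 3164 numbering; the PRI value in angle brackets at the start of each message is facility * 8 + severity). The script below is an added example written for this guide, not KPMG or Symantec tooling. It decodes only the standard PRI header; the message bodies in the sample are constructed and do not reproduce SEPM's actual output format. The hostname and port are placeholders to be replaced with the values obtained from GO-FM IMSS Onboarding.

```python
"""Local sanity checks for the SEPM -> KAS-R syslog path (added example)."""
import re
import socket

# Value the guide tells you to set under "Log Facility" on the General tab.
EXPECTED_FACILITY = 23  # RFC 3164 facility 23 == local7

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A syslog message starts with "<PRI>" where PRI = facility * 8 + severity (max 191).
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) from the PRI header of one syslog line, or None if malformed."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    return divmod(pri, 8)


def check_lines(lines, expected_facility=EXPECTED_FACILITY):
    """Count lines that carry the expected facility, a different facility, or no valid PRI."""
    report = {"ok": 0, "wrong_facility": 0, "malformed": 0}
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            report["malformed"] += 1
        elif decoded[0] != expected_facility:
            report["wrong_facility"] += 1
        else:
            report["ok"] += 1
    return report


def tcp_reachable(host, port=514, timeout=3.0):
    """True if a TCP connection to host:port can be opened (the SEPM setting is TCP, 514)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample lines; the text after the PRI header is invented, not real SEPM output.
SAMPLE_LINES = [
    "<190>May 27 10:00:01 sepm01 SymantecServer: constructed sample event",   # 23*8+6: local7.info
    "<186>May 27 10:00:02 sepm01 SymantecServer: constructed sample event",   # 23*8+2: local7.crit
    "<14>May 27 10:00:03 sepm01 sshd: constructed sample with facility 1",   # 1*8+6: user.info
    "May 27 10:00:04 sepm01 constructed sample with no PRI header",
]

if __name__ == "__main__":
    # Placeholder; replace with the KAS-R address and port supplied by GO-FM IMSS Onboarding.
    kas_r_host, kas_r_port = "KAS-R-IP-PLACEHOLDER", 514
    print("KAS-R TCP reachable:", tcp_reachable(kas_r_host, kas_r_port))
    for line in SAMPLE_LINES:
        decoded = decode_pri(line)
        label = "malformed" if decoded is None else f"facility {decoded[0]}, {SEVERITY_NAMES[decoded[1]]}"
        print(f"{label:28s} {line[:50]}")
    print(check_lines(SAMPLE_LINES))
```

Run it on the SEPM server (or any host on the same network path) with the real KAS-R address; feed it a capture of outbound port 514 traffic to confirm the facility. A "wrong_facility" count greater than zero means the Log Facility setting did not take effect, and an unreachable port usually points to a firewall between SEPM and the appliance rather than to the SEPM configuration.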



3 Troubleshooting

Please contact GO-FM IMSS Onboarding for any issues you encounter while configuring
the data source to send logs to the KAS-R Appliance.



4 Appendix



Contact us

Global IMSS Onboarding
Global IMSS Onboarding Function Mailbox
E go-fmimssonboarding@kpmg.com

Andrew Burgess
Global Head of Platform Security
T +44 207 3113218
E Andrew.Burgess2@KPMG.co.uk

Brian T. Geffert
Global Chief Information Security Officer
T +1 703 286 8055
E bgeffert@kpmg.com

www.kpmg.com

© 2020 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the
KPMG network of independent firms are affiliated with KPMG International. KPMG International provides
no services to clients. No member firm has any authority to obligate or bind KPMG International or any
other member firm vis-à-vis third parties, nor does KPMG International have any such authority to
obligate or bind any member firm. All rights reserved.
The information contained herein is of a general nature and is not intended to address the circumstances
of any particular individual or entity. Although we endeavour to provide accurate and timely information,
there can be no guarantee that such information is accurate as of the date it is received or that it will
continue to be accurate in the future. No one should act on such information without appropriate
professional advice after a thorough examination of the particular situation.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.
