Hi everyone,
We are using an ArcSight Smart Connector to pull all interesting SEP event information into our SIEM.
It seems like the SEP field "severity" is not available in ArcSight, or maybe I just can't find it.
The event in SEPM looks like this (see Symantec_event.jpg; the labels are in German):
Schweregrad = Severity
Kritisch = Critical
Is this kind of information mapped to an ArcSight field?
Or does this Smart Connector version not read the information from the SEPM database?
I took a look in the SymantecEndpointProtectionDBConfig guide, and it seems like the severity info should be mapped to ArcSight's "Device Severity" field. Is that right?
But for this event the entry in Device Severity is "Warning" and not "Critical", so this must be a different piece of information.
SEPM Version 14.2.4814.1101
MSSQL Version 11.00.7462
Smart Connector Version (Linux) 7.12.0.8149.0
Hope someone can answer my questions.
Kind regards
Dominik