Scenario: Object Audit level logging with Symantec EndPoint Protection being sent to SIEM solution.
Objective: Prevent AV Scans from flooding SIEM
Problem: Windows Audit Policy (auditpol) can exclude based on username but not based on process name. Symantec scans generate security logs but do not have a username associated with them. At scan time, SIEM solution becomes inundated with events from scans.
Sample event (notice that the User= field is blank):
<13>Jan 22 12:19:42 HOSTNAME
AgentDevice=WindowsLog
AgentLogFile=Security
PluginVersion=1.0.14
Source=Microsoft-Windows-Security-Auditing
Computer=HOSTNAME.FQDN
User=
Domain=
EventID=4663
EventIDCode=4663
EventType=8
EventCategory=12800
RecordNumber=4917837
TimeGenerated=1358874971
TimeWritten=1358874971
Message=An attempt was made to access an object.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: HOSTNAME$
Account Domain: CORP
Logon ID: 0x3e7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\ehome\ehshell.dll
Handle ID: 0x2c0
Process Information:
Process ID: 0xbec
Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Access Request Information:
Accesses: WriteAttributes
Access Mask: 0x100
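One way to handle this on the collector or SIEM side rather than in auditpol, as an added example that is not part of the original post: parse the agent's key=value header and the "Label: value" lines of the Message body, then suppress only 4663 events whose subject is NT AUTHORITY\SYSTEM, whose User= is empty, and whose Process Name is the full Rtvscan.exe path from the sample above. The parser, the function names, and the second event (the sample with the process path swapped for a constructed placeholder) are assumptions made for this example; the first event is the one posted.

```python
import re

# Constructed from the event in the post (verbatim) so the example runs offline.
SAMPLE_EVENT = r"""<13>Jan 22 12:19:42 HOSTNAME
AgentDevice=WindowsLog
AgentLogFile=Security
PluginVersion=1.0.14
Source=Microsoft-Windows-Security-Auditing
Computer=HOSTNAME.FQDN
User=
Domain=
EventID=4663
EventIDCode=4663
EventType=8
EventCategory=12800
RecordNumber=4917837
TimeGenerated=1358874971
TimeWritten=1358874971
Message=An attempt was made to access an object.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: HOSTNAME$
Account Domain: CORP
Logon ID: 0x3e7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\ehome\ehshell.dll
Handle ID: 0x2c0
Process Information:
Process ID: 0xbec
Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Access Request Information:
Accesses: WriteAttributes
Access Mask: 0x100
"""

# Full installed path from the sample. Matching the whole path (not just the
# basename) means a same-named binary elsewhere is NOT treated as scanner noise.
SEP_SCANNER_PATH = r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe"

# Constructed variant: same event, but the process lives at a placeholder path.
# Used only to show that the filter keeps anything that is not the real scanner.
LOOKALIKE_EVENT = SAMPLE_EVENT.replace(SEP_SCANNER_PATH, r"C:\PLACEHOLDER_DIR\Rtvscan.exe")


def parse_event(raw: str) -> dict:
    """Flatten one agent-formatted Security event into a dict.

    Lines before and including 'Message=' are key=value header fields; lines
    after it are the Windows message body in 'Label: value' form, where bare
    'Section:' lines (Subject:, Object:, ...) are skipped.
    """
    fields = {}
    in_body = False
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if not in_body:
            if "=" not in line:
                continue  # syslog PRI/timestamp/host line
            key, _, value = line.partition("=")
            fields[key] = value
            if key == "Message":
                in_body = True
        else:
            # partition on ': ' so values containing ':' (drive letters) survive
            label, sep, value = line.partition(": ")
            if sep:
                fields[label] = value
    return fields


def is_sep_scan_noise(event: dict) -> bool:
    """True only for object-access audits generated by the SEP scanner itself.

    All four conditions must hold; loosening any of them (e.g. basename-only
    matching) would let unrelated activity be dropped from the SIEM.
    """
    return (
        event.get("EventID") == "4663"
        and event.get("User", "") == ""
        and event.get("Security ID") == r"NT AUTHORITY\SYSTEM"
        and event.get("Process Name", "").lower() == SEP_SCANNER_PATH.lower()
    )


def filter_events(raw_events):
    """Split raw events into (kept, suppressed) lists of parsed dicts."""
    kept, suppressed = [], []
    for raw in raw_events:
        ev = parse_event(raw)
        (suppressed if is_sep_scan_noise(ev) else kept).append(ev)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_events([SAMPLE_EVENT, LOOKALIKE_EVENT])
    print(f"kept={len(kept)} suppressed={len(suppressed)}")
    for ev in kept:
        print("kept:", ev["Process Name"], ev["Object Name"], ev["Accesses"])
```

Rather than discarding the suppressed events outright, a collector can route them to a cheaper, lower-retention index so a later investigation of scanner behaviour on a host is still possible; the filter decision itself is the same either way.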