WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Create Antivirus Rule for Symantec Endpoint Protection #134

Closed reece394 closed 1 year ago

reece394 commented 1 year ago

The Symantec log entries do not seem easy to parse, with a lot of `\r\n`s separating the log entries. They are still readable, however, so I added the entire event details to the Threat Name field.

The log entries with the rule are filtered by EventID to reduce noise, as on a real system there are a lot of events that repeat, such as antivirus definitions updated.

I will be attaching a sample Antivirus.csv and an EventLog with some events taken from a Virtual Machine to make for an easier review: SymantecEventLog.zip
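As an added illustration (not code from the chainsaw project or from this pull request): the two things the description above does in rule form, collapsing the `\r\n`-separated Symantec event text into one readable field and keeping only an allow-list of EventIDs, written out in Python over constructed events. The provider name `Symantec AntiVirus`, the EventIDs in `INTERESTING_EVENT_IDS`, the timestamps and the message bodies are placeholders made up for the example, not values taken from the attached samples; the `Event.System.*` / `Event.EventData.*` nesting mirrors the field paths chainsaw rules reference.

```python
from __future__ import annotations

# Hypothetical allow-list of Symantec Endpoint Protection EventIDs to keep.
# The PR does not list the real IDs, so these are placeholders for illustration.
INTERESTING_EVENT_IDS = {51, 52}

# Constructed sample events (not real SEP output), keyed the way chainsaw rules
# address EVTX fields. The messages carry the embedded \r\n separators the
# description talks about; EventID 7 stands in for definition-update noise.
SAMPLE_EVENTS = [
    {
        "Event": {
            "System": {"Provider": "Symantec AntiVirus", "EventID": 51,
                       "TimeCreated": "2023-05-01T09:12:33Z"},
            "EventData": {"Data": (
                "Security Risk Found!EICAR Test String\r\n"
                "in File: C:\\Users\\alice\\Downloads\\eicar.com\r\n"
                "by: Manual Scan\r\n"
                "Action: Quarantine succeeded : Access denied\r\n"
                "Action Description: The file was quarantined successfully.\r\n"
            )},
        }
    },
    {
        "Event": {
            "System": {"Provider": "Symantec AntiVirus", "EventID": 7,
                       "TimeCreated": "2023-05-01T09:00:00Z"},
            "EventData": {"Data": "New virus definition file loaded. Version: 230501001.\r\n"},
        }
    },
    {
        "Event": {
            "System": {"Provider": "Symantec AntiVirus", "EventID": 52,
                       "TimeCreated": "2023-05-01T09:15:10Z"},
            "EventData": {"Data": (
                "Security Risk Found!Trojan.Gen.2\r\n"
                "in File: C:\\Temp\\dropper.exe\r\n"
                "by: Auto-Protect scan\r\n"
                "Action: Delete succeeded\r\n"
            )},
        }
    },
]


def collapse_details(raw: str, sep: str = " | ") -> str:
    """Flatten a \\r\\n-separated SEP message into one readable line.

    Empty segments (trailing separators, blank lines) are dropped so the
    result is the same however many newlines the event ends with.
    """
    parts = [p.strip() for p in raw.replace("\r\n", "\n").split("\n")]
    return sep.join(p for p in parts if p)


def extract_path(raw: str) -> str | None:
    """Pull the path out of the 'in File: <path>' line, if the message has one."""
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line.lower().startswith("in file:"):
            return line.split(":", 1)[1].strip()
    return None


def hunt(events, event_ids=INTERESTING_EVENT_IDS):
    """Return one row per Symantec event whose EventID is in the allow-list.

    The whole message is kept (collapsed) in 'threat_name' so no detail is
    lost, while definition-update chatter and other IDs are filtered out.
    """
    rows = []
    for ev in events:
        system = ev["Event"]["System"]
        if system.get("Provider") != "Symantec AntiVirus":
            continue
        if system.get("EventID") not in event_ids:
            continue
        data = ev["Event"]["EventData"].get("Data", "")
        rows.append({
            "timestamp": system.get("TimeCreated"),
            "event_id": system["EventID"],
            "threat_name": collapse_details(data),
            "path": extract_path(data),
        })
    return sorted(rows, key=lambda r: r["timestamp"])


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(f"{row['timestamp']}  {row['event_id']}  {row['path']}")
        print(f"    {row['threat_name']}")
```

Running the file prints the two detection rows and drops the definition-update event; swapping `INTERESTING_EVENT_IDS` for the real SEP IDs and feeding it the JSON chainsaw dumps from an EVTX gives the same noise reduction the rule does.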