Endpoint Protection Manager sends email notifications alerting you to Suspicious Activity

Article ID: 161287


Updated On:

Products

Endpoint Protection

Issue/Introduction

You want to know why Symantec Endpoint Protection Manager (SEPM) sends you an email notification warning of a security breach or suspicious activity.

The email is as follows:

Subject: Security breach detected on [Servername]
Body: Message from:
Server name: [Servername]
Server IP: IP1,IP2
Security breach: suspicious activity from [Servername] was detected on Symantec Endpoint Protection Manager [Servername]. Check the log files for details.


Examples of what might be seen in the SEPM logs (scm-server-0.log carries the short marker, stdout-0.log the full exception text):

--------

scm-server-0.log
SEVERE: AuthorizationProcessException encountered

stdout-0.log
SEVERE com.sygate.scm.server.security.requestauthorization.AuthorizationProcessException: UpdateObject object privilege data not found for AdministratorState. Authorization cannot be performed

-------

scm-server-0.log
SEVERE: RequestTamperedException encountered

stdout-0.log
SEVERE: com.sygate.scm.server.security.requestauthorization.RequestTamperedException: Remote IP address mismatch between login and current request

Environment

SEP 14.3.x

Resolution

This email is sent in two situations:

  • Request Authorization failed

SEPM performs a server-side authorization check on each incoming request to confirm that the privileges needed for the requested operation are assigned to the administrator whose session the request belongs to.

If the administrator's privileges do not allow the operation, the request is rejected, and an exception is written to the server's debug logs (scm-server-0.log and stdout-0.log) and to the audit log in the database (the V_AUDIT_LOG view).

  • Request Tampering detected

Each incoming request carries a request signature, and the server validates that signature before acting on the request. A request whose signature does not validate is rejected and logged as a RequestTamperedException; the example above shows the case where the remote IP address of the current request does not match the address recorded at login.

This is not a configurable alert. It is built-in and cannot be turned off.

The event time can be located in scm-server-0.log, and stdout-0.log has the expanded exception text. Further details can be found by querying the audit log; see How to view the Audit Log for Symantec Endpoint Protection Manager 12.1 RU5 Web Services.
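The following script is an added example written for this article, not code from SEPM or from Broadcom. It pulls the two exceptions described above out of scm-server-0.log / stdout-0.log lines, maps each to the alert condition it represents, and singles out the login/request IP mismatch case for follow-up in V_AUDIT_LOG. The line shapes are taken from the excerpts on this page; the timestamp and thread prefix on the constructed sample lines is an assumed format, and anything before "SEVERE" is ignored so the real prefix does not matter.

```python
"""Triage SEPM log lines for the two events behind the "Security breach detected" e-mail.
Example code written for this article; not part of SEPM."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The two exception classes quoted on this page, mapped to the alert condition each one means.
EXCEPTION_KINDS = {
    "AuthorizationProcessException": "Request Authorization failed",
    "RequestTamperedException": "Request Tampering detected",
}

# Matches both line shapes shown in the article:
#   scm-server-0.log : "SEVERE: RequestTamperedException encountered"
#   stdout-0.log     : "SEVERE: com.sygate...RequestTamperedException: <detail>"
# The package prefix is optional, and anything before "SEVERE" (timestamp, thread id)
# is skipped by using search() rather than match().
LINE_RE = re.compile(
    r"SEVERE:?\s+"
    r"(?P<cls>(?:com\.sygate\.scm\.server\.security\.requestauthorization\.)?"
    r"(?:AuthorizationProcessException|RequestTamperedException))"
    r"(?P<rest>.*)$"
)


@dataclass
class SepmSecurityEvent:
    kind: str        # alert condition from EXCEPTION_KINDS
    exception: str   # simple exception class name
    detail: str      # text after the class name ("encountered" for the short form)
    raw: str         # original log line


def parse_sepm_log(lines: Iterable[str]) -> List[SepmSecurityEvent]:
    """Return one event per log line that carries either exception; other lines are dropped."""
    events = []
    for raw in lines:
        m = LINE_RE.search(raw)
        if not m:
            continue
        simple = m.group("cls").rsplit(".", 1)[-1]
        rest = m.group("rest").strip()
        if rest.startswith(":"):           # stdout-0.log form: "<class>: <detail>"
            rest = rest[1:].strip()
        events.append(SepmSecurityEvent(EXCEPTION_KINDS[simple], simple, rest, raw.rstrip("\n")))
    return events


def summarize(events: Iterable[SepmSecurityEvent]) -> Dict[str, int]:
    """Count events per alert condition, for a quick view of which check fired."""
    return dict(Counter(e.kind for e in events))


def ip_mismatch_events(events: Iterable[SepmSecurityEvent]) -> List[SepmSecurityEvent]:
    """RequestTamperedException events whose detail is the login/request IP mismatch shown
    on this page. These are the ones to correlate with the administrator's session in
    V_AUDIT_LOG, since a request arriving from a different address than the login is what
    this check exists to catch."""
    return [e for e in events
            if e.exception == "RequestTamperedException"
            and "Remote IP address mismatch" in e.detail]


# Constructed sample: the article's stdout-0.log lines and one scm-server-0.log line, plus an
# unrelated INFO line. The "2024-05-01 09:15:02 THREAD 12" prefix is an assumed format.
SAMPLE_LOG = [
    "2024-05-01 09:15:02 THREAD 12 INFO: Admin login succeeded",
    "2024-05-01 09:15:40 THREAD 12 SEVERE com.sygate.scm.server.security.requestauthorization."
    "AuthorizationProcessException: UpdateObject object privilege data not found for "
    "AdministratorState. Authorization cannot be performed",
    "2024-05-01 09:16:11 THREAD 17 SEVERE: RequestTamperedException encountered",
    "2024-05-01 09:16:11 THREAD 17 SEVERE: com.sygate.scm.server.security.requestauthorization."
    "RequestTamperedException: Remote IP address mismatch between login and current request",
]

if __name__ == "__main__":
    found = parse_sepm_log(SAMPLE_LOG)
    for ev in found:
        print(f"{ev.kind:30} {ev.exception:30} {ev.detail}")
    print(summarize(found))
    print("IP mismatch events:", len(ip_mismatch_events(found)))
```

Feed it the real files with `parse_sepm_log(open("stdout-0.log"))`; the scm-server-0.log entries give you the event time for the same exception, and the audit log query from the linked article gives the administrator and request behind it.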