SPE Cloudwatch log value details

Article ID: 433954

Products

Protection Engine for Cloud Services Protection Engine for NAS

Issue/Introduction

Symantec Protection Engine can be configured to send logs directly to AWS CloudWatch. Below are the descriptions and ID values for each field.

Environment

  • Symantec Protection Engine 9.0 and later.

Resolution

SPE writes to six AWS CloudWatch log groups. Those groups are as follows:

| Log Group Name | Contents |
| --- | --- |
| SPE_Threat | One record per file-level threat/policy detection event. Parent container summaries and component-level detections each produce a record. |
| SPE_FileResponse | The final response/disposition record per scan request: the action SPE told the client to take with the file. Includes the final action (allow, block, delete, quarantine). |
| SPE_Health | Health and status events from SPE itself: service startup/shutdown, LiveUpdate events, license events, connectivity issues. |
| SPE_Policy | Events related to policy application, policy changes, and policy violation detections (file attribute policy, container policy, etc.). |
| SPE_RCL | Resource Consumption Logs: periodic metrics about SPE engine resource usage. |
| SPE_Stats | Periodic scan statistics aggregates. |


The fields that appear in the log records are listed below. Value tables for the enumerated fields follow the field table.

| Field Name | Description |
| --- | --- |
| detection_uid | A UUID string. The unique identifier for a detection event. For container scans (where one submission produces multiple events), the parent event and all child component events share the same `detection_uid`, allowing them to be correlated. This is how you know that two log entries belong to the same scan submission. |
| device_time | Unix epoch time in milliseconds. |
| message | A human-readable description of the event. Only present when there is something specific to report (e.g., `"An infection has been found"`). The `message` field is not included in parent container events. |
| severity_id | The severity level of the event. See the `severity_id` values table. |
| version | Schema version string. |
| category_id | The event category ID based on the schema. See the `category_id` values table; `1` (Security) is the only category used by SPE. |
| message_id | A numeric code identifying the specific message text. Used for localization/translation lookup. See the `message_id` values table. Parent container events do not have a `message_id`. |
| id | The disposition (outcome) or action of the event. See the `id` (disposition) values table. |
| type | The event type and type ID based on the schema. See the `type` values table. SPE always uses 8031 for threat and detection events. |
| type_id | See the `type` row above. |
| subfeature_name | Identifies which engine or feature produced the detection. See the `subfeature_name` values table. |
| timezone | The difference in minutes between device local time and UTC. `0` means UTC. Uses the same convention as Windows `TimeZoneInformation.Bias` (positive values are west of UTC). |
| product_ver | The version string of the SPE product installed. |
| device_ip | The IP address of the SPE instance that generated the event. |
| source_asset_type | A storage system (NAS, object store, etc.) submitted the file. |
| source facility | Name of the subsystem providing the data. Always returns Symantec Endpoint Protection for SPE events. |
| source type_id | See the `source type_id` values table. |
| component | A string showing the path of the specific sub-component within a container that triggered the detection. This field only appears on component-level events (when SPE scans inside an archive and finds a threat in one of the contained files). The parent event lacks this field. |
| file name | The filename of the scanned object. For container entries, this is the top-level container name. For component entries (`component` field present), it shows the full path within the container. |
| file url | The URL/path of the file as provided by the client. `"no_path"` means the client did not supply a file path. |
| file sha2 | SHA-256 hash of the file (present when available). |
| file size | File size in bytes (present when available). |
| policy uid | The policy identifier applied during scanning. `"DEFAULT"` means the default SPE policy was used. Custom policy names appear here when configured. |
| policy version | The version number of the policy. |
| content_ver | The antivirus content definition version used during the scan. Format example: `"20260204.113"` (date-based, YYYYMMDD.build). Absent on parent container events when SPE emits the summary before processing all components. |
| threat name | Threat name as reported by the detection engine. Either a specific threat name (EICAR Test String, Trojan.Gen.2, etc.) or, on parent container detection events where multiple components are involved in the detection, a non-threat-specific summary string provided by SPE. See the `threat name` values table. |
| threat id | The numeric threat identifier as assigned by the detection engine (e.g., `11101` for EICAR). `0` on parent container summary events where no single threat ID applies. |
| threat type_id | The category of threat detected. See the `threat type_id` values table. |
| threat risk_id | The cumulative risk rating (from the reputation policy). See the `threat risk_id` values table. |
| threat sub_id | The threat sub-identifier. Pertains only to IPS threats; `0` in most AV scenarios. |
| device_os_type_id | OS of the device (when present). See the `device_os_type_id` values table. |
| status_id | Present only on some events. See the `status_id` values table. |

`severity_id` values

| ID | Name | Description |
| --- | --- | --- |
| 0 | Unknown | The event severity is not known. |
| 1 | Informational | Informational. No action needed. |
| 2 | Warning | The user decides if action is needed. |
| 3 | Minor | Action is required but the situation is not serious at this time. |
| 4 | Major | Action is required immediately. Standard severity for malware detection. |
| 5 | Critical | Action is required immediately and the scope is broad. |
| 6 | Fatal | An error occurred but it is too late to take remedial action. |

`category_id` values

| Value | Description |
| --- | --- |
| 1 | Security |

This is the only category used by SPE.

`message_id` values

| ID | Name |
| --- | --- |
| 2 | An infection has been found |

`id` (disposition) values

| ID | Name | Description |
| --- | --- | --- |
| 0 | Unknown | Disposition is unknown. |
| 1 | Blocked | Action was blocked, with no further remediation (e.g., access denied to file). |
| 2 | Allowed | Action was allowed (exception/exclusion created by admin). |
| 3 | No Action | Remediation action failed. |
| 4 | Logged | Logged only, no action taken. |
| 5 | Command Script Run | Event triggered a script to run in response to the detection. |
| 6 | Corrected | Repaired/cleaned. |
| 7 | Partially Corrected | Partially repaired. |
| 8 | Uncorrected | Still infected; remediation was not possible. |
| 10 | Delayed | Requires reboot to finish. (Deprecated) |
| 11 | Deleted | Cleaned by deletion. |
| 12 | Quarantined | Moved to quarantine. |
| 13 | Restored | Released from quarantine. |
| 14 | Detected | Finding is pending analysis. |
| 15 | Exonerated | No longer suspicious (re-scored). |
| 16 | Tagged | Marked with extended attributes. |

`type` values

| ID | Name | Description |
| --- | --- | --- |
| 8031 | File Detection | File Detection events report the detection and resolution of file threats or policy violations. |

SPE always uses 8031 for threat and detection events.

`subfeature_name` values

| Name | Description |
| --- | --- |
| AV | Antivirus engine detection. |
| DISARM | Active Content Removal (Disarm) detection. Embedded links. |
| ENCRYPTED_FILE | Encrypted file detection. |

`source type_id` values

| ID | Name |
| --- | --- |
| 1 | System |

`threat name` values

| Name | Description |
| --- | --- |
| Specific threat name | Ex: EICAR Test String |
| One or more contained risks | The scanned archive/container had one or more infected components. This is the parent/container summary event. The individual component events (with their own `threat.name`) follow separately. |
| Encrypted container | The container is encrypted and cannot be scanned. |
| Malformed container | The container file is malformed and cannot be fully extracted. |

`threat type_id` values

| ID | Name |
| --- | --- |
| 1 | Malware |
| 2 | Behavioral |
| 3 | Potentially Unwanted Applications (PUA) |
| 4 | Exploit (MEM) |
| 5 | Heuristic |
| 6 | Security Risk |

`threat risk_id` values

| ID | Name |
| --- | --- |
| 0 | Unknown |
| 100 | Bad |
| 200 | Somewhat Bad |
| 300 | Neutral |
| 400 | Somewhat Good |
| 500 | Untrusted |
| 501 | Bad IPS Signature from Safe URL |

`device_os_type_id` values

| ID | Operating System |
| --- | --- |
| 0 | Unknown |
| 100 | Windows |
| 200 | Linux |
| 300 | Solaris |
| 301 | AIX |
| 302 | HP-UX |
| 400 | Macintosh |
| 500 | iOS |
| 501 | Android |
| 1001 | Other |

`status_id` values

| ID | Description |
| --- | --- |
| 0 | Unknown |
| 1 | Success |
| 2 | Failure |
| 3 | In Progress |
| 4 | Partial Success |
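As an added example that is not part of this article and not Symantec Protection Engine code, the Python script below parses a few constructed SPE_Threat records, decodes the enumerated fields from the tables above, correlates parent and component events by `detection_uid`, converts `device_time` plus the `timezone` bias to local time, and lists detections whose disposition leaves a Major-or-worse threat unremediated. It assumes each CloudWatch log event is one JSON object and that the two-part field names in the table (file name, threat name) are nested JSON objects (`file.name`, `threat.name`); the UUIDs, paths and the Trojan.Gen.2 threat ID in the sample are made up.

```python
"""Decode and correlate SPE_Threat records (added example, not Broadcom/SPE
code). Assumes one JSON object per CloudWatch log event and nested objects
for the two-part field names (file.name, threat.name)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Value tables from the article.
SEVERITY = {0: "Unknown", 1: "Informational", 2: "Warning", 3: "Minor",
            4: "Major", 5: "Critical", 6: "Fatal"}
DISPOSITION = {0: "Unknown", 1: "Blocked", 2: "Allowed", 3: "No Action",
               4: "Logged", 5: "Command Script Run", 6: "Corrected",
               7: "Partially Corrected", 8: "Uncorrected", 10: "Delayed",
               11: "Deleted", 12: "Quarantined", 13: "Restored",
               14: "Detected", 15: "Exonerated", 16: "Tagged"}
# Dispositions after which the detected object is still unremediated.
UNRESOLVED_DISPOSITIONS = {0, 3, 8, 14}

# Constructed sample: one archive submission (parent summary plus two
# component records sharing detection_uid), one standalone file, and one
# malformed line. UUIDs, paths and the Trojan.Gen.2 threat ID are made up.
UID_ARCHIVE = "00000000-0000-4000-8000-000000000001"
UID_SINGLE = "00000000-0000-4000-8000-000000000002"
SAMPLE_LOG_LINES = [
    '{"detection_uid":"%s","device_time":1770203400000,"timezone":-60,'
    '"severity_id":4,"id":1,"type_id":8031,"subfeature_name":"AV",'
    '"file":{"name":"invoice.zip","url":"no_path"},'
    '"threat":{"name":"One or more contained risks","id":0,"type_id":1}}'
    % UID_ARCHIVE,
    '{"detection_uid":"%s","device_time":1770203400120,"timezone":-60,'
    '"severity_id":4,"id":11,"type_id":8031,"subfeature_name":"AV",'
    '"message":"An infection has been found","message_id":2,'
    '"component":"invoice.zip/eicar.com","content_ver":"20260204.113",'
    '"file":{"name":"invoice.zip/eicar.com","url":"no_path"},'
    '"threat":{"name":"EICAR Test String","id":11101,"type_id":1}}'
    % UID_ARCHIVE,
    '{"detection_uid":"%s","device_time":1770203400130,"timezone":-60,'
    '"severity_id":4,"id":8,"type_id":8031,"subfeature_name":"AV",'
    '"component":"invoice.zip/tool.exe",'
    '"file":{"name":"invoice.zip/tool.exe","url":"no_path"},'
    '"threat":{"name":"Trojan.Gen.2","id":70001,"type_id":1}}'
    % UID_ARCHIVE,
    '{"detection_uid":"%s","device_time":1770203461000,"timezone":-60,'
    '"severity_id":4,"id":12,"type_id":8031,"subfeature_name":"AV",'
    '"file":{"name":"update.exe","url":"/ingest/update.exe"},'
    '"threat":{"name":"EICAR Test String","id":11101,"type_id":1}}'
    % UID_SINGLE,
    'not json at all {',  # malformed line; the parser skips and counts it
]

def parse_records(lines):
    """Parse one JSON record per line; malformed lines are skipped and counted."""
    records, skipped = [], 0
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped

def local_time(record):
    """device_time is epoch milliseconds; timezone is a Windows-style bias in
    minutes (positive = west of UTC), so local = UTC - bias."""
    bias = record.get("timezone", 0)
    return datetime.fromtimestamp(record["device_time"] / 1000,
                                  timezone(timedelta(minutes=-bias)))

def group_by_submission(records):
    """Group records by detection_uid. The parent summary (or a standalone
    file event) has no `component` field; component-level records do."""
    groups = defaultdict(lambda: {"parent": None, "components": []})
    for rec in records:
        slot = groups[rec["detection_uid"]]
        if "component" in rec:
            slot["components"].append(rec)
        else:
            slot["parent"] = rec
    return dict(groups)

def unresolved_threats(records):
    """Major-or-worse detections whose disposition leaves the object
    unremediated. For a container the component records are checked, not the
    parent summary, whose threat and disposition fields are aggregates."""
    found = []
    for uid, slot in group_by_submission(records).items():
        targets = slot["components"] or [slot["parent"]]
        for rec in filter(None, targets):
            if rec.get("severity_id", 0) >= 4 and rec.get("id") in UNRESOLVED_DISPOSITIONS:
                found.append((uid, rec.get("file", {}).get("name"),
                              rec.get("threat", {}).get("name"),
                              DISPOSITION.get(rec.get("id"), "Unknown")))
    return found

if __name__ == "__main__":
    recs, skipped = parse_records(SAMPLE_LOG_LINES)
    print(f"{len(recs)} records parsed, {skipped} malformed line(s) skipped")
    for uid, slot in group_by_submission(recs).items():
        head = slot["parent"] or slot["components"][0]
        print(uid, local_time(head).isoformat(), SEVERITY[head["severity_id"]],
              len(slot["components"]), "component(s)")
    for item in unresolved_threats(recs):
        print("UNRESOLVED:", item)
```

Run as-is, the script reports that the `invoice.zip` submission contains two component detections, of which `invoice.zip/tool.exe` stays `Uncorrected`, while the standalone `update.exe` detection was quarantined and needs no follow-up. The sign handling in `local_time` is the part worth checking against your own records: a `timezone` of `-60` is east of UTC, so local time is one hour ahead.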

Additional Information

The underlying schema for all these values is Broadcom's ICD Schema 1.0.0 at icd-schema.symantec.com.
