diff --git a/Content/Content Packs/Symantec Endpoint Content Pack.htm b/Content/Content Packs/Symantec Endpoint Content Pack.htm
index 30dd74a..2c9a511 100644
--- a/Content/Content Packs/Symantec Endpoint Content Pack.htm	
+++ b/Content/Content Packs/Symantec Endpoint Content Pack.htm	
@@ -1,217 +1,245 @@
 ﻿<?xml version="1.0" encoding="utf-8"?>
-<html xmlns:MadCap="http://www.madcapsoftware.com/Schemas/MadCap.xsd" xml:lang="en-us">
-    <head><title>Symantec Endpoint Content Pack</title>
+<html xmlns:MadCap="http://www.madcapsoftware.com/Schemas/MadCap.xsd">
+    <head>
+        <link href="../Resources/TableStyles/Alternate-Row-Color.css" rel="stylesheet" MadCap:stylesheetType="table" /><title>Symantec Endpoint Content Pack</title>
         <link href="../Resources/Stylesheets/Styles.css" rel="stylesheet" />
     </head>
     <body>
         <MadCap:snippetBlock src="../Resources/Snippets/IlluminateBanner.flsnp" />
-        <p>
-            <section class="infoBox">
-                <div class="title" style="font-weight: normal;"><b>Hint</b>:&#160;This content pack was first released in Illuminate v3.2.0. </div>
-            </section>
-        </p>
-        <p class="NormalWeb">Symantec Endpoint Protection is a security software suite that consists of anti-malware, intrusion prevention, and firewall features for server and desktop computers. This technology pack will process Symantec logs, providing normalization and enrichment of common events of interest.</p>
-        <h2><span class="Strong">Supported Version(s)</span>
-        </h2>
+        <p>Symantec Endpoint Protection is a security software suite that consists of anti-malware, intrusion prevention, and firewall features for server and desktop computers. This technology pack will process Symantec logs, providing normalization and enrichment of common events of interest.</p>
+        <h2 id="supported-versions">Supported Version(s)</h2>
         <ul>
             <li>
-                <p>14.3.8268.5000<br /></p>
+                <p>14.3.8268.5000</p>
             </li>
         </ul>
-        <h2><span class="Strong">Stream Configuration</span>
-        </h2>
-        <p class="NormalWeb">This technology pack includes one stream: </p>
+        <h2 id="requirements">Requirements</h2>
         <ul>
             <li>
-                <p class="NormalWeb">“Illuminate: Symantec Device Messages”</p>
+                <p>Configure a TCP Syslog input on Graylog</p>
+            </li>
+            <li>
+                <p>Configure Symantec Endpoint Protection Manager to transmit Syslog to your Graylog server Syslog input</p>
+            </li>
+            <li>
+                <p>For SEPM output configuration, please refer to <a href="https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html">the official documentation</a></p>
             </li>
         </ul>
+        <h2 id="stream-configuration">Stream Configuration</h2>
+        <p>This technology pack includes 1 stream:</p>
+        <ul>
+            <li>"Illuminate: Symantec Device Messages"</li>
+        </ul>
         <p>
             <section class="infoBox">
-                <div class="title" style="font-weight: normal;"><b>Hint</b>:  If this stream does not exist prior to the activation of this pack, then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.</div>
+                <div class="title"><b>Hint: </b><span style="font-weight: normal;">If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.</span>
+                </div>
             </section>
         </p>
-        <h2><span class="Strong">Index Set Configuration</span>
-            <br />
-        </h2>
-        <p class="NormalWeb">This technology pack includes one index set definition:</p>
+        <h2 id="index-set-configuration">Index Set Configuration</h2>
+        <p>This technology pack includes 1 index set definition:</p>
         <ul>
-            <li>
-                <p class="NormalWeb"> “Symantec Event Log Messages”<br /></p>
-            </li>
+            <li>"Symantec Event Log Messages"</li>
         </ul>
         <p>
             <section class="infoBox">
-                <div class="title" style="font-weight: normal;"><b>Hint</b>:  If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.</div>
+                <div class="title"><b>Hint: </b><span style="font-weight: normal;">If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.</span>
+                </div>
             </section>
         </p>
-        <h2><span class="Strong">Event Types Supported</span>
-        </h2>
-        <ul class="ul_2">
-            <li class="NormalWeb">
-                <p class="NormalWeb">Server Administration</p>
-            </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Application and Device Control</p>
+        <h2 id="supported">Event Types Supported</h2>
+        <ul>
+            <li>
+                <p>Server Administration</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Server Client-Server Policy</p>
+            <li>
+                <p>Application and Device Control</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Server System</p>
+            <li>
+                <p>Server Client-Server Policy</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Client Packet</p>
+            <li>
+                <p>Server System</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Client Proactive Threat</p>
+            <li>
+                <p>Client Packet</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Client Risk</p>
+            <li>
+                <p>Client Proactive Threat</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Client Scan</p>
+            <li>
+                <p>Client Risk</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Client Security</p>
+            <li>
+                <p>Client Scan</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Client System</p>
+            <li>
+                <p>Client Security</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Client Traffic</p>
+            <li>
+                <p>Client System</p>
             </li>
-        </ul>
-        <h2><span class="Strong">Log Format Examples</span>
-        </h2>
-        <h3><span class="HTMLCode_1">Server Administration Admin</span>
-        </h3>
-        <p class="NormalWeb"><code class="linecode">WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Domain Name: Default,Admin: admin,Event Description: Administrator log on succeeded</code>
-        </p>
-        <h3><span class="HTMLCode_1">Application and Device Control</span>
-        </h3>
-        <p class="NormalWeb">-Behavior<code class="linecode"><br /></code><code class="linecode">WIN-TFB8L7BI77H SymantecServer: WIN-TFB8L7BI77H,172.16.14.42,Blocked, - Caller SHA256=e6b2c506042ff50415668cb9d0f24c34c2cf080f1023ca9565fdb846ccd39b53 - Target MD5=9a1d9fe9b1223273c314632d04008384 - Target Arguments='',Create Process,Begin: 2023-01-11 18:38:09,End Time: 2023-01-11 18:38:09,Rule: Rule 1 | Block anydesk.exe,10060,C:/Windows/explorer.exe,0,No Module Name,C:/Users/Administrator/Downloads/AnyDesk.exe,User Name: Administrator,Domain Name: WIN-TFB8L7BI77H,Action Type: ,File size (bytes): 399808,Device ID: SCSI\Disk&amp;Ven_&amp;Prod_ST500DM002-1BD14\4&amp;37da426a&amp;0&amp;000000</code><code class="linecode"><code class="linecode"><br /></code></code>-Agent<code class="linecode"><code class="linecode"><br /></code><code class="linecode">WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Domain Name: Default,The management server received the client log successfully,WIN-TFB8L7BI77H,Administrator,LocalComputer</code></code></p>
-        <h3><span class="HTMLCode_1">Server Client-Server Policy</span>
-        </h3>
-        <p class="NormalWeb"><code class="linecode">WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Domain Name: Default,Admin: admin,Event Description: Policy has been edited: Edited shared Firewall policy: Firewall policy,Firewall policy</code>
-        </p>
-        <h3><span class="HTMLCode_1">Server System</span>
-        </h3>
-        <p class="NormalWeb"><code class="linecode">WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Event Description: Failed to connect to the syslog server. External logging cannot proceed until the problem is resolved.</code>
-        </p>
-        <h3><span class="HTMLCode_1">Client Packet</span>
-        </h3>
-        <p class="NormalWeb"><code class="linecode">WIN-TFB8L7BI77H SymantecServer: WIN-Client,Local Host IP: 172.16.14.42,Local: 3,Remote Host IP: 172.16.14.10,Remote Host Name: ceredox-dc01.ceredox.comd,Remote: 3,Outbound,Application: ,Action: Blocked</code>
-        </p>
-        <h3><span class="HTMLCode_1">Client Proactive Threat</span>
-        </h3>
-        <p class="NormalWeb"><code class="linecode">WIN-TFB8L7BI77H SymantecServer: Security risk found,Computer name: WIN-Client,IP Address: 172.16.14.42,Detection type: Suspicious Behavior Detection,First Seen: Reputation was not used in this detection.,Application name: Microsoft® Windows® Operating System,Application type: Trojan Worm,Application version: 10.0.17763.1,Hash type: SHA-256,Application hash: 85dd6f8edf142f53746a51d11dcba853104bb0207cdf2d6c3529917c3c0fc8df,Company name: Microsoft Corporation,File size (bytes): 1652736,Sensitivity: 1,Detection score: 0,COH Engine Version: ,Detection Submissions No,Allowed application reason: Not on the allow list,Disposition: Good,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,Risk Level: High,Risk type: BPE,Source: SONAR Scan,Risk name: SONAR.SuspPE!gen43,Occurrences: 1,c:\windows\system32\certutil.exe,,Actual action: Access denied,Requested action: Left alone,Secondary action: Left alone,Event time: 2023-01-11 01:29:36,Event Insert Time: 2023-01-11 01:31:24,End Time: 2023-01-11 01:29:36,Domain Name: Default,Group Name: My Company\\Test,Server Name: WIN-TFB8L7BI77H,User Name: Administrator,Source Computer Name: ,Source Computer IP: ,Location: ,Intensive Protection Level: 0,Certificate issuer: Microsoft Windows,Certificate signer: Microsoft Windows Production PCA 2011,Certificate thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452,Signing timestamp: 1536994988,Certificate serial number: 33000001C422B2F79B793DACB20000000001C4</code>
-        </p>
-        <h3><span class="HTMLCode_1">Client Risk</span>
-        </h3>
-        <p class="NormalWeb"><code class="linecode">WIN-TFB8L7BI77H SymantecServer: Virus found,IP Address: 172.16.14.42,Computer name: WIN-Client,Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1,File path: C:\Users\Administrator\Downloads\eicar_com.zip,Description: ,Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2023-01-12 12:25:36,Event Insert Time: 2023-01-12 12:27:05,End Time: 2023-01-12 12:25:36,Last update time: 2023-01-12 12:27:05,Domain Name: Default,Group Name: My Company\Test,Server Name: WIN-TFB8L7BI77H,User Name: Administrator,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: [https://secure.eicar.org/eicar_com.zip,Web](https://secure.eicar.org/eicar_com.zip,Web) domain: [secure.eicar.org](http://secure.eicar.org/),Downloaded by: chrome.exe,Prevalence: This file has been seen by hundreds of thousands of Symantec users.,Confidence: This file is untrustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file for more than 1 year.,Sensitivity: ,Allowed application reason: Not on the allow list,Application hash: 2546DCFFC5AD854D4DDC64FBF056871CD5A00F2471CB7A5BFD4AC23B6E9EEDAD,Hash type: SHA2,Company name: ,Application name: eicar_com.zip,Application version: ,Application type: 127,File size (bytes): 184,Category set: Malware,Category type: Virus,Location: Default,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:</code>
-        </p>
-        <h3><span class="HTMLCode_1">Client Scan</span>
-        </h3>
-        <p class="NormalWeb"><code class="linecode">WIN-TFB8L7BI77H SymantecServer: Scan ID: 1673417071,Begin: 2023-01-12 11:25:12,End Time: 2023-01-12 11:25:50,Completed,Duration (seconds): 38,User1: SYSTEM,User2: SYSTEM,Scan started on selected drives and folders and all extensions.,Scan Complete: Risks: 0 Scanned: 1102 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 748,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1102,Omitted: 0,Computer: WIN-TFB8L7BI77H,IP Address: 172.16.14.42,Domain Name: Default,Group Name: My Company\Test,Server Name: WIN-TFB8L7BI77H,Scan Type: DefWatch</code>
-        </p>
-        <h3><span class="HTMLCode_1">Client Security</span>
-        </h3>
-        <p class="NormalWeb"><code class="linecode">WIN-TFB8L7BI77H SymantecServer: WIN-TFB8L7BI77H,Event Description: [SID: 60501] URL reputation: Browser navigation to known bad URL attack blocked. Traffic has been blocked for this application: C:\Program Files\Google\Chrome\Application\Chrome.exe,Event Type: Browser Protection event,Local Host IP: 0.0.0.0,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 0.0.0.0,Remote Host MAC: 000000000000,Outbound,OTHERS,,Begin: 2023-01-12 12:21:33,End Time: 2023-01-12 12:21:33,Occurrences: 1,Application: C:/Program Files/Google/Chrome/Application/chrome.exe,Location: Default,User Name: Administrator,Domain Name: WIN-TFB8L7BI77H,Local Port: 0,Remote Port: 0,CIDS Signature ID: 60501,CIDS Signature string: URL reputation: Browser navigation to known bad URL,CIDS Signature SubID: 0,Intrusion URL: http:/[www.eicar.eu/,Intrusion](http://www.eicar.eu/,Intrusion) Payload URL: ,SHA-256: ,MD-5: ,Intensive Protection Level: Level 1,URL Risk: N/A,URL Category: Malicious Sources/Malnets* Client System</code><code class="linecode"><br /></code><code class="linecode">WIN-TFB8L7BI77H SymantecServer: WIN-Client,Category: 2,LiveUpdate Manager,Event Description: An update for Revocation Data was successfully installed. The new sequence number is 230112003.,Event time: 2023-01-12 15:29:51,Group Name: My Company\Test</code>
-        </p>
-        <h3><span class="HTMLCode_1">Client Traffic</span>
-        </h3>
-        <p class="NormalWeb"><code class="linecode">WIN-TFB8L7BI77H SymantecServer: DESKTOP-D2IQ7II,Local Host IP: 172.16.14.58,Local Port: 3,Local Host MAC: F8B156BAD2E9,Remote Host IP: 8.8.8.8,Remote Host Name: dns.google,Remote Port: 3,Remote Host MAC: 001AE3B5F444,ICMP,Outbound,Begin: 2023-01-12 16:59:58,End Time: 2023-01-12 16:59:58,Occurrences: 1,Application: ,Rule: Block all other IP traffic and log,Location: Default,User Name: admin,Domain Name: DESKTOP-D2IQ7II,Action: Blocked,SHA-256: ,MD-5:</code>
-        </p>
-        <h2><span class="Strong">Requirements</span>
-            <br />
-        </h2>
-        <ul>
             <li>
-                <p>Configure a TCP Syslog input on Graylog.</p>
+                <p>Client Traffic</p>
             </li>
         </ul>
+        <h2 id="log-format-example">Log Format Examples</h2>
+        <h4>Server Administration Admin</h4>
+        <p><code class="linecode">`WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Domain Name: Default,Admin: admin,Event Description: Administrator log on succeeded`</code>
+        </p>
+        <h4>Application and Device Control</h4>
+        <p><code class="linecode">-Behavior
+        `WIN-TFB8L7BI77H SymantecServer: WIN-TFB8L7BI77H,172.16.14.42,Blocked, - Caller SHA256=e6b2c506042ff50415668cb9d0f24c34c2cf080f1023ca9565fdb846ccd39b53 - Target MD5=9a1d9fe9b1223273c314632d04008384 - Target Arguments='',Create Process,Begin: 2023-01-11 18:38:09,End Time: 2023-01-11 18:38:09,Rule: Rule 1 | Block anydesk.exe,10060,C:/Windows/explorer.exe,0,No Module Name,C:/Users/Administrator/Downloads/AnyDesk.exe,User Name: Administrator,Domain Name: WIN-TFB8L7BI77H,Action Type: ,File size (bytes): 399808,Device ID: SCSI\Disk&Ven_&Prod_ST500DM002-1BD14\4&37da426a&0&000000`
+        -Agent
+        `WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Domain Name: Default,The management server received the client log successfully,WIN-TFB8L7BI77H,Administrator,LocalComputer`</code>
+        </p>
+        <h4>Server Client-Server Policy</h4>
+        <p><code class="linecode">`WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Domain Name: Default,Admin: admin,Event Description: Policy has been edited: Edited shared Firewall policy: Firewall policy,Firewall policy`
+
+        </code>
+        </p>
+        <h4>Server System</h4>
+        <p><code class="linecode">`WIN-TFB8L7BI77H SymantecServer: Site: My Site,Server Name: WIN-TFB8L7BI77H,Event Description: Failed to connect to the syslog server. External logging cannot proceed until the problem is resolved.`
+
+        </code>
+        </p>
+        <h4>Client Packet</h4>
+        <p><code class="linecode">`WIN-TFB8L7BI77H SymantecServer: WIN-Client,Local Host IP: 172.16.14.42,Local: 3,Remote Host IP: 172.16.14.10,Remote Host Name: ceredox-dc01.ceredox.comd,Remote: 3,Outbound,Application: ,Action: Blocked`</code>
+        </p>
+        <h4>Client Proactive Threat</h4>
+        <p><code class="linecode">`WIN-TFB8L7BI77H SymantecServer: Security risk found,Computer name: WIN-Client,IP Address: 172.16.14.42,Detection type: Suspicious Behavior Detection,First Seen: Reputation was not used in this detection.,Application name: Microsoft® Windows® Operating System,Application type: Trojan Worm,Application version: 10.0.17763.1,Hash type: SHA-256,Application hash: 85dd6f8edf142f53746a51d11dcba853104bb0207cdf2d6c3529917c3c0fc8df,Company name: Microsoft Corporation,File size (bytes): 1652736,Sensitivity: 1,Detection score: 0,COH Engine Version: ,Detection Submissions No,Allowed application reason: Not on the allow list,Disposition: Good,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,Risk Level: High,Risk type: BPE,Source: SONAR Scan,Risk name: SONAR.SuspPE!gen43,Occurrences: 1,c:\windows\system32\certutil.exe,,Actual action: Access denied,Requested action: Left alone,Secondary action: Left alone,Event time: 2023-01-11 01:29:36,Event Insert Time: 2023-01-11 01:31:24,End Time: 2023-01-11 01:29:36,Domain Name: Default,Group Name: My Company\\Test,Server Name: WIN-TFB8L7BI77H,User Name: Administrator,Source Computer Name: ,Source Computer IP: ,Location: ,Intensive Protection Level: 0,Certificate issuer: Microsoft Windows,Certificate signer: Microsoft Windows Production PCA 2011,Certificate thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452,Signing timestamp: 1536994988,Certificate serial number: 33000001C422B2F79B793DACB20000000001C4`</code>
+        </p>
+        <h4>Client Risk</h4>
+        <p><code class="linecode">`WIN-TFB8L7BI77H SymantecServer: Virus found,IP Address: 172.16.14.42,Computer name: WIN-Client,Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1,File path: C:\Users\Administrator\Downloads\eicar_com.zip,Description: ,Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2023-01-12 12:25:36,Event Insert Time: 2023-01-12 12:27:05,End Time: 2023-01-12 12:25:36,Last update time: 2023-01-12 12:27:05,Domain Name: Default,Group Name: My Company\Test,Server Name: WIN-TFB8L7BI77H,User Name: Administrator,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: [https://secure.eicar.org/eicar_com.zip,Web](https://secure.eicar.org/eicar_com.zip,Web) domain: [secure.eicar.org](http://secure.eicar.org/),Downloaded by: chrome.exe,Prevalence: This file has been seen by hundreds of thousands of Symantec users.,Confidence: This file is untrustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file for more than 1 year.,Sensitivity: ,Allowed application reason: Not on the allow list,Application hash: 2546DCFFC5AD854D4DDC64FBF056871CD5A00F2471CB7A5BFD4AC23B6E9EEDAD,Hash type: SHA2,Company name: ,Application name: eicar_com.zip,Application version: ,Application type: 127,File size (bytes): 184,Category set: Malware,Category type: Virus,Location: Default,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:`</code>
+        </p>
+        <h4>Client Scan</h4>
+        <p><code class="linecode">`WIN-TFB8L7BI77H SymantecServer: Scan ID: 1673417071,Begin: 2023-01-12 11:25:12,End Time: 2023-01-12 11:25:50,Completed,Duration (seconds): 38,User1: SYSTEM,User2: SYSTEM,Scan started on selected drives and folders and all extensions.,Scan Complete: Risks: 0 Scanned: 1102 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 748,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1102,Omitted: 0,Computer: WIN-TFB8L7BI77H,IP Address: 172.16.14.42,Domain Name: Default,Group Name: My Company\Test,Server Name: WIN-TFB8L7BI77H,Scan Type: DefWatch`</code>
+        </p>
+        <h4>Client Security</h4>
+        <p><code class="linecode">`WIN-TFB8L7BI77H SymantecServer: WIN-TFB8L7BI77H,Event Description: [SID: 60501] URL reputation: Browser navigation to known bad URL attack blocked. Traffic has been blocked for this application: C:\Program Files\Google\Chrome\Application\Chrome.exe,Event Type: Browser Protection event,Local Host IP: 0.0.0.0,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 0.0.0.0,Remote Host MAC: 000000000000,Outbound,OTHERS,,Begin: 2023-01-12 12:21:33,End Time: 2023-01-12 12:21:33,Occurrences: 1,Application: C:/Program Files/Google/Chrome/Application/chrome.exe,Location: Default,User Name: Administrator,Domain Name: WIN-TFB8L7BI77H,Local Port: 0,Remote Port: 0,CIDS Signature ID: 60501,CIDS Signature string: URL reputation: Browser navigation to known bad URL,CIDS Signature SubID: 0,Intrusion URL: http:/[www.eicar.eu/,Intrusion](http://www.eicar.eu/,Intrusion) Payload URL: ,SHA-256: ,MD-5: ,Intensive Protection Level: Level 1,URL Risk: N/A,URL Category: Malicious Sources/Malnets* Client System
+        WIN-TFB8L7BI77H SymantecServer: WIN-Client,Category: 2,LiveUpdate Manager,Event Description: An update for Revocation Data was successfully installed. The new sequence number is 230112003.,Event time: 2023-01-12 15:29:51,Group Name: My Company\Test`</code>
+        </p>
+        <h4>Client Traffic</h4>
+        <p><code class="linecode">`WIN-TFB8L7BI77H SymantecServer: DESKTOP-D2IQ7II,Local Host IP: 172.16.14.58,Local Port: 3,Local Host MAC: F8B156BAD2E9,Remote Host IP: 8.8.8.8,Remote Host Name: dns.google,Remote Port: 3,Remote Host MAC: 001AE3B5F444,ICMP,Outbound,Begin: 2023-01-12 16:59:58,End Time: 2023-01-12 16:59:58,Occurrences: 1,Application: ,Rule: Block all other IP traffic and log,Location: Default,User Name: admin,Domain Name: DESKTOP-D2IQ7II,Action: Blocked,SHA-256: ,MD-5:`</code>
+        </p>
+        <h2 id="what-is-provided">What is Provided</h2>
         <ul>
             <li>
-                <p>Configure Symantec Endpoint Protection Manager to transmit Syslog to your Graylog server Syslog input.<br />For SEPM output configuration, please refer to <a href="https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html">the official documentation</a>.</p>
+                <p>Parsing rules to extract Symantec logs into Graylog schema compatible fields</p>
             </li>
         </ul>
-        <h2><span class="Strong">What is Provided?</span>
-            <br />
-        </h2>
+        <h2 id="events">Categorized Events</h2>
         <ul>
             <li>
-                <p class="NormalWeb">Parsing rules to extract Symantec logs into Graylog schema compatible fields.</p>
-            </li>
-        </ul>
-        <h2><span class="Strong">Categorized Events</span>
-        </h2>
-        <ul class="ul_2">
-            <li class="NormalWeb">
-                <p class="NormalWeb">Client Risk: alert message</p>
+                <p>Client Risk: alert message</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Client Security: alert message</p>
+            <li>
+                <p>Client Security: alert message</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Client Proactive Threat: alert message</p>
+            <li>
+                <p>Client Proactive Threat: alert message</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Server Administration (log on event): logon</p>
+            <li>
+                <p>Server Administration (log on event): logon</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Server Administration (log off event): logoff</p>
+            <li>
+                <p>Server Administration (log off event): logoff</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Server Administration (log on failed): logon</p>
+            <li>
+                <p>Server Administration (log on failed): logon</p>
             </li>
-            <li class="NormalWeb">
-                <p class="NormalWeb">Server Administration (admin password change): administrative password reset</p>
+            <li>
+                <p>Server Administration (admin password change): administrative password reset</p>
             </li>
         </ul>
         <p>
             <section class="infoBox">
-                <div class="title" style="font-weight: normal;"><b>Hint</b>: Client Risk logs are set statically to <code class="linecode">alert_severity high</code>.</div>
+                <div class="title"><b>Hint: </b><span style="font-weight: normal;">Client Risk logs are set statically to <code class="linecode">alert_severity</code> high.</span>
+                </div>
             </section>
         </p>
-        <p class="NormalWeb">SEPM supports three action types for the event types: <b>Client Proactive Threat</b> and <b>Client Risk</b>. The behavior is described as:</p>
+        <p>SEPM supports three action types for the event types: <strong>Client Proactive Threat</strong> and <strong>Client Risk</strong>. The behavior is described as:</p>
         <ul>
             <li>
-                <p class="NormalWeb"> Actual action: The action SEP took to remediate the mentioned threat.<br /></p>
+                <p>Actual action: The action SEP took to remediate the mentioned threat.</p>
             </li>
             <li>
-                <p class="NormalWeb">Requested action: This is the action SEP wants to perform and is usually the same as actual action.</p>
+                <p>Requested action: This is the action SEP wants to perform and is usually the same as actual action.</p>
             </li>
             <li>
-                <p class="NormalWeb">Secondary action: Action to take in case the actual action does not work.</p>
+                <p>Secondary action: Action to take in case the actual action does not work.</p>
             </li>
         </ul>
-        <p class="NormalWeb"> Graylog maps actual, requested, and secondary actions to:<br /></p>
+        <p>Graylog maps actual, requested, and secondary actions to:</p>
         <ul>
             <li>
-                <p class="NormalWeb">Actual action: <code class="linecode">vendor_event_action</code><br /></p>
+                <p>Actual action: <code class="linecode">vendor_event_action</code></p>
             </li>
             <li>
-                <p class="NormalWeb">Requested action: <code class="linecode">vendor_requested_action</code><br /></p>
+                <p>Requested action: <code class="linecode">vendor_requested_action</code></p>
             </li>
             <li>
-                <p class="NormalWeb">Secondary action: <code class="linecode">vendor_secondary_action</code></p>
-            </li>
-        </ul>
-        <p class="NormalWeb">The logs are identified by the keyword <b>SymantecServer</b>.</p>
-        <h2>
-            <MadCap:annotation MadCap:createDate="2023-06-28T09:20:06.5115008-08:00" MadCap:creator="AnnieZempel" MadCap:initials="AN" MadCap:comment="Added spotlight information for 3.4" MadCap:editor="AnnieZempel" MadCap:editDate="2023-06-28T09:20:12.9895651-08:00">Symantec </MadCap:annotation>Endpoint Spotlight Content Pack</h2>
-        <p class="NormalWeb">Introduced in Illuminate 3.4 the Symantec Endpoint <a href="../Installing Illuminate/Installing Graylog Illuminate.htm#Illumina3">Spotlight Content Pack</a> comes bundled with the Symantec Endpoint Security Content Pack. See <a href="../Installing Illuminate/Installing Graylog Illuminate.htm">Installing Illuminate</a> or <a href="../Upgrading Illuminate/Upgrading Graylog Illuminate.htm">Upgrading Illuminate</a> for more information on Spotlight Content Pack selection. This additional pack contains the following dashboards:</p>
-        <ul>
-            <li>
-                <p>Symantec Endpoint Protection: Overview Tab<br /><img src="../Resources/Images/Symantec Endpoint Protection- Overview Tab.png" /></p>
-            </li>
-            <li>
-                <p>Symantec Endpoint Protection: Alert Tab<br /><img src="../Resources/Images/Symantec Endpoint Protection- Alert Tab.png" /><br /><img src="../Resources/Images/Symantec Endpoint Protection- Alert Tab(1).png" /></p>
-            </li>
-            <li>
-                <p>Symantec Endpoint Protection: Authentication Tab<br /><img src="../Resources/Images/Symantec Endpoint Protection- Authentication Tab.png" /><br /><img src="../Resources/Images/Symantec Endpoint Protection- Authentication Tab(1).png" /></p>
+                <p>Secondary action: <code class="linecode">vendor_secondary_action</code></p>
             </li>
         </ul>
+        <p>The logs are identified by the keyword <strong>SymantecServer.</strong></p>
+        <h3 id="gim-categorization">GIM Categorization</h3>
+        <p>GIM categorization is provided for the following messages:</p>
+        <table cellspacing="21" style="width: 100%; mc-table-style: url('../Resources/TableStyles/Alternate-Row-Color.css');" class="TableStyle-Alternate-Row-Color">
+            <col class="TableStyle-Alternate-Row-Color-Column-Column1" />
+            <col class="TableStyle-Alternate-Row-Color-Column-Column1" />
+            <thead>
+                <tr class="TableStyle-Alternate-Row-Color-Head-Header1">
+                    <th class="TableStyle-Alternate-Row-Color-HeadE-Column1-Header1">event_category</th>
+                    <th class="TableStyle-Alternate-Row-Color-HeadD-Column1-Header1">gim_event_type_code</th>
+                </tr>
+            </thead>
+            <tbody>
+                <tr class="TableStyle-Alternate-Row-Color-Body-Body1">
+                    <td class="TableStyle-Alternate-Row-Color-BodyE-Column1-Body1">password_change</td>
+                    <td class="TableStyle-Alternate-Row-Color-BodyD-Column1-Body1">111005</td>
+                </tr>
+                <tr class="TableStyle-Alternate-Row-Color-Body-Body2">
+                    <td class="TableStyle-Alternate-Row-Color-BodyE-Column1-Body2">log_out</td>
+                    <td class="TableStyle-Alternate-Row-Color-BodyD-Column1-Body2">102500</td>
+                </tr>
+                <tr class="TableStyle-Alternate-Row-Color-Body-Body1">
+                    <td class="TableStyle-Alternate-Row-Color-BodyE-Column1-Body1">log_on</td>
+                    <td class="TableStyle-Alternate-Row-Color-BodyD-Column1-Body1">100000</td>
+                </tr>
+                <tr class="TableStyle-Alternate-Row-Color-Body-Body2">
+                    <td class="TableStyle-Alternate-Row-Color-BodyE-Column1-Body2">log_on_failed</td>
+                    <td class="TableStyle-Alternate-Row-Color-BodyD-Column1-Body2">100000</td>
+                </tr>
+                <tr class="TableStyle-Alternate-Row-Color-Body-Body1">
+                    <td class="TableStyle-Alternate-Row-Color-BodyE-Column1-Body1">alert_risk_pro_default</td>
+                    <td class="TableStyle-Alternate-Row-Color-BodyD-Column1-Body1">309999</td>
+                </tr>
+                <tr class="TableStyle-Alternate-Row-Color-Body-Body2">
+                    <td class="TableStyle-Alternate-Row-Color-BodyB-Column1-Body2">alert_security_default</td>
+                    <td class="TableStyle-Alternate-Row-Color-BodyA-Column1-Body2">309999</td>
+                </tr>
+            </tbody>
+        </table>
+        <h2 id="spotlight-content-pack">Symantec Endpoint Spotlight Content Pack</h2>
+        <p>Introduced in Illuminate 3.4 the Symantec Endpoint <a href="https://go2docs.graylog.org/illuminate-current/installing_illuminate/installing_graylog_illuminate.htm#Illumina3">Spotlight Content Pack</a> comes bundled with the Symantec Endpoint Security Content Pack. See <a href="https://go2docs.graylog.org/illuminate-current/installing_illuminate/installing_graylog_illuminate.htm">Installing Illuminate</a> or <a href="https://go2docs.graylog.org/illuminate-current/upgrading_illuminate/upgrading_graylog_illuminate.htm">Upgrading Illuminate</a> for more information on Spotlight Content Pack selection. This additional pack contains the following dashboards:</p>
+        <h3>Symantec Endpoint Protection: Overview Tab</h3>
+        <p>
+            <img src="../Resources/Images/Symantec Endpoint Resources Folder/symantec_endpoint_protection-_overview_tab.webp" />
+        </p>
+        <h3>Symantec Endpoint Protection: Alert Tab</h3>
+        <p>
+            <img src="../Resources/Images/Symantec Endpoint Resources Folder/symantec_endpoint_protection-_alert_tab.webp" />
+        </p>
+        <p>
+            <img src="../Resources/Images/Symantec Endpoint Resources Folder/symantec_endpoint_protection-_alert_tab_1_.webp" />
+        </p>
+        <h3>Symantec Endpoint Protection: Authentication Tab</h3>
+        <p>
+            <img src="../Resources/Images/Symantec Endpoint Resources Folder/symantec_endpoint_protection-_authentication_tab.webp" />
+        </p>
+        <p>
+            <img src="../Resources/Images/Symantec Endpoint Resources Folder/symantec_endpoint_protection-_authentication_tab_1_.webp" />
+        </p>
     </body>
 </html>
\ No newline at end of file

event_category	gim_event_type_code
password_change	111005
log_out	102500
log_on	100000
log_on_failed	100000
alert_risk_pro_default	309999
alert_security_default	309999