Improve Sysmantec Endpoint Protection (SEP) rules and decoders

[Lopuiz]

Hi team,

Exists some rules and decoders for Symantec products. They can be found in 0120-sysmantec-av_rules.xml, 0125-sysmantec-ws_rules.xml and 0330-sysmantec_decoders.xml files.

These rules have not been modified for three years and now have some flaws.
For example:

1. Rule 7320 is not correct.

Event number 13 fire Symantec AntiVirus Shutdown.

And following rule says event 13 occurs when the scan is started or stopped.

wazuh-ruleset/rules/0120-symantec-av_rules.xml

Lines 29 to 34 in 725a015

	<rule id="7320" level="3">
	<if_sid>7300, 7301</if_sid>
	<id>^2$|^3$|^4$|^13$</id>
	<description>Symantec-AV: Virus scan updated,started or stopped.</description>
	<group>pci_dss_5.1,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_SI.3,nist_800_53_AU.6,</group>
	</rule>

2. The symantec-av decoder also doesn't seem match SEP logs:

wazuh-ruleset/decoders/0330-symantec_decoders.xml

Lines 17 to 22 in 725a015

	<decoder name="symantec-av">
	<prematch>^\w\w\w\w\w\w\w\w\w\w\w\w,</prematch>
	<regex offset="after_prematch">^(\d+),\d+,\d+,(\S+),(\.+),</regex>
	<order>id, system_name, extra_data</order>
	<fts>name, location, id, system_name, extra_data</fts>
	</decoder>

3. Only exist rules for Eventlog logs format and not for Eventchannel logs format.

We could improve rules and decoders using the following information:
Symantec Endpoint Protection 12.1.x event log entries

Best regards,
Eva