Symantec Data Loss Prevention (Deprecated)

This Integration is part of the Symantec Data Loss Prevention Pack.#

Deprecated

Use the Symantec Data Loss Prevention V2 integration instead.

Symantec Data Loss Prevention let's you discover, monitor and protect your sensitive corporate information.

This integration is now deprecated. Please use the Symantec DLP v2 integration instead.

This integration was integrated and tested with Symantec DLP version 15.5. The integration uses the SOAP-based Incident Reporting and Update API.

Important Note: Symantec DLP 15.7 introduced a new RESTful API, which this integration does not support. If you want to use the new REST API, please file a feature request that we can track. For more information about the Symantec DLP REST API see the Synantec documentation.

Permissions

Symantec Data Loss Prevention requires that the integration user be assigned to the "Incident Reporting API Web Service" role. Make sure to follow Symantec's documentation on how to create such a role and assign it to the user:

Symantec DLP 15.5: Configuring Roles
Symantec DLP 15.7: Creating a user and role for an Incident Reporting API client

If you are using an AD User to authenticate as the API user make sure to follow the proper naming convention of:

<Username>:<Active_Directory_Domain_In_Upper_Case>
OR
<Role>\<Username>:<Active_Directory_Domain_In_Upper_Case>

More details at: https://knowledge.broadcom.com/external/article/159761/unable-to-authenticate-to-reporting-api.html

Fetch Incidents

The Symantec Data Loss Prevention integration is configured to fetch incidents and integrate them into Cortex XSOAR's incidents and has the fetch limit parameter.

Configure Symantec Data Loss Prevention on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services .
Search for Symantec Data Loss Prevention.
Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Enforce Server (e.g. https://192.168.0.1)
- Username
- Trust any certificate (not secure)
- Use system proxy settings
- Fetch incidents
- Incident type
- First fetch timestamp ( e.g., 12 hours, 7 days)
- Saved Report ID
- Fetch limit
Please note that for Active Directoy accounts, the username must follow the format username:DOMAIN .
Click Test to validate the new instance.

In order that the integration will work you must create a Web Service user, role and saved report in the Enforce Server administration.

To create an user and role do the following:

Log on to the Enforce Server administration console with Administator access mode.
Go to System > Login Management > Roles > Add Role
Enter a name for the new role in the Name field.
In the User Privileges section, select the privileges you want.
Click on the Save button.
Go to System > Login Management > DLP Users
Click on the Add User button and create a user.
Go to the Roles section, select the new role being created.
Select the same role in the Default Role menu.
Click on the Save button.

To create a saved report do the following:

Log on to the Enforce Server administration console.
Go to Incidents > Incident Reports
Select an incident from the list of reports.
Click Advanced Filters & Summarization.
In the Summarize By menu, verify that no primary summary selected and no secondary summary selected are chosen.
Select > Report > Save, and enter the report name in the Name field
Click Save
To retrive the ID of the saved report, move your mouse cursor over the report name.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

symantec-dlp-list-incidents: symantec-dlp-list-incidents
symantec-dlp-get-incident-details: symantec-dlp-get-incident-details
symantec-dlp-update-incident: symantec-dlp-update-incident
symantec-dlp-incident-binaries: symantec-dlp-incident-binaries
symantec-dlp-list-custom-attributes: symantec-dlp-list-custom-attributes
symantec-dlp-list-incident-status: symantec-dlp-list-incident-status
symantec-dlp-incident-violations: symantec-dlp-incident-violations

1. symantec-dlp-list-incidents

Returns a list of incidents.

Base Command

symantec-dlp-list-incidents

Input

Argument Name	Description	Required
creation_date	Get incidents with creation date later than specified. Given in free text (e.g. '2 days')	Optional

Context Output

Path	Type	Description
SymantecDLP.Incident.ID	Number	The ID of the Incident

Command Example

!symantec-dlp-list-incidents

Context Example

    [
        "SymantecDLP.Incident.ID": [
            1111,
            2222,
            3333
        ]
    ]

Human Readable Output

Symantec DLP incidents

ID
1111
2222
3333

Additional Information

2. symantec-dlp-get-incident-details

Returns the details of the specified incident.

Base Command

symantec-dlp-get-incident-details

Input

Argument Name	Description	Required
incident_id	Incident ID to get details of.	Required
custom_attributes	This argument can get the following values: all - If all custom attributes are needed none - If none of the custom attributes are needed specific attributes - A list of custom attributes names, seperated by comma. For example: ca1,ca2,ca3 custom attribute group name - A list of custom attributes group names, seperated by comma. For example: cag1, cag2, cag3. This value will retrive all custom attributes in the mentioned group. The value "none" is default.	Optional
custom_data	A list of custom attributes names / custom attribute group names. List should be comma seperated. For example: item1,item2,item3	Optional

Context Output

Path	Type	Description
SymantecDLP.Incident.ID	Number	The ID of the incident.
SymantecDLP.Incident.LongID	Number	The long ID of the incident.
SymantecDLP.Incident.StatusCode	String	The status code of the incident.
SymantecDLP.Incident.CreationDate	Date	The creation date of the incident.
SymantecDLP.Incident.DetectionDate	Date	The detection date of the incident.
SymantecDLP.Incident.Severity	String	The severity of the incident.
SymantecDLP.Incident.MessageSource	String	The localized label that corresponds to the Symantec DLP product that generated the incident.
SymantecDLP.Incident.MessageSourceType	String	Indicates the Symantec DLP product that generated the incident. Can be: NETWORK, DISCOVER, ENDPOINT, DIM, DAR.
SymantecDLP.Incident.MessageType	String	Indicates the Symantec DLP product component that generated the incident.
SymantecDLP.Incident.MessageTypeID	Number	The ID of the Message Type.
SymantecDLP.Incident.Policy.Name	String	The name of the policy.
SymantecDLP.Incident.Policy.Version	String	The version of the policy.
SymantecDLP.Incident.Policy.Label	String	The label of the policy.
SymantecDLP.Incident.Policy.ID	Number	The ID of the policy.
SymantecDLP.Incident.BlockedStatus	String	Indicates whether the message was blocked or not.
SymantecDLP.Incident.MatchCount	Number	Indicates the number of detection rule matches in the incident.
SymantecDLP.Incident.RuleViolationCount	Number	Indicates the number of policy rules that were violated.
SymantecDLP.Incident.DetectionServer	String	The name of the detection server that created the incident.
SymantecDLP.Incident.DataOwner.Name	String	The name of the data owner.
SymantecDLP.Incident.DataOwner.Email	String	The email of the data owner.
SymantecDLP.Incident.EventDate	Date	The date and time at which the violation event occurred.
SymantecDLP.Incident.ViolatedPolicyRule.Name	String	The name of the rule within the policy that the message violated.
SymantecDLP.Incident.ViolatedPolicyRule.ID	Number	The ID of the rule within the policy that the message violated.
SymantecDLP.Incident.OtherViolatedPolicy.Name	String	The name of any additional policies that the message violated.
SymantecDLP.Incident.OtherViolatedPolicy.Version	String	The version of any additional policies that the message violated.
SymantecDLP.Incident.OtherViolatedPolicy.Label	String	The label of any additional policies that the message violated.
SymantecDLP.Incident.OtherViolatedPolicy.ID	Number	The ID of any additional policies that the message violated.
SymantecDLP.Incident.CustomAttribute.Name	String	The custom attribute name.
SymantecDLP.Incident.CustomAttribute.Value	String	The custom attribute value.

Command Example

!symantec-dlp-get-incident-details incident_id=2222 custom_attributes="specific attributes " custom_data=ca1,ca2,ca3

Context Example

"SymantecDLP.Incident: {
    'ID': 2222,
    'LongID': 2222,
    'StatusCode': 'SUCCESS',
    'CreationDate': '2018-08-01T11:50:16',
    'DetectionDate': '2018-08-01T11:50:16',
    'Severity': 'high',
    'MessageSource': 'Endpoint',
    'MessageSourceType': 'ENDPOINT',
    'MessageType': 'Endpoint Copy to Network Share',
    'MessageTypeID': 33,
    'Policy.Name': 'CCN number',
    'Policy.Version': 1,
    'Policy.Label': 'label',
    'Policy.ID': '2203',
    'ViolatedPolicyRule': [
        'Name': CCN number,
        'ID': '334'
    ],
    'OtherViolatedPolicy': [
        'Name': 'CREDIT CARD POLICY TEST',
        'Version': 13,
        'Label': 'label12'
        'ID': '2134'
    ],
    'BlockedStatus': 'Passed',
    'MatchCount': 1,
    'RuleViolationCount': 1,
    'DetectionServer': 'Local - Endpoint',
    'DataOwner': {
        'Name': 'name',
        'Email': 'email',
    },
    'EventDate': '2018-08-01T11:50:16',
    'CustomAttribute': [
        {
            'Name': 'ca1'
            'Value': 'val1'
        },
        {
            'Name': 'ca2'
            'Value': 'val2'
        },
        {
            'Name': 'ca3'
            'Value': 'val3'
        },
    ]
}

Human Readable Output

Symantec DLP incident 2222 details

ID	Creation Date	Detection Date	Severity	Status	DLP Module	DLP Module subtype	Policy Name
2222	2018-08-01T11:50:16	2018-08-01T11:50:16	high	SUCCESS	ENDPOINT	Endpoint Copy to Network Share	CCN number

3. symantec-dlp-update-incident

Updates the details of a specific incident.

Base Command

symantec-dlp-update-incident

Input

Argument Name	Description	Required
incident_id	Incident ID to update.	Optional
severity	Represents the severity level of the incident.	Optional
status	Represents the status value of the incident. You define incident status values using the Enforce Server administration console.	Optional
remediation_status	Represents the remediation status of an incident.	Optional
remediation_location	Represents the remediation location of the incident. Values can be user-defined.	Optional
custom_attribute_name	The custom attribute name.	Optional
custom_attribute_value	The custom attribute value.	Optional
data_owner_name	The data owner name.	Optional
data_owner_email	The data owner email.	Optional
note	The note to be added.	Optional
note_time	The time of the note in ISO format.	Optional

Context Output

There are no context output for this command.

Command Example

!symantec-dlp-update-incident incident_id=2222 data_owner_email=EMAIL data_owner_name=NAME note=NOTE note_time=2018-08-01T11:50:16

Human Readable Output

Symantec DLP incident 2222 details

Batch ID	Inaccessible Incident Long ID	Inaccessible Incident ID	Status Code
44102	[]	[]	SUCCESS

4. symantec-dlp-incident-binaries

Retrieves additional components of the message that generated the incident, might include binary files.

Base Command

symantec-dlp-incident-binaries

Input

Argument Name	Description	Required
incident_id	Incident ID to get binaries of.	Optional
include_original_message	Indicates whether the Web Service should include the original message in the response document or not.	Optional
include_all_components	Indicates whether the Web Service should include all message components (for example, headers and file attachments) in the response document or not.	Optional

Context Output

Path	Type	Description
SymantecDLP.Incident.ID	Number	The ID of the incident.
SymantecDLP.Incident.LongID	Number	The long ID of the incident.
SymantecDLP.Incident.OriginalMessage	String	The original message of the incident.
SymantecDLP.Component.ID	Number	The ID of the component
SymantecDLP.Component.Name	String	The name of the component.
SymantecDLP.Component.TypeID	Number	The ID of the type of the component.
SymantecDLP.Component.Type	String	The type of the component
SymantecDLP.Component.Content	String	The content of the component
SymantecDLP.Component.LongID	Number	The long ID of the component.

Command Example

!symantec-dlp-incident-binaries incident_id=2222

Context Example

"SymantecDLP.Incident": {
    'ID': 2222,
    'OriginalMessage': 'msg',
    'Component': [
        'ID': 69065,
        'Name': 'CCN.txt',
        'TypeID': 'ATTACHMENT_TEXT',
        'Content': '4386280016300125',
        'LongID': 69065 
    ],
    'LongID': 2222
}

Human Readable Output

Symantec DLP incident 2222 binaries

ID	Original Message	Long ID
2222	msg	2222

5. symantec-dlp-list-custom-attributes

Returns a list of all custom attribute names defined in the Symantec DLP deployment.

Base Command

symantec-dlp-list-custom-attributes

Context Output

There are no context output for this command.

Command Example

!symantec-dlp-list-custom-attributes

Human Readable Output

Symantec DLP custom attributes

Custom Attribute
ca1
ca2
ca3

6. symantec-dlp-list-incident-status

Returns a list of the custom status values defined in the Symantec DLP deployment.

Base Command

symantec-dlp-list-incident-status

Context Output

There are no context output for this command.

Command Example

!symantec-dlp-list-incident-status

Human Readable Output

Symantec DLP incident status

Incident Status
status1
status2
status3

7. symantec-dlp-incident-violations

Returns the highlighted matches of a specific incident.

Base Command

symantec-dlp-incident-violations

Input

Argument Name	Description	Required
incident_id	The ID of the incident.	Optional
include_image_violations	Indicates whether image violations should be included in the Incident Violations Response.	Optional

Context Output

Path	Type	Description
SymantecDLP.Incident.ID	Number	The ID of the incident.
SymantecDLP.Incident.LongID	Number	The long ID of the incident.
SymantecDLP.Incident.StatusCode	String	The status code of the incident.
SymantecDLP.Incident.ViolatingComponent.Name	String	The name of the violationg component.
SymantecDLP.Incident.ViolatingComponent.DocumentFormat	String	The document format of the violationg component.
SymantecDLP.Incident.ViolatingComponent.Type	String	The type of the violationg component.
SymantecDLP.Incident.ViolatingComponent.TypeID	Number	The type ID of the violationg component.
SymantecDLP.Incident.ViolatingComponent.ViolatingCount	Number	Indicates the number of policy rules that were violated.
SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.DocumentViolation	String	Details about the document violation.
SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.FileSizeViolation	Number	Details about the file size violation.
SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.Text.Data	String	The data that triggered the violation.
SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.Text.Type	String	The type of data that triggered the violation.
SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.Text.RuleID	Number	The rule ID which triggered the violation.
SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.Text.RuleName	String	The rule name which triggered the violation.

Command Example

!symantec-dlp-incident-violations incident_id=35364

Context Example

"SymantecDLP.Incident": {
    'ID': 35364,
    'LongID': 35364,
    'StatusCode': 'SUCCESS',
    'ViolatingComponent': [
        {
            'Name': 'C:\\Users\\Administrator\\Desktop\\CCN.txt',
            'DocumentFormat': 'ascii',
            'Type': 'Attachment',
            'TypeID' 3,
            'ViolatingCount': 1,
            'ViolatingSegment': [
                {
                    'DocumentViolation': None,
                    'FileSizeViolation': None,
                    'Text': [
                        {
                            'Data': '4386280016300125',
                            'Type': 'Violation',
                            'RuleID': 12288,
                            'RuleName': 'CCN'
                        }
                    ]
                }
            ]
        }
    ]
}

Human Readable Output

Symantec DLP incident status

ID
35364

Troubleshooting

If you are encountering issues authenticating the configured API user, you can perform a test that the user you've configured has the proper role by running the following curl command:


 curl -i --user YOUR_DLP_USER:YOUR_PASS https://YOUR_DLP_SERVER/ProtectManager/services/v2011/incidents

Note : you may need to add to the curl command the "-k" option if the certificate is not trusted.

If the authentication fails you will receive a response similar to:

HTTP/1.1 200 
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/xml;charset=utf-8
Content-Length: 769
Date: Wed, 17 Jun 2020 13:12:43 GMT

<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/'><S:Body>
<S:Fault xmlns:ns4='http://www.w3.org/2003/05/soap-envelope'>
<faultcode>S:Server</faultcode>
<faultstring>Authentication failed</faultstring><detail>
<ns4:AuthenticationFault xmlns:ns4='http://www.vontu.com/v2011/enforce/webservice/incident/schema'  xmlns:ns2='http://www.vontu.com/enforce/export/incident/common/schema'  xmlns:ns3='http://www.vontu.com/enforce/export/incident/schema'  xmlns:ns5='http://www.vontu.com/v2011/enforce/webservice/incident/common/schema'  xmlns:ns6='http://www.vontu.com/v2011/enforce/webservice/incident'>
<ns4:errorMessage>Authentication failed</ns4:errorMessage>
</ns4:AuthenticationFault></detail></S:Fault></S:Body></S:Envelope>

If you encounter an authentication failure, make sure to follow the instructions at the Permissions section of this document.

Having both "Kerberos" and "form" type authentication methods enabled on your Symantec DLP may cause connection issues. Disabling the form-type may assist solving such issues.