Symantec Data Loss Prevention (Beta)

beta

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

Symantec Data Loss Prevention lets you discover, monitor and protect your sensitive corporate information.

Permissions

Symantec Data Loss Prevention requires that the integration user be assigned the "Incident Reporting API Web Service" role. Follow Symantec's documentation on how to create such a role and assign it to the user.

If you use an Active Directory user as the API user, the username must follow one of these conventions:

<Username>:<Active_Directory_Domain_In_Upper_Case>
OR
<Role>\<Username>:<Active_Directory_Domain_In_Upper_Case>

More details at: https://knowledge.broadcom.com/external/article/159761/unable-to-authenticate-to-reporting-api.html

Fetch Incidents

The Symantec Data Loss Prevention integration can fetch incidents from the Enforce Server and create them as Demisto incidents. The Fetch limit parameter caps the number of incidents fetched in each run.

Configure Symantec Data Loss Prevention on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Symantec Data Loss Prevention.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Enforce Server (e.g. https://192.168.0.1)
    • Username
    • Trust any certificate (not secure)
    • Use system proxy settings
    • Fetch incidents
    • Incident type
    • First fetch timestamp
    • Saved Report ID
    • Fetch limit

    Please note that for Active Directory accounts, the username must follow the format username:DOMAIN.

  4. Click Test to validate the new instance.

For the integration to work you must create a Web Service user, a role and a saved report in the Enforce Server administration console.

To create a user and role, do the following:

  1. Log on to the Enforce Server administration console with Administrator access.
  2. Go to System > Login Management > Roles > Add Role.
  3. Enter a name for the new role in the Name field.
  4. In the User Privileges section, select the privileges you want (the role must include the Incident Reporting API Web Service privilege described in the Permissions section).
  5. Click Save.
  6. Go to System > Login Management > DLP Users.
  7. Click Add User and create a user.
  8. In the Roles section, select the role you just created.
  9. Select the same role in the Default Role menu.
  10. Click Save.

To create a saved report, do the following:

  1. Log on to the Enforce Server administration console.
  2. Go to Incidents > Incident Reports.
  3. Select a report from the list of reports.
  4. Click Advanced Filters & Summarization.
  5. In the Summarize By menu, verify that "No primary summary selected" and "No secondary summary selected" are chosen.
  6. Select Report > Save, and enter the report name in the Name field.
  7. Click Save.
  8. To retrieve the ID of the saved report, hover the mouse cursor over the report name and read the ID from the link.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. symantec-dlp-list-incidents
  2. symantec-dlp-get-incident-details
  3. symantec-dlp-update-incident
  4. symantec-dlp-incident-binaries
  5. symantec-dlp-list-custom-attributes
  6. symantec-dlp-list-incident-status
  7. symantec-dlp-incident-violations

1. symantec-dlp-list-incidents


Returns a list of incidents.

Base Command

symantec-dlp-list-incidents

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| creation_date | Get incidents with a creation date later than the specified one, given in free text (e.g. '2 days'). | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SymantecDLP.Incident.ID | Number | The ID of the incident. |

Command Example

!symantec-dlp-list-incidents

Context Example
{
    "SymantecDLP.Incident.ID": [
        1111,
        2222,
        3333
    ]
}
Human Readable Output

Symantec DLP incidents

| ID |
| --- |
| 1111 |
| 2222 |
| 3333 |
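The creation_date argument is free text, but the Incident Reporting API is a SOAP service that expects an xsd:dateTime, so something has to turn "2 days" into an absolute UTC timestamp and put it in a request. The following is an added example, not code from the integration or from Symantec. The namespaces are the ones that appear in the fault response in the Troubleshooting section of this page; the element names inside the body (incidentListRequest, savedReportId, incidentCreationDateLaterThan) are my assumption about the v2011 WSDL and should be checked against the WSDL served at https://<enforce>/ProtectManager/services/v2011/incidents?wsdl. SAMPLE_NOW and the report ID 1234 are placeholders.

```python
"""Added example; not code from the Symantec DLP integration or from Symantec.

Converts the free-text `creation_date` argument of symantec-dlp-list-incidents
("2 days", "12 hours ago") into the UTC xsd:dateTime the Incident Reporting
API needs, and wraps it with the saved report ID in a SOAP request. Element
names inside the body are assumptions about the v2011 WSDL; verify them.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
DLP_NS = "http://www.vontu.com/v2011/enforce/webservice/incident/schema"

# Fixed "now" so the example is reproducible (taken from the Date header on this page).
SAMPLE_NOW = datetime(2020, 6, 17, 13, 12, 43, tzinfo=timezone.utc)

_UNITS = {
    "minute": timedelta(minutes=1),
    "hour": timedelta(hours=1),
    "day": timedelta(days=1),
    "week": timedelta(weeks=1),
}
# "<n> <unit>[s] [ago]" is the only shape accepted; anything else is rejected
# loudly instead of silently widening the fetch window.
_FREE_TEXT = re.compile(r"^\s*(\d+)\s*(minute|hour|day|week)s?(?:\s+ago)?\s*$", re.I)


def parse_creation_date(free_text, now=None):
    """'2 days' -> aware UTC datetime `now` minus two days. ValueError on junk."""
    match = _FREE_TEXT.match(free_text)
    if not match:
        raise ValueError(f"unsupported creation_date: {free_text!r}")
    amount, unit = int(match.group(1)), match.group(2).lower()
    now = now if now is not None else datetime.now(timezone.utc)
    return now - amount * _UNITS[unit]


def is_valid_creation_date(free_text):
    """True if the free text is in a form parse_creation_date() accepts."""
    return _FREE_TEXT.match(free_text) is not None


def to_xsd_datetime(moment):
    """xsd:dateTime in UTC with an explicit Z, so the Enforce Server cannot
    reinterpret a naive timestamp in its own time zone."""
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_incident_list_request(saved_report_id, later_than):
    """SOAP envelope for the incident-list call. Values are set through
    ElementTree, so they are XML-escaped; the report ID is forced to int so a
    non-numeric value fails here rather than at the server."""
    ET.register_namespace("S", SOAP_ENV)
    ET.register_namespace("dlp", DLP_NS)
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    request = ET.SubElement(body, f"{{{DLP_NS}}}incidentListRequest")  # assumed element name
    ET.SubElement(request, f"{{{DLP_NS}}}savedReportId").text = str(int(saved_report_id))
    ET.SubElement(request, f"{{{DLP_NS}}}incidentCreationDateLaterThan").text = (
        to_xsd_datetime(later_than)
    )
    return ET.tostring(envelope, encoding="unicode")


if __name__ == "__main__":
    since = parse_creation_date("2 days", SAMPLE_NOW)
    print(build_incident_list_request(1234, since))  # 1234: placeholder saved report ID
```

The request body is built with ElementTree rather than string formatting so that whatever ends up in creation_date or the report ID cannot break out of its element; the parser also rejects anything that is not "<number> <unit>", which is the safer failure mode for a fetch window.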


2. symantec-dlp-get-incident-details


Returns the details of the specified incident.

Base Command

symantec-dlp-get-incident-details

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Incident ID to get details of. | Required |
| custom_attributes | Which custom attributes to return: all (every custom attribute), none (no custom attributes; the default), specific attributes (only the custom attributes named in custom_data), or custom attribute group name (every custom attribute in the groups named in custom_data). | Optional |
| custom_data | Comma-separated list of custom attribute names or custom attribute group names, used together with custom_attributes. For example: item1,item2,item3 | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SymantecDLP.Incident.ID | Number | The ID of the incident. |
| SymantecDLP.Incident.LongID | Number | The long ID of the incident. |
| SymantecDLP.Incident.StatusCode | String | The status code of the incident. |
| SymantecDLP.Incident.CreationDate | Date | The creation date of the incident. |
| SymantecDLP.Incident.DetectionDate | Date | The detection date of the incident. |
| SymantecDLP.Incident.Severity | String | The severity of the incident. |
| SymantecDLP.Incident.MessageSource | String | The localized label that corresponds to the Symantec DLP product that generated the incident. |
| SymantecDLP.Incident.MessageSourceType | String | Indicates the Symantec DLP product that generated the incident. Can be: NETWORK, DISCOVER, ENDPOINT, DIM, DAR. |
| SymantecDLP.Incident.MessageType | String | Indicates the Symantec DLP product component that generated the incident. |
| SymantecDLP.Incident.MessageTypeID | Number | The ID of the message type. |
| SymantecDLP.Incident.Policy.Name | String | The name of the policy. |
| SymantecDLP.Incident.Policy.Version | String | The version of the policy. |
| SymantecDLP.Incident.Policy.Label | String | The label of the policy. |
| SymantecDLP.Incident.Policy.ID | Number | The ID of the policy. |
| SymantecDLP.Incident.BlockedStatus | String | Indicates whether the message was blocked or not. |
| SymantecDLP.Incident.MatchCount | Number | The number of detection rule matches in the incident. |
| SymantecDLP.Incident.RuleViolationCount | Number | The number of policy rules that were violated. |
| SymantecDLP.Incident.DetectionServer | String | The name of the detection server that created the incident. |
| SymantecDLP.Incident.DataOwner.Name | String | The name of the data owner. |
| SymantecDLP.Incident.DataOwner.Email | String | The email of the data owner. |
| SymantecDLP.Incident.EventDate | Date | The date and time at which the violation event occurred. |
| SymantecDLP.Incident.ViolatedPolicyRule.Name | String | The name of the rule within the policy that the message violated. |
| SymantecDLP.Incident.ViolatedPolicyRule.ID | Number | The ID of the rule within the policy that the message violated. |
| SymantecDLP.Incident.OtherViolatedPolicy.Name | String | The name of any additional policy that the message violated. |
| SymantecDLP.Incident.OtherViolatedPolicy.Version | String | The version of any additional policy that the message violated. |
| SymantecDLP.Incident.OtherViolatedPolicy.Label | String | The label of any additional policy that the message violated. |
| SymantecDLP.Incident.OtherViolatedPolicy.ID | Number | The ID of any additional policy that the message violated. |
| SymantecDLP.Incident.CustomAttribute.Name | String | The custom attribute name. |
| SymantecDLP.Incident.CustomAttribute.Value | String | The custom attribute value. |

Command Example

!symantec-dlp-get-incident-details incident_id=2222 custom_attributes="specific attributes" custom_data=ca1,ca2,ca3

Context Example
{
    "SymantecDLP.Incident": {
        "ID": 2222,
        "LongID": 2222,
        "StatusCode": "SUCCESS",
        "CreationDate": "2018-08-01T11:50:16",
        "DetectionDate": "2018-08-01T11:50:16",
        "Severity": "high",
        "MessageSource": "Endpoint",
        "MessageSourceType": "ENDPOINT",
        "MessageType": "Endpoint Copy to Network Share",
        "MessageTypeID": 33,
        "Policy": {
            "Name": "CCN number",
            "Version": 1,
            "Label": "label",
            "ID": 2203
        },
        "ViolatedPolicyRule": [
            {
                "Name": "CCN number",
                "ID": 334
            }
        ],
        "OtherViolatedPolicy": [
            {
                "Name": "CREDIT CARD POLICY TEST",
                "Version": 13,
                "Label": "label12",
                "ID": 2134
            }
        ],
        "BlockedStatus": "Passed",
        "MatchCount": 1,
        "RuleViolationCount": 1,
        "DetectionServer": "Local - Endpoint",
        "DataOwner": {
            "Name": "name",
            "Email": "email"
        },
        "EventDate": "2018-08-01T11:50:16",
        "CustomAttribute": [
            {"Name": "ca1", "Value": "val1"},
            {"Name": "ca2", "Value": "val2"},
            {"Name": "ca3", "Value": "val3"}
        ]
    }
}
Human Readable Output

Symantec DLP incident 2222 details

| ID | Creation Date | Detection Date | Severity | Status | DLP Module | DLP Module subtype | Policy Name |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2222 | 2018-08-01T11:50:16 | 2018-08-01T11:50:16 | high | SUCCESS | ENDPOINT | Endpoint Copy to Network Share | CCN number |

3. symantec-dlp-update-incident


Updates the details of a specific incident.

Base Command

symantec-dlp-update-incident

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Incident ID to update. | Optional |
| severity | The severity level of the incident. | Optional |
| status | The status value of the incident. Incident status values are defined in the Enforce Server administration console. | Optional |
| remediation_status | The remediation status of the incident. | Optional |
| remediation_location | The remediation location of the incident. Values can be user-defined. | Optional |
| custom_attribute_name | The custom attribute name. | Optional |
| custom_attribute_value | The custom attribute value. | Optional |
| data_owner_name | The data owner name. | Optional |
| data_owner_email | The data owner email. | Optional |
| note | The note to add. | Optional |
| note_time | The time of the note in ISO format. | Optional |

Context Output
There is no context output for this command.

Command Example

!symantec-dlp-update-incident incident_id=2222 data_owner_email=EMAIL data_owner_name=NAME note=NOTE note_time=2018-08-01T11:50:16

Human Readable Output

Symantec DLP incident 2222 details

| Batch ID | Inaccessible Incident Long ID | Inaccessible Incident ID | Status Code |
| --- | --- | --- | --- |
| 44102 | [] | [] | SUCCESS |

4. symantec-dlp-incident-binaries


Retrieves additional components of the message that generated the incident, might include binary files.

Base Command

symantec-dlp-incident-binaries

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Incident ID to get binaries of. | Optional |
| include_original_message | Whether the Web Service should include the original message in the response document. | Optional |
| include_all_components | Whether the Web Service should include all message components (for example, headers and file attachments) in the response document. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SymantecDLP.Incident.ID | Number | The ID of the incident. |
| SymantecDLP.Incident.LongID | Number | The long ID of the incident. |
| SymantecDLP.Incident.OriginalMessage | String | The original message of the incident. |
| SymantecDLP.Component.ID | Number | The ID of the component. |
| SymantecDLP.Component.Name | String | The name of the component. |
| SymantecDLP.Component.TypeID | Number | The ID of the type of the component. |
| SymantecDLP.Component.Type | String | The type of the component. |
| SymantecDLP.Component.Content | String | The content of the component. |
| SymantecDLP.Component.LongID | Number | The long ID of the component. |

Command Example

!symantec-dlp-incident-binaries incident_id=2222

Context Example
"SymantecDLP.Incident": {
    'ID': 2222,
    'OriginalMessage': 'msg',
    'Component': [
        'ID': 69065,
        'Name': 'CCN.txt',
        'TypeID': 'ATTACHMENT_TEXT',
        'Content': '4386280016300125',
        'LongID': 69065 
    ],
    'LongID': 2222
}
Human Readable Output

Symantec DLP incident 2222 binaries

| ID | Original Message | Long ID |
| --- | --- | --- |
| 2222 | msg | 2222 |

5. symantec-dlp-list-custom-attributes


Returns a list of all custom attribute names defined in the Symantec DLP deployment.

Base Command

symantec-dlp-list-custom-attributes

Context Output
There is no context output for this command.

Command Example

!symantec-dlp-list-custom-attributes

Human Readable Output

Symantec DLP custom attributes

| Custom Attribute |
| --- |
| ca1 |
| ca2 |
| ca3 |

6. symantec-dlp-list-incident-status


Returns a list of the custom status values defined in the Symantec DLP deployment.

Base Command

symantec-dlp-list-incident-status

Context Output
There is no context output for this command.

Command Example

!symantec-dlp-list-incident-status

Human Readable Output

Symantec DLP incident status

| Incident Status |
| --- |
| status1 |
| status2 |
| status3 |

7. symantec-dlp-incident-violations


Returns the highlighted matches of a specific incident.

Base Command

symantec-dlp-incident-violations

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The ID of the incident. | Optional |
| include_image_violations | Whether image violations should be included in the incident violations response. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SymantecDLP.Incident.ID | Number | The ID of the incident. |
| SymantecDLP.Incident.LongID | Number | The long ID of the incident. |
| SymantecDLP.Incident.StatusCode | String | The status code of the incident. |
| SymantecDLP.Incident.ViolatingComponent.Name | String | The name of the violating component. |
| SymantecDLP.Incident.ViolatingComponent.DocumentFormat | String | The document format of the violating component. |
| SymantecDLP.Incident.ViolatingComponent.Type | String | The type of the violating component. |
| SymantecDLP.Incident.ViolatingComponent.TypeID | Number | The type ID of the violating component. |
| SymantecDLP.Incident.ViolatingComponent.ViolatingCount | Number | The number of policy rules that were violated. |
| SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.DocumentViolation | String | Details about the document violation. |
| SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.FileSizeViolation | Number | Details about the file size violation. |
| SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.Text.Data | String | The data that triggered the violation. |
| SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.Text.Type | String | The type of data that triggered the violation. |
| SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.Text.RuleID | Number | The ID of the rule that triggered the violation. |
| SymantecDLP.Incident.ViolatingComponent.ViolatingSegment.Text.RuleName | String | The name of the rule that triggered the violation. |

Command Example

!symantec-dlp-incident-violations incident_id=35364

Context Example
"SymantecDLP.Incident": {
    'ID': 35364,
    'LongID': 35364,
    'StatusCode': 'SUCCESS',
    'ViolatingComponent': [
        {
            'Name': 'C:\\Users\\Administrator\\Desktop\\CCN.txt',
            'DocumentFormat': 'ascii',
            'Type': 'Attachment',
            'TypeID' 3,
            'ViolatingCount': 1,
            'ViolatingSegment': [
                {
                    'DocumentViolation': None,
                    'FileSizeViolation': None,
                    'Text': [
                        {
                            'Data': '4386280016300125',
                            'Type': 'Violation',
                            'RuleID': 12288,
                            'RuleName': 'CCN'
                        }
                    ]
                }
            ]
        }
    ]
}
Human Readable Output

Symantec DLP incident status

| ID |
| --- |
| 35364 |


Troubleshooting

If the configured API user cannot authenticate, check that the user has the proper role by calling the Incident Reporting API endpoint directly with curl:

curl -i --user YOUR_DLP_USER:YOUR_PASS https://YOUR_DLP_SERVER/ProtectManager/services/v2011/incidents

Note: if the Enforce Server's certificate is not trusted by your machine you may need to add the "-k" option. This disables certificate verification, so use it only for this test; for the production instance, fix the trust chain (or pass the CA certificate to curl with --cacert) rather than leaving "Trust any certificate" enabled. Also be aware that a password typed on the command line ends up in your shell history.

Note also that the Enforce Server answers a failed authentication with HTTP status 200; the failure is only reported in the SOAP Fault in the body, so check the body rather than the status line. If the authentication fails you will receive a response similar to:

HTTP/1.1 200 
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/xml;charset=utf-8
Content-Length: 769
Date: Wed, 17 Jun 2020 13:12:43 GMT

<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/'><S:Body>
<S:Fault xmlns:ns4='http://www.w3.org/2003/05/soap-envelope'>
<faultcode>S:Server</faultcode>
<faultstring>Authentication failed</faultstring><detail>
<ns4:AuthenticationFault xmlns:ns4='http://www.vontu.com/v2011/enforce/webservice/incident/schema'  xmlns:ns2='http://www.vontu.com/enforce/export/incident/common/schema'  xmlns:ns3='http://www.vontu.com/enforce/export/incident/schema'  xmlns:ns5='http://www.vontu.com/v2011/enforce/webservice/incident/common/schema'  xmlns:ns6='http://www.vontu.com/v2011/enforce/webservice/incident'>
<ns4:errorMessage>Authentication failed</ns4:errorMessage>
</ns4:AuthenticationFault></detail></S:Fault></S:Body></S:Envelope>

If you encounter an authentication failure, make sure to follow the instructions at the Permissions section of this document.
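Because the failed authentication above comes back as HTTP 200, a script that only checks curl's exit status or the status line will report success. The following added example (mine, not code from the integration or from Symantec) parses the raw `curl -i` output and decides from the SOAP body, and also shows what the Username:DOMAIN convention from the Permissions section turns into in the Basic Authorization header, since curl's handling of the colon is a common source of confusion. The failed response embedded below is the one printed on this page; the "no fault" response is constructed and its body element name is a placeholder.

```python
"""Added example; not code from the Symantec DLP integration or from Symantec.

classify_response() reads raw `curl -i` output and reports whether the
Reporting API call succeeded; the Enforce Server returns HTTP 200 even on an
authentication failure, so only the SOAP Fault in the body is trustworthy.
basic_auth_header() shows the wire form of an AD user written as Username:DOMAIN.
"""
import base64
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
DLP_NS = "http://www.vontu.com/v2011/enforce/webservice/incident/schema"

# The failed-authentication response shown on this page (headers trimmed).
SAMPLE_AUTH_FAILURE = """HTTP/1.1 200
Content-Type: text/xml;charset=utf-8
Date: Wed, 17 Jun 2020 13:12:43 GMT

<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/'><S:Body>
<S:Fault xmlns:ns4='http://www.w3.org/2003/05/soap-envelope'>
<faultcode>S:Server</faultcode>
<faultstring>Authentication failed</faultstring><detail>
<ns4:AuthenticationFault xmlns:ns4='http://www.vontu.com/v2011/enforce/webservice/incident/schema'>
<ns4:errorMessage>Authentication failed</ns4:errorMessage>
</ns4:AuthenticationFault></detail></S:Fault></S:Body></S:Envelope>
"""

# Constructed: a reply without a fault. The body element is a placeholder.
SAMPLE_NO_FAULT = """HTTP/1.1 200
Content-Type: text/xml;charset=utf-8

<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/'><S:Body><placeholderResponse xmlns='urn:example:placeholder'/></S:Body></S:Envelope>
"""

AUTH_HINT = ("confirm the user holds the Incident Reporting API Web Service role and, "
             "for Active Directory accounts, is written as Username:DOMAIN with the domain in upper case")


def split_http_response(raw):
    """(status_code, body) from `curl -i` output; accepts CRLF or LF line ends."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    status_line = head.split("\n", 1)[0]          # e.g. "HTTP/1.1 200"
    return int(status_line.split()[1]), body.strip()


def classify_response(raw):
    """'ok', 'auth-failed', 'soap-fault' or 'not-soap', decided from the body."""
    status, body = split_http_response(raw)
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"status": status, "result": "not-soap", "message": str(exc), "hint": ""}
    fault = root.find(f".//{{{SOAP_ENV}}}Fault")
    if fault is None:
        return {"status": status, "result": "ok", "message": "", "hint": ""}
    message = (fault.findtext("faultstring") or "").strip()   # faultstring has no namespace
    if fault.find(f".//{{{DLP_NS}}}AuthenticationFault") is not None:
        return {"status": status, "result": "auth-failed", "message": message, "hint": AUTH_HINT}
    return {"status": status, "result": "soap-fault", "message": message, "hint": ""}


def basic_auth_header(username, password):
    """HTTP Basic joins user and password with a colon before base64 encoding.
    For an AD user the username itself contains a colon ("jdoe:CORP"), so the
    credential is jdoe:CORP:<password>. `curl --user jdoe:CORP:<password>`
    splits at the first colon but re-joins to the same bytes, so it works;
    `curl --user jdoe:CORP` does NOT prompt for a password, it sends CORP as
    the password."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    print(classify_response(SAMPLE_AUTH_FAILURE))
    print(basic_auth_header("jdoe:CORP", "s3cret"))
```

To use it against a live server, pipe the curl output in: `curl -i ... | python3 -c 'import sys, check; print(check.classify_response(sys.stdin.read()))'` (with the block saved as check.py). The result field, not the status, is what a health check should key on.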