Skip to main content

Symantec Data Loss Prevention v2

This Integration is part of the Symantec Data Loss Prevention Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Symantec Data Loss Prevention enables you to discover, monitor and protect your sensitive corporate information. This integration was integrated and tested with Symantec Data Loss Prevention version 15.7 RESTful API.

Check Symantec DLP 15.7 API docs

Some changes have been made that might affect your existing content. If you are upgrading from a previous of this integration, see Breaking Changes.

Configure Symantec Data Loss Prevention v2 in Cortex#

ParameterDescriptionRequired
Enforce Server (e.g. https://192.168.0.1)True
UsernameTrue
PasswordTrue
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)False
Fetch limitMax fetch limit is 50False
Fetch incidents from typeIf not selected, fetches all incident types.False
Incident Status IDThe status ID of the incidents. To get the status IDs, run the `symantec-dlp-list-incident-status` command.False
Incident SeverityIf not selected, fetches high and medium incidents.False
Trust any certificate (not secure)False
Use system proxy settingsFalse
Fetch incidentsFalse
Incident typeFalse

Fetch Incidents#

The integration fetches incidents in the order they were created. Note that incident IDs may not be fetched in order, due to creation time differences.

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

symantec-dlp-list-incidents#


Returns a list of incidents.

Base Command#

symantec-dlp-list-incidents

Input#

Argument NameDescriptionRequired
creation_dateThe earliest time from which to get incidents. Supports ISO (e.g 2021-12-28T00:00:00Z) and free text (e.g. '2 days').Optional
status_idThe status ID of the incidents. To get status IDs, run the symantec-dlp-list-incident-status command.Optional
severityThe severity of the incidents. Possible values are: Info, Low, Medium, High.Optional
incident_typeThe incident type. Possible values are: Network, Discover, Endpoint.Optional
limitThe limit for number of incidents listed per page. Default is 50.Optional
pageThe page number you would like to view. Each page contains page_size values. Must be used along with page_size.
Default is 1.
Optional
page_sizeThe number of results per page to display.Optional

Context Output#

PathTypeDescription
SymantecDLP.Incident.IDNumberThe ID of the Incident.
SymantecDLP.Incident.messageTypeStringIndicates the Symantec DLP product component that generated the incident.
SymantecDLP.Incident.messageSourceStringThe localized label that corresponds to the Symantec DLP product that generated the incident.
SymantecDLP.Incident.detectionServerIdNumberThe ID of the detection server that created the incident.
SymantecDLP.Incident.policyVersionNumberThe version of the policy.
SymantecDLP.Incident.matchCountNumberIndicates the number of detection rule matches in the incident.
SymantecDLP.Incident.policyIdNumberThe ID of the policy.
SymantecDLP.Incident.creationDateDateThe creation date of the incident.
SymantecDLP.Incident.detectionDateDateThe detection date of the incident.
SymantecDLP.Incident.severityStringThe severity of the incident.
SymantecDLP.Incident.messageTypeIdNumberThe ID of the message type.
SymantecDLP.Incident.incidentStatusIdNumberThe status ID of the incident.

Command example#

!symantec-dlp-list-incidents limit=2 severity=High incident_type=Network creation_date="4 days"

Context Example#

{
"SymantecDLP": {
"Incident": [
{
"ID": 4044,
"creationDate": "2022-03-27T03:23:52.315",
"detectionDate": "2022-03-27T03:23:44.773",
"detectionServerId": 1,
"incidentStatusId": 1,
"matchCount": 3,
"messageSource": "NETWORK",
"messageType": "HTTP",
"messageTypeId": 3,
"policyId": 2,
"policyVersion": 4,
"severity": "High"
},
{
"ID": 4043,
"creationDate": "2022-03-27T03:23:52.299",
"detectionDate": "2022-03-27T03:23:44.773",
"detectionServerId": 1,
"incidentStatusId": 1,
"matchCount": 2,
"messageSource": "NETWORK",
"messageType": "HTTP",
"messageTypeId": 3,
"policyId": 41,
"policyVersion": 4,
"severity": "High"
}
]
}
}

Human Readable Output#

Symantec DLP incidents results#

IDSeverityStatusCreation DateIncident TypeMessage TypePolicy IDMatch Count
4044High12022-03-27T03:23:52.315NETWORKHTTP23
4043High12022-03-27T03:23:52.299NETWORKHTTP412

symantec-dlp-get-incident-details#


Returns details of the specified incident.

Base Command#

symantec-dlp-get-incident-details

Input#

Argument NameDescriptionRequired
incident_idIncident ID for which to retrieve details.Required
custom_attributesThis argument can get the following values:
all - All custom attributes are needed
none - None of the custom attributes are needed
specific attributes - A comma-separated list of custom attribute names. For example: ca1,ca2,ca3
custom attribute group name - A comma-separated list of custom attribute group names. For example: cag1, cag2, cag3.
This value retrieves all custom attributes in the mentioned group. The value "none" is default. Possible values are: all, none, specific attributes, custom attribute group name. Default is none.
Optional
custom_dataA comma-separated list of custom attribute names or custom attribute group names. For example: item1,item2,item3.Optional

Context Output#

PathTypeDescription
SymantecDLP.Incident.IDNumberThe ID of the incident.
SymantecDLP.Incident.policyVersionNumberThe version of the policy.
SymantecDLP.Incident.attachmentInfo.componentTypeNumberThe ID of the type of the message component that generated the incident.
SymantecDLP.Incident.attachmentInfo.messageComponentNameStringThe name of the file or attachment that generated the incident.
SymantecDLP.Incident.attachmentInfo.messageComponentIdNumberThe ID of the message component that generated the incident.
SymantecDLP.Incident.attachmentInfo.wasCrackedBooleanIndicates if the message component that generated the incident was cracked.
SymantecDLP.Incident.attachmentInfo.documentFormatStringThe file format of the message component that generated the incident.
SymantecDLP.Incident.attachmentInfo.mimeTypeStringThe standard mime type of the message component that generated the incident.
SymantecDLP.Incident.attachmentInfo.originalSizeNumberThe size, in bytes, of the file or attachment that generated the incident.
SymantecDLP.Incident.messageSubjectStringThe subject of the message that caused the incident.
SymantecDLP.Incident.policyNameStringThe name of the policy.
SymantecDLP.Incident.policyGroupNameStringThe name of the policy group.
SymantecDLP.Incident.policyGroupIdNumberThe ID of the policy group of the policy that was violated.
SymantecDLP.Incident.messageSourceStringThe localized label that corresponds to the Symantec DLP product that generated the incident.
SymantecDLP.Incident.messageIdNumberThe ID of the message that caused the incident.
SymantecDLP.Incident.messageOriginatorIDNumberThe ID of the sender or originator of the message that caused the incident.
SymantecDLP.Incident.matchCountNumberThe total number of policy violation matches produced by policies for this incident.
SymantecDLP.Incident.creationDateDateThe creation date of the incident.
SymantecDLP.Incident.isBlockedStatusSupersededBooleanSpecifies whether the incident response was superseded by another response.
SymantecDLP.Incident.detectionServerNameStringThe name of the detection server that created the incident.
SymantecDLP.Incident.networkSenderPortNumberThe port number on the host from which network traffic originated.
SymantecDLP.Incident.messageTypeStringIndicates the Symantec DLP product component that generated the incident.
SymantecDLP.Incident.policyIdNumberThe ID of the policy.
SymantecDLP.Incident.detectionDateDateThe detection date of the incident.
SymantecDLP.Incident.messageTypeIdNumberThe ID of the message type.
SymantecDLP.Incident.detectionServerIdNumberThe ID of the detection server or cloud detector that created the incident.
SymantecDLP.Incident.messageDateDateThe date and time that the network message that caused the incident originated.
SymantecDLP.Incident.senderIPAddressStringThe IP address of the sender.
SymantecDLP.Incident.endpointMachineIpAddressStringThe IP address of the endpoint machine.
SymantecDLP.Incident.recipientInfo.recipientTypeNumberThe type of the recipient.
SymantecDLP.Incident.recipientInfo.recipientPortNumberThe port of the recipient.
SymantecDLP.Incident.recipientInfo.recipientDomainStringThe domain of the recipient.
SymantecDLP.Incident.recipientInfo.recipientIdentifierStringThe identifier of the recipient.
SymantecDLP.Incident.recipientInfo.recipientIPAddressStringThe IP address of the recipient.
SymantecDLP.Incident.recipientInfo.recipientUrlStringThe URL address of the recipient.
SymantecDLP.Incident.networkSenderIdentifierStringThe name and/or IP address of the user who caused the incident.
SymantecDLP.Incident.isHidingNotAllowedBooleanIndicates if incident hiding is not allowed for the incident.
SymantecDLP.Incident.incidentStatusNameStringThe status of the incident.
SymantecDLP.Incident.dataOwnerEmailStringThe email of the data owner.
SymantecDLP.Incident.dataOwnerNameStringThe name of the data owner.
SymantecDLP.Incident.severityNumberThe severity of the incident.
SymantecDLP.Incident.incidentStatusIdNumberThe status ID of the incident.
SymantecDLP.Incident.isHiddenBooleanThe hidden state of the incident.
SymantecDLP.Incident.preventOrProtectStatusIdNumberThe remediation status ID.
SymantecDLP.Incident.CustomAttribute.NameStringThe name of the custom attribute.
SymantecDLP.Incident.CustomAttribute.ValueStringThe value of the custom attribute.
SymantecDLP.Incident.CustomAttribute.IndexNumberThe index of the custom attribute.
SymantecDLP.Incident.fileCreateDateDateThe date and time the file was created.
SymantecDLP.Incident.discoverServerStringThe name of the file share, server, or SQL database that was scanned.
SymantecDLP.Incident.fileAccessDateDateThe date and time the file was last accessed.
SymantecDLP.Incident.discoverTargetNameStringThe name of the Discover scan target.
SymantecDLP.Incident.discoverRepositoryLocationStringThe location, file location, or other path to the resource which generated the incident.
SymantecDLP.Incident.discoverScanIdNumberThe ID of the Discover scan.
SymantecDLP.Incident.discoverContentRootPathStringThe full path on the file share, server, or SQL database that was scanned.
SymantecDLP.Incident.discoverMillisSinceFirstSeenNumberThe time from the first incident generated, by the same policy on the same file, or resource using Discover detection, up to the detection time of the current incident.
SymantecDLP.Incident.isBlockedStatusSupersededBooleanSpecifies whether the incident response was superseded by another response.
SymantecDLP.Incident.messageAclEntries.principalStringThe principal of the entry.
SymantecDLP.Incident.messageAclEntries.aclTypeStringThe type of resource the access control list applies to.
SymantecDLP.Incident.messageAclEntries.permissionStringThe permission of the entry.
SymantecDLP.Incident.messageAclEntries.grantDenyStringWhether access is allowed or not.
SymantecDLP.Incident.discoverTargetIdNumberThe ID of the Discover scan target.
SymantecDLP.Incident.discoverScanStartDateDateThe date and time that the Discover scan started.
SymantecDLP.Incident.discoverNameStringThe name of the file or resource that caused the incident.
SymantecDLP.Incident.fileOwnerStringThe owner of the file at the time the incident was created.
SymantecDLP.Incident.discoverUrlStringThe URL of the resource scanned.
SymantecDLP.Incident.endpointFilePathStringThe file system path of the file that violated the policy.
SymantecDLP.Incident.endpointApplicationPathStringThe path to the application that caused the incident.
SymantecDLP.Incident.endpointVolumeNameStringThe name of the local drive where the incident occurred.
SymantecDLP.Incident.domainUserNameStringThe domain and user name associated with the incident.
SymantecDLP.Incident.fileCreatedByStringThe name of the user who created the file.
SymantecDLP.Incident.fileModifiedByStringThe name of the user who last modified the file.
SymantecDLP.Incident.endpointDeviceInstanceIdStringThe ID to specifically identify an endpoint computer.
SymantecDLP.Incident.endpointFileNameStringThe name of the file that violated the policy.
SymantecDLP.Incident.endpointConnectionStatusStringThe location of the endpoint computer, on or off the corporate network.
SymantecDLP.Incident.endpointMachineIpAddressStringThe IP address of the computer on which the incident occurred, if the computer is in the corporate network.
SymantecDLP.Incident.endpointMachineNameStringThe name of the computer on which the incident occurred.
SymantecDLP.Incident.endpointApplicationNameStringThe name of the application that caused the incident.

Command example#

!symantec-dlp-get-incident-details incident_id=1 custom_attributes="custom attribute group name" custom_data="att group2"

Context Example#

{
"SymantecDLP": {
"Incident": {
"ID": 1,
"attachmentInfo": [
{
"componentType": 3,
"documentFormat": "unknown",
"messageComponentId": 5,
"messageComponentName": "token",
"mimeType": "application/octet-stream",
"originalSize": 0,
"wasCracked": false
}
],
"creationDate": "2021-12-20T13:25:46.103",
"customAttributeGroup": [
{
"customAttribute": [
{
"index": 4,
"name": "kjv",
"value": "test"
}
],
"name": "att group2"
}
],
"dataOwnerEmail": "testing@gmail.com",
"dataOwnerName": "test123",
"detectionDate": "2021-12-20T13:25:27.56",
"detectionServerId": 1,
"detectionServerName": "Detection - Network monitor",
"endpointMachineIpAddress": "1.31.25.150",
"incidentStatusId": 1,
"incidentStatusName": "incident.status.New",
"isBlockedStatusSuperseded": false,
"isHidden": false,
"isHidingNotAllowed": false,
"matchCount": 1,
"messageDate": "2021-12-20T13:25:27.623",
"messageId": 2,
"messageOriginatorID": 2,
"messageSource": "NETWORK",
"messageSubject": "HTTP incident",
"messageType": "HTTP",
"messageTypeId": 3,
"networkSenderIdentifier": "1.31.25.150",
"networkSenderPort": 51108,
"policyGroupId": 1,
"policyGroupName": "policy_group.default.name",
"policyId": 2,
"policyName": "Network Test policy",
"policyVersion": 1,
"preventOrProtectStatusId": 0,
"recipientInfo": [
{
"recipientDomain": "1.254.1.254",
"recipientIPAddress": "1.254.1.254",
"recipientIdentifier": "http://1.254.1.254/latest/api/token",
"recipientPort": 80,
"recipientType": 1,
"recipientUrl": "http://1.254.1.254/latest/api/token"
}
],
"senderIPAddress": "1.31.25.150",
"severity": "Medium"
}
}
}

Human Readable Output#

Symantec DLP incident 1 details#

StatusCreation DateDetection DateIncident TypePolicy NamePolicy Group NameDetection Server NameMessage TypeMessage SourceData Owner NameData Owner EmailCustom Attributes
12021-12-20T13:25:46.1032021-12-20T13:25:27.56NETWORKNetwork Test policypolicy_group.default.nameDetection - Network monitorHTTPNETWORKtest123testing@gmail.com- name: att group2
customAttribute:
- name: kjv
value: test

symantec-dlp-update-incident#


Updates the details of a specific incident.

Base Command#

symantec-dlp-update-incident

Input#

Argument NameDescriptionRequired
incident_idsThe incident IDs to update.Required
data_owner_emailThe data owner email.Optional
data_owner_nameThe data owner name.Optional
noteThe note to be added.Optional
incident_status_idThe status ID to update. Run the symantec-dlp-list-incident-status command to get the status ID.Optional
remediation_status_nameThe remediation status name of an incident.Optional
remediation_locationThe remediation location of the incident. Values can be user-defined.Optional
severityThe severity level of the incident. Possible values are: Info, Low, Medium, High.Optional
custom_attributesThe custom attributes to update. To get the custom attribute details, run the symantec-dlp-get-incident-details command with the custom_attributes=all command.
Format:
{columnIndex}:{newValue}
For example, 1:update, 4:att.
Optional

Context Output#

There is no context output for this command.

Command example#

!symantec-dlp-update-incident incident_ids=1,2 severity=Medium data_owner_email=testing@gmail.com custom_attributes=4:test

Human Readable Output#

Symantec DLP incidents: ['1', '2'] were updated

symantec-dlp-list-incident-status#


Returns a list of the custom status values defined in the Symantec DLP deployment.

Base Command#

symantec-dlp-list-incident-status

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
SymantecDLP.IncidentStatus.idNumberThe ID of the status.
SymantecDLP.IncidentStatus.nameStringThe name of the status.

Command example#

!symantec-dlp-list-incident-status

Context Example#

{
"SymantecDLP": {
"IncidentStatus": [
{
"id": 1,
"name": "incident.status.New"
},
{
"id": 42,
"name": "Escalated"
},
{
"id": 21,
"name": "In Process"
},
{
"id": 43,
"name": "False Positive"
},
{
"id": 44,
"name": "Configuration Error"
},
{
"id": 45,
"name": "Resolved"
},
{
"id": 61,
"name": "Custom status"
}
]
}
}

Human Readable Output#

Symantec DLP incidents status#

IdName
1incident.status.New
42Escalated
21In Process
43False Positive
44Configuration Error
45Resolved
61Custom status

symantec-dlp-get-incident-history#


Returns the history of the specified incident.

Base Command#

symantec-dlp-get-incident-history

Input#

Argument NameDescriptionRequired
incident_idThe incident ID.Required
limitThe limit of the incident history list per page. Default is 50.Optional

Context Output#

PathTypeDescription
SymantecDLP.IncidentHistory.incidentHistoryDateStringThe date of the incident history.
SymantecDLP.IncidentHistory.dlpUserNameStringThe name of the user.
SymantecDLP.IncidentHistory.incidentHistoryActionStringThe action of the incident history.
SymantecDLP.IncidentHistory.incidentHistoryDetailStringThe incident history detail.
SymantecDLP.IncidentHistory.policyGroupIdNumberThe ID of the policy group.
SymantecDLP.IncidentHistory.detectionServerNameStringThe name of the detection server that created the incident.
SymantecDLP.IncidentHistory.incidentHistoryIdNumberThe ID of the incident history.
SymantecDLP.IncidentHistory.messageSourceStringThe localized label that corresponds to the Symantec DLP product that generated the incident.
SymantecDLP.IncidentHistory.messageDateStringThe date of the message.
SymantecDLP.IncidentHistory.IDNumberThe ID of the incident.

Command example#

!symantec-dlp-get-incident-history limit=6 incident_id=2

Context Example#

{
"SymantecDLP": {
"IncidentHistory": {
"ID": 2,
"incidentHistory": [
{
"detectionServerName": "Detection - Network monitor",
"dlpUserName": "Administrator",
"incidentHistoryAction": "SET_STATUS",
"incidentHistoryDate": "2021-12-20T13:25:46.197",
"incidentHistoryDetail": "incident.status.New",
"messageDate": "2021-12-20T13:25:27.623",
"messageSource": "NETWORK",
"policyGroupId": 1
},
{
"detectionServerName": "Detection - Network monitor",
"dlpUserName": "Administrator",
"incidentHistoryAction": "MESSAGE_NOT_RETAINED",
"incidentHistoryDate": "2021-12-20T13:25:27.576",
"messageDate": "2021-12-20T13:25:27.623",
"messageSource": "NETWORK",
"policyGroupId": 1
},
{
"detectionServerName": "Detection - Network monitor",
"dlpUserName": "Administrator",
"incidentHistoryAction": "SET_SEVERITY",
"incidentHistoryDate": "2021-12-20T13:25:27.576",
"incidentHistoryDetail": "incident.severity.High",
"messageDate": "2021-12-20T13:25:27.623",
"messageSource": "NETWORK",
"policyGroupId": 1
},
{
"detectionServerName": "Detection - Network monitor",
"dlpUserName": "Administrator",
"incidentHistoryAction": "DETECTED",
"incidentHistoryDate": "2021-12-20T13:25:27.576",
"messageDate": "2021-12-20T13:25:27.623",
"messageSource": "NETWORK",
"policyGroupId": 1
}
]
}
}
}

Human Readable Output#

Symantec DLP Incident 2 history results#

DLP User NameHistory DateIncident History Action
Administrator2021-12-20T13:25:46.197SET_STATUS
Administrator2021-12-20T13:25:27.576MESSAGE_NOT_RETAINED
Administrator2021-12-20T13:25:27.576SET_SEVERITY
Administrator2021-12-20T13:25:27.576DETECTED

symantec-dlp-list-remediation-status#


Returns a list of the remediation status values defined in the Symantec DLP deployment.

Base Command#

symantec-dlp-list-remediation-status

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
SymantecDLP.IncidentRemediationStatus.idNumberThe ID of the remediation status.
SymantecDLP.IncidentRemediationStatus.nameStringThe name of the remediation status.

Command example#

!symantec-dlp-list-remediation-status

Context Example#

{
"SymantecDLP": {
"IncidentRemediationStatus": [
{
"id": 0,
"name": "PASSED"
},
{
"id": 1,
"name": "BLOCKED"
},
{
"id": 2,
"name": "MESSAGE_MODIFIED"
},
{
"id": 3,
"name": "PROTECT_FILE_COPIED"
},
{
"id": 4,
"name": "PROTECT_FILE_QUARANTINED"
},
{
"id": 5,
"name": "PROTECT_FILE_DELETED"
},
{
"id": 6,
"name": "PROTECT_REMEDIATION_ERROR"
},
{
"id": 8,
"name": "CONTENT_REMOVED"
},
{
"id": 9,
"name": "ENDPOINT_BLOCK"
},
{
"id": 10,
"name": "ENDPOINT_NOTIFY"
},
{
"id": 11,
"name": "FLEX_RESPONSE_EXECUTED"
},
{
"id": 12,
"name": "FLEX_RESPONSE_ERROR"
},
{
"id": 13,
"name": "FLEX_RESPONSE_REQUESTED"
},
{
"id": 14,
"name": "ENDPOINT_NOTIFY_CANCEL_ALLOW"
},
{
"id": 15,
"name": "ENDPOINT_NOTIFY_CANCEL_BLOCK"
},
{
"id": 16,
"name": "ENDPOINT_NOTIFY_CANCEL_TIMEOUT_ALLOW"
},
{
"id": 17,
"name": "ENDPOINT_NOTIFY_CANCEL_TIMEOUT_BLOCK"
},
{
"id": 18,
"name": "ENDPOINT_FILE_QUARANTINE_FAILED"
},
{
"id": 19,
"name": "ENDPOINT_FILE_QUARANTINED"
},
{
"id": 20,
"name": "UNKNOWN"
},
{
"id": 21,
"name": "EMAIL_QUARANTINED"
},
{
"id": 22,
"name": "EMAIL_APPROVED"
},
{
"id": 23,
"name": "EMAIL_BLOCKED"
},
{
"id": 24,
"name": "CUSTOM_ACTION_ON_EMAIL"
},
{
"id": 25,
"name": "EMAIL_MESSAGE_EXPUNGED"
},
{
"id": 26,
"name": "TRANSPORT_HEADERS_ADDED"
},
{
"id": 27,
"name": "VISUAL_TAG_ADDED"
},
{
"id": 28,
"name": "VISUAL_TAG_ADDITION_FAILED"
},
{
"id": 29,
"name": "QUARANTINE_FAILED"
},
{
"id": 30,
"name": "REST_ENCRYPTED"
},
{
"id": 31,
"name": "REST_PERFORMED_DRM"
},
{
"id": 32,
"name": "REST_PERFORMED_BREAK_LINKS"
},
{
"id": 33,
"name": "REST_PERFORMED_CUSTOM_ACTION"
},
{
"id": 34,
"name": "ENCRYPTED"
},
{
"id": 35,
"name": "ENCRYPT_FAILED"
},
{
"id": 36,
"name": "ENDPOINT_USER_ENCRYPT_CANCEL_ENCRYPT"
},
{
"id": 37,
"name": "ENDPOINT_USER_ENCRYPT_CANCEL_PREVENT"
},
{
"id": 38,
"name": "ENDPOINT_USER_ENCRYPT_CANCEL_TIMEOUT_ENCRYPT"
},
{
"id": 39,
"name": "ENDPOINT_USER_ENCRYPT_CANCEL_TIMEOUT_PREVENT"
},
{
"id": 40,
"name": "PROTECT_FILE_ENCRYPTED"
},
{
"id": 41,
"name": "REST_ACTION_REQUESTED"
},
{
"id": 42,
"name": "REST_ACTION_SUCCESS"
},
{
"id": 43,
"name": "REST_ACTION_FAILURE"
},
{
"id": 44,
"name": "REST_ACTION_WARNING"
},
{
"id": 45,
"name": "REST_USER_REMEDIATED"
},
{
"id": 46,
"name": "MANUAL_ACTION_REQUESTED"
},
{
"id": 47,
"name": "REST_RESTRICTED_FILE_AUTHORIZATION"
},
{
"id": 48,
"name": "REST_PREVENTED_PHYSICAL_ACCESS"
},
{
"id": 49,
"name": "REST_ADDITIONAL_ACCESS_PROTECTION"
},
{
"id": 50,
"name": "ENDPOINT_ENCRYPT"
},
{
"id": 51,
"name": "ENDPOINT_ENCRYPT_PREVENT_ENFORCED"
},
{
"id": 52,
"name": "ENDPOINT_ICT_TAGGING_SUCCESS"
},
{
"id": 53,
"name": "ENDPOINT_ICT_TAGGING_FAILURE"
},
{
"id": 54,
"name": "ENDPOINT_ICT_TAGGING_NOT_SUPPORTED"
},
{
"id": 55,
"name": "ENDPOINT_ICD_SUCCESS"
},
{
"id": 56,
"name": "ENDPOINT_ICD_FAILURE"
},
{
"id": 57,
"name": "PROTECT_FILE_TAGGED"
},
{
"id": 58,
"name": "PROTECT_FILE_TAGGING_FAILED"
},
{
"id": 59,
"name": "PROTECT_FILE_TAGGING_NOT_SUPPORTED"
},
{
"id": 60,
"name": "PROTECT_REMEDIATION_FAILED_CORRUPTION"
},
{
"id": 61,
"name": "REMEDIATION_PENDING"
},
{
"id": 62,
"name": "REMEDIATION_OVERRIDEN"
}
]
}
}

Human Readable Output#

Incidents remediation status results#

IdName
0PASSED
1BLOCKED
2MESSAGE_MODIFIED
3PROTECT_FILE_COPIED
4PROTECT_FILE_QUARANTINED
5PROTECT_FILE_DELETED
6PROTECT_REMEDIATION_ERROR
8CONTENT_REMOVED
9ENDPOINT_BLOCK
10ENDPOINT_NOTIFY
11FLEX_RESPONSE_EXECUTED
12FLEX_RESPONSE_ERROR
13FLEX_RESPONSE_REQUESTED
14ENDPOINT_NOTIFY_CANCEL_ALLOW
15ENDPOINT_NOTIFY_CANCEL_BLOCK
16ENDPOINT_NOTIFY_CANCEL_TIMEOUT_ALLOW
17ENDPOINT_NOTIFY_CANCEL_TIMEOUT_BLOCK
18ENDPOINT_FILE_QUARANTINE_FAILED
19ENDPOINT_FILE_QUARANTINED
20UNKNOWN
21EMAIL_QUARANTINED
22EMAIL_APPROVED
23EMAIL_BLOCKED
24CUSTOM_ACTION_ON_EMAIL
25EMAIL_MESSAGE_EXPUNGED
26TRANSPORT_HEADERS_ADDED
27VISUAL_TAG_ADDED
28VISUAL_TAG_ADDITION_FAILED
29QUARANTINE_FAILED
30REST_ENCRYPTED
31REST_PERFORMED_DRM
32REST_PERFORMED_BREAK_LINKS
33REST_PERFORMED_CUSTOM_ACTION
34ENCRYPTED
35ENCRYPT_FAILED
36ENDPOINT_USER_ENCRYPT_CANCEL_ENCRYPT
37ENDPOINT_USER_ENCRYPT_CANCEL_PREVENT
38ENDPOINT_USER_ENCRYPT_CANCEL_TIMEOUT_ENCRYPT
39ENDPOINT_USER_ENCRYPT_CANCEL_TIMEOUT_PREVENT
40PROTECT_FILE_ENCRYPTED
41REST_ACTION_REQUESTED
42REST_ACTION_SUCCESS
43REST_ACTION_FAILURE
44REST_ACTION_WARNING
45REST_USER_REMEDIATED
46MANUAL_ACTION_REQUESTED
47REST_RESTRICTED_FILE_AUTHORIZATION
48REST_PREVENTED_PHYSICAL_ACCESS
49REST_ADDITIONAL_ACCESS_PROTECTION
50ENDPOINT_ENCRYPT
51ENDPOINT_ENCRYPT_PREVENT_ENFORCED
52ENDPOINT_ICT_TAGGING_SUCCESS
53ENDPOINT_ICT_TAGGING_FAILURE
54ENDPOINT_ICT_TAGGING_NOT_SUPPORTED
55ENDPOINT_ICD_SUCCESS
56ENDPOINT_ICD_FAILURE
57PROTECT_FILE_TAGGED
58PROTECT_FILE_TAGGING_FAILED
59PROTECT_FILE_TAGGING_NOT_SUPPORTED
60PROTECT_REMEDIATION_FAILED_CORRUPTION
61REMEDIATION_PENDING
62REMEDIATION_OVERRIDEN

symantec-dlp-get-incident-original-message#


Fetches the original message from an incident. Requires SDLP 15.8.

Base Command#

symantec-dlp-get-incident-original-message

Input#

Argument NameDescriptionRequired
incident_idThe incident ID.Required

Context Output#

PathTypeDescription
InfoFile.EntryIDStringThe EntryID of the original message file.
InfoFile.ExtensionStringThe extension of the original message file.
InfoFile.NameStringThe name of the original message file.
InfoFile.InfoStringThe info of the original message file.
InfoFile.SizeNumberThe size of the original message file.
InfoFile.TypeStringThe type of the original message file.

Command example#

!symantec-dlp-get-incident-original-message incident_id=1

Context Example#

{
"File": {
"EntryID": "2442@1a367091-9d9f-4851-8e71-bfbbb66563a6",
"Info": "text/plain",
"MD5": "cb79735bc7c9de30eb3a63110c6febd9",
"Name": "unknown",
"SHA1": "30dcc9ed8a7b1f44de4c4cdcde055708f96487d5",
"SHA256": "d085bf376b122a38064ef32ede13b0ff64b7dc085079e1cfd57ae664bf76d78b",
"SHA512": "3db852235a9d84dccacc04e805c5a3d843d0cd90c71833e2b8c68c17f77f04aadd88f8f72216a9f23417336e689c342a25588390002edd51605067a78bfabfa4",
"SSDeep": "3:ZwRRrPD+sGMw2Bu:+7Dy324",
"Size": 37,
"Type": "ASCII text, with no line terminators"
}
}

Human Readable Output#

symantec-dlp-get-report-filters#


Retrieves the filter criteria for a saved search in the Enforce console by report ID. Requires SDLP 16.0.

Base Command#

symantec-dlp-get-report-filters

Input#

Argument NameDescriptionRequired
report_idReport ID for which to retrieve filters.Required

Context Output#

PathTypeDescription
SymantecDLP.ReportFilterUnknownThe filter criteria for a saved search in the Enforce console.

Command example#

!symantec-dlp-get-report-filters report_id=1

Context Example#

{
"SymantecDLP": {
"ReportFilter": {
"filter": {
"booleanOperator": "AND",
"filterType": "booleanLogic",
"filters": [
{
"filterType": "string",
"operandOne": {
"name": "messageSource"
},
"operandTwoValues": [
"NETWORK"
],
"operator": "EQ"
},
{
"booleanOperator": "AND",
"filterType": "booleanLogic",
"filters": [
{
"filterType": "localDateTime",
"operandOne": {
"name": "messageDate"
},
"operandTwoValues": [
"2022-01-01T00:00:00"
],
"operator": "GTE"
},
{
"filterType": "localDateTime",
"operandOne": {
"name": "messageDate"
},
"operandTwoValues": [
"2022-12-31T23:59:59"
],
"operator": "LTE"
},
{
"filterType": "string",
"operandOne": {
"function": "UPPER",
"name": "networkSenderIdentifier"
},
"operandTwoValues": [
"example_email@demisto.com"
],
"operator": "IN"
}
]
}
]
},
"filterString": "{\"select\": [{\"id\": 173, \"name\": \"messageDate\"}, {\"id\": 174, \"name\": \"incidentId\"}, {\"id\": 175, \"name\": \"networkSenderIdentifier\"}, {\"id\": 176, \"name\": \"messageSubject\"}, {\"id\": 177, \"name\": \"recipientIdentifier\"}, {\"id\": 178, \"name\": \"policyName\"}, {\"id\": 179, \"name\": \"matchCount\"}, {\"id\": 180, \"name\": \"incidentStatusName\"}], \"filter\": {\"filterType\": \"booleanLogic\", \"booleanOperator\": \"AND\", \"filters\": [{\"filterType\": \"string\", \"operandOne\": {\"name\": \"messageSource\"}, \"operator\": \"EQ\", \"operandTwoValues\": [\"NETWORK\"]}, {\"filterType\": \"booleanLogic\", \"booleanOperator\": \"AND\", \"filters\": [{\"filterType\": \"localDateTime\", \"operandOne\": {\"name\": \"messageDate\"}, \"operator\": \"GTE\", \"operandTwoValues\": [\"2022-01-01T00:00:00\"]}, {\"filterType\": \"localDateTime\", \"operandOne\": {\"name\": \"messageDate\"}, \"operator\": \"LTE\", \"operandTwoValues\": [\"2022-12-31T23:59:59\"]}, {\"filterType\": \"string\", \"operandOne\": {\"name\": \"networkSenderIdentifier\", \"function\": \"UPPER\"}, \"operator\": \"IN\", \"operandTwoValues\": [\"example_email@demisto.com\"]}]}]}, \"orderBy\": [{\"field\": {\"name\": \"messageDate\"}, \"order\": \"DESC\"}]}",
"orderBy": [
{
"field": {
"name": "messageDate"
},
"order": "DESC"
}
],
"select": [
{
"id": 173,
"name": "messageDate"
},
{
"id": 174,
"name": "incidentId"
},
{
"id": 175,
"name": "networkSenderIdentifier"
},
{
"id": 176,
"name": "messageSubject"
},
{
"id": 177,
"name": "recipientIdentifier"
},
{
"id": 178,
"name": "policyName"
},
{
"id": 179,
"name": "matchCount"
},
{
"id": 180,
"name": "incidentStatusName"
}
]
}
}
}

Human Readable Output#

Returned results for report id 1

symantec-dlp-list-users#


Returns details for all SDLP users from the Enforce console. Requires SDLP 16.0.

Base Command#

symantec-dlp-list-users

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
SymantecDLP.UsersUnknownList of SDLP users and details.

Command example#

!symantec-dlp-list-users

Context Example#

{
"SymantecDLP": {
"Users": {
"accountDisabled": "no",
"emailAddress": "test@gmail.com",
"roles": [
"API Web"
],
"userId": 1,
"userName": "User1"
}
}
}

Human Readable Output#

Symantec DLP Users#

AccountdisabledEmailaddressRolesUseridUsername
notest@gmail.comAPI Web1User1

symantec-dlp-get-sender-recipient-pattern#


Returns a sender/recipient pattern. Requires SDLP 16.0.

Base Command#

symantec-dlp-get-sender-recipient-pattern

Input#

Argument NameDescriptionRequired
pattern_idPattern ID for which to retrieve pattern details.Required

Context Output#

PathTypeDescription
SymantecDLP.SenderRecipientPatternUnknownSender/recipient pattern returned from the Enforce console.

Command example#

!symantec-dlp-get-sender-recipient-pattern pattern_id=1

Context Example#

{
"SymantecDLP": {
"SenderRecipientPattern": {
"description": "demo",
"id": 1,
"ipAddresses": [
"1.1.1.1",
"2.2.2.2"
],
"modifiedBy": {
"id": 343,
"name": "AdminUsername "
},
"modifiedDate": "05/16/23 12:20 PM",
"name": "XSOAR Sender Block Example",
"ruleType": 4,
"userPatterns": [
"domain-jsmith",
"domain-jdoe"
]
}
}
}

Human Readable Output#

XSOAR Sender Block Example#

descriptionidipAddressesmodifiedBymodifiedDatenameruleTypeuserPatterns
demo11.1.1.1,
2.2.2.2
id: 343
name: AdminUsername
05/16/23 12:20 PMXSOAR Sender Block Example4domain-jsmith,
domain-jdoe

symantec-dlp-list-sender-recipient-patterns#


Returns a list of all sender/recipient patterns from the Enforce console. Requires SDLP 16.0.

Base Command#

symantec-dlp-list-sender-recipient-patterns

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
SymantecDLP.PatternsUnknownThe list of all sender/recipient patterns returned from the Enforce console.

Command example#

!symantec-dlp-list-sender-recipient-patterns

Context Example#

{
"SymantecDLP": {
"Patterns": {
"description": "demo",
"id": 1,
"ipAddresses": [
"1.1.1.1",
"2.2.2.2"
],
"modifiedBy": {
"id": 343,
"name": "AdminUsername "
},
"modifiedDate": "05/16/23 12:20 PM",
"name": "XSOAR Sender Block Example",
"ruleType": 4,
"userPatterns": [
"domain-jsmith",
"domain-jdoe"
]
}
}
}

Human Readable Output#

Sender/Recipient Patterns#

descriptionidipAddressesmodifiedBymodifiedDatenameruleTypeuserPatterns
demo11.1.1.1,
2.2.2.2
id: 343
name: AdminUsername
05/16/23 12:20 PMXSOAR Sender Block Example4domain-jsmith,
domain-jdoe

symantec-dlp-update-sender-pattern#


Updates a sender pattern in the Enforce console. Requires SDLP 16.0.

Base Command#

symantec-dlp-update-sender-pattern

Input#

Argument NameDescriptionRequired
pattern_idID number of the pattern to update.Required
ipsComma-separated list of IP addresses for the pattern. Note: These IP values will replace the existing values in the pattern.Optional
usersComma-separated list of emails, Windows names, or screen names for the pattern. Note: These user values will replace the existing values in the pattern.Optional
nameName of the sender pattern. Note: This value will change the name of the pattern if different from the existing name.Required
descriptionDescription of the sender pattern.Optional

Context Output#

PathTypeDescription
SymantecDLP.SenderUpdateUnknownResults of updating the sender pattern from the Enforce Console.

Command example#

!symantec-dlp-update-sender-pattern pattern_id=1 name="XSOAR Sender Block Example" description="demo"

Context Example#

{
"SymantecDLP": {
"SenderUpdate": {
"description": "demo",
"id": 1,
"ipAddresses": [
"1.1.1.1",
"2.2.2.2"
],
"modifiedBy": {
"id": 343,
"name": "AdminUsername "
},
"modifiedDate": "05/16/23 12:20 PM",
"name": "XSOAR Sender Block Example",
"ruleType": 4,
"userPatterns": [
"domain-jsmith",
"domain-jdoe"
]
}
}
}

Human Readable Output#

Sender Pattern Update Results#

descriptionidipAddressesmodifiedBymodifiedDatenameruleTypeuserPatterns
demo11.1.1.1,
2.2.2.2
id: 343
name: AdminUsername
05/16/23 12:20 PMXSOAR Sender Block Example4domain-jsmith,
domain-jdoe

symantec-dlp-update-recipient-pattern#


Updates a recipient pattern in the Enforce console. Requires SDLP 16.0.

Base Command#

symantec-dlp-update-recipient-pattern

Input#

Argument NameDescriptionRequired
pattern_idID number of the pattern to update.Required
ipsComma-separated list of IP addresses for the pattern. Note: These IP values will replace the existing values in the pattern.Optional
emailsComma-separated list of emails for the pattern. Note: These email values will replace the existing values in the pattern.Optional
domainsComma-separated list of domains for the pattern. Note: These domain values will replace the existing values in the pattern.Optional
nameName of the sender pattern. Note: This value will change the name of the pattern if different from the existing name.Required
descriptionDescription of the sender pattern.Optional

Context Output#

PathTypeDescription
SymantecDLP.RecipientUpdateUnknownResults of updating the recipient pattern from the Enforce Console.

Command example#

!symantec-dlp-update-recipient-pattern pattern_id=1 name="XSOAR Recipient Edit Test" description="updated from XSOAR for demo"

Context Example#

{
"SymantecDLP": {
"RecipientUpdate": {
"description": "updated from XSOAR for demo",
"emailAddresses": [
"test1@gmail.com",
"test2@gmail.com"
],
"id": 1,
"ipAddresses": [
"1.1.1.1",
"2.2.2.2"
],
"modifiedBy": {
"id": 343,
"name": "AdminUsername"
},
"modifiedDate": "05/16/23 12:18 PM",
"name": "XSOAR Recipient Edit Test",
"ruleType": 2,
"urlDomains": [
"example.com",
"external.com"
]
}
}
}

Human Readable Output#

Sender Pattern Update Results#

descriptionemailAddressesidipAddressesmodifiedBymodifiedDatenameruleTypeurlDomains
updated from XSOAR for demotest1@gmail.com,
test2@gmail.com
11.1.1.1,
2.2.2.2
id: 343
name: AdminUsername
05/16/23 12:18 PMXSOAR Recipient Edit Test2example.com,
external.com

symantec-dlp-get-message-body#


Returns the message body from the Enforce console by incident ID. Requires SDLP 16.0.

Base Command#

symantec-dlp-get-message-body

Input#

Argument NameDescriptionRequired
incident_idThe incident ID.Required

Context Output#

PathTypeDescription
SymantecDLP.MessageBodyUnknownMessage body for the incident returned by the Enforce console.

Command example#

!symantec-dlp-get-message-body incident_id=1

Context Example#

{
"SymantecDLP": {
"MessageBody": {
"IncidentID": "1",
"MessageBody": "message body for incident 1"
}
}
}

Human Readable Output#

Message body for incident 1 written to context data

Breaking changes from the previous version of this integration - Symantec Data Loss Prevention v2#

Commands#

The following commands were removed in this version:#

  • symantec-dlp-incident-binaries
  • symantec-dlp-incident-violations
  • symantec-dlp-list-custom-attributes

Arguments#

The following arguments were removed in this version:#

In the symantec-dlp-update-incident command:

  • incident_id - this argument was replaced by incident_ids.
  • note_time
  • status
  • custom_attribute_name - this argument was replaced by custom_attributes.
  • custom_attribute_value - this argument was replaced by custom_attributes.
  • remediation_status - this argument was replaced by remediation_status_name.

The behavior of the following arguments was changed:#

In the symantec-dlp-update-incident command: custom_attribute_name and custom_attribute_value are now used in custom_attributes. incident_id argument are now called incident_ids and can get a list of incident IDs to update.

Outputs#

The following outputs were removed in this version:#

In the symantec-dlp-get-incident-details command:

  • SymantecDLP.Incident.LongID
  • SymantecDLP.Incident.StatusCode - this output was replaced by SymantecDLP.Incident.incidentStatusId.
  • SymantecDLP.Incident.CreationDate - this output was replaced by SymantecDLP.Incident.creationDate.
  • SymantecDLP.Incident.DetectionDate - this output was replaced by SymantecDLP.Incident.detectionDate.
  • SymantecDLP.Incident.Severity - this output was replaced by SymantecDLP.Incident.severity.
  • SymantecDLP.Incident.MessageSource - this output was replaced by SymantecDLP.Incident.messageSource.
  • SymantecDLP.Incident.MessageSourceType - this output was replaced by SymantecDLP.Incident.messageType.
  • SymantecDLP.Incident.MessageType - this output was replaced by SymantecDLP.Incident.messageType.
  • SymantecDLP.Incident.MessageTypeID - this output was replaced by SymantecDLP.Incident.messageTypeId.
  • SymantecDLP.Incident.Policy.Name - this output was replaced by SymantecDLP.Incident.policyName.
  • SymantecDLP.Incident.Policy.Version - this output was replaced by SymantecDLP.Incident.policyVersion.
  • SymantecDLP.Incident.Policy.Label
  • SymantecDLP.Incident.Policy.ID - this output was replaced by SymantecDLP.Incident.policyId.
  • SymantecDLP.Incident.BlockedStatus
  • SymantecDLP.Incident.MatchCount - this output was replaced by SymantecDLP.Incident.matchCount.
  • SymantecDLP.Incident.RuleViolationCount
  • SymantecDLP.Incident.DetectionServer - this output was replaced by SymantecDLP.Incident.detectionServerName.
  • SymantecDLP.Incident.DataOwner.Name - this output was replaced by SymantecDLP.Incident.dataOwnerName.
  • SymantecDLP.Incident.DataOwner.Email - this output was replaced by SymantecDLP.Incident.dataOwnerEmail.
  • SymantecDLP.Incident.EventDate
  • SymantecDLP.Incident.ViolatedPolicyRule.Name
  • SymantecDLP.Incident.ViolatedPolicyRule.ID
  • SymantecDLP.Incident.OtherViolatedPolicy.Name
  • SymantecDLP.Incident.OtherViolatedPolicy.Version
  • SymantecDLP.Incident.OtherViolatedPolicy.Label
  • SymantecDLP.Incident.OtherViolatedPolicy.ID

Additional Considerations for this version#

There is an issue with DLP API where some incidents get a 401 error. For these incidents, the missing data is returned. From the Network incident layout, in the description field, you can see information about this issue.