Fortinet Document Library

About the connector

Data loss prevention software detects potential data breaches or data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).

Symantec DLP (Data Loss Prevention) includes techniques for identifying confidential or sensitive information. Sometimes confused with discovery, data identification is a process by which organizations use a DLP technology to determine what to look for. Symantec DLP can discover, monitor, and protect sensitive data wherever it's used – in the office, on the road, or in the cloud. It gives you complete visibility and control across the broadest range of data loss channels: cloud apps, endpoints, data repositories, emails, and web communications.

This document provides information about the Symantec DLP connector, which facilitates automated interactions with a Symantec DLP server using FortiSOAR™ playbooks. Add the Symantec DLP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about an incident or updating an incident on the Symantec DLP server.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with Symantec DLP Versions: 15.0 and later

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Symantec DLP server to which you will connect and perform the automated operations and the credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec DLP connector and click Configure to configure the following parameters:

 

  • Server URL: IP address or URL of the Symantec DLP server to which you will connect and perform the automated operations.
  • Username: Username to access the Symantec DLP server to which you will connect and perform the automated operations.
  • Password: Password to access the Symantec DLP server to which you will connect and perform the automated operations.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.
  • Protocol: Protocol used to remotely connect to the Symantec DLP server. Choose between http and https. By default, https is used.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:

 

  • Get Incident Status: Retrieves a list of custom incident status values available on the Symantec DLP server. (Annotation: get_status; Category: Investigation)
  • Get Incidents IDs: Retrieves a list of all available incident IDs stored in the Report ID that you have specified. (Annotation: list_records; Category: Containment)
  • Get Incident Details: Retrieves details of a single Symantec DLP incident, based on the Symantec DLP incident ID that you have specified. (Annotation: get_record; Category: Remediation)
  • Get Custom Attributes: Retrieves details of custom attribute values available on the Symantec DLP server. (Annotation: list_attribute; Category: Investigation)
  • Get Incident Violations: Retrieves details of violations associated with the specified incident ID, based on the Symantec DLP incident ID that you have specified. (Annotation: incident_violations; Category: Remediation)
  • Update Incident: Updates an incident record on the Symantec DLP server, based on the incident ID and other parameters you have specified. (Annotation: update_record; Category: Remediation)

 

operation: Get Incident Status

Input parameters

None

Output

The JSON output retrieves a list of all custom incident status values available on the Symantec DLP server.

[Image: Sample output of the Get Incident Status operation]

operation: Get Incidents IDs

Input parameters

 

  • Report ID: ID of the saved report that you want to execute on the Enforce Server. You must have created this report using the Enforce Server administration console before executing the Web Service call. The incidents are retrieved using this Report ID.
  • Creation Date Greater Than (YYYY-MM-DD): Constrains the list of returned incident IDs to include only those Symantec DLP incidents that were created after the date you specify, in the YYYY-MM-DD format, in this parameter. If you do not specify a date, this operation will not retrieve any reports.

 

Note: For this operation to work, you must generate the report using the Enforce Server administration console and pass the ID of this report to the Symantec DLP API using the Report ID parameter. For the procedure for creating a report using the Enforce Server administration console, see the Creating reports using the Enforce Server administration console section.

Output

The JSON output retrieves a list of all available incidents IDs stored on the Symantec DLP server, based on the Report ID you have specified.

[Image: Sample output of the Get Incidents IDs operation]

 

operation: Get Incident Details

Input parameters

 

  • Include Violations (Optional): Select this parameter to include policy violation data for the incident you have specified using the Incident ID, along with the basic incident details.
  • Include History (Optional): Select this parameter to include historical information for the incident you have specified using the Incident ID, along with the basic incident details.
  • Incident Long ID: Unique ID of the Symantec DLP incident for which you want to retrieve details.

 

Output

The JSON output retrieves the details of the incident from the Symantec DLP server, based on the incident ID and other parameters you have specified.

[Image: Sample output of the Get Incident Details operation]

 

operation: Get Custom Attributes

Input parameters

None

Output

The JSON output retrieves details of custom attribute values available on the Symantec DLP server.

[Image: Sample output of the Get Custom Attributes operation]

 

operation: Get Incident Violations

Input parameters

 

  • Include Image Violations (Optional): Select this parameter to include image violation data for the incident you have specified using the Incident ID, along with the basic incident details.
  • Incident Long ID: Unique ID of the Symantec DLP incident for which you want to retrieve violation details.

 

Output

The JSON output retrieves the details of the violations associated with the specified incident ID from the Symantec DLP server.

[Image: Sample output of the Get Incident Violations operation]

 

operation: Update Incident

Input parameters

 

  • Batch ID: Symantec suggests that you use a unique integer value, such as one derived from a UUID or a GUID, to track incidents per batch. Use the Batch ID in a native client application that uses the API to update incidents. You can choose to give any integer value as the Batch ID.
  • Incident Long ID: Unique ID of the Symantec DLP incident that you want to update.
  • Incident Severity (Optional): Severity of the incident that you want to update. Choose between High, Medium, Low, and Info.
  • Incident Status (Optional): Status value of the incident that you want to update. Incident status values are defined using the Enforce Server administration console.
  • Note Creation Time (Optional): Time the note was added to the incident that you want to update.
  • Note Text (Optional): Content of the note that you want to add to the incident that you want to update.
  • Remediation Status (Optional): Remediation status of the incident that you want to update. Remediation status is a static list present in Symantec DLP; its values include Blocked, Passed, Content_Removed, etc.
  • Remediation Location (Optional): Remediation location of the incident that you want to update. You can define the values of the Remediation location.
  • Custom Attribute Value (Optional): Value of the custom attribute(s) associated with the incident that you want to update.
  • Custom Attribute Name (Optional): Name of the custom attribute(s) associated with the incident that you want to update.
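The following is an added example, not part of the connector or of Symantec's API: a small Python helper that assembles the Update Incident inputs described above for a batch of incident IDs (for instance the list returned by Get Incidents IDs), generating one UUID-derived integer Batch ID per batch as the documentation suggests and rejecting severity values the operation does not accept. The parameter names mirror the table; the batching convention and the assumption that Custom Attribute Name and Custom Attribute Value are passed as two parallel lists are this example's own.

```python
import uuid
from typing import Dict, Iterable, List, Optional

# Severity values the Update Incident operation accepts, per the connector documentation.
SEVERITIES = ("High", "Medium", "Low", "Info")


def new_batch_id() -> int:
    """Unique integer for tracking one batch of updates, derived from a UUID as Symantec suggests."""
    return uuid.uuid4().int


def update_params(incident_long_id: int, batch_id: int, *, severity: Optional[str] = None,
                  status: Optional[str] = None, note_text: Optional[str] = None,
                  custom_attributes: Optional[Dict[str, str]] = None) -> dict:
    """Build the input dict for one Update Incident step, rejecting values the docs rule out."""
    if not isinstance(incident_long_id, int) or incident_long_id <= 0:
        raise ValueError("Incident Long ID must be a positive integer")
    if not isinstance(batch_id, int):
        raise ValueError("Batch ID must be an integer")
    params = {"Incident Long ID": incident_long_id, "Batch ID": batch_id}
    if severity is not None:
        if severity not in SEVERITIES:
            raise ValueError(f"Incident Severity must be one of {SEVERITIES}, got {severity!r}")
        params["Incident Severity"] = severity
    if status is not None:
        # Must be a status value defined in the Enforce Server administration console.
        params["Incident Status"] = status
    if note_text is not None:
        params["Note Text"] = note_text
    if custom_attributes:
        # Assumption: names and values travel as two parallel parameters, in matching order.
        params["Custom Attribute Name"] = list(custom_attributes.keys())
        params["Custom Attribute Value"] = list(custom_attributes.values())
    return params


def batch_updates(incident_ids: Iterable[int], batch_size: int = 50, **fields) -> List[List[dict]]:
    """Split incident IDs into batches; every update in a batch shares the same Batch ID."""
    if batch_size <= 0:
        raise ValueError("batch_size must be positive")
    ids = list(incident_ids)
    batches = []
    for start in range(0, len(ids), batch_size):
        batch_id = new_batch_id()
        batches.append([update_params(i, batch_id, **fields) for i in ids[start:start + batch_size]])
    return batches


if __name__ == "__main__":
    # Constructed sample: five incident IDs escalated in batches of two.
    for batch in batch_updates([101, 102, 103, 104, 105], batch_size=2, severity="High",
                               note_text="Escalated by FortiSOAR playbook"):
        print(batch)
```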

 

Output

The JSON output retrieves details of the incident, along with the updated data, from the Symantec DLP server, based on the incident ID you have specified.

 

Included playbooks

The Sample-Symantec DLP-1.0.0 playbook collection comes bundled with the Symantec DLP connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec DLP connector.

  • Get Custom Attributes
  • Get Incident Details
  • Get Incidents IDs
  • Get Incident Status
  • Get Incident Violations
  • Update Incident

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

 

Creating reports using the Enforce Server administration console

Use the following procedure to create a saved report for an Incident Reporting and Update API Web Service client:

  1. Log on to the Enforce Server administration console as the Incident Reporting and Update API Web Service user.
    Note: The saved report must be accessible to the Incident Reporting and Update API Web Service user.
  2. Select Incidents > Incident Reports.
  3. Select an existing incident list from the list of available reports.
    You can select a system-defined incident list, such as Incidents All, as the basis for the new report.
  4. (Optional) Use the Filter and Severity controls on the report to limit the incident IDs that the report returns.
    1. Click Advanced Filters & Summarization.
    2. In the Summarize By menu, verify that both the <no primary summary selected> and the <no secondary summary selected> options are selected.
      You cannot access a summary report using the Incident Reporting and Update API Web Service.
    3. (Optional) Click Add Filter and add one or more advanced filters to limit the incident IDs that the report returns.
      Note: Role-based access privileges might further limit the results that are returned from the Incident Reporting and Update API Web Service.
  5. Select Report > SaveAs.
  6. Type a name for the report in the Name field, and optionally type the description for the report in the Description field.
  7. Click Save.
    The new saved report appears under the Saved Reports heading in the left pane.

Note: To determine the ID of the saved report, hover your mouse over the report name. The tooltip displays the report ID and the name of the report. For example, if the tooltip displays ViewReport 83, a web service client can request the incident list by passing the report ID as 83.
