Data loss prevention software detects potential data breaches or data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).
Symantec DLP (Data Loss Prevention) includes techniques for identifying confidential or sensitive information. Sometimes confused with discovery, data identification is a process by which organizations use a DLP technology to determine what to look for. Symantec DLP can discover, monitor, and protect sensitive data wherever it's used – in the office, on the road, or in the cloud. It gives you complete visibility and control across the broadest range of data loss channels: cloud apps, endpoints, data repositories, emails, and web communications.
This document provides information about the Symantec DLP connector, which facilitates automated interactions with a Symantec DLP server using FortiSOAR™ playbooks. Add the Symantec DLP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about an incident or updating an incident on the Symantec DLP server.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Symantec DLP Versions: 15.0 and later
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Symantec DLP connector and click Configure to configure the following parameters:
| Parameter | Description |
|---|---|
| Server URL | IP or URL of the Symantec DLP server to which you will connect and perform the automated operations. |
| Username | Username to access the Symantec DLP server to which you will connect and perform the automated operations. |
| Password | Password to access the Symantec DLP server to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
| Protocol | Protocol used to remotely connect to the Symantec DLP server. Choose between http or https. By default, https is used. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Incident Status | Retrieves a list of custom incident status values available on the Symantec DLP server. | get_status Investigation |
| Get Incidents IDs | Retrieves a list of all available incident IDs for the Report ID that you have specified. | list_records Containment |
| Get Incident Details | Retrieves details of a single Symantec DLP incident, based on the Symantec DLP incident ID that you have specified. | get_record Remediation |
| Get Custom Attributes | Retrieves details of custom attribute values available on the Symantec DLP server. | list_attribute Investigation |
| Get Incident Violations | Retrieves details of violations associated with the Symantec DLP incident ID that you have specified. | incident_violations Remediation |
| Update Incident | Updates an incident record on the Symantec DLP server, based on the incident ID and other parameters you have specified. | update_record Remediation |
Input parameters for Get Incident Status: None.
The JSON output contains a list of all custom incident status values available on the Symantec DLP server.

| Parameter | Description |
|---|---|
| Report ID | ID of the saved report that you want to execute on the Enforce Server. You must have created this report using the Enforce Server administration console before executing the Web Service call. The incidents are retrieved using this Report ID. |
| Creation Date Greater Than (YYYY-MM-DD) | Constrains the list of returned incident IDs to include only those Symantec DLP incidents that were created after the date you specify in this parameter, in the YYYY-MM-DD format. If you do not specify any date then this operation will not retrieve any reports. |
Note: For this operation to work, you must generate the report using the Enforce Server administration console and you must pass the ID of this report to the Symantec DLP API, using the Report ID parameter. For the procedure for creating a report using the Enforce Server administration console, see the Creating reports using the Enforce Server administration console section.
The JSON output contains a list of all available incident IDs stored on the Symantec DLP server, based on the Report ID you have specified.

| Parameter | Description |
|---|---|
| Include Violations | (Optional) Select this parameter to include policy violation data, for the incident you have specified using the Incident ID, along with the basic incident details. |
| Include History | (Optional) Select this parameter to include historical information, for the incident you have specified using the Incident ID, along with the basic incident details. |
| Incident Long ID | Unique ID of the Symantec DLP incident for which you want to retrieve details. |
The JSON output contains the details of the incident from the Symantec DLP server, based on the incident ID and other parameters you have specified.

Input parameters for Get Custom Attributes: None.
The JSON output contains details of custom attribute values available on the Symantec DLP server.

| Parameter | Description |
|---|---|
| Include Image Violations | (Optional) Select this parameter to include image violation data, for the incident you have specified using the Incident ID, along with the basic incident details. |
| Incident Long ID | Unique ID of the Symantec DLP incident for which you want to retrieve violation details. |
The JSON output contains the details of the violations associated with the specified incident ID from the Symantec DLP server.

| Parameter | Description |
|---|---|
| Batch ID | Symantec suggests that you use a unique integer value like a UUID or a GUID to track incidents per batch. Use the Batch ID in a native client application that uses the API to update incidents. You can choose to give any integer value as the Batch ID. |
| Incident Long ID | Unique ID of the Symantec DLP incident that you want to update. |
| Incident Severity | (Optional) Severity of the incident that you want to update. Choose between High, Medium, Low, and Info. |
| Incident Status | (Optional) Status value of the incident that you want to update. Incident status values are defined using the Enforce Server administration console. |
| Note Creation Time | (Optional) Time the note was added to the incident that you want to update. |
| Note Text | (Optional) Content of the note that you want to add to the incident that you want to update. |
| Remediation Status | (Optional) Remediation status of the incident that you want to update. Remediation status is a static list that is present in Symantec DLP, with values such as Blocked, Passed, Content_Removed, etc. |
| Remediation Location | (Optional) Remediation location of the incident that you want to update. You can define the values of the Remediation location. |
| Custom Attribute Value | (Optional) Value of custom attribute(s) associated with the incident that you want to update. |
| Custom Attribute Name | (Optional) Name of the custom attribute(s) associated with the incident that you want to update. |
The JSON output contains details of the incident, along with the updated data, from the Symantec DLP server, based on the incident ID you have specified.
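A pre-flight check for the configuration and operation inputs described in the tables above, written as an added example; it is not part of the connector or of Symantec's API. The dictionary keys (`protocol`, `verify_ssl`, `report_id`, `creation_date_greater_than`, `batch_id`, `incident_long_id`, `incident_severity`, `custom_attribute_name`, `custom_attribute_value`) are hypothetical names chosen for illustration, and the rule that a custom attribute name and value must be supplied together is an assumption.

```python
import re
from datetime import date

# Severity values listed in the Update Incident table on this page.
SEVERITIES = {"High", "Medium", "Low", "Info"}

def _is_int(value):
    """True for non-negative integers given as an int or a digit string."""
    return not isinstance(value, bool) and str(value).isdigit()

def check_config(cfg):
    """Findings for connector settings that weaken transport security."""
    findings = []
    if str(cfg.get("protocol", "https")).lower() != "https":
        findings.append("protocol=http sends credentials and incident data unencrypted")
    if cfg.get("verify_ssl", True) is not True:
        findings.append("verify_ssl disabled: server certificate is not validated")
    return findings

def check_get_incident_ids(params):
    """Errors for the Get Incidents IDs inputs."""
    errors = []
    if not _is_int(params.get("report_id", "")):
        errors.append("report_id must be the numeric ID of a saved report")
    raw = str(params.get("creation_date_greater_than") or "")
    if not raw:
        errors.append("creation date is empty: nothing would be retrieved")
    else:
        try:
            if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", raw):
                raise ValueError(raw)
            date.fromisoformat(raw)  # rejects impossible dates such as 2024-02-30
        except ValueError:
            errors.append("creation date must be a real date in YYYY-MM-DD form")
    return errors

def check_update_incident(params):
    """Errors for the Update Incident inputs."""
    errors = []
    for key in ("batch_id", "incident_long_id"):
        if not _is_int(params.get(key, "")):
            errors.append(f"{key} must be an integer")
    severity = params.get("incident_severity")
    if severity is not None and severity not in SEVERITIES:
        errors.append(f"incident_severity must be one of {sorted(SEVERITIES)}")
    # Assumption: an attribute update needs both halves of the name/value pair.
    has_name = bool(params.get("custom_attribute_name"))
    if has_name != bool(params.get("custom_attribute_value")):
        errors.append("custom attribute name and value must be given together")
    return errors
```

Running these checks before a playbook step executes surfaces a missing creation date or a disabled certificate check as an explicit finding instead of an empty result or a silently unverified connection.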
The Sample-Symantec DLP-1.0.0 playbook collection comes bundled with the Symantec DLP connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec DLP connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the following procedure to create a saved report for an Incident Reporting and Update API Web Service client:
Incidents All as the basis for the new report.
Summarize By menu, verify that both the <no primary summary selected> and the <no secondary summary selected> options are selected.
Note: To determine the ID of the saved report, hover your mouse over the report name. The tooltip displays the report ID and the name of the report. For example, if the tooltip displays ViewReport 83, a web service client can request the incident list by passing the report ID as 83.