Data loss prevention software detects potential data breaches or data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).
Symantec DLP (Data Loss Prevention) includes techniques for identifying confidential or sensitive information. Sometimes confused with discovery, data identification is a process by which organizations use a DLP technology to determine what to look for. Symantec DLP can discover, monitor, and protect sensitive data wherever it's used – in the office, on the road, or in the cloud. It gives you complete visibility and control across the broadest range of data loss channels: cloud apps, endpoints, data repositories, emails, and web communications.
This document provides information about the Symantec DLP connector, which facilitates automated interactions with a Symantec DLP server using FortiSOAR™ playbooks. Add the Symantec DLP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about an incident or updating an incident on the Symantec DLP server.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 6.4.0-1555 and 6.4.1
Symantec DLP Version Tested on: 15.0 and later
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Symantec DLP connector in version 2.0.0:
From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:
yum install cyops-connector-symantec-dlp
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Symantec DLP connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | IP or URL of the Symantec DLP server to which you will connect and perform the automated operations. |
Username | Username to access the Symantec DLP server to which you will connect and perform the automated operations. |
Password | Password to access the Symantec DLP server to which you will connect and perform the automated operations. |
Protocol | Protocol used to remotely connect to the Symantec DLP server. Choose either http or https. By default, https is used. |
Port | Port number used to connect to the Symantec DLP server. By default, this is set to 8443. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Incident Status | Retrieves a list of custom incident status values available on the Symantec DLP server. | get_status Investigation |
Get Incident Attachments | Retrieves additional components of the message that generated an incident, such as the message header, body, and binary attachments, based on the Symantec DLP incident ID that you have specified. | get_incident_attachment Investigation |
Get Incidents IDs | Retrieves a list of all available incident IDs stored in the saved report with the Report ID that you have specified. | list_records Containment |
Get Incident Details | Retrieves details of a single Symantec DLP incident, based on the Symantec DLP incident ID that you have specified. | get_record Remediation |
Get Custom Attributes | Retrieves details of custom attribute values available on the Symantec DLP server. | list_attribute Investigation |
Get Incident Violations | Retrieves details of violations associated with the specified incident ID, based on the Symantec DLP incident ID that you have specified. | incident_violations Remediation |
Update Incident | Updates an incident record on the Symantec DLP server, based on the incident ID and other parameters you have specified. | update_record Remediation |
Input parameters for the Get Incident Status operation: None
The JSON output contains a list of all custom incident status values available on the Symantec DLP server.
The output contains the following populated JSON schema:
{
"ns5:incidentStatusList": {
"incidentStatusName": []
}
}
Parameter | Description |
---|---|
Incident Long ID | Unique Symantec DLP incident ID whose associated attachments, such as message headers, you want to retrieve from Symantec DLP. |
Include All Components | If you select this check box, then the Web Service will include all the message components (for example, headers and file attachments) in the response document retrieved from Symantec DLP. |
Include Original Message | If you select this check box, then the Web Service will include the original message in the response document retrieved from Symantec DLP. |
The output contains the following populated JSON schema:
{
"ns5:incidentBinariesResponse": {
"@xmlns:ns2": "",
"@xmlns:ns3": "",
"@xmlns:ns4": "",
"@xmlns:ns5": "",
"@xmlns:ns6": "",
"ns5:Component": [
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"file": [],
"size": "",
"@type": "",
"@context": "",
"filename": "",
"mimeType": "",
"uploadDate": ""
},
"name": "",
"type": "",
"@type": "",
"@context": "",
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": "",
"description": ""
}
],
"ns5:incidentId": "",
"ns5:incidentLongId": "",
"ns5:originalMessage": ""
}
}
Parameter | Description |
---|---|
Report ID | ID of the saved report that you want to execute on the Enforce Server. You must have created this report using the Enforce Server administration console before executing the Web Service call. The incidents are retrieved using this Report ID. |
Creation Date Greater Than (YYYY-MM-DD) | Constrains the list of returned incident IDs to include only those Symantec DLP incidents that were created after the date you specify, in the YYYY-MM-DD format, in this parameter. If you do not specify any date, this operation will not retrieve any reports. |
Note: For this operation to work, you must generate the report using the Enforce Server administration console and pass the ID of this report to the Symantec DLP API using the Report ID parameter. For the procedure for creating a report using the Enforce Server administration console, see the Creating reports using the Enforce Server administration console section.
The JSON output contains a list of all available incident IDs stored on the Symantec DLP server, based on the Report ID you have specified.
The output contains the following populated JSON schema:
{
"ns5:incidentListResponse": {
"ns5:incidentId": [],
"ns5:incidentLongId": []
}
}
Parameter | Description |
---|---|
Include Violations | (Optional) Select this parameter to include policy violation data, for the incident you have specified using the Incident ID, along with the basic incident details. |
Include History | (Optional) Select this parameter to include historical information, for the incident you have specified using the Incident ID, along with the basic incident details. |
Incident Long ID | Unique ID of the Symantec DLP incident for which you want to retrieve details. |
The JSON output contains the details of the incident from the Symantec DLP server, based on the incident ID and other parameters you have specified.
The output contains the following populated JSON schema:
{
"ns5:incidentDetailResponse": {
"ns5:response": [
{
"ns5:incidentId": "",
"ns5:statusCode": "",
"ns5:incident": {
"ns5:machineIP": "",
"ns5:machineName": "",
"ns5:eventDate": "",
"ns5:severity": "",
"ns5:incidentCreationDate": "",
"ns5:userName": "",
"ns5:applicationName": "",
"ns5:incidentLongId": "",
"ns5:status": "",
"ns5:policy": {},
"ns5:detectionDate": "",
"ns5:incidentHistory": []
}
}
]
}
}
Input parameters for the Get Custom Attributes operation: None
The JSON output contains details of the custom attribute values available on the Symantec DLP server.
The output contains the following populated JSON schema:
{
"ns5:customAttributeList": {
"customAttributeName": []
}
}
Parameter | Description |
---|---|
Include Image Violations | (Optional) Select this parameter to include image violation data, for the incident you have specified using the Incident ID, along with the basic incident details. |
Incident Long ID | Unique ID of the Symantec DLP incident for which you want to retrieve violation details. |
The JSON output contains the details of the violations associated with the specified incident ID from the Symantec DLP server.
The output contains the following populated JSON schema:
{
"ns5:incidentViolationsResponse": {
"ns5:incidentViolation": {}
}
}
Parameter | Description |
---|---|
Incident Long ID | Unique ID of the Symantec DLP incident that you want to update. |
Incident Severity | (Optional) Severity of the incident that you want to update. Choose between High, Medium, Low, and Info. |
Incident Status | (Optional) Status Value of the incident that you want to update. Incident status values are defined using the Enforce Server administration console. |
Add Notes | Select this checkbox to add notes to the incident that you want to update. If you select this checkbox, then you must specify the following parameters: |
Remediation Status | (Optional) Remediation status of the incident that you want to update. Remediation status is a static list that is present in Symantec DLP; its values include Blocked, Passed, Content_Removed, etc. |
Remediation Location | (Optional) Remediation location of the incident that you want to update. You can define the values of the Remediation location. |
Custom Attributes | (Optional) Value of custom attribute(s) associated with the incident that you want to update. For example, {"attributename1": "value1", "attributename2": "value2"} |
The JSON output contains details of the incident, along with the updated data, from the Symantec DLP server, based on the incident ID you have specified.
The output contains the following populated JSON schema:
{
"ns5:incidentUpdateResponse": {}
}
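As an added example (not part of the connector or its documentation), the following Python shows how a playbook's post-processing step could consume the Get Incident Details output documented above and validate the inputs of the Update Incident operation. It assumes the outputs are XML-to-JSON conversions in which a single element arrives as a dict and repeated elements as a list (hence the "ns5:" prefixes and "@xmlns" attributes in the schemas); the sample output and the parameter key names in build_update_params are constructed for illustration.

```python
import json
import re

# Constructed sample of a "Get Incident Details" output, following the documented
# ns5:incidentDetailResponse schema. All values are made up for this example.
SAMPLE_DETAIL_OUTPUT = {
    "ns5:incidentDetailResponse": {
        "ns5:response": {  # one element converted as a dict rather than a one-item list
            "ns5:incidentId": "4711",
            "ns5:statusCode": "SUCCESS",
            "ns5:incident": {
                "ns5:machineIP": "10.0.0.5",
                "ns5:machineName": "WKS-FIN-07",
                "ns5:eventDate": "2020-09-01T10:15:00",
                "ns5:severity": "Medium",
                "ns5:incidentCreationDate": "2020-09-01T10:16:02",
                "ns5:userName": "jdoe",
                "ns5:applicationName": "outlook.exe",
                "ns5:incidentLongId": "4711",
                "ns5:status": "incident.status.New",
                "ns5:policy": {"ns5:name": "PCI Card Numbers", "ns5:version": "3"},
                "ns5:detectionDate": "2020-09-01T10:15:30",
                "ns5:incidentHistory": [],
            },
        }
    }
}

SEVERITIES = ("High", "Medium", "Low", "Info")  # choices of the Incident Severity parameter


def strip_ns(obj):
    """Recursively remove 'ns5:'-style namespace prefixes from dict keys."""
    if isinstance(obj, dict):
        return {re.sub(r"^ns\d+:", "", k): strip_ns(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [strip_ns(v) for v in obj]
    return obj


def as_list(value):
    """Normalise the dict-or-list ambiguity of converted XML: None -> [], dict -> [dict]."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def flatten_incidents(detail_output):
    """Turn a Get Incident Details output into flat records suitable for a FortiSOAR alert."""
    body = strip_ns(detail_output)["incidentDetailResponse"]
    records = []
    for resp in as_list(body.get("response")):
        inc = resp.get("incident", {})
        records.append({
            "incident_long_id": inc.get("incidentLongId"),
            "status_code": resp.get("statusCode"),
            "severity": inc.get("severity"),
            "status": inc.get("status"),
            "user": inc.get("userName"),
            "host": inc.get("machineName"),
            "ip": inc.get("machineIP"),
            "policy": inc.get("policy", {}).get("name"),
            "created": inc.get("incidentCreationDate"),
        })
    return records


def build_update_params(incident_long_id, severity=None, status=None, custom_attributes=None):
    """Validate Update Incident inputs before the step runs (key names are hypothetical)."""
    if not str(incident_long_id).isdigit():
        raise ValueError("Incident Long ID must be numeric")
    params = {"incident_long_id": str(incident_long_id)}
    if severity is not None:
        if severity not in SEVERITIES:
            raise ValueError(f"Incident Severity must be one of {SEVERITIES}")
        params["severity"] = severity
    if status:
        params["status"] = status
    if custom_attributes is not None:
        # The documented format is a flat JSON object: {"attributename1": "value1", ...}
        attrs = json.loads(custom_attributes) if isinstance(custom_attributes, str) else custom_attributes
        if not isinstance(attrs, dict) or not all(isinstance(v, str) for v in attrs.values()):
            raise ValueError("Custom Attributes must be a flat object of string values")
        params["custom_attributes"] = attrs
    return params
```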
The Sample-Symantec DLP-2.0.0 playbook collection comes bundled with the Symantec DLP connector. This collection contains playbooks with steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec DLP connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during a connector upgrade or deletion.
Use the following procedure to create a saved report for an Incident Reporting and Update API Web Service client:
Select Incidents All as the basis for the new report.
In the Summarize By menu, verify that both the <no primary summary selected> and the <no secondary summary selected> options are selected.
Note: To determine the ID of the saved report, hover your mouse over the report name. The tooltip displays the report ID and the name of the report. For example, if the tooltip displays ViewReport 83, a web service client can request the incident list by passing the report ID as 83.