
Symantec DLP v2.0.0


About the connector

Data loss prevention software detects potential data breaches or data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).

Symantec DLP (Data Loss Prevention) includes techniques for identifying confidential or sensitive information. Sometimes confused with discovery, data identification is a process by which organizations use a DLP technology to determine what to look for. Symantec DLP can discover, monitor, and protect sensitive data wherever it's used – in the office, on the road, or in the cloud. It gives you complete visibility and control across the broadest range of data loss channels: cloud apps, endpoints, data repositories, emails, and web communications.

This document provides information about the Symantec DLP connector, which facilitates automated interactions with a Symantec DLP server using FortiSOAR™ playbooks. Add the Symantec DLP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about an incident or updating an incident on the Symantec DLP server.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 6.4.0-1555 and 6.4.1

Symantec DLP Version Tested on: 15.0 and later

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

The following enhancements have been made to the Symantec DLP connector in version 2.0.0:

  • Added support for executing actions in a segmented network environment using FSR Agents.
  • Added a new parameter named 'Port' to the Configuration Parameters.
  • Added a new operation and playbook named "Get Incident Attachments".
  • Updated the "Update Incident" operation as follows:
    • Removed parameters 'Custom Attribute Name' and 'Batch ID'.
    • Added a new parameter named 'Add Notes'.
    • Renamed the 'Custom Attribute Value' parameter to 'Custom Attributes' and enhanced this attribute to allow you to update multiple custom attributes.

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:

yum install cyops-connector-symantec-dlp

Prerequisites to configuring the connector

  • You must have the URL of the Symantec DLP server to which you will connect and perform the automated operations and the credentials (username-password pair and port) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Symantec DLP connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter: Description

Server URL: IP address or URL of the Symantec DLP server to which you will connect and perform the automated operations.
Username: Username used to access the Symantec DLP server to which you will connect and perform the automated operations.
Password: Password used to access the Symantec DLP server to which you will connect and perform the automated operations.
Protocol: Protocol used to remotely connect to the Symantec DLP server. Choose between http and https. By default, https is used.
Port: Port number used to connect to the Symantec DLP server. By default, this is set to 8443.
Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function: Description (Annotation, Category)

Get Incident Status: Retrieves a list of custom incident status values available on the Symantec DLP server. Annotation: get_status. Category: Investigation.
Get Incident Attachments: Retrieves additional components of the message that generated an incident, such as the message header, body, and binary attachments, based on the Symantec DLP incident ID that you have specified. Annotation: get_incident_attachment. Category: Investigation.
Get Incidents IDs: Retrieves a list of all available incident IDs stored in the Report ID that you have specified. Annotation: list_records. Category: Containment.
Get Incident Details: Retrieves details of a single Symantec DLP incident, based on the Symantec DLP incident ID that you have specified. Annotation: get_record. Category: Remediation.
Get Custom Attributes: Retrieves details of custom attribute values available on the Symantec DLP server. Annotation: list_attribute. Category: Investigation.
Get Incident Violations: Retrieves details of violations associated with the specified incident ID, based on the Symantec DLP incident ID that you have specified. Annotation: incident_violations. Category: Remediation.
Update Incident: Updates an incident record on the Symantec DLP server, based on the incident ID and other parameters you have specified. Annotation: update_record. Category: Remediation.

operation: Get Incident Status

Input parameters

None

Output

The JSON output contains a list of all custom incident status values available on the Symantec DLP server.

The output contains the following populated JSON schema:
{
"ns5:incidentStatusList": {
"incidentStatusName": []
}
}

operation: Get Incident Attachments

Input parameters

Parameter: Description

Incident Long ID: Unique Symantec DLP incident ID whose associated attachments (such as message headers) you want to retrieve from Symantec DLP.
Include All Components: If you select this check box, the Web Service includes all the message components (for example, headers and file attachments) in the response document retrieved from Symantec DLP.
Include Original Message: If you select this check box, the Web Service includes the original message in the response document retrieved from Symantec DLP.

Output

The output contains the following populated JSON schema:
{
"ns5:incidentBinariesResponse": {
"@xmlns:ns2": "",
"@xmlns:ns3": "",
"@xmlns:ns4": "",
"@xmlns:ns5": "",
"@xmlns:ns6": "",
"ns5:Component": [
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"file": [],
"size": "",
"@type": "",
"@context": "",
"filename": "",
"mimeType": "",
"uploadDate": ""
},
"name": "",
"type": "",
"@type": "",
"@context": "",
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": "",
"description": ""
}
],
"ns5:incidentId": "",
"ns5:incidentLongId": "",
"ns5:originalMessage": ""
}
}

operation: Get Incidents IDs

Input parameters

Parameter: Description

Report ID: ID of the saved report that you want to execute on the Enforce Server. You must have created this report using the Enforce Server administration console before executing the Web Service call. The incidents are retrieved using this Report ID.
Creation Date Greater Than (YYYY-MM-DD): Constrains the list of returned incident IDs to include only those Symantec DLP incidents that were created after the date you specify, in the YYYY-MM-DD format, in this parameter. If you do not specify any date, this operation does not retrieve any reports.

Note: For this operation to work, you must generate the report using the Enforce Server administration console and pass the ID of this report to the Symantec DLP API using the Report ID parameter. For the procedure for creating a report using the Enforce Server administration console, see the Creating reports using the Enforce Server administration console section.

Output

The JSON output contains a list of all available incident IDs stored on the Symantec DLP server, based on the Report ID you have specified.

The output contains the following populated JSON schema:
{
"ns5:incidentListResponse": {
"ns5:incidentId": [],
"ns5:incidentLongId": []
}
}

operation: Get Incident Details

Input parameters

Parameter: Description

Include Violations (Optional): Select this parameter to include policy violation data for the incident you have specified using the Incident ID, along with the basic incident details.
Include History (Optional): Select this parameter to include historical information for the incident you have specified using the Incident ID, along with the basic incident details.
Incident Long ID: Unique ID of the Symantec DLP incident for which you want to retrieve details.

Output

The JSON output contains the details of the incident from the Symantec DLP server, based on the incident ID and other parameters you have specified.

The output contains the following populated JSON schema:
{
"ns5:incidentDetailResponse": {
"ns5:response": [
{
"ns5:incidentId": "",
"ns5:statusCode": "",
"ns5:incident": {
"ns5:machineIP": "",
"ns5:machineName": "",
"ns5:eventDate": "",
"ns5:severity": "",
"ns5:incidentCreationDate": "",
"ns5:userName": "",
"ns5:applicationName": "",
"ns5:incidentLongId": "",
"ns5:status": "",
"ns5:policy": {},
"ns5:detectionDate": "",
"ns5:incidentHistory": []
}
}
]
}
}
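The schemas for Get Incidents IDs and Get Incident Details above are dictionary renderings of the SOAP response, which is why the keys carry the "ns5:" namespace prefix and attributes appear as "@" keys. Two things trip up playbook post-processing in practice: the prefix makes every lookup verbose, and XML-to-dict conversion typically returns a single repeated element as a dict while two or more become a list. The following Python helper, added here as an example and not part of the connector's code, strips the prefixes, normalises single-versus-list values, and extracts incident IDs and a per-incident summary. The sample responses are constructed, and the single-element behaviour is an assumption about the converter, not something the page states.

```python
import json
from typing import Any, Dict, List

# Constructed sample shaped like the Get Incident Details schema above, but with
# the single-element case (one <response> rendered as a dict, not a one-item list).
SAMPLE_DETAIL_RESPONSE = json.loads("""
{
  "ns5:incidentDetailResponse": {
    "ns5:response": {
      "ns5:incidentId": "1001",
      "ns5:statusCode": "SUCCESS",
      "ns5:incident": {
        "ns5:machineIP": "10.0.0.5",
        "ns5:machineName": "WS-EXAMPLE",
        "ns5:eventDate": "2020-06-01T10:15:00",
        "ns5:severity": "High",
        "ns5:incidentCreationDate": "2020-06-01T10:16:00",
        "ns5:userName": "jdoe",
        "ns5:applicationName": "outlook.exe",
        "ns5:incidentLongId": "1001",
        "ns5:status": "incident.status.New",
        "ns5:policy": {"ns5:name": "PCI"},
        "ns5:detectionDate": "2020-06-01T10:15:30",
        "ns5:incidentHistory": {"ns5:action": "SET_STATUS"}
      }
    }
  }
}
""")

# Constructed sample shaped like the Get Incidents IDs schema above.
SAMPLE_LIST_RESPONSE = json.loads("""
{
  "ns5:incidentListResponse": {
    "ns5:incidentId": ["1001", "1002"],
    "ns5:incidentLongId": ["1001", "1002"]
  }
}
""")


def strip_namespaces(node: Any) -> Any:
    """Recursively drop the 'nsN:' prefix from element keys.
    Attribute keys ('@id', '@xmlns:ns5') are kept verbatim."""
    if isinstance(node, dict):
        out: Dict[str, Any] = {}
        for key, value in node.items():
            bare = key if key.startswith("@") or ":" not in key else key.split(":", 1)[1]
            out[bare] = strip_namespaces(value)
        return out
    if isinstance(node, list):
        return [strip_namespaces(item) for item in node]
    return node


def as_list(value: Any) -> List[Any]:
    """Coerce the missing (None) and single-element (dict/str) cases to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def incident_ids(list_response: Dict[str, Any]) -> List[str]:
    """Return the incidentLongId values from a Get Incidents IDs response."""
    body = strip_namespaces(list_response)["incidentListResponse"]
    return [str(i) for i in as_list(body.get("incidentLongId"))]


def incident_summaries(detail_response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a Get Incident Details response into one summary dict per incident."""
    body = strip_namespaces(detail_response)["incidentDetailResponse"]
    summaries = []
    for entry in as_list(body.get("response")):
        incident = entry.get("incident") or {}
        summaries.append({
            "incident_id": str(entry.get("incidentId", "")),
            "status_code": entry.get("statusCode"),
            "severity": incident.get("severity"),
            "status": incident.get("status"),
            "user": incident.get("userName"),
            "host": incident.get("machineName"),
            "policy": (incident.get("policy") or {}).get("name"),
            "history_entries": len(as_list(incident.get("incidentHistory"))),
        })
    return summaries


if __name__ == "__main__":
    print(incident_ids(SAMPLE_LIST_RESPONSE))
    print(json.dumps(incident_summaries(SAMPLE_DETAIL_RESPONSE), indent=2))
```

Using as_list at every repeated element (response, incidentHistory, Component in the attachments schema) is what keeps a playbook from behaving differently on an incident with one history entry versus several.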

operation: Get Custom Attributes

Input parameters

None

Output

The JSON output contains details of the custom attribute values available on the Symantec DLP server.

The output contains the following populated JSON schema:
{
"ns5:customAttributeList": {
"customAttributeName": []
}
}

operation: Get Incident Violations

Input parameters

Parameter: Description

Include Image Violations (Optional): Select this parameter to include image violation data for the incident you have specified using the Incident ID, along with the basic incident details.
Incident Long ID: Unique ID of the Symantec DLP incident for which you want to retrieve violation details.

Output

The JSON output contains the details of the violations associated with the specified incident ID from the Symantec DLP server.

The output contains the following populated JSON schema:
{
"ns5:incidentViolationsResponse": {
"ns5:incidentViolation": {}
}
}

operation: Update Incident

Input parameters

Parameter: Description

Incident Long ID: Unique ID of the Symantec DLP incident that you want to update.
Incident Severity (Optional): Severity of the incident that you want to update. Choose between High, Medium, Low, and Info.
Incident Status (Optional): Status value of the incident that you want to update. Incident status values are defined using the Enforce Server administration console.
Add Notes: Select this checkbox to add notes to the incident that you want to update. If you select this checkbox, then you must specify the following parameters:
  • Note Creation Time: Time the note was added to the incident that you want to update.
  • Note Text: Content of the note that you want to add to the incident that you want to update.
Remediation Status (Optional): Remediation status of the incident that you want to update. Remediation status is a static list present in Symantec DLP; its values include Blocked, Passed, and Content_Removed.
Remediation Location (Optional): Remediation location of the incident that you want to update. You can define the values of the Remediation Location.
Custom Attributes (Optional): Values of the custom attribute(s) associated with the incident that you want to update. For example, {"attributename1": "value1", "attributename2": "value2"}
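Because Update Incident writes to the DLP case record, a playbook step should validate its inputs before the call rather than let the Enforce Server reject them: the severity is a fixed set, Add Notes requires both the time and the text, and Custom Attributes arrives as a JSON object string. The following Python is an added example and is not the connector's own code; the request field names it produces (incidentLongId, note, customAttributes and so on) are this example's own assumptions, not the Web Service schema.

```python
import json
from typing import Any, Dict, Optional

# Allowed severities, taken from the parameter table above.
SEVERITIES = {"High", "Medium", "Low", "Info"}


def parse_custom_attributes(raw: Any) -> Dict[str, str]:
    """Accept a dict or the JSON-string form from the table
    ({"attributename1": "value1", ...}); reject anything that is not an object."""
    if raw is None or raw == "":
        return {}
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"Custom Attributes is not valid JSON: {exc}") from exc
    if not isinstance(raw, dict):
        raise ValueError("Custom Attributes must be a JSON object of name/value pairs")
    return {str(name): str(value) for name, value in raw.items()}


def build_update_request(params: Dict[str, Any]) -> Dict[str, Any]:
    """Validate Update Incident inputs and return the fields to send.
    Keys of `params` mirror the parameter names in the table (assumed snake_case)."""
    incident_id = str(params.get("incident_long_id", "")).strip()
    if not incident_id:
        raise ValueError("Incident Long ID is required")
    request: Dict[str, Any] = {"incidentLongId": incident_id}

    severity = params.get("incident_severity")
    if severity:
        if severity not in SEVERITIES:
            raise ValueError(f"Incident Severity must be one of {sorted(SEVERITIES)}")
        request["severity"] = severity

    if params.get("incident_status"):
        # Status values are defined on the Enforce Server; pass through as given.
        request["status"] = params["incident_status"]

    if params.get("add_notes"):
        note_time = params.get("note_creation_time")
        note_text = params.get("note_text")
        if not note_time or not note_text:
            raise ValueError("Add Notes requires both Note Creation Time and Note Text")
        request["note"] = {"dateAndTime": str(note_time), "note": str(note_text)}

    if params.get("remediation_status"):
        # Static list in Symantec DLP (Blocked, Passed, Content_Removed, ...); not enumerated here.
        request["remediationStatus"] = params["remediation_status"]
    if params.get("remediation_location"):
        request["remediationLocation"] = params["remediation_location"]

    attrs = parse_custom_attributes(params.get("custom_attributes"))
    if attrs:
        request["customAttributes"] = [{"name": n, "value": v} for n, v in attrs.items()]
    return request


def validation_error(params: Dict[str, Any]) -> Optional[str]:
    """Return the validation message for bad input, or None when the input is acceptable."""
    try:
        build_update_request(params)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample input for a triage step.
    sample = {
        "incident_long_id": "1001",
        "incident_severity": "High",
        "add_notes": True,
        "note_creation_time": "2020-06-01T10:20:00Z",
        "note_text": "Triaged by SOC; confirmed true positive",
        "custom_attributes": '{"attributename1": "value1", "attributename2": "value2"}',
    }
    print(json.dumps(build_update_request(sample), indent=2))
```

Rejecting malformed Custom Attributes before the call also keeps a mistyped JSON string from silently overwriting an attribute with the literal text of the whole input.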

Output

The JSON output contains details of the incident, along with the updated data, from the Symantec DLP server, based on the incident ID you have specified.

The output contains the following populated JSON schema:
{
"ns5:incidentUpdateResponse": {}
}

Included playbooks

The Sample-Symantec DLP-2.0.0 playbook collection comes bundled with the Symantec DLP connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec DLP connector.

  • Get Custom Attributes
  • Get Incident Attachments
  • Get Incident Details
  • Get Incidents IDs
  • Get Incident Status
  • Get Incident Violations
  • Update Incident

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Creating reports using the Enforce Server administration console

Use the following procedure to create a saved report for an Incident Reporting and Update API Web Service client:

  1. Log on to the Enforce Server administration console as the Incident Reporting and Update API Web Service user.
    Note: The saved report must be accessible to the Incident Reporting and Update API Web Service user.
  2. Select Incidents > Incident Reports.
  3. Select an existing incident list from the list of available reports.
    You can select a system-defined incident list, such as Incidents All, as the basis for the new report.
  4. (Optional) Use the Filter and Severity controls on the report to limit the incident IDs that the report returns.
    1. Click Advanced Filters & Summarization.
    2. In the Summarize By menu, verify that both the <no primary summary selected> and the <no secondary summary selected> options are selected.
      You cannot access a summary report using the Incident Reporting and Update API Web Service.
    3. (Optional) Click Add Filter and add one or more advanced filters to limit the incident IDs that the report returns.
      Note: Role-based access privileges might further limit the results that are returned from the Incident Reporting and Update API Web Service.
  5. Select Report > SaveAs.
  6. Type a name for the report in the Name field, and optionally type the description for the report in the Description field.
  7. Click Save.
    The new saved report appears under the Saved Reports heading in the left pane.

Note: To determine the ID of the saved report, hover your mouse over the report name. The tooltip displays the report ID and the name of the report. For example, if the tooltip displays ViewReport 83, a web service client can request the incident list by passing the report ID as 83.
