Charles Beierle

Symantec DLP 10.x

Discussion created by Charles Beierle on May 3, 2010
Latest reply on Jun 14, 2010 by Charles Beierle

With the 10.0 update to Symantec DLP (formerly Vontu) you can syslog a relevant amount of information about detected events. I have attached a VERY small XML to add with the instructions below. I have to assume you are aware of how to create policies and a syslog response rule in DLP to keep this explanation short.

For my XML to work your syslog string needs to be:

BLOCKED|unknown|INCIDENT_ID|$INCIDENT_ID$|RECIPIENTS|$RECIPIENTS$|SENDER|$SENDER$|RULES|$RULES$|SEVERITY|Unknown|MATCH_COUNT|$MATCH_COUNT$|POLICY|$POLICY$|SUBJECT|$SUBJECT$|FILE_NAME|$FILE_NAME$|PARENT_PATH|$PARENT_PATH$|PATH|$PATH$|QUARANTINE_PARENT_PATH|$QUARANTINE_PARENT_PATH$|SCAN|$SCAN$|TARGET|$TARGET$

The general format of the message is PARAMETER|VALUE. You will notice some have hardcoded values. This is an unfortunate issue with DLP 10.0 that causes the syslog sender to crash if you supply a variable for the blocked or severity parameters. Look for that to be fixed soon if not already in 10.5.

I also removed the parameter supplying a URL to the specific incident, as that is relatively useless from within enVision and takes up space in the IPDB. Don't worry, the incident ID is parsed into the POLICYID field. Word of advice: keep your policy and rule names short and meaningful if you want your enVision reports to look nice. Try REGS-PCI, REGS-GLBA, RULE-CUSTDATA, RULE-IP.

I will add some work on the system-generated messages as time goes on.
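Added example (not part of the original post or of Symantec's or RSA's code): a small parser for the PARAMETER|VALUE syslog string above, which checks that every field from the template is present, rejects messages where a value has smuggled in an extra "|", and maps the incident ID into the POLICYID column as described. The sample message is constructed.

```python
# Field order from the DLP syslog response rule string in the post.
EXPECTED_FIELDS = [
    "BLOCKED", "INCIDENT_ID", "RECIPIENTS", "SENDER", "RULES", "SEVERITY",
    "MATCH_COUNT", "POLICY", "SUBJECT", "FILE_NAME", "PARENT_PATH", "PATH",
    "QUARANTINE_PARENT_PATH", "SCAN", "TARGET",
]

# Constructed sample message (syslog header included; values are made up).
SAMPLE = ("<134>May  3 10:15:02 dlp-enforce01 BLOCKED|unknown|INCIDENT_ID|12345"
          "|RECIPIENTS|bob@example.com|SENDER|alice@example.com|RULES|RULE-CUSTDATA"
          "|SEVERITY|Unknown|MATCH_COUNT|3|POLICY|REGS-PCI|SUBJECT|Q1 numbers"
          "|FILE_NAME|cards.xlsx|PARENT_PATH||PATH||QUARANTINE_PARENT_PATH||SCAN||TARGET|")


def parse_dlp_syslog(message: str) -> dict:
    """Split a PARAMETER|VALUE|PARAMETER|VALUE... payload into a dict."""
    start = message.find("BLOCKED|")          # skip the syslog PRI/timestamp/host header
    if start < 0:
        raise ValueError("not a DLP incident message (no BLOCKED| marker)")
    tokens = message[start:].rstrip("\r\n").split("|")
    if len(tokens) % 2:
        # A subject or path containing '|' shifts every later field by one;
        # refuse rather than silently mislabel the data.
        raise ValueError("odd number of tokens; a value probably contained '|'")
    fields = dict(zip(tokens[0::2], tokens[1::2]))
    missing = [f for f in EXPECTED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return fields


def to_record(fields: dict) -> dict:
    """Map parsed fields to report columns; POLICYID carries the incident ID.
    BLOCKED and SEVERITY are hard-coded in 10.0, so they are flagged as
    unknown instead of being treated as real verdicts."""
    return {
        "policyid": int(fields["INCIDENT_ID"]),
        "policy": fields["POLICY"],
        "rules": fields["RULES"],
        "match_count": int(fields["MATCH_COUNT"]),
        "sender": fields["SENDER"],
        "recipients": fields["RECIPIENTS"],
        "blocked_known": fields["BLOCKED"].lower() != "unknown",
        "severity_known": fields["SEVERITY"].lower() != "unknown",
    }


if __name__ == "__main__":
    print(to_record(parse_dlp_syslog(SAMPLE)))
```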
