Symantec Data Loss Prevention (DLP)

This document applies to Classic/Legacy Integrations. You may continue to use these integration configurations. Although these integrations are no longer under active development, we continue to provide Classic/Legacy Integrations in the product. You do not have to move to MSI Integrations. If your support engineer or TSC recommends it, or you choose to move to MSI Integrations, you can take advantage of the latest features and functionality. For more information, see the MSI Integration documentation in the Integrations Overview.

This integration is not remote capable.

Update Symantec DLP

To update Symantec DLP

  1. Note what version of Symantec DLP you have.
    • If your version is older than 15.7, see steps 4 and 5 below to gather required Report IDs.

    • If your version is newer than 15.7, identify the time zone used for your Symantec DLP server.
  2. Verify that there is a role with adequate permissions for the API user to inherit.

    1. In the Incidents section, select View and then Perform Attribute Lookup.
    2. In the Incidents section, go to the Incident Reporting and Update API section, and select Incident Reporting and then Incident Update.
  3. Create a user for the integration. Setup should include the following:

    1. Select password access.
    2. Under Report Preferences, select Include Incident Violations in XML Export and Include Incident History in XML Export.
    3. Assign the role from Step 1 to this user and make it the default role.

      This user can only be assigned one role.


      If you're using Active Directory to authenticate your API user, the username must be specified in a non-standard manner:
      • <Username>:<Active_Directory_Domain_In_Upper_Case>
        or
        <Role>\<Username>:<Active_Directory_Domain_In_Upper_Case>
      • Examples: svc-verodin:ACME.COM OR api-user\svc-verodin:ACME.COM
      • Reference: https://www.symantec.com/connect/forums/ad-user-authentication-dlp-reporting-and-updating-api#comment-8394101
  4. (Optional) Log in to the newly created user account, and create a new Network Incident Report with the following settings:
    1. Set the Filter Status to Equals and New.
    2. Set the Filter Date to Today.
    3. Click Advanced Filter & Summarization.
    4. Add a Source IP filter.
    5. Add an Is Any Of condition.
    6. Add a comma-delimited list of Actor IP addresses.
    7. Save and name the report.
  5. (Optional) Obtain the saved report ID number.

    1. In the left column of the DLP web UI, click the name of the newly created report.
    2. In the browser's location bar, find the report number located in the URL as ?reportID=<NUMBER>.

      Finding the Report Number

API Calls

The following API call is used by the Validation Platform.

Purpose                 Call
Get incident details    /ProtectManager/services/v2011/incidents

Update the Validation Platform

Prerequisites

Information to gather before you start:

  1. IP address or hostname used to access Symantec DLP.
  2. Port for Symantec DLP communications (typically 443).
  3. Identify the Symantec DLP user credentials.
  4. Identify the time zone used for the Symantec DLP server.
  5. Capture the list of Saved Report IDs.

Configuration

To add the Symantec DLP integration

  1. Go to Settings > Integrations.

  2. Click Add Integration > Symantec DLP.
  3. Enter information for the Host, Port, Username, and Password.

  4. Select the API used in your version of Symantec DLP.
    1. If you selected soap, enter the Saved Report IDs identified in the steps above.
    2. If you selected rest, enter the time zone of the Symantec DLP server.

Symantec DLP Integration

  5. Expand Advanced options and update the information if necessary.

  6. Click Submit.
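
The values gathered above can be checked offline before they are entered in the form, which catches the two mistakes most likely to make Test fail: a lower-case Active Directory domain in the username and a missing or malformed report ID. This is an added example, not code from the product or its documentation; the function names and the sample URL in the usage are hypothetical, and it assumes report IDs are collected as report URLs copied from the browser.

```python
import re
from urllib.parse import urlparse, parse_qs

# Added example: helper names are hypothetical, not a Symantec or Validation Platform API.
# [<Role>\]<Username>:<DOMAIN>, the two forms given above for AD-backed API logins.
_AD_LOGIN = re.compile(r"^(?:(?P<role>[^\\:]+)\\)?(?P<user>[^\\:]+):(?P<domain>[^\\:]+)$")


def parse_ad_login(login):
    """Split an AD-style login into (role, user, domain); raise ValueError if malformed."""
    m = _AD_LOGIN.match(login)
    if not m:
        raise ValueError(f"not in [Role\\]Username:DOMAIN form: {login!r}")
    if m["domain"] != m["domain"].upper():
        raise ValueError(f"AD domain must be upper case: {m['domain']!r}")
    return m["role"], m["user"], m["domain"]


def report_id_from_url(url):
    """Return the numeric reportID query parameter from a saved-report URL."""
    values = parse_qs(urlparse(url).query).get("reportID", [])
    if len(values) != 1 or not values[0].isdigit():
        raise ValueError(f"no single numeric reportID in {url!r}")
    return int(values[0])


def preflight(api, login, report_urls=(), time_zone=""):
    """Collect problems with the values that will be entered in the integration form."""
    problems = []
    if ":" in login or "\\" in login:  # only AD-style logins carry these separators
        try:
            parse_ad_login(login)
        except ValueError as exc:
            problems.append(str(exc))
    if api == "soap":
        if not report_urls:
            problems.append("soap selected but no Saved Report IDs gathered")
        for url in report_urls:
            try:
                report_id_from_url(url)
            except ValueError as exc:
                problems.append(str(exc))
    elif api == "rest":
        if not time_zone.strip():
            problems.append("rest selected but DLP server time zone is empty")
    else:
        problems.append(f"unknown API type: {api!r}")
    return problems
```

For example, `preflight("soap", "svc-verodin:acme.com", ["https://dlp.example.test/report?reportID=42"])` returns one problem, the lower-case domain; the URL here is a constructed placeholder.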

Verify connectivity

To verify connectivity to Symantec DLP

Click Test to verify that:

  • The Director can communicate with Symantec DLP using the port specified.
  • User credentials are working.

June 3, 2022
October 20, 2023