Symantec DLP¶
About¶
Symantec Data Loss Prevention (DLP) delivers the highest level of protection to mitigate data breach and compliance risks. Symantec DLP can perform local scanning, detection, and real-time monitoring; monitor confidential data that is being downloaded, copied, or transmitted; monitor and protect your data in motion; inspect corporate email for confidential data; and notify users with an an-screen, pop-up window or block specific actions.
Product Details¶
Vendor URL: Symantec DLP
Product Type: DLP
Product Tier: Tier II
Integration Method: Webhook
Parser Details¶
Log Format: SYSLOG + KV (CEF), XML
Expected Normalization Rate: 95-100%
Data Label: SYMANTEC_DLP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| acct_session_id | network.session_id |
| app_protocol_output | network.application_protocol |
| asset_name | principal.hostname |
| attachment_name | sec_result.about.file.full_path |
| calling_station_id | principal.mac |
| description | metadata.description |
| dest_location | target.location.country_or_region |
| device_version | metadata.product_version |
| deviceId | target.asset_id |
| dhost | network.http.referral_url |
| DLP_EP_Incident_ID | sec_result.threat_id |
| domain | principal.administrative_domain |
| event_source | target.application |
| host | observer.hostname |
| INCIDENT_ID | metadata.product_log_id |
| INCIDENT_SNAPSHOT | sec_result.url_back_to_product |
| mac_address | target.mac |
| match_count | count.value |
| policy_rule | sec_result.rule_name |
| policy_severity | sec_result.severity |
| policy_violated | sec_result.summary |
| Protocol | sec_result.description |
| SENDER | network.email.from |
| SEVERITY | severity_details |
| username | principal.user.userid |
| x_cat | product_event_type |
| x_recipients | target.url |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Default | GENERIC_EVENT |
| Network Scan | SCAN_NETWORK |
| Host Scan | SCAN_HOST |
| Copied File | FILE_COPY |
Log Sample¶
<13>May 30 19:33:29 host.name CEF:0|Symantec|DLP|12.5.0|ruleID|Copy 1 of EMDI_EPIC MRN|5|BLOCKED=Passed INCIDENT_ID=12345678 INCIDENT_SNAPSHOT=https://host.name/ProtectManager/RestIncidentDetail.do?value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=12345678 MATCH_COUNT=100 PROTOCOL=DAR Connector RECIPIENTS=Unknown SENDER=sender.name@email.com SUBJECT=N/A SEVERITY=2:Medium FILE_NAME=N/A
Sample Parsing¶
metadata.event_timestamp.seconds = 1685475209
metadata.event_timestamp.nanos = 0
metadata.log_type = "SYMANTEC_DLP"
metadata.product_event_type = "Copy 1 of EMDI_EPIC MRN"
network.email.from = "sender.name@email.com"
network.email.subject = "N/A"
observer.hostname = "host.name"
principal.user.email_addresses = "sender.name@email.com"
security_result.action_details = "Passed"
security_result.action = "ALLOW"
security_result.category_details = "DAR Connector"
security_result.detection_fields.key = "MATCH_COUNT"
security_result.detection_fields.value = "100"
security_result.severity = "MEDIUM"
security_result.severity_details = "2:Medium"
target.file.names = "N/A"
Rules¶
Coming Soon