Data Loss Prevention

  • 1.  Sample Syslog format of symantec DLP

    Broadcom Employee
    Posted Mar 12, 2014 02:23 AM

    Hi Friends

    I am looking for a sample syslog / its format to integrate with a SIEM product, which is generated from Symantec DLP.

    Thanks in advance



  • 2.  RE: Sample Syslog format of symantec DLP

    Broadcom Employee
    Posted Mar 12, 2014 08:13 AM

    Hi Guys

    Please reply



  • 3.  RE: Sample Syslog format of symantec DLP
    Best Answer

    Broadcom Employee
    Posted Mar 13, 2014 02:26 AM

    Hello,

    If you want to send Symantec DLP incidents to a SIEM, you need to create an automated response rule. The template of the syslog message format is set in the response rule. You then need to add the created response rule to the corresponding policies.

    I integrated Symantec DLP with ArcSight. The following is an example of the automated response rule for that integration:

    Rule Name: Send Alert to ArcSight
    Conditions: <empty>
    Actions:  Log to a Syslog Server
    Host: <address of the arcsight syslog>
    Port: <port number>
    Message: CEF:0|Symantec|DLP|12.0.1|ruleID|$POLICY$|5|BLOCKED=$BLOCKED$ DATAOWNER_NAME=$DATAOWNER_NAME$ DATAOWNER_EMAIL=$DATAOWNER_EMAIL$ ENDPOINT_DEVICE_ID=$ENDPOINT_DEVICE_ID$ ENDPOINT_MACHINE=$ENDPOINT_MACHINE$ PATH=$PATH$ FILE_NAME=$FILE_NAME$ PARENT_PATH=$PARENT_PATH$ INCIDENT_ID=$INCIDENT_ID$ INCIDENT_SNAPSHOT=$INCIDENT_SNAPSHOT$ MATCH_COUNT=$MATCH_COUNT$ RULES=$RULES$ PROTOCOL=$PROTOCOL$ QUARANTINE_PARENT_PATH=$QUARANTINE_PARENT_PATH$ RECIPIENTS=$RECIPIENTS$ SCAN=$SCAN$ SENDER=$SENDER$ SEVERITY=$SEVERITY$ SUBJECT=$SUBJECT$ TARGET=$TARGET$ FNAME=$ATTACHMENT_NAME$
    Level: 4-Warning

    ---
    Best regards, Artem.



  • 4.  RE: Sample Syslog format of symantec DLP

    Broadcom Employee
    Posted Mar 13, 2014 05:35 AM

    Hi Artem

    Thanks for your response

    This is OK and I found it in its admin guide, but what I want you to clarify is the sample syslog format for creating the rules in the SIEM, which is generated by the same settings.

    Thanks in advance



  • 5.  RE: Sample Syslog format of symantec DLP

    Posted Mar 13, 2014 05:38 AM

    Hi Sahabam

    Please refer below

    If the line is uncommented without any changes, the notification messages are sent in the format:

    [server name] summary - details. The format variables are:


    ■ {0} - the name of the server on which the event occurred
    ■ {1} - the event summary
    ■ {2} - the event detail


    For example, the following configuration specifies that Severe system event notifications are sent to a syslog host named server1 which uses port 600.


    systemevent.syslog.host=server1
    systemevent.syslog.port=600
    systemevent.syslog.format= [{0}] {1} - {2}


    Using this example, a low disk space event notification from an Enforce Server on a host named dlp-1 would look like:


    dlp-1 Low disk space - Hard disk space for
    incident data storage server is low. Disk usage is over 82%. 



  • 6.  RE: Sample Syslog format of symantec DLP

    Broadcom Employee
    Posted Mar 13, 2014 08:53 AM

    ok 

    Thanks for your comment

    Will this sample syslog be generated in the real world, for the same event (for "Low disk space")?

    If so, I can proceed with that; otherwise please provide me the real one.

    Thanks in advance



  • 7.  RE: Sample Syslog format of symantec DLP



  • 8.  RE: Sample Syslog format of symantec DLP

    Broadcom Employee
    Posted Mar 14, 2014 09:47 AM

    Dear Sharma

    Thanks a lot for showing interest

    Can you give me an example based on this sample, or what each of these sample fields indicates?

    Sample message field entry is below, which will include a hyperlink in the ArcSight event so your responder can log into the DLP console and go right to the correct DLP incident.

    CEF:0|Symantec|DataLossPrevention|11.5|$POLICY$|$POLICY$|5|cs1Label=Sender cs1=$SENDER$ cs2Label=Recipient cs2=$RECIPIENTS$ msg=$RULES$ cn1=$MATCH_COUNT$ cn1Label=MatchCount cs3Label=IncidentSnapshot cs3=$INCIDENT_SNAPSHOT$ cs4Label=DLPSeverity cs4=$SEVERITY$ suid=$Employee Code$


    Thanks in advance
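As an added example (not code from this thread, from Symantec or from ArcSight), here is a SIEM-side parser for the CEF messages that Artem's response-rule template in post 3 and the `cs1Label=` style sample above would emit: it splits the seven pipe-delimited header fields (honouring `\|` escapes), parses the `key=value` extension (honouring `\=`), and resolves ArcSight `csN`/`cnN` labels so correlation rules can refer to fields such as Sender or MatchCount by name. The two sample lines and every value in them are constructed for this example; they are not real DLP output.

```python
# Added example (not from the thread, Symantec or ArcSight): parse the CEF lines
# produced by the two DLP response-rule templates discussed above, on the SIEM side.
import re

# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")
# Extension key=value pairs: a value runs up to the next " key=" and may contain "\=" or "\\".
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")

# Constructed sample lines in the shape of the two templates (all values are made up).
SAMPLE_DLP_12 = (r"CEF:0|Symantec|DLP|12.0.1|ruleID|Customer PII|5|BLOCKED=false "
                 r"DATAOWNER_NAME=Alice Example DATAOWNER_EMAIL=alice@example.test "
                 r"FILE_NAME=customers.xlsx INCIDENT_ID=4711 "
                 r"INCIDENT_SNAPSHOT=https://enforce.example/incident?id\=4711 "
                 r"MATCH_COUNT=12 RULES=SSN Pattern, Credit Card Pattern PROTOCOL=SMTP "
                 r"SENDER=alice@example.test SEVERITY=High SUBJECT=Q1 customer list")
SAMPLE_ARCSIGHT_11_5 = (r"CEF:0|Symantec|DataLossPrevention|11.5|PCI \| PII|PCI \| PII|5|"
                        r"cs1Label=Sender cs1=alice@example.test cs2Label=Recipient "
                        r"cs2=bob@partner.test msg=SSN Pattern cn1=3 cn1Label=MatchCount "
                        r"cs3Label=IncidentSnapshot cs3=https://enforce.example/incident?id\=4712 "
                        r"cs4Label=DLPSeverity cs4=Medium suid=E12345")

def _split_header(line):
    """Return the seven header fields (with '\\|' and '\\\\' unescaped) and the extension text."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped '|' or '\' inside a header field
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, line[i:]

def parse_cef(line):
    """Parse one CEF line into header fields, raw extensions and label-resolved custom fields."""
    header, ext = _split_header(line.strip())
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a well-formed CEF line")
    rec = dict(zip(_HEADER_FIELDS, header))
    rec["version"] = rec["version"][4:]            # "CEF:0" -> "0"
    rec["severity"] = int(rec["severity"])         # CEF header severity, 0-10
    exts = {k: re.sub(r"\\(.)", r"\1", v) for k, v in _EXT_RE.findall(ext)}
    rec["extensions"] = exts
    # ArcSight custom fields: "cs1Label=Sender cs1=alice" is exposed as labelled["Sender"].
    rec["labelled"] = {lbl: exts[k[:-5]] for k, lbl in exts.items()
                       if k.endswith("Label") and k[:-5] in exts}
    return rec
```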



  • 9.  RE: Sample Syslog format of symantec DLP

    Posted Mar 17, 2014 08:05 AM

    Hi Sahaba,

    Please refer below for response rule: $POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$