Data Loss Prevention

Hi Friends

 I am  looking for a sample syslog / its format  to integrate wth a SIEM product which is generated from Symantec DLP 

Thanks in advance

hei Guys

Please reply

Hello,

If you want to send Symantec DLP incidents to SIEM, you need create an automated response rule. The template of a syslog message format is set in the response rule. The created response rule you need add to the corresponding policies.

I integrated Symantec DLP with ArcSight. The following is the example of the automated response rule for that integration:

Rule Name: Send Alert to ArcSight
Conditions: <empty>
Actions:  Log to a Syslog Server
Host: <address of the arcsight syslog>
Port: <port number>
Message: CEF:0|Symantec|DLP|12.0.1|ruleID|$POLICY$|5|BLOCKED=$BLOCKED$ DATAOWNER_NAME=$DATAOWNER_NAME$ DATAOWNER_EMAIL=$DATAOWNER_EMAIL$ ENDPOINT_DEVICE_ID=$ENDPOINT_DEVICE_ID$ ENDPOINT_MACHINE=$ENDPOINT_MACHINE$ PATH=$PATH$ FILE_NAME=$FILE_NAME$ PARENT_PATH=$PARENT_PATH$ INCIDENT_ID=$INCIDENT_ID$ INCIDENT_SNAPSHOT=$INCIDENT_SNAPSHOT$ MATCH_COUNT=$MATCH_COUNT$ RULES=$RULES$ PROTOCOL=$PROTOCOL$ QUARANTINE_PARENT_PATH=$QUARANTINE_PARENT_PATH$ RECIPIENTS=$RECIPIENTS$ SCAN=$SCAN$ SENDER=$SENDER$ SEVERITY=$SEVERITY$ SUBJECT=$SUBJECT$ TARGET=$TARGET$ FNAME=$ATTACHMENT_NAME$
Level: 4-Warning

---
Best regards, Artem.

Hi Artem

Thanks for your response

This is ok and i found it from its admin guide,but what i want you to clarify is The sample syslog format for creating the rules in SIEM which is generated by the same settings .

Thanks in advance

Hi Sahabam

Please refer below

If the line is uncommented without any changes, the notification messagesare sent in the format:

[server name] summary - details. The format variables are:

■ {0} - the name of the server on which the event occurred
■ {1} - the event summary
■ {2} - the event detail

For example, the following configuration specifies that Severe system event notifications are sent to a syslog host named server1 which uses port 600.

systemevent.syslog.host=server1
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}

Using this example, a low disk space event notification from an Enforce Server on a host named dlp-1 would look like:

dlp-1 Low disk space - Hard disk space for
incident data storage server is low. Disk usage is over 82%. 

ok 

Thanks for your comment

   Is this sample syslog will be generated in the real world??,for the same event  (for "Low disk space")??

if so i can proceed with that ,otherwise please provide me the real one.

Thanks in advance

Hi Sahaba above is just for explaination bur real one you need to follow below thred steps.

https://www-secure.symantec.com/connect/forums/dlp-events-syslog

https://www-secure.symantec.com/connect/forums/syslog-incident-data

https://www-secure.symantec.com/connect/forums/sample-syslog-format-symantec-dlp

Dear Sharma

Thanks alot for showing interest 

Can you give me a example based on this sample or what each of these sample indiacates???

    Sample message field entry is below which will include a Hyperlink in the ArcSight event so your responder can log into the DLP console and go right to the correct DLP incident.

CEF:0|Symantec|DataLossPrevention|11.5|$POLICY$|$POLICY$|5|cs1Label=Sender cs1=$SENDER$ cs2Label=Recipient cs2=$RECIPIENTS$ msg=$RULES$ cn1=$MATCH_COUNT$ cn1Label=MatchCount cs3Label=IncidentSnapshot cs3=$INCIDENT_SNAPSHOT$ cs4Label=DLPSeverity cs4=$SEVERITY$ suid=$Employee Code$

Thanks in advance

Hi Sahaba,

Please refer below for response rule: $POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$