
API to pull Discovery and/or classification information on assets (data/files etc.) across Network, Endpoints etc

Created: 23 Jul 2013 • Updated: 25 Jul 2013 | 4 comments
This issue has been solved. See solution.

Hello all,

I am exploring Symantec DLP solution and researching more on the APIs that are available that I could use to integrate multiple solutions. I came across the Reporting API, and it seems like that can be used to pull Incidents from the Enforce server admin console. I am interested in pulling discovered and/or classified information such as sensitive files, assets etc. across Network, Endpoints, Storage. 

1. Is there an API that will allow me to pull this Discovery or Classified information from the Endpoints themselves or from the Enforce platform? (Understandably needing proper access, auth and permissions)

2. If not, is there a way I can generate custom reports for these and export them as CSV/XLS files that I could pull data from?

Looking forward to any pointers on this.

Thanks!

Rajesh



jjesse:

The DLP API is fairly well documented in regards to what can and cannot be pulled through.  Look at the FlexResponse API document that is included w/ the Docs.zip file.

You can query and pull all kinds of information around the incident, however the API does not expose the actual violation that occurs.  So I can return all incidents that violate a policy (example:  SSN Policy) but I won't actually see the SSNs that caused the violation through the API.  The same thing occurs when you export a group of incidents as a CSV file.

But what you do get is the name of the attached file, match count, policy violated, location, attributes, etc. that you have permission for. So I could run a query through the API or through an export of a CSV file for all the counts of a file named TOPSECRETSSN.XLS or something similar.

Drop me a note if you have more questions

Jonathan Jesse Practice Principal ITS Partners

SOLUTION
rajeshvenkat:

Thanks, Jonathan! That was quite descriptive as to what I could obtain from an Incidents point of view. I will go through the FlexResponse API and start digging more.

I do understand that sensitive data is not exported or reported 'as-is'. The other part of my question was whether I am able to obtain a list of assets - endpoints, network or storage entities that house sensitive data. I am interested only in the discovered entities that are suspected to contain sensitive data, and not the sensitive data itself. This will be more of an inventory of assets (laptops, databases, file systems etc.) that contain sensitive data. Is there a mechanism to export that from DLP either as a report or through an API?

Really appreciate your help!

Thanks,

Rajesh

jjesse:

Whether you can grab the information depends on the permissions of the account you are using.

So an example: I run an export to CSV (and it's basically the same information that is available via the API) of all of my incidents on the endpoint and get the following column headers, which also include all of the attributes that are part of the incident. Then under "Type" I get whether it was a copy to network drive, local drive, printer, clipboard, etc. type of incident.

The Device Instance ID is the device that generates it.

Make sense?
Type, Severity, Occurred On, ID, Policy, Matches, Status, Destination, Destination Path, Source File, Source File Path, Machine, User, Device Instance ID, Prevention Status, Superseded, Subject, Recipient(s), Has Attachment, Data Owner Name, Data Owner Email, First Name, Last Name, Department, Location, Email Address, Notes, Employee ID, Supervisor Email Address, Extended Attribute 9, Hostname, Title, Most Active Writer 1, Most Active User Reads 1, Most Active User Writes 1, File Last Access Date, File Last Modified By, TempMgrDn

Jonathan Jesse Practice Principal ITS Partners
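The two answers above make the same point: the export (and the API) gives you the file name, match count, policy, machine and device per incident, but never the matched content. That is exactly enough to build the asset inventory Rajesh asked for. The script below is an added example, not Symantec's code and not part of the thread; it parses a constructed CSV export that uses a subset of the column headers jjesse quoted (values are made up), drops dismissed or zero-match incidents, and rolls the rest up per machine into a list of endpoints that hold policy-matching files.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an Enforce incident export (subset of the column
# headers quoted in the thread; every value below is made up).
SAMPLE_EXPORT = """Type,Severity,Occurred On,ID,Policy,Matches,Status,Destination,Source File,Source File Path,Machine,User,Device Instance ID,Hostname
Copy to USB,High,2013-07-20 09:12,1001,SSN Policy,14,New,E:\\,payroll.xlsx,C:\\Users\\alice\\Documents,LAPTOP-01,alice,USB\\VID_0781&PID_5567,laptop-01.corp.example
Copy to Network Share,Medium,2013-07-21 14:03,1002,SSN Policy,3,New,\\\\fs01\\share,notes.txt,C:\\Users\\alice\\Desktop,LAPTOP-01,alice,,laptop-01.corp.example
Print,High,2013-07-22 08:45,1003,PCI Policy,27,Escalated,HP LaserJet,cards.csv,D:\\exports,WKS-17,bob,,wks-17.corp.example
Copy to USB,Low,2013-07-22 16:30,1004,SSN Policy,0,Dismissed,E:\\,readme.txt,C:\\temp,WKS-17,bob,USB\\VID_0781&PID_5567,wks-17.corp.example
"""


def asset_inventory(export_text, min_matches=1, ignore_status=("Dismissed",)):
    """Roll incidents up per machine.

    Returns {machine: {hostname, policies, files, incidents, total_matches}}.
    Only file names and policy names are recorded; the export carries no
    matched content, so none can leak into the inventory.
    """
    inventory = defaultdict(lambda: {
        "hostname": "", "policies": set(), "files": set(),
        "incidents": 0, "total_matches": 0,
    })
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            matches = int(row.get("Matches") or 0)
        except ValueError:
            matches = 0  # malformed count: treat as no evidence
        # Skip noise: closed-as-false-positive incidents and zero-match rows.
        if matches < min_matches or row.get("Status") in ignore_status:
            continue
        asset = inventory[row["Machine"]]
        asset["hostname"] = row.get("Hostname", "")
        asset["policies"].add(row["Policy"])
        asset["files"].add(row["Source File"])
        asset["incidents"] += 1
        asset["total_matches"] += matches
    return dict(inventory)


def inventory_to_csv(inventory):
    """Render the inventory as a CSV string, one row per machine."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Machine", "Hostname", "Incidents", "Total Matches",
                     "Policies", "Files"])
    for machine in sorted(inventory):
        a = inventory[machine]
        writer.writerow([machine, a["hostname"], a["incidents"],
                         a["total_matches"],
                         ";".join(sorted(a["policies"])),
                         ";".join(sorted(a["files"]))])
    return out.getvalue()


if __name__ == "__main__":
    print(inventory_to_csv(asset_inventory(SAMPLE_EXPORT)))
```

Point it at a real export by reading the file into `asset_inventory` instead of `SAMPLE_EXPORT`; the same grouping works on the "Hostname" or "Device Instance ID" column if you want a device-level rather than machine-level view.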