Data Loss Prevention


Query Symantec DLP database for matched items

  • 1.  Query Symantec DLP database for matched items

    Posted May 21, 2014 10:59 AM

    Is it possible to query the oracle db for Symantec DLP to locate matched items, for example the exact SSN which was detected?

    It is possible to create an XML export, but the limit is less than 10,000 incidents, and it is not so friendly, so looking for a better solution.



  • 2.  RE: Query Symantec DLP database for matched items

    Broadcom Employee
    Posted May 21, 2014 12:24 PM

    We currently do not have this ability. All the incidents are stored encrypted in the DB and as such we are unable to search the DB. The only way to view the details is in an export. You could probably script this process, but Symantec does not have a way to do this currently.




  • 3.  RE: Query Symantec DLP database for matched items

    Posted May 21, 2014 12:36 PM

    Also note that exporting the incidents, since they contain SSNs, credit card #'s, etc., to a non-encrypted location would also create HIPAA/PCI/FERPA/etc. compliance issues, as that data needs to be protected.



  • 4.  RE: Query Symantec DLP database for matched items

    Posted May 21, 2014 12:56 PM

    Thank you Ryan and Ron, very good info. But there is a possible need for this process. Since the XML export can create such a report...many clients can assume that there is a possible way for the tool to do this a more streamlined way.


    I located the file to modify for the XML export size:

    /opt/Vontu/Protect/config/Manager.properties


    Change setting:

    com.vontu.manager.maxshowallincidents=10000

    and 

    com.vontu.manager.maxautodistributionincidents=10000

    Then 

    Restart Vontu services.



  • 5.  RE: Query Symantec DLP database for matched items

    Posted May 21, 2014 01:12 PM

    We agree that there is a need for a feature to search through text in the DLP database, there just isn't an easy, safe way to do so now.  I forgot to mention I had added an Idea (feature request) here on Connect for this feature:

    https://www-secure.symantec.com/connect/ideas/allow-searching-through-incidents-any-text

    Please be sure to vote on it; the more people that request it, the more likely Symantec will add it.



  • 6.  RE: Query Symantec DLP database for matched items

    Posted May 21, 2014 02:09 PM

    While I found there are some tools available to parse xml that would work better, the following met my need:


    1. Load Symantec xml export into Microsoft Visual Studio to reformat xml tags into newline/indented format (Edit->Advanced->Format Document)

    2. Use Unix/Linux/Cygwin to search for desired pattern (regex) and or text (e.g. 4011):
    $ awk -F'[<|>]' '/ns2:violationText/{print $3}' export.xml |sort | uniq |grep -v 4011 |wc -l
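    The same extraction as the awk one-liner above, done with an XML parser so the reformatting step in Visual Studio is not needed and the matched values are only reported masked. This is an added example, not code from the thread or from Symantec; the export layout and the ns2 namespace URI in the sample are assumptions, and the sample values are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample resembling a DLP incident XML export. The element
# layout and namespace URI are assumptions, not the real export schema.
SAMPLE_EXPORT = """<ns2:incidentList xmlns:ns2="http://example.invalid/dlp-export">
  <ns2:incident><ns2:incidentId>1</ns2:incidentId>
    <ns2:violationText>123-45-6789</ns2:violationText>
  </ns2:incident>
  <ns2:incident><ns2:incidentId>2</ns2:incidentId>
    <ns2:violationText>4011 0000 0000 0001</ns2:violationText>
  </ns2:incident>
  <ns2:incident><ns2:incidentId>3</ns2:incidentId>
    <ns2:violationText>123-45-6789</ns2:violationText>
    <ns2:violationText>987-65-4321</ns2:violationText>
  </ns2:incident>
</ns2:incidentList>
"""

def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit('}', 1)[-1]

def violation_texts(xml_text):
    """Yield every violationText value, whatever prefix or line layout the file uses."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if local_name(el.tag) == 'violationText' and el.text:
            yield el.text.strip()

def count_matches(xml_text, exclude_pattern=None):
    """Count distinct matched values; the thread's example excludes anything containing 4011."""
    exclude = re.compile(exclude_pattern) if exclude_pattern else None
    counts = Counter()
    for text in violation_texts(xml_text):
        if exclude and exclude.search(text):
            continue
        counts[text] += 1
    return counts

def mask(value):
    """Keep only the last four digits so a summary can be shared without the full value."""
    digits = re.sub(r'\D', '', value)
    return '*' * max(len(digits) - 4, 0) + digits[-4:]

def summarize(xml_text, exclude_pattern=None):
    """Masked value -> number of times it was matched across the export."""
    return {mask(v): n for v, n in count_matches(xml_text, exclude_pattern).items()}
```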



  • 7.  RE: Query Symantec DLP database for matched items

    Broadcom Employee
    Posted May 21, 2014 05:47 PM

    While not SQL, the Reporting and Update API will be updated in 12.5 to add an IncidentViolations() function that will return the highlighted text from a requested incident. It requires some setup work to create a Reporting and Update client, but if you need this functionality it is well worth it. Reporting and Update API clients can be written in either Java or .Net.



  • 8.  RE: Query Symantec DLP database for matched items

    Posted May 29, 2014 09:56 AM

    John,

    You say, "...from a requested incident..." To me that implies you would need to know the incident ID number to be able to get this data. I'm not really clear how that would make it easier.

    Aaron



  • 9.  RE: Query Symantec DLP database for matched items

    Posted Jun 16, 2014 03:57 PM

    John,

    can you elaborate a little more on the API functionality change for DLP v12.5?



  • 10.  RE: Query Symantec DLP database for matched items

    Broadcom Employee
    Posted Jun 16, 2014 05:44 PM

    Hi ADILT,

    In 12.5 there was a new feature in the API that allows one to query the details of an incident. So, if you make a report that looks for your SSNs, you can then run the report through the API and it will return the list of incidents that match your report criteria. You can also use the API to query a specific incident and now the incident details.

    Try 12.5 today! :)

    Best,

    Ryan



  • 11.  RE: Query Symantec DLP database for matched items

    Posted Aug 21, 2014 12:39 PM

    Thank you for the information Ryan. Will try to test this new feature.