Data Loss Prevention

  • 1.  Sending Incidents as Syslogs

    Posted Mar 22, 2015 10:39 AM

    Dear All,

    We are integrating DLP with a SIEM solution (Splunk). I need the incidents to be sent to Splunk as syslogs, for which I configured a syslog response rule with the hostname, port and the syslog message required by Splunk.

    I created a Test policy with the "Log to a Syslog Server" response rule and created test incidents.

    I am not able to receive any incidents/traffic from Splunk even after checking the following:

    1. Firewall Access for syslog port from Enforce Server to Splunk server.

    2. Response rule is being triggered in Incident History

    I need information/help on the following:

    1. Is there a specific pattern in which the hostname and port number should be written in the Response Rule?

    2. Are there any changes to be done on the Enforce Server (Windows) to be able to produce syslogs?

    3. Is there a way I can check whether the syslog is being generated on the Enforce Server and sent to Splunk?



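    Question 3 above (how to confirm that syslog is actually leaving Enforce and reaching the collector) can be answered without Splunk at all: bind a UDP listener on the collector host on the port named in the response rule, trigger a test incident, and see whether a datagram arrives. The script below is an added example, not code from this thread or from the DLP product. It assumes the response rule sends UDP (as the Splunk app's "Listening udp port" wording implies), uses the constructed port 5514 and a constructed test message for its self-test, and builds the `<PRI>` prefix as facility * 8 + severity, which for severity 7 ("Debugging", the Level in the next reply) gives `<15>`.

```python
import socket
import threading

# Constructed test payload; in production the body comes from the response rule.
TEST_MESSAGE = "id=TEST, policy=Syslog Connectivity Test, app=symantec:dlp"


def listen_once(port, timeout=5.0, host="0.0.0.0", ready=None):
    """Bind a UDP socket on host:port and return (sender_ip, text) for the
    first datagram received, or None if nothing arrives within `timeout`.
    Run this on the collector host on the port named in the response rule
    while a test incident is triggered. Ports below 1024 (e.g. 514) need
    administrator/root rights to bind."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        sock.settimeout(timeout)
        if ready is not None:
            ready.set()  # tell a waiting sender that the socket is bound
        try:
            data, (ip, _) = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return ip, data.decode("utf-8", errors="replace")


def send_test_message(host, port, message, facility=1, severity=7):
    """Send one RFC 3164-style datagram. PRI = facility * 8 + severity;
    facility 1 (user) with severity 7 (Debugging) gives the <15> prefix.
    Returns the bytes that were sent."""
    payload = f"<{facility * 8 + severity}>{message}".encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))
    return payload


def split_pri(text):
    """Separate the <PRI> prefix from the message body. Returns (pri, body),
    with pri=None when the datagram carries no valid prefix."""
    if text.startswith("<"):
        end = text.find(">")
        if 0 < end <= 4 and text[1:end].isdigit():
            return int(text[1:end]), text[end + 1:]
    return None, text


def loopback_check(port=5514, message=TEST_MESSAGE):
    """Self-test on 127.0.0.1: start the listener in a thread, send one
    datagram to it and return (pri, body) of what arrived, or None if the
    listener timed out. Proves the listener works before Enforce is pointed
    at this host and port, so a later silence means the packets never came."""
    result = {}
    ready = threading.Event()
    worker = threading.Thread(
        target=lambda: result.update(got=listen_once(port, 5.0, "127.0.0.1", ready)))
    worker.start()
    if not ready.wait(5.0):
        return None
    send_test_message("127.0.0.1", port, message)
    worker.join()
    got = result.get("got")
    return None if got is None else split_pri(got[1])


if __name__ == "__main__":
    print(loopback_check())  # expected: (15, TEST_MESSAGE)
```

    If the self-test passes but `listen_once` on the real port stays silent while the Incident History shows the rule firing, the gap is between Enforce and the collector (rule host/port, the Enforce host's outbound firewall, or the path in between), not in the Splunk input configuration.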

  • 2.  RE: Sending Incidents as Syslogs

    Posted Mar 24, 2015 01:00 AM
    Dear DLP,

    Please refer below. There is a Splunk App (http://apps.splunk.com/app/1314/) for DLP specifically and they have an example of what the documentation looks like. This is the sample text:

    Host = IP address for the indexer

    Port = Listening udp port on the indexer

    Message = ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$

    Level = 7 - Debugging

    https://www-secure.symantec.com/connect/forums/dlp-event-message-import-syslog-server

    https://www-secure.symantec.com/connect/forums/sample-syslog-dlp


  • 3.  RE: Sending Incidents as Syslogs

    Posted Mar 24, 2015 08:22 AM

    Dear Kishorilal,

    I've modified the message a bit on Splunk Consultant's request.

    blocked=$BLOCKED$, src=$ENDPOINT_MACHINE$, filename=$FILE_NAME$, id=$INCIDENT_ID$, policy=$POLICY$, protocol=$PROTOCOL$, dest=$RECIPIENT$, sender=$SENDER$, severity=$SEVERITY$, subject=$SUBJECT$, target=$TARGET$, violations=$MATCH_COUNTS$, app=symantec:dlp

    Now, the problem is that two message fields are not getting resolved:

    1. dest=

    2. violations=

    See below example event:

    Mar 23 16:56:07 abc.abc.com  abc.abc.com blocked=None, src=abcmachine, filename=N/A, id=275122, policy=Splunk Test Policy, protocol=Endpoint Email/SMTP, dest=[UNKNOWN VARIABLE: RECIPIENT], sender=abc@abc.com, severity=1:High, subject=FW: , target=N/A, violations=[UNKNOWN VARIABLE: MATCH_COUNTS], app=symantec:dlp

    Is there anything I need to change in the message, as the values are not getting fetched by the message?



  • 4.  RE: Sending Incidents as Syslogs

    Trusted Advisor
    Posted Jul 09, 2015 09:51 PM

    DLP.

    Your variable name is wrong. You need to make sure whether it is plural or not.

    RECIPIENTS=$RECIPIENTS$

    MATCH_COUNT=$MATCH_COUNT$

    Ronak

    Please mark as Solved.



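    The unresolved-variable problem in posts 3 and 4 can be caught before a rule is saved, and the resulting events can be checked after the fact. The script below is an added example, not code from this thread or from the DLP product. It takes the variable names exactly as they appear in this thread as its known set (the product's full list is longer, so that set is illustrative only), compares each `$VAR$` in a template against it with a closest-match suggestion, and parses a forwarded event into key=value fields while listing every `[UNKNOWN VARIABLE: ...]` marker. The template and event line are the ones quoted in post 3.

```python
import difflib
import re

# Variable names that appear in this thread; the product's full list is longer,
# so treat this set as illustrative rather than authoritative.
KNOWN_VARIABLES = {
    "INCIDENT_ID", "POLICY", "MATCH_COUNT", "PROTOCOL", "RECIPIENTS", "SENDER",
    "SEVERITY", "SUBJECT", "TARGET", "FILE_NAME", "BLOCKED", "ENDPOINT_MACHINE",
}

# Template from post 3; RECIPIENT and MATCH_COUNTS are not valid names.
POSTED_TEMPLATE = (
    "blocked=$BLOCKED$, src=$ENDPOINT_MACHINE$, filename=$FILE_NAME$, "
    "id=$INCIDENT_ID$, policy=$POLICY$, protocol=$PROTOCOL$, dest=$RECIPIENT$, "
    "sender=$SENDER$, severity=$SEVERITY$, subject=$SUBJECT$, target=$TARGET$, "
    "violations=$MATCH_COUNTS$, app=symantec:dlp"
)

# Event line quoted in post 3, as it arrived at Splunk.
SAMPLE_EVENT = (
    "Mar 23 16:56:07 abc.abc.com  abc.abc.com blocked=None, src=abcmachine, "
    "filename=N/A, id=275122, policy=Splunk Test Policy, "
    "protocol=Endpoint Email/SMTP, dest=[UNKNOWN VARIABLE: RECIPIENT], "
    "sender=abc@abc.com, severity=1:High, subject=FW: , target=N/A, "
    "violations=[UNKNOWN VARIABLE: MATCH_COUNTS], app=symantec:dlp"
)

VAR_RE = re.compile(r"\$([A-Z_]+)\$")
UNRESOLVED_RE = re.compile(r"\[UNKNOWN VARIABLE: ([A-Z_]+)\]")
# key=value pairs separated by ", "; values may contain spaces and colons.
KV_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def check_template(template, known=KNOWN_VARIABLES):
    """Return {bad_name: closest_known_name_or_None} for every $VAR$ in the
    template that is not a known variable, so a typo such as a missing or
    extra plural 'S' is caught before the rule is saved."""
    problems = {}
    for name in VAR_RE.findall(template):
        if name not in known:
            close = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.6)
            problems[name] = close[0] if close else None
    return problems


def corrected_template(template, known=KNOWN_VARIABLES):
    """Rewrite each unknown $VAR$ to its suggested name where one exists."""
    fixes = check_template(template, known)
    return VAR_RE.sub(lambda m: f"${fixes.get(m.group(1)) or m.group(1)}$", template)


def parse_event(line):
    """Split a forwarded event into (fields, unresolved). `fields` maps each
    key to its value; `unresolved` lists the names Enforce could not expand.
    The syslog header (timestamp and hosts) is skipped by starting at the
    first key= token."""
    first = re.search(r"\b\w+=", line)
    body = line[first.start():] if first else line
    fields = {k: v.strip() for k, v in KV_RE.findall(body)}
    return fields, sorted(UNRESOLVED_RE.findall(body))


def unresolved_fields(line):
    """Map each field whose whole value is an unresolved marker to the bad
    variable name, e.g. {'dest': 'RECIPIENT'}."""
    out = {}
    for key, value in parse_event(line)[0].items():
        m = UNRESOLVED_RE.fullmatch(value)
        if m:
            out[key] = m.group(1)
    return out


if __name__ == "__main__":
    print(check_template(POSTED_TEMPLATE))
    print(corrected_template(POSTED_TEMPLATE))
    print(unresolved_fields(SAMPLE_EVENT))
```

    `unresolved_fields` is also a cheap detection to keep running on the ingested events: a non-empty result after a rule change means the template regressed, and the bad names it reports point straight at the `$VAR$` to fix.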

  • 5.  RE: Sending Incidents as Syslogs

    Trusted Advisor
    Posted Jul 29, 2015 12:45 PM

    Please mark as Solved.