Data Loss Prevention

  • 1.  Triggering the Symantec DLP with Splunk

    Posted Apr 17, 2018 08:01 AM

    Hi everyone!

    Does anyone know if there is an add-on or option in Splunk to trigger a third-party DLP (Symantec, IDLP, ...)? Or is it also possible to configure Splunk Alert Actions (or custom scripts) to perform a DLP function?

    The flow should be like this:
    Collecting all the client actions (changes on files, copying of files etc.), portable media logs (USB drives, CD-ROMs etc.), and e-mail server actions, analysing and correlating the collected data based on the rules (which are going to be defined by us), and in case of an anomaly detection, creating an alert and triggering the DLP solution to block the session.



  • 2.  RE: Triggering the Symantec DLP with Splunk

    Trusted Advisor
    Posted Apr 17, 2018 06:58 PM

    Duygu,

    I am going to try and simplify this a bit.. you are trying to take logs from Splunk Data collection and feed it to the DLP system to then take action against the feed? (Block etc)

    This may be possible, but it would require a ton of work to be able to feed the information to the DLP system. The DLP system will require the feed to be in a specific protocol or format.. it will not just take a direct log feed. Though you could dump files into a folder for inspection. If the inspection matches some DLP policies looking for keywords etc., it will then create an event.

    If so, the only really useful action is going to be to create an event, and then the DLP system can send emails or run a script (Flex Response) after the fact. So it will not be real time.

    This is an odd way of doing things, for you should be able to deploy the DLP agent with its own set of policies based on Content/Context/Destination and then have the DLP agent create the event and do some real time blocking, then send an SNMP alert to Splunk with the event information.


    Good Luck

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE
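The "dump files into a folder for inspection" route from the reply above, as an added example that is not part of either post and not Symantec's or Splunk's own code: a Splunk custom alert action script that reads the JSON payload Splunk passes on stdin with `--execute`, normalises the triggering result, and writes it atomically into a drop folder for the DLP folder scan. The `drop_dir` parameter, the field names in the result, and the sample payload are constructed assumptions.

```python
import json, os, sys, tempfile, time

# Constructed sample of the JSON payload Splunk hands a custom alert action on
# stdin when it is invoked with --execute (top-level keys follow Splunk's payload).
SAMPLE_PAYLOAD = {
    "sid": "scheduler__admin__search__RMD5example_at_1523952000_1",
    "search_name": "DLP - bulk copy to removable media",
    "app": "search",
    "owner": "admin",
    "configuration": {"drop_dir": ""},   # assumed param set in alert_actions.conf
    "result": {"user": "jdoe", "host": "wks-042", "file_path": "C:\\Users\\jdoe\\export.csv",
               "dest": "USB\\VID_0781", "count": "37"},
}
REQUIRED = ("user", "host", "file_path")   # fields the DLP folder policy keys on
DEFAULT_DROP_DIR = os.path.join(tempfile.gettempdir(), "dlp-inbox")

def build_record(payload):
    """Flatten the triggering result into the record the DLP scan will read.
    Raises ValueError when a field the DLP policy needs is missing or empty."""
    result = payload.get("result", {})
    missing = [f for f in REQUIRED if not result.get(f)]
    if missing:
        raise ValueError("alert result lacks required fields: %s" % ", ".join(missing))
    return {
        "source": "splunk",
        "sid": payload.get("sid", ""),
        "search_name": payload.get("search_name", ""),
        "user": result["user"],
        "host": result["host"],
        "file_path": result["file_path"],
        "dest": result.get("dest", ""),
        "count": int(result.get("count") or 0),
        "observed": int(time.time()),
    }

def write_record(payload, drop_dir=None):
    """Write one JSON file per alert; temp file + rename so the scanner never
    picks up a half-written record. Returns the final path."""
    drop_dir = drop_dir or payload.get("configuration", {}).get("drop_dir") or DEFAULT_DROP_DIR
    os.makedirs(drop_dir, exist_ok=True)
    record = build_record(payload)
    fd, tmp = tempfile.mkstemp(prefix=".splunk-", dir=drop_dir)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    final = os.path.join(drop_dir, "%s-%d.json" % (record["sid"], record["observed"]))
    os.replace(tmp, final)
    return final

def read_record(path):
    """Load a record back, as the inspecting side (or a test) would."""
    with open(path) as fh:
        return json.load(fh)

if __name__ == "__main__":
    # Splunk runs: python dlp_drop.py --execute   (payload arrives on stdin)
    payload = json.load(sys.stdin) if "--execute" in sys.argv else SAMPLE_PAYLOAD
    print(write_record(payload))
```

Run without `--execute` to exercise the constructed sample; the script only blocks nothing itself, the DLP policy acting on the folder decides what to do with the record.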