IBM Security QRadar SOAR

  • 1.  Symantec Data Loss Prevention Integration

    Posted Fri January 03, 2020 12:19 PM
    Has anyone gotten the Symantec Data Loss Prevention Integration to work properly? I have it configured based on the documentation in the app exchange and can see that the DLP Listener component is reaching out to my DLP server and obtaining the proper DLP incident report, but there are no Resilient incidents created based on the DLP incidents.

    ------------------------------
    Ryan Terry
    ------------------------------


  • 2.  RE: Symantec Data Loss Prevention Integration

    Posted Fri January 03, 2020 03:59 PM
    Hello Ryan,

    We can help troubleshoot. Have you checked resilient-circuits logs? Do you see any errors there?
    Resilient-circuits:
    • The log is controlled in the .resilient/app.config file under the section [resilient] and the property logdir.
    • The default file name is app.log.
    • Each function creates progress information.
    • Failures show up as errors and may contain python trace statements.
    Cheers,
    Tamara Zlender

    ------------------------------
    Tamara Zlender
    ------------------------------



  • 3.  RE: Symantec Data Loss Prevention Integration

    Posted Fri January 03, 2020 05:18 PM
    Tamara,

    This is what I see in the logs:

    2020-01-03 15:08:23,904 INFO [dlp_incident_listener] DLP Listener Polling Event received. Checking if any previous thread is still alive
    2020-01-03 15:08:23,905 DEBUG [dlp_incident_listener] dlp_thread_start: Creating a thread to poll DLP
    2020-01-03 15:08:23,905 INFO [dlp_incident_listener] Now spawning a new daemon thread that DLP Listener will run inside of
    2020-01-03 15:08:23,905 DEBUG [dlp_listener_component] Started Poller
    2020-01-03 15:08:23,906 INFO [dlp_listener_component] Searching for Incidents which were created after 2019-12-20 15:08:23.906584
    2020-01-03 15:08:24,577 INFO [dlp_listener_component] Now filtering out Incidents which already have a Resilient Incident ID
    2020-01-03 15:08:24,578 INFO [dlp_listener_component] Number of Incidents before filtering: 4
    2020-01-03 15:08:24,701 INFO [dlp_listener_component] Number of Incidents after filtering out any Incident which has a value for the `resilient_incident_id` custom attribute: 4
    2020-01-03 15:08:24,743 DEBUG [connectionpool] https://server.mydomain.com:443 "GET /rest/orgs/201/types/incident/fields/sdlp_incident_id HTTP/1.1" 200 None
    2020-01-03 15:08:24,744 INFO [dlp_listener_component] sdlp_should_search_res app.config value is False or not set. Duplicate Resilient Incidents may be created if the poller cannot update the DLP Incident with its new corresponding Resilient ID or the Resilient ID in the SDLP incident has been removed
    2020-01-03 15:08:24,745 INFO [dlp_listener_component] Found no Resilient Incident with given DLP Incident ID 2795718, creating an incident.
    2020-01-03 15:08:24,766 DEBUG [dlp_listener_component] {"name": "Symantec DLP Incident Id 2795718 escalated from DLP",
    "description": "An incident imported using the Symantec DLP Integration",
    "sdlp_incident_id": 2795718,
    "sdlp_incident_url": {"format" : "html", "content" : "<a href=https://1.1.1.1:443/ProtectManager/IncidentDetail.do?value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=2795718>https://1.1.1.1:443/ProtectManager/IncidentDetail.do?value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=2795718</a>"}
    "description" : {"format" : "html", "content" : "Source ipv4 Address, generated from DLP Incident with an ID of 2795718"},
    "description" : {"format" : "html", "content" : "User Account of the machine that generated this incident. Includes the machine name. Generated from DLP Incident with an ID of 2795718"}},
    "description" : {"format" : "html", "content" : "File Path of the application in which the incident occured. Generated from DLP Incident with an ID of 2795718"}},
    "description" : {"format" : "html", "content" : "System Name of the machine that generated this incident. Includes the machine name. Generated from DLP Incident with an ID of 2795718"}},
    "description" : {"format" : "html","content" : "Destination URL Identifier. Generated from DLP Incident with an ID of 2795718"},

    ------------------------------
    Ryan Terry
    ------------------------------



  • 4.  RE: Symantec Data Loss Prevention Integration

    Posted Mon January 06, 2020 07:56 AM
    Hi Ryan,

    Thank you for contacting the community forum.
    These logs are helpful, but it looks like some are missing. The next expected logs would be the result (or error) from the API call to create the Incident. Could you gather some more logs for the polling?
    For each polling event, the first log you will usually see is "DLP Listener Polling Event received. Checking if any previous thread is still alive"
    and the last log you would see is "Finished processing all Incidents in Saved Report X"


    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------



  • 5.  RE: Symantec Data Loss Prevention Integration

    Posted Tue January 07, 2020 04:56 PM
    Here is a larger log excerpt, but I can reply privately with my entire log file if you need it. I never see a log entry with "Finished processing all Incidents in Saved Report"



    2020-01-07 14:42:48,050 INFO [dlp_incident_listener] DLP Listener Polling Event received. Checking if any previous thread is still alive
    2020-01-07 14:42:48,051 DEBUG [dlp_incident_listener] dlp_thread_start: Creating a thread to poll DLP
    2020-01-07 14:42:48,052 INFO [dlp_incident_listener] Now spawning a new daemon thread that DLP Listener will run inside of
    2020-01-07 14:42:48,052 DEBUG [dlp_listener_component] Started Poller
    2020-01-07 14:42:48,053 INFO [dlp_listener_component] Searching for Incidents which were created after 2019-12-24 14:42:48.053344
    2020-01-07 14:42:48,055 DEBUG [transports] HTTP Post to https://1.1.1.1:443/ProtectManager/services/v2011/incidents:
    <?xml version='1.0' encoding='utf-8'?>
    <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Header xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Action>incidentList</wsa:Action><wsa:MessageID>urn:uuid:5ee90095-8c2f-45b9-84d6-c782317b29a5</wsa:MessageID><wsa:To>https://1.1.1.1:443/ProtectManager/services/v2011/incidents</wsa:To></soap-env:Header><soap-env:Body><ns0:incidentListRequest xmlns:ns0="http://www.vontu.com/v2011/enforce/webservice/incident/schema"><ns0:savedReportId>28173</ns0:savedReportId><ns0:incidentCreationDateLaterThan>2019-12-24T14:42:48.053344</ns0:incidentCreationDateLaterThan></ns0:incidentListRequest></soap-env:Body></soap-env:Envelope>
    2020-01-07 14:42:48,056 DEBUG [connectionpool] Resetting dropped connection: 1.1.1.1
    2020-01-07 14:42:48,529 DEBUG [connectionpool] https://1.1.1.1:443 "POST /ProtectManager/services/v2011/incidents HTTP/1.1" 200 None
    2020-01-07 14:42:48,531 DEBUG [transports] HTTP Response from https://1.1.1.1:443/ProtectManager/services/v2011/incidents (status: 200):1.1.1.1
    <?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><ns5:incidentListResponse xmlns:ns2="http://www.vontu.com/v2011/enforce/webservice/incident/common/schema" xmlns:ns3="http://www.vontu.com/enforce/export/incident/common/schema" xmlns:ns4="http://www.vontu.com/enforce/export/incident/schema" xmlns:ns5="http://www.vontu.com/v2011/enforce/webservice/incident/schema" xmlns:ns6="http://www.vontu.com/v2011/enforce/webservice/incident"><ns5:incidentId>2795718</ns5:incidentId><ns5:incidentId>2795719</ns5:incidentId><ns5:incidentId>2795717</ns5:incidentId><ns5:incidentId>2795730</ns5:incidentId><ns5:incidentLongId>2795718</ns5:incidentLongId><ns5:incidentLongId>2795719</ns5:incidentLongId><ns5:incidentLongId>2795717</ns5:incidentLongId><ns5:incidentLongId>2795730</ns5:incidentLongId></ns5:incidentListResponse></S:Body></S:Envelope>
    2020-01-07 14:42:48,532 DEBUG [transports] HTTP Post to https://1.1.1.1:443/ProtectManager/services/v2011/incidents:
    <?xml version='1.0' encoding='utf-8'?>
    <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Header xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Action>incidentDetail</wsa:Action><wsa:MessageID>urn:uuid:b7bebf0e-2189-4d24-8508-8929ef0e0cf4</wsa:MessageID><wsa:To>https://1.1.1.1:443/ProtectManager/services/v2011/incidents</wsa:To></soap-env:Header><soap-env:Body><ns0:incidentDetailRequest xmlns:ns0="http://www.vontu.com/v2011/enforce/webservice/incident/schema"><ns0:incidentId>2795718</ns0:incidentId><ns0:incidentId>2795719</ns0:incidentId><ns0:incidentId>2795717</ns0:incidentId><ns0:incidentId>2795730</ns0:incidentId></ns0:incidentDetailRequest></soap-env:Body></soap-env:Envelope>
    --
    2020-01-07 14:42:48,920 INFO [dlp_listener_component] Now filtering out Incidents which already have a Resilient Incident ID
    2020-01-07 14:42:48,920 INFO [dlp_listener_component] Number of Incidents before filtering: 4
    2020-01-07 14:42:48,921 DEBUG [transports] HTTP Post to https://1.1.1.1:443/ProtectManager/services/v2011/incidents:
    <?xml version='1.0' encoding='utf-8'?>
    <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Header xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Action>listCustomAttributes</wsa:Action><wsa:MessageID>urn:uuid:4724f681-532f-42d1-ac2d-c447fd2518b6</wsa:MessageID><wsa:To>https://1.1.1.1:443/ProtectManager/services/v2011/incidents</wsa:To></soap-env:Header><soap-env:Body/></soap-env:Envelope>
    2020-01-07 14:42:49,042 DEBUG [connectionpool] https://1.1.1.1:443 "POST /ProtectManager/services/v2011/incidents HTTP/1.1" 200 None
    2020-01-07 14:42:49,043 DEBUG [transports] HTTP Response from https://1.1.1.1:443/ProtectManager/services/v2011/incidents (status: 200):
    <?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><ns5:customAttributeList xmlns:ns2="http://www.vontu.com/v2011/enforce/webservice/incident/common/schema" xmlns:ns3="http://www.vontu.com/enforce/export/incident/common/schema" xmlns:ns4="http://www.vontu.com/enforce/export/incident/schema" xmlns:ns5="http://www.vontu.com/v2011/enforce/webservice/incident/schema" xmlns:ns6="http://www.vontu.com/v2011/enforce/webservice/incident"><customAttributeName>File_Last_Access_Date</customAttributeName><customAttributeName>Data_User_Last_Access</customAttributeName><customAttributeName>Most_Active_User_Writes_1</customAttributeName><customAttributeName>Most_Active_Writer_3</customAttributeName><customAttributeName>Incident Classification</customAttributeName><customAttributeName>Business_Owner</customAttributeName><customAttributeName>Custodian_Folder_1</customAttributeName><customAttributeName>File_Access_History_Start_Date</customAttributeName><customAttributeName>File_Total_Reads</customAttributeName><customAttributeName>Most_Active_Reader_1</customAttributeName><customAttributeName>Most_Active_Reader_2</customAttributeName><customAttributeName>Most_Active_User_Reads_1</customAttributeName><customAttributeName>Most_Active_Writer_2</customAttributeName><customAttributeName>resilient_incident_url</customAttributeName><customAttributeName>Assigned To</customAttributeName><customAttributeName>Employee Code</customAttributeName><customAttributeName>First Name</customAttributeName><customAttributeName>Last Name</customAttributeName><customAttributeName>Manager Last Name</customAttributeName><customAttributeName>Manager First Name</customAttributeName><customAttributeName>Manager Phone</customAttributeName><customAttributeName>Country</customAttributeName><customAttributeName>Resolution</customAttributeName><customAttributeName>Dismissal Reason</customAttributeName><customAttributeName>Business 
Unit</customAttributeName><customAttributeName>Phone</customAttributeName><customAttributeName>Sender Email</customAttributeName><customAttributeName>Manager Email</customAttributeName><customAttributeName>Region</customAttributeName><customAttributeName>Postal Code</customAttributeName><customAttributeName>Data_User</customAttributeName><customAttributeName>Custodian_1</customAttributeName><customAttributeName>Data_User_Reads</customAttributeName><customAttributeName>Data_User_Writes</customAttributeName><customAttributeName>File_Last_Modified_By</customAttributeName><customAttributeName>File_Total_Writes</customAttributeName><customAttributeName>Most_Active_User_1</customAttributeName><customAttributeName>Most_Active_Writer_1</customAttributeName><customAttributeName>User_Last_Access</customAttributeName><customAttributeName>resilient_incident_id</customAttributeName></ns5:customAttributeList></S:Body></S:Envelope>
    2020-01-07 14:42:49,046 DEBUG [actions_component] Reset idle timer
    2020-01-07 14:42:49,046 INFO [dlp_listener_component] Number of Incidents after filtering out any Incident which has a value for the `resilient_incident_id` custom attribute: 4
    2020-01-07 14:42:49,048 DEBUG [connectionpool] Resetting dropped connection: resilient.iso.utah.edu
    2020-01-07 14:42:49,088 DEBUG [connectionpool] https://resilient.iso.utah.edu:443 "GET /rest/orgs/201/types/incident/fields/sdlp_incident_id HTTP/1.1" 200 None
    2020-01-07 14:42:49,090 INFO [dlp_listener_component] sdlp_should_search_res app.config value is False or not set. Duplicate Resilient Incidents may be created if the poller cannot update the DLP Incident with its new corresponding Resilient ID or the Resilient ID in the SDLP incident has been removed
    2020-01-07 14:42:49,090 INFO [dlp_listener_component] Found no Resilient Incident with given DLP Incident ID 2795718, creating an incident.
    2020-01-07 14:42:49,110 DEBUG [dlp_listener_component] {"name": "Symantec DLP Incident Id 2795718 escalated from DLP",
    "description": "An incident imported using the Symantec DLP Integration",
    "discovered_date":1578040408757,
    "incident_type_ids": [16],
    "severity_code": "Low","start_date": 1578040081261,
    "properties": {
    "sdlp_incident_id": 2795718,
    "sdlp_incident_url": {"format" : "html", "content" : "<a href=https://1.1.1.1:443/ProtectManager/IncidentDetail.do?value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=2795718>https://1.1.1.1:443/ProtectManager/IncidentDetail.do?value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=2795718</a>"}
    },

    "artifacts": [
    {"type": {"name": "IP Address"}, "value": "1.1.1.1",
    "description" : {"format" : "html", "content" : "Source ipv4 Address, generated from DLP Incident with an ID of 2795718"},
    "properties": [{"name": "source", "value": true}]},
    {"type": {"name": "User Account"}, "value": "AD\\userid",
    "description" : {"format" : "html", "content" : "User Account of the machine that generated this incident. Includes the machine name. Generated from DLP Incident with an ID of 2795718"}},
    {"type": {"name": "File Path"}, "value": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
    "description" : {"format" : "html", "content" : "File Path of the application in which the incident occured. Generated from DLP Incident with an ID of 2795718"}},
    {"type": {"name": "System Name"}, "value": "userid",
    "description" : {"format" : "html", "content" : "System Name of the machine that generated this incident. Includes the machine name. Generated from DLP Incident with an ID of 2795718"}},
    {"type": {"name": "URL"}, "value": "https://saas-bbw.userreplay.net/",
    "description" : {"format" : "html","content" : "Destination URL Identifier. Generated from DLP Incident with an ID of 2795718"},
    "properties": []}],
    "comments": []
    }
    2020-01-07 14:42:49,259 DEBUG [client] Received heart-beat
    2020-01-07 14:42:49,351 DEBUG [connectionpool] https://resilient.iso.utah.edu:443 "POST /rest/orgs/201/incidents HTTP/1.1" 400 None
    2020-01-07 14:43:04,292 DEBUG [client] Received heart-beat
    2020-01-07 14:43:19,243 DEBUG [client] Received heart-beat
    2020-01-07 14:43:34,287 DEBUG [client] Received heart-beat
    2020-01-07 14:43:49,286 DEBUG [client] Received heart-beat
    2020-01-07 14:44:04,292 DEBUG [client] Received heart-beat

    ------------------------------
    Ryan Terry
    ------------------------------



  • 6.  RE: Symantec Data Loss Prevention Integration

    Posted Wed January 08, 2020 03:09 AM
    Hi Ryan,
    Thank you for the response.
    This log in particular is what I was looking for:
    /rest/orgs/201/incidents HTTP/1.1" 400 None. It looks like the payload being sent to Resilient is slightly malformed.

    Could I ask you to open a support case for this as Symantec DLP is a supported extension. I will reply privately to you also.

    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------
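    The two replies above give the diagnostic that settles this thread: each polling cycle of the DLP Listener is bracketed by the "DLP Listener Polling Event received" line and the "Finished processing all Incidents in Saved Report X" line, and a cycle that never reaches the second line with a 400 on the POST to /rest/orgs/.../incidents in between is the one to look at. The following script is an added example, not part of the integration or anything posted in the thread; it applies that check to a constructed app.log excerpt (modelled on Ryan's log, with a placeholder Resilient hostname) and reports the cycles that failed. The log line texts it matches are the ones quoted in this thread; everything else is an assumption.

```python
import re

# Constructed sample of resilient-circuits app.log lines, modelled on the
# excerpt posted in this thread (hostname is a placeholder, second cycle is made up).
SAMPLE_LOG = """\
2020-01-07 14:42:48,050 INFO [dlp_incident_listener] DLP Listener Polling Event received. Checking if any previous thread is still alive
2020-01-07 14:42:48,053 INFO [dlp_listener_component] Searching for Incidents which were created after 2019-12-24 14:42:48.053344
2020-01-07 14:42:48,920 INFO [dlp_listener_component] Number of Incidents before filtering: 4
2020-01-07 14:42:49,090 INFO [dlp_listener_component] Found no Resilient Incident with given DLP Incident ID 2795718, creating an incident.
2020-01-07 14:42:49,351 DEBUG [connectionpool] https://resilient.example.com:443 "POST /rest/orgs/201/incidents HTTP/1.1" 400 None
2020-01-07 14:43:04,292 DEBUG [client] Received heart-beat
2020-01-07 14:52:48,050 INFO [dlp_incident_listener] DLP Listener Polling Event received. Checking if any previous thread is still alive
2020-01-07 14:52:49,100 INFO [dlp_listener_component] Found no Resilient Incident with given DLP Incident ID 2795719, creating an incident.
2020-01-07 14:52:49,400 DEBUG [connectionpool] https://resilient.example.com:443 "POST /rest/orgs/201/incidents HTTP/1.1" 200 None
2020-01-07 14:52:49,500 INFO [dlp_listener_component] Finished processing all Incidents in Saved Report 28173
"""

# Marker lines named in the thread as the start and end of one polling cycle.
POLL_START = "DLP Listener Polling Event received"
POLL_END = "Finished processing all Incidents in Saved Report"
# Status code of each POST to the Resilient incidents endpoint (org id varies).
POST_RE = re.compile(r'"POST /rest/orgs/\d+/incidents HTTP/1\.1" (\d{3})')
# DLP incident ID the poller decided to escalate in this cycle.
CREATE_RE = re.compile(r"given DLP Incident ID (\d+), creating an incident")


def audit_polling_cycles(log_text):
    """Split the log into polling cycles and record, per cycle, the DLP incident
    IDs it tried to create, every POST status to Resilient, and whether the
    cycle reached its 'Finished processing' line."""
    cycles, current = [], None
    for line in log_text.splitlines():
        if POLL_START in line:
            current = {"started": line[:23], "dlp_ids": [],
                       "post_statuses": [], "finished": False}
            cycles.append(current)
        if current is None:          # lines before the first cycle are ignored
            continue
        m = CREATE_RE.search(line)
        if m:
            current["dlp_ids"].append(int(m.group(1)))
        m = POST_RE.search(line)
        if m:
            current["post_statuses"].append(int(m.group(1)))
        if POLL_END in line:
            current["finished"] = True
    return cycles


def failed_cycles(cycles):
    """Cycles that never logged 'Finished' or got a 4xx/5xx from Resilient."""
    return [c for c in cycles
            if not c["finished"] or any(s >= 400 for s in c["post_statuses"])]


if __name__ == "__main__":
    for c in failed_cycles(audit_polling_cycles(SAMPLE_LOG)):
        print(f"cycle at {c['started']}: DLP ids {c['dlp_ids']}, "
              f"POST statuses {c['post_statuses']}, finished={c['finished']}")
```

Run it against the real app.log (with debug logging on, as in the thread) to pick out the cycle whose incident payload needs to be compared against the Resilient incident schema.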



  • 7.  RE: Symantec Data Loss Prevention Integration

    Posted Thu February 06, 2020 05:22 PM
    I got this working properly after some help from support and some customization on my part, but now I am wondering if the integration can be set up to pull DLP incidents from more than just one Saved DLP Report ID?

    ------------------------------
    Ryan Terry
    ------------------------------