IBM Security QRadar SOAR


Symantec DLP Integration Configuration

  • 1.  Symantec DLP Integration Configuration

    Posted Mon January 27, 2020 11:38 AM
    I am wondering if anyone has done any kind of setup like what I am trying to do below. I would like to not have 1 incident per incident within our DLP system, but instead pull from the system once per day with a datatable of all incidents based on type and user. Details below.

    We have 2 sections Endpoint and Network (primarily email). I need to pull incidents from our Network section hitting a certain policy. I then need to take all of these DLP incidents and create 1 Resilient incident for each user with a datatable of all the DLP incidents that the user caused. Then I need to do the same thing in the Endpoint section.

    Example:
           Nick Mumaw caused 312 DLP incidents in the last 24 hours violating policy "SSNs" in the Network section of DLP. Resilient incident 1234 was created with datatable containing 312 DLP incidents with the name "Nick Mumaw - SSNs - Network".

    The reason we need to do it this way is because, as we are working on changing business practices, we are getting sometimes hundreds of incidents from some people. We just need a way to track the amount of incidents we are dealing with by tracking them and even handling them within Resilient.

    I hope this is possible. Thanks!

    ------------------------------
    Nick Mumaw
    ------------------------------


  • 2.  RE: Symantec DLP Integration Configuration

    Posted Thu January 30, 2020 06:16 AM
    Hi Nick, 
    Thank you for raising this in the community. 

    We currently have a Symantec DLP Integration but it is as you note designed to create Resilient Incidents based on DLP ones which meet some criteria. Included with the package is a function used to update an existing DLP Incident.

    What you seem to be looking for is either a function or another polling component which will let you pull certain incidents, aggregate them and then create 1 incident with all the aggregated incidents collected in a Data Table, per person. This is not supported by the DLP integration out of the box today but is an interesting use case nonetheless. I would be interested in hearing if others use a similar workflow for DLP Incidents. 

    Experimenting with DLP Reports, which the Integration pulls incidents from, may get you close to your desired use case. For example, having a report which is specific to certain users or groups. Additionally, the IncidentDTO which is used to create each Incident is done using Jinja templating, meaning it's fully customisable and could support your want for an additional note.

    Let me know if this is helpful.

    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------
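The aggregation step the original question asks for, and which the reply above describes as a polling component that pulls, aggregates and then creates one incident per person with a Data Table, as an added example. This is illustration code, not part of the IBM Symantec DLP integration or of either poster's setup. The DLP record fields (`id`, `section`, `policy`, `user`, `detected`), the sample incidents, and the Resilient payload field names are assumptions for the example; posting the payloads to the Resilient REST API is left out. The `dedup_key` is an added safeguard so that a daily run that is repeated does not create a second incident for the same user, policy, section and day.

```python
"""Aggregate Symantec DLP incidents into one Resilient incident per user.

Added illustration, not the IBM integration's own code. Record shape and
payload fields are assumptions; sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample DLP incidents (hypothetical field names, not the real
# Symantec report schema). Timestamps are UTC, ISO 8601 with a trailing Z.
SAMPLE_DLP_INCIDENTS = [
    {"id": 1001, "section": "Network",  "policy": "SSNs",         "user": "Nick Mumaw", "detected": "2020-01-27T08:15:00Z"},
    {"id": 1002, "section": "Network",  "policy": "SSNs",         "user": "Nick Mumaw", "detected": "2020-01-27T09:02:00Z"},
    {"id": 1003, "section": "Network",  "policy": "SSNs",         "user": "Nick Mumaw", "detected": "2020-01-26T18:40:00Z"},
    {"id": 1004, "section": "Network",  "policy": "SSNs",         "user": "Nick Mumaw", "detected": "2020-01-25T07:00:00Z"},  # older than 24h
    {"id": 1005, "section": "Network",  "policy": "SSNs",         "user": "Jane Doe",   "detected": "2020-01-27T10:30:00Z"},
    {"id": 1006, "section": "Network",  "policy": "Credit Cards", "user": "Nick Mumaw", "detected": "2020-01-27T10:45:00Z"},  # other policy
    {"id": 1007, "section": "Endpoint", "policy": "SSNs",         "user": "Nick Mumaw", "detected": "2020-01-27T11:05:00Z"},  # other section
]

# Fixed "now" so the example is reproducible; a real poller would use datetime.now(timezone.utc).
DEMO_NOW = datetime(2020, 1, 27, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_incidents(incidents, section, policy, now, window=timedelta(hours=24)):
    """Keep only incidents from one DLP section hitting one policy inside the window."""
    since = now - window
    return [
        inc for inc in incidents
        if inc["section"] == section
        and inc["policy"] == policy
        and since <= parse_ts(inc["detected"]) <= now
    ]


def group_by_user(incidents):
    """Bucket incidents by the user who caused them."""
    grouped = defaultdict(list)
    for inc in incidents:
        grouped[inc["user"]].append(inc)
    return grouped


def build_resilient_payloads(incidents, section, policy, now=DEMO_NOW, window=timedelta(hours=24)):
    """Return one Resilient incident payload per user, each carrying Data Table rows.

    Payload keys are illustrative; map them onto your IncidentDTO / Data Table
    field API names when wiring this into a real poller.
    """
    selected = select_incidents(incidents, section, policy, now, window)
    hours = int(window.total_seconds() // 3600)
    payloads = []
    for user, rows in sorted(group_by_user(selected).items()):
        rows = sorted(rows, key=lambda r: parse_ts(r["detected"]))
        payloads.append({
            # Naming follows the question's example: "Nick Mumaw - SSNs - Network"
            "name": f"{user} - {policy} - {section}",
            # Stable key so a repeated daily run can look up the existing incident instead of creating another
            "dedup_key": f"{user}|{policy}|{section}|{now:%Y-%m-%d}",
            "description": f"{len(rows)} Symantec DLP incidents in the last {hours} hours",
            # Resilient date fields are epoch milliseconds
            "discovered_date": int(now.timestamp() * 1000),
            "datatable_rows": [
                {"dlp_incident_id": r["id"], "detected": r["detected"]} for r in rows
            ],
        })
    return payloads


if __name__ == "__main__":
    # Run once per section, as the question describes (Network first, then Endpoint).
    for section in ("Network", "Endpoint"):
        for payload in build_resilient_payloads(SAMPLE_DLP_INCIDENTS, section, "SSNs"):
            print(f'{payload["name"]}: {len(payload["datatable_rows"])} DLP incidents')
```

On the constructed sample this yields two Network/SSNs incidents (Jane Doe with one row, Nick Mumaw with three, the Jan 25 incident falling outside the 24-hour window) and one Endpoint/SSNs incident; the Credit Cards incident is ignored because the run is scoped to a single policy. Before creating an incident a real poller should search Resilient for an existing incident with the same `dedup_key` (stored in a custom field) and append rows to its Data Table instead of creating a duplicate.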