Splunk implementation guide for Data Loss Prevention

Article ID: 171019

Products

Data Loss Prevention Enforce

Issue/Introduction

You want to use the Splunk add-on in conjunction with Symantec Data Loss Prevention (DLP) 12.x and later.

Resolution

  1. Download the add-on from Splunkbase here: https://splunkbase.splunk.com/app/3029.
  2. Install the Splunk Add-on for Symantec DLP. A high-level overview and installation walkthroughs can be found here: http://docs.splunk.com/Documentation/AddOns/released/SymantecDLP/Install.
  3. Configure Symantec DLP to send syslog data:
    • You need to enable syslog in Symantec DLP in order to send events to the Splunk platform through syslog. You also need to use a specific format required by the Splunk add-on for Symantec DLP.

      Set up a response rule in the Symantec DLP server using the following format:

      label="$variable$"

      Specify each variable you would like to extract from your Symantec DLP system using the format above, separating each key/value pair with a comma or a space. A list of variables for specific types of detection can be found in the DLP Admin Guide under "Response Action Variables."

      Example for Symantec DLP version 14:

      incident_id="$INCIDENT_ID$", blocked="$BLOCKED$", policy="$POLICY$", recipients="$RECIPIENTS$", rules="$POLICY_RULES$", sender="$SENDER$", severity="$SEVERITY$", subject="$SUBJECT$"
      Note: You need to use the variable names that correspond with the version of Symantec DLP you are using. For example, if you are using Symantec DLP 12.0 or earlier, instead of using policy="$POLICY$" you would use policy="$POLICY_NAME$".

      For instructions on how to create response rules, see "Response rule actions" in the Symantec Data Loss Prevention Administration Guide. For instructions on configuring syslog, see "Enabling a syslog server."

  4. Configure inputs for the Splunk Add-on for Symantec DLP:

There are two ways to capture the syslog data from Symantec DLP.

  1. Create a file monitor input to monitor the syslog file generated by the Symantec DLP server or to monitor the files generated by a syslog aggregator.
  2. Create a TCP or UDP input to capture the data sent on the port you have configured in Symantec DLP.

Note: For information about timestamp processing options for syslog events, see Syslog and timestamps in Splunk Add-ons.

Monitor input

To configure the Splunk platform to monitor the syslog file generated by the Symantec DLP server, you can use either Splunk Web to create the monitor input or configure inputs.conf directly. If you use a syslog aggregator, you can create a file monitor input to monitor the files generated by the aggregator.

Configure Monitoring through Splunk Web

Configure a file monitoring input on your data collection node for the Symantec DLP syslog file.

  1. Log into Splunk Web.
  2. Select Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to the File or Directory field.
  5. Navigate to the syslog file generated by the Symantec DLP server and click Next.
  6. On the Input Settings page, next to Source type, click Select. In the Select Source Type dropdown, select Network & Security, then symantec:dlp:syslog or type symantec:dlp:syslog in the search field.
  7. Click Review.
  8. After you review the information, click Submit.

Configure inputs.conf

You can create an inputs.conf file and configure the monitor input in this file instead of using Splunk Web.

  1. Using a text editor, create a file named inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_symantec-dlp/local folder.
  2. Add the following stanza and lines, replacing <path> with the actual path to the syslog file, and save the file.
    [monitor://<path>]
    sourcetype = symantec:dlp:syslog
    disabled = 0

  3. Restart the Splunk platform in order for the new input to take effect.

TCP/UDP input

On the Splunk platform node that handles data collection, configure the TCP/UDP input to match your configuration in Symantec DLP and set the source type to symantec:dlp:syslog. The CIM mapping and dashboard panels depend on this source type.

For information on how to configure a Splunk forwarder or single instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual.

Validate data collection

After you configure the input, run this search to verify you are ingesting the data you expect.

sourcetype=symantec:dlp:syslog
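As an added example (not part of this article or the Splunk add-on), the following Python parses events written by a response rule in the label="$variable$" format from step 3 and applies two checks worth running on the results of the validation search above: every label the example response rule emits is present, and no value still carries a literal $VARIABLE$ token (an assumption about how a variable name that does not match your DLP version would surface). The syslog prefix, hostname and all field values are constructed.

```python
import re

# Matches one label="value" pair produced by a response rule of the form
# label="$VARIABLE$"; values may contain spaces, commas or escaped quotes.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Labels the example response rule in this article emits; used as a
# completeness check on each ingested event.
EXPECTED_LABELS = {"incident_id", "blocked", "policy", "recipients",
                   "rules", "sender", "severity", "subject"}

# A $NAME$ token left inside a value is assumed to mean the response rule
# template was not expanded (e.g. variable name wrong for the DLP version).
UNEXPANDED_RE = re.compile(r"\$[A-Z_]+\$")


def parse_dlp_event(line: str) -> dict:
    """Extract the label/value pairs from one DLP syslog line."""
    return {k: v.replace('\\"', '"') for k, v in PAIR_RE.findall(line)}


def validate_event(fields: dict) -> list:
    """Return a list of problems with an event; empty when it is clean."""
    problems = []
    missing = EXPECTED_LABELS - fields.keys()
    if missing:
        problems.append("missing labels: " + ", ".join(sorted(missing)))
    for label, value in fields.items():
        if UNEXPANDED_RE.search(value):
            problems.append(f"unexpanded variable in {label}: {value}")
    return problems


# Constructed sample events (not real DLP output).
SAMPLE_LINES = [
    '<14>Jan 10 12:00:00 dlp-enforce incident_id="10042", blocked="true", '
    'policy="PCI", recipients="a@example.com, b@example.com", '
    'rules="Credit Card Numbers", sender="c@example.com", severity="High", '
    'subject="Q4 \\"draft\\" report"',
    # Space-separated pairs, several labels absent, $POLICY$ left unexpanded.
    '<14>Jan 10 12:00:01 dlp-enforce incident_id="10043" blocked="false" '
    'policy="$POLICY$" sender="d@example.com" severity="Low"',
]


def check_lines(lines):
    """Parse and validate each line; returns (fields, problems) per line."""
    return [(parse_dlp_event(l), validate_event(parse_dlp_event(l)))
            for l in lines]
```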