Cloud Detection Service for REST API with error for Scan Filter is not receiving detection requests


Article ID: 193702


Products

  • Data Loss Prevention Cloud Detection Service
  • Data Loss Prevention Cloud Detection Service for REST

Issue/Introduction

You are not seeing any detection requests from Web Isolation or Zero Trust Network Access (ZTNA, also known as Secure Access Cloud or SAC) in your DLP Cloud Detector.

When configuring the DLP Cloud Detector with another product integration, such as ZTNA or Web Isolation, you are required to add 3 details:

  1. Detector ID: This refers to the DetectorID as provisioned, and should have been sent with your Enrollment Bundle in the Welcome Email.
  2. Detector FQDN: E.g., "https://<DetectorID>.ds.dlp.protect.broadcom.com/v2.0/DetectionRequests" - also sent in the Welcome Email.
  3. Filter ID: aka a REST Scan Filter GUID.

For item #3, this KB contains steps to follow to obtain this Filter ID.

Environment

Release : 16.x-25.1

Component :

DLP Cloud Detection Service for REST (aka a "REST CDS")

Plus one other Custom REST integration point:

  • Web Isolation
  • Zero Trust Network Access (ZTNA - formerly known as Secure Access Cloud or SAC).

Cause

The products which integrate with the DLP Cloud Detection Service need to be configured with a Filter ID (aka the REST Scan Filter GUID), to allow the CDS to correctly assign requests for detection.

Resolution

  1. After enrolling your REST CDS for your integrated product in the Enforce Server, go to Manage > Application Detection in the UI.
  2. Click the plus icon for a "New configuration".
  3. The correct "type" of application for a REST CDS is "Cloud Detection API Service". See the screenshot below for exact detail.
    • If that is not set correctly, change the configuration as above.
  4. The "Application" name can be anything for this type of configuration, but a name is required in this field.
  5. Save the configuration.
  6. In the list of configured apps, click back into the link that was just saved or created.
  7. There will now be an "ID" listed in the first field in the configuration window. That is the required Filter ID, i.e., the REST Scan Filter GUID. If you are configuring ZTNA or Web Isolation, copy this ID for use in that product's configuration.

Additional Information

To confirm, different types of REST Cloud Detectors require different steps for integration:

Method for integration with CASB, aka CloudSOC:

  • Use the token from your Welcome Email.
  • No additional certificate is required.
  • Scan Filter IDs are sent automatically to CASB when Policy Groups are assigned for Application Detection via Enforce.

Method for Zero Trust Network Access (ZTNA - formerly known as Secure Access Cloud or SAC) - for more information also see Symantec DLP Integration with ZTNA:

  • Use the token from your Welcome Email.
  • No additional certificate is required.
  • Follow the steps above to copy the Filter IDs from Enforce to the ZTNA/Secure Access Cloud portal.

Method for Web Isolation:

  • Web Isolation requires a client certificate, instructions for which are included in the Welcome Email.
  • No token is utilized.
  • Follow the steps above to copy the Filter IDs from Enforce to the Web Isolation portal.

The Token used in both CloudSOC and SAC to register a DLP CDS is not the same as the Filter ID (or REST Scan Filter). Using the token in place of the Filter ID will cause the following error to be returned to your client:

External scanning service error: Symantec Data Loss Prevention returned the following statusCode 428, responseBody:{"messageId":"filterNotFound","message":"No filters could be matched. Filter Id (<your-token-here> ...) 
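
The Python helper below is an added example, not Broadcom code: it checks the three integration values before they are entered and classifies the client error quoted above. It assumes a Filter ID is a canonical 8-4-4-4-12 GUID and that the detector URL follows the pattern in this article's example; the function names, finding labels and sample values are hypothetical.

```python
import re
import uuid

# The client error as quoted in this article (token shown as a placeholder).
PAGE_ERROR = ('External scanning service error: Symantec Data Loss Prevention '
              'returned the following statusCode 428, responseBody:'
              '{"messageId":"filterNotFound","message":"No filters could be '
              'matched. Filter Id (<your-token-here> ...) ')

def is_guid(value):
    """True for a canonical 8-4-4-4-12 GUID (assumed format of a Filter ID)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, TypeError, AttributeError):
        return False

def check_integration(detector_id, detector_url, filter_id):
    """Pre-flight check of the three values the integrating product asks for."""
    problems = []
    # URL pattern taken from the example in this article.
    expected = (f"https://{detector_id}.ds.dlp.protect.broadcom.com"
                "/v2.0/DetectionRequests")
    if detector_url.strip() != expected:
        problems.append("detector URL does not match the Detector ID")
    if not is_guid(filter_id.strip()):
        problems.append("Filter ID is not a GUID (is it the enrollment token?)")
    return problems

def diagnose(error_text):
    """Classify a client error line; regexes tolerate a truncated responseBody."""
    status = re.search(r"statusCode (\d+)", error_text)
    msg_id = re.search(r'"messageId":"([^"]+)"', error_text)
    sent = re.search(r"Filter Id \(([^)\s]+)", error_text)
    if not (status and msg_id):
        return None
    fid = sent.group(1) if sent else None
    if msg_id.group(1) != "filterNotFound":
        finding = "other-error"
    elif fid is None:
        finding = "filter-id-not-shown"
    elif is_guid(fid):
        finding = "guid-sent-but-unmatched"  # re-copy the ID from Enforce
    else:
        finding = "non-guid-sent-as-filter-id"  # e.g. the token was pasted
    return {"status": int(status.group(1)), "message_id": msg_id.group(1),
            "filter_id_sent": fid, "finding": finding}

if __name__ == "__main__":
    print(diagnose(PAGE_ERROR))
```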

Attachments

SymantecDLP-ClientCertificateRedemptionFlow.pdf