Cloud Detection Service for REST API with error for Scan Filter is not receiving detection requests
Article ID: 193702
Updated On:
Products
Issue/Introduction
You are not seeing any detection requests from Web Isolation or Zero Trust Network Access (aka ZTNA, or Secure Access Cloud / SAC), in your DLP Cloud Detector.
When configuring the DLP Cloud Detector with another product integration, such as ZTNA or Web Isolation, you are required to add 3 details:
- Detector ID: This refers to the DetectorID as provisioned, and should have been sent with your Enrollment Bundle in the Welcome Email.
- Detector FQDN: E.g., https://<DetectorID>.ds.dlp.protect.broadcom.com/v2.0/DetectionRequests" - also sent in Welcome Email.
- Filter ID: aka a REST Scan Filter GUID.
For item #3, this KB contains steps to follow to obtain this Filter ID.
Environment
Release : 16.x-25.1
Component :
DLP Cloud Detection Service for REST (aka a "REST CDS")
Plus one other Custom REST integration point:
- Web Isolation
- Zero Trust Network Access (ZTNA - formerly known as Secure Access Cloud or SAC).
Cause
The products which integrate with the DLP Cloud Detection Service need to be configured with a Filter ID (aka the REST Scan Filter GUID), to allow the CDS to correctly assign requests for detection.
Resolution
For on-premise managed detector:
- After enrolling your REST CDS for your integrated product in the Enforce Server, go to Manage > Application Detection in the UI.
- If you do not have that listed in your login to Enforce, see this article for enabling it: New RBAC options for managing Cloud Detection Server (CDS) as well as for viewing Cloud incidents (broadcom.com)
- Click the plus icon for a "New configuration".
- The correct "type" of application for a REST CDS is "Cloud Detection API Service". See the screenshot below for exact detail.
- If that is not set correctly, change the configuration as above.
- The "Application" name can be anything for this type of configuration, but a name is required in this field.
- Save the configuration.
- In the list of configured apps, click back into the link that was just saved or created.
- There will now be an "ID" listed in the first field in the configuration window. THAT is the Filter ID required - i.e., REST Scan Filter GUID. If you are configuring ZTNA or Web Isolation, copy this ID for use in that product configuration:
For cloud managed detector:
- After you confirmed that your detector shows up under Settings > Data Loss Prevention, go to Protect > Policies > Policies.
- Click on New > Cloud DLP API Detection and create your policy assigned to your CDS for WI/ZTNA detector.
- Save a policy and then open it again. Under the Filter ID you will find equivalent of the REST Connector GUID.
Additional Information
To confirm, different types of REST Cloud Detectors require different steps for integration:
Method for integration with CASB, aka CloudSOC:
- Use the token from your Welcome Email.
- No additional certificate is required.
- Scan Filter IDs are sent automatically to CASB when Policy Groups are assigning for Application Detection via Enforce.
Method for Zero Trust Network Access (ZTNA - formerly known as Secure Access Cloud or SAC) - for more information also see Symantec DLP Integration with ZTNA:
- Use the token from your Welcome Email.
- No additional certificate is required.
- Follow the steps above to copy the Filter IDs from Enforce to the ZTNA/Secure Access Cloud portal.
Method for Web Isolation:
- Web Isolation requires a client certificate, instructions for which are included in the Welcome Email.
- No token is utlized.
- Follow the steps above to copy the Filter IDs from Enforce to Web Isolation portal.
The Token used in both CloudSOC and SAC to registering a DLP CDS is not the same as the Filter ID (or Rest Scan Filter). Using the token will cause the following error returned to your client:
External scanning service error: Symantec Data Loss Prevention returned the following statusCode 428, responseBody:{"messageId":"
Attachments
Feedback
