Using a Non-ICA UEBA with User Risk


Article ID: 274148


Products

Data Loss Prevention Data Loss Prevention API Detection for Developer Apps Virtual Appliance Data Loss Prevention API Detection Virtual Appliance Data Loss Prevention Cloud Detection Service Data Loss Prevention Cloud Detection Service for ICAP Data Loss Prevention Cloud Detection Service for REST Data Loss Prevention Cloud Package Data Loss Prevention Cloud Prevent for Microsoft Office 365 Data Loss Prevention Cloud Storage Data Loss Prevention Core Package Data Loss Prevention Data Access Governance Data Loss Prevention Discover Suite Data Loss Prevention Endpoint Discover Data Loss Prevention Endpoint Prevent Data Loss Prevention Endpoint Suite Data Loss Prevention Enforce Data Loss Prevention Enterprise Suite Data Loss Prevention Form Recognition Data Loss Prevention Network Discover Data Loss Prevention Network Email Data Loss Prevention Network Monitor Data Loss Prevention Network Monitor and Prevent for Email Data Loss Prevention Network Monitor and Prevent for Email and Web Data Loss Prevention Network Monitor and Prevent for Web Data Loss Prevention Network Prevent for Email Data Loss Prevention Network Prevent for Email Virtual Appliance Data Loss Prevention Network Prevent for Web Virtual Appliance Data Loss Prevention Network Protect Data Loss Prevention Network Web Data Loss Prevention Oracle Standard Edition 2 Data Loss Prevention Plus Suite Data Loss Prevention Sensitive Image Recognition

Issue/Introduction

You can use the User Risk Based detection feature if you do not use Symantec Information Centric Analytics (ICA). Instead of running ICA, you can use the user and entity behavior analytics (UEBA) solution of your choice to push user risk scores to the Enforce Server.

This integration supports all detection features that the User Risk Based detection feature provides.

You can integrate your UEBA solution starting with Symantec Data Loss Prevention version 16.0.1. 

See “Introducing User Risk Based Detection” in the latest version of the Symantec Data Loss Prevention help for information on using User Risk Based detection.

Environment

DLP versions after 16.0.1

Resolution

Steps to integrate a UEBA solution with the Enforce Server

Complete the following steps to integrate your UEBA solution with the Enforce Server: 

  1. Stand up a REST-based API server. Confirm that the endpoint accepts the following required query parameters:
    • pageSize: number of records that each API call retrieves
    • pageIndex: index of the page to retrieve

      The following is an example URL that uses each parameter:

      https://<machine ip address>/ica?query=&pageSize=%d&pageIndex=%d

      Review the following example output to confirm that your REST server is set up correctly:

      {
        "Data": [
          {
            "FirstName":"Abhishek", //this field is mandatory
            "LastName":"Lopez", //this field is mandatory
            "StreetAddress":"101 California St",
            "City":"San Francisco",
            "PostalCode":"95432",
            "State":"CA",
            "PhoneNumber":"11111",
            "Country":"USA",
            "JobTitle":"Program Manager",
            "Department":"DLP",
            "DateCreated":"2023-05-11T05:06:51.452+00:00", //this field is mandatory
            "DateModified":"2023-05-11T05:06:51.452+00:00", //this field is mandatory
            "Email":"[email protected]",
            "AccountName":"abhishek.lopez", //this field is mandatory
            "NetBIOSDomain":"ICA", //this field is mandatory
            "RiskScore":"80", //this field is mandatory
            "UserID":"1"  //this field is mandatory
          },
          {
            "FirstName":"Abhishek",
            "LastName":"Sharma",
            "StreetAddress":"101 Sutter St",
            "City":"San Francisco",
            "PostalCode":"95432",
            "State":"CA",
            "PhoneNumber":"11111",
            "Country":"USA",
            "JobTitle":"Program Manager",
            "Department":"DLP",
            "DateCreated":"2023-05-11T05:06:51.452+00:00",
            "DateModified":"2023-05-11T05:06:51.452+00:00",
            "Email":"[email protected]",
            "AccountName":"abhishek.sharma",
            "NetBIOSDomain":"ICA",
            "RiskScore":"80",
            "UserID":"2"
          }
        ]
      }

      Note: The RiskScore value is a percentage and accepts values between 1 and 100.

  2. Locate the Enforce.properties file based on your platform:

    • Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\vv.uu\Protect\config
    • Linux: /opt/Symantec/DataLossPrevention/EnforceServer/vv.uu/Protect/config

      Where vv.uu indicates the DLP version.

  3. Edit the following two properties to include the listed values: 
    • com.vontu.manager.ica.rest.endpoint.url = https://<machine-name or ip address>/ica?query=&pageSize=%d&pageIndex=%d

      Note: Replace <machine-name or ip address> with information specific to the Enforce Server in your environment.

    • com.vontu.manager.ica.api.pageSize = 10000

  4. Restart the Symantec DLP Manager service.
  5. Log in to the Enforce Server, go to System > Users > Data Sources, and click Add > ICA Data Source.
  6. In the ICA Base URL field, add the URL of the REST-based API server you created in step 1. The URL syntax is:

    • https://<machine-name or ip address>

  7. Select the ICA credential, or create one if none exists.
  8. Click Import to import the data source users.
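The following is an added example, not Symantec's code or anything shipped with DLP, of a minimal stand-in for the REST-based API server that step 1 asks for. It assumes pageIndex is 0-based (the article does not say), returns the {"Data": [...]} envelope from the example output above, and listens on plain HTTP on localhost for testing only (the URL configured in step 3 is https). The validate_record function can also be run over the output of curl, as the Troubleshooting section suggests, to confirm that every record carries the mandatory fields and a RiskScore between 1 and 100. The USERS records are constructed placeholders, not real people.

```python
"""Minimal mock of the pageSize/pageIndex REST endpoint that Enforce polls.

Added example, not Symantec's code. Assumptions: pageIndex is 0-based,
the response is the {"Data": [...]} envelope shown in the article, and
the server runs on plain HTTP on localhost for testing only.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Fields the article marks "this field is mandatory" in the example output.
MANDATORY_FIELDS = ("FirstName", "LastName", "DateCreated", "DateModified",
                    "AccountName", "NetBIOSDomain", "RiskScore", "UserID")

# Constructed sample records; the values are placeholders, not real users.
USERS = [
    {"FirstName": "Abhishek", "LastName": "Lopez", "Department": "DLP",
     "DateCreated": "2023-05-11T05:06:51.452+00:00",
     "DateModified": "2023-05-11T05:06:51.452+00:00",
     "AccountName": "abhishek.lopez", "NetBIOSDomain": "ICA",
     "RiskScore": "80", "UserID": "1"},
    {"FirstName": "Abhishek", "LastName": "Sharma", "Department": "DLP",
     "DateCreated": "2023-05-11T05:06:51.452+00:00",
     "DateModified": "2023-05-11T05:06:51.452+00:00",
     "AccountName": "abhishek.sharma", "NetBIOSDomain": "ICA",
     "RiskScore": "35", "UserID": "2"},
]


def validate_record(record):
    """Return the problems found in one user record (empty list means OK).

    Checks the mandatory fields and that RiskScore is an integer in 1-100,
    which is the range the article's note says Enforce accepts.
    """
    problems = []
    for field in MANDATORY_FIELDS:
        if record.get(field) in (None, ""):
            problems.append(f"missing mandatory field {field}")
    score = record.get("RiskScore")
    try:
        if not 1 <= int(score) <= 100:
            problems.append(f"RiskScore {score} is outside 1-100")
    except (TypeError, ValueError):
        problems.append(f"RiskScore {score!r} is not an integer")
    return problems


def page(records, page_size, page_index):
    """Slice one page of records for a pageSize/pageIndex request.

    Assumption: pageIndex is 0-based. An index past the end yields an
    empty Data list so a client knows there is nothing more to fetch.
    """
    if page_size < 1 or page_index < 0:
        raise ValueError("pageSize must be >= 1 and pageIndex >= 0")
    start = page_size * page_index
    return {"Data": records[start:start + page_size]}


class IcaHandler(BaseHTTPRequestHandler):
    """Serves GET /ica?query=&pageSize=N&pageIndex=M from the USERS list."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/ica":
            self.send_error(404, "unknown path")
            return
        query = parse_qs(url.query)
        try:
            page_size = int(query.get("pageSize", ["100"])[0])
            page_index = int(query.get("pageIndex", ["0"])[0])
            body = json.dumps(page(USERS, page_size, page_index)).encode()
        except ValueError as err:
            self.send_error(400, str(err))
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Local test only, e.g.:
    #   curl "http://127.0.0.1:8080/ica?query=&pageSize=1&pageIndex=0"
    HTTPServer(("127.0.0.1", 8080), IcaHandler).serve_forever()
```

Requests with a non-numeric or out-of-range pageSize/pageIndex get a 400 rather than a partial page, so a misconfigured com.vontu.manager.ica.api.pageSize shows up as an explicit error in the server log instead of silently importing nothing.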

 

Display Additional User Details in the Incident Snapshot

Incident details display the User Risk Score provided by the UEBA portal. You can configure DLP to display a URL that points to additional user details at the UEBA portal. To configure DLP to provide a URL to the UEBA portal, you must update the Manager.properties file.

Complete the following steps to update the Manager.properties file:

  1. Locate the Manager.properties file based on your platform:

    • Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\vv.uu\Protect\config
    • Linux: /opt/Symantec/DataLossPrevention/EnforceServer/vv.uu/Protect/config

      Where vv.uu indicates the DLP version.

  2. Edit the following properties to include the listed values:

    • # URL suffix to prepare user details deep link for ICA console
    • com.vontu.manager.ica.userDetailsUrl.suffix = /#/entities/users/%s/detail

      Where %s represents the UserID field from the JSON output.

  3. Save your changes.

 

Troubleshooting

If you experience issues after completing the steps to integrate a UEBA solution, review the following troubleshooting items:

  • Confirm that the API server is online and producing data in the expected format. Use curl or any other REST API client to test the output.
  • Review errors in the localhost*.log file, located at ..\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\logs\tomcat.