# Symantec DLP
The Symantec DLP connector allows for seamless integration with Swimlane Turbine to automate responses to data loss prevention incidents and manage data security policies.

Symantec DLP (Data Loss Prevention) is a comprehensive data security solution that helps organizations prevent data breaches and secure sensitive information. The Symantec DLP Turbine connector enables users to automate incident response and policy management tasks within the Swimlane Turbine platform. By integrating with Symantec DLP, users can retrieve detailed incident data, manage policy enforcement, and streamline compliance processes, enhancing the overall security posture and reducing manual workload.

## Limitations

None to date.

## Supported Versions

This connector uses version 16.1 of the Symantec DLP API.

## Additional Docs

- Authentication: https://apidocs.securitycloud.symantec.com/#/doc?id=introduction
- API Documentation: https://apidocs.securitycloud.symantec.com/#/doc?id=16.1_incidentdetails

## Configuration

### Prerequisites

To effectively utilize the Symantec DLP connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: endpoint URL for the Symantec DLP API
  - Username: your Symantec DLP account username
  - Password: your Symantec DLP account password

### Authentication Methods

#### Basic Authentication

- URL: the base endpoint for the Symantec DLP API
- Username: your Symantec DLP account username
- Password: your Symantec DLP account password

## Capabilities

This Symantec DLP connector provides the following capabilities:

- Get All Component Matches
- Get Component Data
- Get Editable Incident Details
- Get Form Image
- Get Incident Components
- Get Incident Correlations
- Get Incident History
- Get Incident Message Body
- Get Incident Original Message
- Get Policy Matches
- Get Static Incident Details
- Update A Policy

Each capability corresponds to a call in the Symantec DLP 16.1 incident details API reference linked under Additional Docs.

### Get All Component Matches

Retrieves all the matches of the components for an incident.

### Get Component Data

Retrieves the data of a specified incident component based on the component ID.

### Get Editable Incident Details

Retrieves editable attributes of the specified incident. The API only returns the attributes that the user has permissions to read.

### Get Form Image

Retrieves the form image from the database or an external disk based on the message ID and violation ID.

### Get Incident Components

Retrieves a list of all incident components. The list contains the ID, name and MIME type of the components.

### Get Incident Correlations

Retrieves the correlations of the specified incident.

### Get Incident History

Retrieves the history and notes of the specified incident.

### Get Incident Message Body

Retrieves the message body of the specified incident. The message body is available for download if the required permissions are satisfied.

### Get Incident Original Message

Retrieves the original message of the specified incident. The original message is available for download if the required permissions are satisfied.

### Get Policy Matches

Retrieves information on the other violated policies for the specified incident.

### Get Static Incident Details

Retrieves static attributes of the specified incident. Only returns the attributes that the user has permissions to read.

### Update A Policy

Enables or disables policies specified by the policy ID.

## Configurations

### Symantec DLP HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get All Component Matches

Retrieve all component matches for a specified incident ID in Symantec DLP.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/components/matches`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [{}, {}]
  }
]
```

### Get Component Data

Retrieves incident component data from Symantec DLP using a specific component ID provided in the path parameters.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/components/{{componentId}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |
| componentId | number | required | The message component ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field file |
| file.file | string | Output field file |
| file.file_name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "file": {
      "file": "string",
      "file_name": "example name"
    }
  }
]
```

### Get Editable Incident Details

Retrieve editable attributes of a specified incident in Symantec DLP, including user permissions verification.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/history`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| incidentId | number | Unique identifier |
| infoMap | object | Output field infoMap |
| preventOrProtectStatusId | number | Unique identifier |
| incidentStatusName | string | Unique identifier |
| isHidingNotAllowed | boolean | Unique identifier |
| severityId | number | Unique identifier |
| incidentStatusId | number | Unique identifier |
| isHidden | boolean | Unique identifier |
| customAttributeGroups | array | Output field customAttributeGroups |
| name | string | Name of the resource |
| customAttributes | array | Output field customAttributes |
| name | string | Name of the resource |
| index | number | Output field index |
| displayOrder | number | Output field displayOrder |
| email | boolean | Output field email |
| nameInternationalized | boolean | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "incidentId": 1,
      "infoMap": {},
      "customAttributeGroups": []
    }
  }
]
```

### Get Form Image

Retrieves the form image for a given message and violation ID from Symantec DLP, requiring the path parameters id, messageId, and violationId.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/message/{{messageId}}/violation/{{violationId}}/image`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |
| messageId | number | required | The message ID |
| violationId | number | required | The violation condition ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field file |
| file.file | string | Output field file |
| file.file_name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "file": {
      "file": "string",
      "file_name": "example name"
    }
  }
]
```

### Get Incident Components

Retrieves all components of a Symantec DLP incident, such as ID, name, and MIME type, using the given incident ID.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/components`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [{}, {}]
  }
]
```

### Get Incident Correlations

Retrieve correlations for a specified incident in Symantec DLP using the unique identifier provided.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/correlations`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {
        "variable": "incident sender",
        "label": "Sender",
        "correlationValues": [
          {
            "value": "janedoe@gmail.com",
            "countSevenDays": 0,
            "countThirtyDays": 0,
            "countAllDays": 24
          }
        ]
      },
      {
        "variable": "incident recipient",
        "label": "Recipient",
        "correlationValues": [
          {
            "value": "bobdoe@gmail.com",
            "countSevenDays": 0,
            "countThirtyDays": 0,
            "countAllDays": 24
          }
        ]
      },
      {
        "variable": "incident message subject",
        "label": "Subject",
        "correlationValues": [
          {
            "value": "secret",
            "countSevenDays": 0,
            "countThirtyDays": 0,
            "countAllDays": 24
          }
        ]
      }
    ]
  }
]
```

### Get Incident History

Retrieves the history and notes for a specified incident in Symantec DLP using the provided incident ID.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/history`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {
        "incidentHistoryDate": "2022-08-26T15:17:37.369",
        "dlpUserName": "Administrator",
        "incidentHistoryAction": "SET_STATUS",
        "incidentHistoryDetail": "New",
        "policyGroupId": 1,
        "detectionServerName": "Vontu Monitor One",
        "incidentId": 1,
        "messageSource": "NETWORK",
        "messageDate": "2017-07-27T16:08:09",
        "incidentHistoryActionString": "Status changed"
      },
      {
        "incidentHistoryDate": "2022-08-26T15:17:23.19",
        "dlpUserName": "Administrator",
        "incidentHistoryAction": "MESSAGE_NOT_RETAINED",
        "policyGroupId": 1,
        "detectionServerName": "Vontu Monitor One",
        "incidentId": 1,
        "messageSource": "NETWORK",
        "messageDate": "2017-07-27T16:08:09",
        "incidentHistoryActionString": "The original message content was not retained due to default retention behavior or due to the Limit Incident Data Retention response rule action"
      },
      {
        "incidentHistoryDate": "2022-08-26T15:17:23.186",
        "dlpUserName": "Administrator",
        "incidentHistoryAction": "SET_SEVERITY",
        "incidentHistoryDetail": "High",
        "policyGroupId": 1,
        "detectionServerName": "Vontu Monitor One",
        "incidentId": 1,
        "messageSource": "NETWORK",
        "messageDate": "2017-07-27T16:08:09",
        "incidentHistoryActionString": "Severity changed"
      }
    ]
  }
]
```

### Get Incident Message Body

Retrieves the message body of a specified incident from Symantec DLP, requiring an `id` path parameter for access.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/messageBody`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field file |
| file.file | string | Output field file |
| file.file_name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "file": {
      "file": "string",
      "file_name": "example name"
    }
  }
]
```

### Get Incident Original Message

Retrieves the original message of a specified incident in Symantec DLP using the incident ID.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/originalMessage`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field file |
| file.file | string | Output field file |
| file.file_name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "file": {
      "file": "string",
      "file_name": "example name"
    }
  }
]
```

### Get Policy Matches

Retrieve detailed policy violation information for a given incident ID in Symantec DLP.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/policyMatches`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| violatedRules | array | Output field violatedRules |
| ruleName | string | Name of the resource |
| ruleTypeI18nKey | string | Type of the resource |
| matches | number | Output field matches |
| policyName | string | Name of the resource |
| otherPoliciesViolated | array | Output field otherPoliciesViolated |
| policyId | number | Unique identifier |
| incidentId | number | Unique identifier |
| policyName | string | Name of the resource |
| preventOrProtectStatusId | number | Unique identifier |
| matches | number | Output field matches |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "violatedRules": [],
      "policyName": "Symantec",
      "otherPoliciesViolated": [],
      "matches": 3
    }
  }
]
```

### Get Static Incident Details

Retrieve static attributes for a specified incident in Symantec DLP, ensuring compliance with user permissions.

- Endpoint URL: `/ProtectManager/webservices/v2/incidents/{{id}}/staticAttributes`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | The incident ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| incidentId | number | Unique identifier |
| infoMap | object | Output field infoMap |
| attachmentInfo | array | Output field attachmentInfo |
| messageComponentName | string | Name of the resource |
| messageComponentId | number | Unique identifier |
| wasCracked | boolean | Output field wasCracked |
| documentFormat | string | Output field documentFormat |
| messageComponentType | number | Type of the resource |
| originalSize | string | Output field originalSize |
| attachmentSize | string | Output field attachmentSize |
| messageOriginatorId | number | Unique identifier |
| fileCreateDate | string | Date value |
| uniqueMessageId | string | Unique identifier |
| fileAccessDate | string | Date value |
| messageType | string | Type of the resource |
| endpointFilePath | string | Output field endpointFilePath |
| endpointApplicationPath | string | Output field endpointApplicationPath |
| senderIPAddress | string | Output field senderIPAddress |
| endpointVolumeName | string | Name of the resource |
| fileCreatedBy | string | Output field fileCreatedBy |
| domainUserName | string | Name of the resource |
| policyId | number | Unique identifier |
| policyName | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "incidentId": 1,
      "infoMap": {}
    }
  }
]
```

### Update A Policy

Enable or disable a specific Symantec DLP policy by using the provided policy ID. Required inputs include `policyId` and `enable`.

- Endpoint URL: `/ProtectManager/webservices/v2/policy/{{policyId}}`
- Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| policyId | number | required | The policy ID |
| enable | boolean | required | Set `true` when you want to activate the policy, `false` when you want to deactivate it |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": "Policy is updated successfully."
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
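The configuration and action tables above describe the calls the connector makes but not how an HTTP Basic request to the DLP API is assembled, how `verify_ssl` and `http_proxy` map onto a transport, or how a policy toggle is sent. The following is an added example written for this page; it is not the connector's or Symantec's code. The endpoint paths follow the action tables; the hostname and credentials are placeholders, and sending the `enable` flag as a JSON body `{"enable": true|false}` on the PUT is an assumption about the connector's behaviour. The `recording_transport` stands in for a live server so the block runs offline.

```python
"""Added example: HTTP Basic client for the Symantec DLP v2 actions listed above.
Not connector or Symantec code. Host, credentials and the PUT body shape for
Update A Policy ({"enable": true/false}) are assumptions."""
import base64
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional

API = "/ProtectManager/webservices/v2"


@dataclass
class DlpRequest:
    """One HTTP call kept as data, so it can be inspected before it is sent."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[bytes] = None


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 value: 'Basic ' + base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(base_url: str, username: str, password: str, path: str,
                  method: str = "GET", json_body: Any = None) -> DlpRequest:
    headers = {"Authorization": basic_auth_header(username, password),
               "Accept": "application/json"}
    body = None
    if json_body is not None:
        body = json.dumps(json_body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return DlpRequest(method, base_url.rstrip("/") + path, headers, body)


def urllib_transport(verify_ssl: bool = True,
                     http_proxy: Optional[str] = None) -> Callable[[DlpRequest], Dict[str, Any]]:
    """Live transport mirroring the connector's verify_ssl / http_proxy options.
    verify_ssl=False disables certificate checks, so the Basic credentials would be
    accepted by any host answering on that name; keep it on outside a lab."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if http_proxy:
        handlers.append(urllib.request.ProxyHandler({"http": http_proxy, "https": http_proxy}))
    opener = urllib.request.build_opener(*handlers)

    def send(req: DlpRequest) -> Dict[str, Any]:
        raw = urllib.request.Request(req.url, data=req.body, headers=req.headers, method=req.method)
        try:
            with opener.open(raw, timeout=30) as resp:
                status, reason, hdrs, payload = resp.status, resp.reason, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry status and body worth returning
            status, reason, hdrs, payload = err.code, err.reason, dict(err.headers), err.read()
        # JSON-returning actions only; file-returning actions would need the raw bytes instead
        return {"status_code": status, "reason": reason, "response_headers": hdrs,
                "json_body": json.loads(payload) if payload else None}
    return send


def recording_transport(canned: Dict[str, Dict[str, Any]]) -> Callable[[DlpRequest], Dict[str, Any]]:
    """Offline stand-in: records every request and answers from constructed responses keyed by URL."""
    sent = []

    def send(req: DlpRequest) -> Dict[str, Any]:
        sent.append(req)
        return canned.get(req.url, {"status_code": 404, "reason": "Not Found",
                                    "response_headers": {}, "json_body": None})
    send.sent = sent  # type: ignore[attr-defined]
    return send


class SymantecDlpClient:
    def __init__(self, base_url: str, username: str, password: str,
                 transport: Callable[[DlpRequest], Dict[str, Any]]):
        self.base_url, self.username, self.password, self.transport = base_url, username, password, transport

    def _call(self, path: str, method: str = "GET", json_body: Any = None) -> Dict[str, Any]:
        return self.transport(build_request(self.base_url, self.username, self.password, path, method, json_body))

    # int() on every path parameter: a workflow input never reaches the URL as a raw string
    def get_incident_correlations(self, incident_id: int) -> Dict[str, Any]:
        return self._call(f"{API}/incidents/{int(incident_id)}/correlations")

    def get_policy_matches(self, incident_id: int) -> Dict[str, Any]:
        return self._call(f"{API}/incidents/{int(incident_id)}/policyMatches")

    def update_policy(self, policy_id: int, enable: bool) -> Dict[str, Any]:
        return self._call(f"{API}/policy/{int(policy_id)}", "PUT", {"enable": bool(enable)})


if __name__ == "__main__":
    # Constructed demo: disable policy 7 against a recorded server; no network is used.
    host = "https://dlp.example.test"  # placeholder host
    fake = recording_transport({f"{host}{API}/policy/7": {
        "status_code": 200, "reason": "OK", "response_headers": {},
        "json_body": "Policy is updated successfully."}})
    client = SymantecDlpClient(host, "dlp-api-user", "example-password", fake)
    print(client.update_policy(7, enable=False))
    print(fake.sent[0].method, fake.sent[0].url, fake.sent[0].body)
```

To go live, pass `urllib_transport(verify_ssl=True, http_proxy=...)` instead of the recording transport; the `DlpRequest` objects the recorder captures are also what you would log (minus the `Authorization` header) when auditing which policies a workflow toggled.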
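The Get Incident Correlations and Get Incident History examples above show raw payloads but not how a workflow would turn them into a decision. Here is an added example, written for this page and not part of the connector, that replays the history in timestamp order to recover the incident's current status and severity, flags correlation values (sender, recipient, subject) that have appeared in earlier incidents, and combines both into a triage verdict. The two payloads are constructed copies of the page's examples; the repeat threshold and the verdict rules are assumptions a team would tune.

```python
"""Added example (not connector code): triage over the Get Incident Correlations
and Get Incident History outputs. Sample payloads are constructed copies of the
page's examples; min_all_days and the verdict rules are assumptions."""
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Constructed: json_body of Get Incident Correlations for incident 1
CORRELATIONS = [
    {"variable": "incident sender", "label": "Sender", "correlationValues": [
        {"value": "janedoe@gmail.com", "countSevenDays": 0, "countThirtyDays": 0, "countAllDays": 24}]},
    {"variable": "incident recipient", "label": "Recipient", "correlationValues": [
        {"value": "bobdoe@gmail.com", "countSevenDays": 0, "countThirtyDays": 0, "countAllDays": 24}]},
    {"variable": "incident message subject", "label": "Subject", "correlationValues": [
        {"value": "secret", "countSevenDays": 0, "countThirtyDays": 0, "countAllDays": 24}]},
]

# Constructed: json_body of Get Incident History for the same incident (newest first, as returned)
HISTORY = [
    {"incidentHistoryDate": "2022-08-26T15:17:37.369", "dlpUserName": "Administrator",
     "incidentHistoryAction": "SET_STATUS", "incidentHistoryDetail": "New", "incidentId": 1},
    {"incidentHistoryDate": "2022-08-26T15:17:23.19", "dlpUserName": "Administrator",
     "incidentHistoryAction": "MESSAGE_NOT_RETAINED", "incidentId": 1},
    {"incidentHistoryDate": "2022-08-26T15:17:23.186", "dlpUserName": "Administrator",
     "incidentHistoryAction": "SET_SEVERITY", "incidentHistoryDetail": "High", "incidentId": 1},
]


def parse_dlp_timestamp(value: str) -> datetime:
    """DLP timestamps carry 0 to 3 fractional digits ('...:23.19'); pad to strptime's %f."""
    base, _, frac = value.partition(".")
    return datetime.strptime(f"{base}.{(frac + '000000')[:6]}", "%Y-%m-%dT%H:%M:%S.%f")


def repeat_values(correlations: List[Dict[str, Any]], min_all_days: int = 10) -> List[Tuple[str, str, int, int]]:
    """(label, value, countThirtyDays, countAllDays) for values seen >= min_all_days times, busiest first."""
    hits = []
    for corr in correlations:
        for cv in corr.get("correlationValues", []):
            if cv.get("countAllDays", 0) >= min_all_days:
                hits.append((corr.get("label", corr.get("variable", "")), cv["value"],
                             cv.get("countThirtyDays", 0), cv["countAllDays"]))
    return sorted(hits, key=lambda h: (-h[3], -h[2]))  # stable: ties keep API order


def current_state(history: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Replay the history oldest-first so the latest status/severity change wins."""
    state: Dict[str, Any] = {"status": None, "severity": None, "message_retained": True, "actors": []}
    for ev in sorted(history, key=lambda e: parse_dlp_timestamp(e["incidentHistoryDate"])):
        action = ev.get("incidentHistoryAction")
        if action == "SET_STATUS":
            state["status"] = ev.get("incidentHistoryDetail")
        elif action == "SET_SEVERITY":
            state["severity"] = ev.get("incidentHistoryDetail")
        elif action == "MESSAGE_NOT_RETAINED":
            state["message_retained"] = False  # Get Incident Original Message will have nothing to return
        user = ev.get("dlpUserName")
        if user and user not in state["actors"]:
            state["actors"].append(user)
    return state


def triage(correlations: List[Dict[str, Any]], history: List[Dict[str, Any]],
           min_all_days: int = 10) -> Dict[str, Any]:
    """Combine both views into one verdict an analyst or a workflow branch can act on."""
    state = current_state(history)
    repeats = repeat_values(correlations, min_all_days)
    recent = [r for r in repeats if r[2] > 0]  # also active in the last thirty days
    if state["severity"] == "High" and repeats:
        verdict = "escalate"  # high severity plus a party with prior incidents
    elif state["status"] in (None, "New"):
        verdict = "review"
    else:
        verdict = "monitor"
    return {"verdict": verdict, "state": state, "repeat_values": repeats,
            "recent_repeats": recent, "evidence_available": state["message_retained"]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(CORRELATIONS, HISTORY), indent=2, default=str))
```

On the page's own data every correlated value has `countAllDays` 24 but `countSevenDays` and `countThirtyDays` 0, so the verdict is "escalate" on history alone while `recent_repeats` stays empty; the `message_retained` flag tells the workflow not to bother calling Get Incident Original Message for this incident.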