# Symantec DLP

The Symantec DLP connector allows for seamless integration with Swimlane Turbine to automate responses to data loss prevention incidents and manage data security policies.

Symantec DLP (Data Loss Prevention) is a comprehensive data security solution that helps organizations prevent data breaches and secure sensitive information. The Symantec DLP Turbine connector enables users to automate incident response and policy management tasks within the Swimlane Turbine platform. By integrating with Symantec DLP, users can retrieve detailed incident data, manage policy enforcement, and streamline compliance processes, enhancing the overall security posture and reducing manual workload.

## Limitations

None to date.

## Supported versions

This connector uses Symantec DLP version 16.1.

## Additional docs

- https://apidocs.securitycloud.symantec.com/#/doc?id=introduction
- https://apidocs.securitycloud.symantec.com/#/doc?id=16.1_incidentdetails

## Configuration

### Prerequisites

To effectively utilize the Symantec DLP connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: endpoint URL for the Symantec DLP API
  - Username: your Symantec DLP account username
  - Password: your Symantec DLP account password

### Authentication methods

#### Basic Authentication

- URL: the base endpoint for the Symantec DLP API
- Username: your Symantec DLP account username
- Password: your Symantec DLP account password

## Capabilities

This Symantec DLP connector provides the following capabilities:

- Get All Component Matches
- Get Component Data
- Get Editable Incident Details
- Get Form Image
- Get Incident Components
- Get Incident Correlations
- Get Incident History
- Get Incident Message Body
- Get Incident Original Message
- Get Policy Matches
- Get Static Incident Details
- Update a Policy

Each capability is documented in the Symantec DLP 16.1 incident details API reference (https://apidocs.securitycloud.symantec.com/#/doc?id=16.1_incidentdetails):

- **Get All Component Matches**: Retrieves all the matches of the components for an incident.
- **Get Component Data**: Retrieves the data of a specified incident component based on the component ID.
- **Get Editable Incident Details**: Retrieves editable attributes of the specified incident. The API only returns the attributes that the user has permission to read.
- **Get Form Image**: Retrieves the form image from the database or an external disk based on the message ID and violation ID.
- **Get Incident Components**: Retrieves a list of all incident components. The list contains the ID, name, and MIME type of the components.
- **Get Incident Correlations**: Retrieves the correlations of the specified incident.
- **Get Incident History**: Retrieves the history and notes of the specified incident.
- **Get Incident Message Body**: Retrieves the message body of the specified incident. The message body is available for download if the required permissions are satisfied.
- **Get Incident Original Message**: Retrieves the original message of the specified incident. The original message is available for download if the required permissions are satisfied.
- **Get Policy Matches**: Retrieves information about the other policies violated by the specified incident.
- **Get Static Incident Details**: Retrieves static attributes of the specified incident. Only returns the attributes that the user has permission to read.
- **Update a Policy**: Enables or disables the policy specified by the policy ID.

## Configurations

### Symantec DLP HTTP Basic Authentication

Authenticates using username and password.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get All Component Matches

Retrieve all component matches for a specified incident ID in Symantec DLP.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/components/matches`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |

Input example:

```json
{"path_parameters": {"id": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": [
    {"messageComponentId": 42, "messageComponentName": "body", "mimeType": "text/plain", "originalSize": 200, "messageComponentTypeName": "body", "isComponentAvailable": false},
    {"messageComponentId": 43, "messageComponentName": "secretfile.doc", "mimeType": "application/msword", "originalSize": 134753, "messageComponentTypeName": "attachment", "isComponentAvailable": true}
  ]
}
```

### Get Component Data

Retrieves incident component data from Symantec DLP using the component ID provided in the path parameters.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/components/{{componentId}}`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |
| path_parameters.componentId | number | required | The message component ID |

Input example:

```json
{"path_parameters": {"id": 1, "componentId": 2}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field file |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example:

```json
{"file": {"file": "string", "file_name": "example_name"}}
```

### Get Editable Incident Details

Retrieve editable attributes of a specified incident in Symantec DLP; only the attributes the user has permission to read are returned.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/history`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |

Input example:

```json
{"path_parameters": {"id": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| incidentId | number | Unique identifier |
| infoMap | object | Output field infoMap |
| infoMap.preventOrProtectStatusId | number | Unique identifier |
| infoMap.incidentStatusName | string | Unique identifier |
| infoMap.isHidingNotAllowed | boolean | Unique identifier |
| infoMap.severityId | number | Unique identifier |
| infoMap.incidentStatusId | number | Unique identifier |
| infoMap.isHidden | boolean | Unique identifier |
| customAttributeGroups | array | Output field customAttributeGroups |
| customAttributeGroups.name | string | Name of the resource |
| customAttributeGroups.customAttributes | array | Output field customAttributeGroups.customAttributes |
| customAttributeGroups.customAttributes.name | string | Name of the resource |
| customAttributeGroups.customAttributes.index | number | Output field customAttributeGroups.customAttributes.index |
| customAttributeGroups.customAttributes.displayOrder | number | Output field customAttributeGroups.customAttributes.displayOrder |
| customAttributeGroups.customAttributes.email | boolean | Output field customAttributeGroups.customAttributes.email |
| customAttributeGroups.nameInternationalized | boolean | Name of the resource |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "incidentId": 1,
    "infoMap": {"preventOrProtectStatusId": 0, "incidentStatusName": "incident status new", "isHidingNotAllowed": false, "severityId": 1, "incidentStatusId": 1, "isHidden": false},
    "customAttributeGroups": [{}]
  }
}
```

### Get Form Image

Retrieves the form image for a given message and violation ID from Symantec DLP; requires the path parameters id, messageId, and violationId.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/message/{{messageId}}/violation/{{violationId}}/image`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |
| path_parameters.messageId | number | required | The message ID |
| path_parameters.violationId | number | required | The violation condition ID |

Input example:

```json
{"path_parameters": {"id": 1, "messageId": 2, "violationId": 3}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field file |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example:

```json
{"file": {"file": "string", "file_name": "example_name"}}
```

### Get Incident Components

Retrieves all components of a Symantec DLP incident (ID, name, and MIME type) for the given incident ID.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/components`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |

Input example:

```json
{"path_parameters": {"id": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": [
    {"messageComponentId": 42, "messageComponentName": "body", "mimeType": "text/plain", "originalSize": 200, "messageComponentTypeName": "body", "isComponentAvailable": false},
    {"messageComponentId": 43, "messageComponentName": "secretfile.doc", "mimeType": "application/msword", "originalSize": 134753, "messageComponentTypeName": "attachment", "isComponentAvailable": true}
  ]
}
```

### Get Incident Correlations

Retrieve correlations for a specified incident in Symantec DLP using the unique identifier provided.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/correlations`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |

Input example:

```json
{"path_parameters": {"id": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": [
    {"variable": "incident sender", "label": "sender", "correlationValues": [{"value": "janedoe@gmail.com", "countSevenDays": 0, "countThirtyDays": 0, "countAllDays": 24}]},
    {"variable": "incident recipient", "label": "recipient", "correlationValues": [{"value": "bobdoe@gmail.com", "countSevenDays": 0, "countThirtyDays": 0, "countAllDays": 24}]},
    {"variable": "incident message subject", "label": "subject", "correlationValues": [{"value": "secret", "countSevenDays"
```

### Get Incident History

Retrieves the history and notes for a specified incident in Symantec DLP using the provided incident ID.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/history`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |

Input example:

```json
{"path_parameters": {"id": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": [
    {"incidentHistoryDate": "2022-08-26T15:17:37.369", "dlpUserName": "administrator", "incidentHistoryAction": "set status", "incidentHistoryDetail": "new", "policyGroupId": 1, "detectionServerName": "vontu monitor one", "incidentId": 1, "messageSource": "network", "messageDate": "2017-07-27T16:08:09", "incidentHistoryActionString": "status changed"},
    {"incidentHistoryDate": "2022-08-26T15:17:23.19", "dlpUserName": "administrator", "incidentHistoryAction"
```

### Get Incident Message Body

Retrieves the message body of a specified incident from Symantec DLP; requires the `id` path parameter.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/messageBody`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |

Input example:

```json
{"path_parameters": {"id": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field file |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example:

```json
{"file": {"file": "string", "file_name": "example_name"}}
```

### Get Incident Original Message

Retrieves the original message of a specified incident in Symantec DLP using the incident ID.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/originalMessage`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |

Input example:

```json
{"path_parameters": {"id": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Output field file |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example:

```json
{"file": {"file": "string", "file_name": "example_name"}}
```

### Get Policy Matches

Retrieve detailed policy violation information for a given incident ID in Symantec DLP.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/policyMatches`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |

Input example:

```json
{"path_parameters": {"id": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| violatedRules | array | Output field violatedRules |
| violatedRules.ruleName | string | Name of the resource |
| violatedRules.ruleTypeI18nKey | string | Type of the resource |
| violatedRules.matches | number | Output field violatedRules.matches |
| policyName | string | Name of the resource |
| otherPoliciesViolated | array | Output field otherPoliciesViolated |
| otherPoliciesViolated.policyId | number | Unique identifier |
| otherPoliciesViolated.incidentId | number | Unique identifier |
| otherPoliciesViolated.policyName | string | Name of the resource |
| otherPoliciesViolated.preventOrProtectStatusId | number | Unique identifier |
| matches | number | Output field matches |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "violatedRules": [{}],
    "policyName": "symantec",
    "otherPoliciesViolated": [
      {"policyId": 28476, "incidentId": 2147525031, "policyName": "blockbatnewdlpkeywords", "preventOrProtectStatusId": 0},
      {"policyId": 28314, "incidentId": 2147525029, "policyName": "ep block", "preventOrProtectStatusId": 0},
      {"policyId": 28355, "incidentId": 2147525030, "policyName": "qurantine edar policy", "preventOrProtectStatusId": 0}
    ],
    "matches": 3
  }
}
```

### Get Static Incident Details

Retrieve static attributes for a specified incident in Symantec DLP; only the attributes the user has permission to read are returned.

**Endpoint URL:** `/ProtectManager/webservices/v2/incidents/{{id}}/staticAttributes`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | The incident ID |

Input example:

```json
{"path_parameters": {"id": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| incidentId | number | Unique identifier |
| infoMap | object | Output field infoMap |
| infoMap.attachmentInfo | array | Output field infoMap.attachmentInfo |
| infoMap.attachmentInfo.messageComponentName | string | Name of the resource |
| infoMap.attachmentInfo.messageComponentId | number | Unique identifier |
| infoMap.attachmentInfo.wasCracked | boolean | Output field infoMap.attachmentInfo.wasCracked |
| infoMap.attachmentInfo.documentFormat | string | Output field infoMap.attachmentInfo.documentFormat |
| infoMap.attachmentInfo.messageComponentType | number | Type of the resource |
| infoMap.attachmentInfo.originalSize | string | Output field infoMap.attachmentInfo.originalSize |
| infoMap.attachmentInfo.attachmentSize | string | Output field infoMap.attachmentInfo.attachmentSize |
| infoMap.messageOriginatorId | number | Unique identifier |
| infoMap.fileCreateDate | string | Date value |
| infoMap.uniqueMessageId | string | Unique identifier |
| infoMap.fileAccessDate | string | Date value |
| infoMap.messageType | string | Type of the resource |
| infoMap.endpointFilePath | string | Output field infoMap.endpointFilePath |
| infoMap.endpointApplicationPath | string | Output field infoMap.endpointApplicationPath |
| infoMap.senderIPAddress | string | Output field infoMap.senderIPAddress |
| infoMap.endpointVolumeName | string | Name of the resource |
| infoMap.fileCreatedBy | string | Output field infoMap.fileCreatedBy |
| infoMap.domainUserName | string | Name of the resource |
| infoMap.policyId | number | Unique identifier |
| infoMap.policyName | string | Name of the resource |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "incidentId": 1,
    "infoMap": {
      "attachmentInfo": [],
      "messageOriginatorId": 1,
      "fileCreateDate": "2019-06-26T17:33:06.71",
      "uniqueMessageId": "f1472cc7-cf59-405c-9f12-ce428b112978",
      "fileAccessDate": "2019-06-26T00:00:00",
      "messageType": "endpointusb",
      "endpointFilePath": "e:\\ftpme.txt",
      "endpointApplicationPath": "\\device\\harddiskvolume1\\windows\\explorer.exe",
      "senderIPAddress": "10.66.221.73",
      "endpointVolumeName": "\\device\\harddisk1\\dp(1)0 0
```

### Update a Policy

Enable or disable a specific Symantec DLP policy using the provided policy ID. Required inputs are `policyId` and `enable`.

**Endpoint URL:** `/ProtectManager/webservices/v2/policy/{{policyId}}`

**Method:** PUT

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.policyId | number | required | The policy ID |
| enable | boolean | optional | Set to true to activate the policy, false to deactivate it |

Input example:

```json
{"json_body": {"enable": true}, "path_parameters": {"policyId": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": "policy is updated successfully."}
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
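The following is an added example, not the connector's or Swimlane's code, showing how the pieces documented above fit together: Basic authentication as configured in the connector, the `verify_ssl` and `http_proxy` options, the `/ProtectManager/webservices/v2` endpoints for Get Incident Components, Get Policy Matches and Update a Policy, and the `status_code` / `reason` / `json_body` envelope the output examples show. Assumptions: the camelCase endpoint and field names are the ones restored in the reference above; `dlp.example.invalid`, the credentials, `RecordingTransport` and `SAMPLE_ROUTES` are constructed stand-ins so the script runs offline against responses modelled on the page's output examples.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request


def basic_auth_header(username, password):
    """Basic credential (RFC 7617), the scheme the connector's configuration uses."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def urllib_transport(verify_ssl=True, http_proxy=None):
    """Standard-library HTTP transport mirroring the connector's verify_ssl and http_proxy options."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # disables certificate checking; leave True anywhere but an isolated lab
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if http_proxy:
        handlers.append(urllib.request.ProxyHandler({"http": http_proxy, "https": http_proxy}))
    opener = urllib.request.build_opener(*handlers)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with opener.open(req, timeout=30) as resp:
                return resp.status, resp.reason, resp.read()
        except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a useful body
            return err.code, err.reason, err.read()
    return send


class DlpClient:
    """Thin client for the v2 endpoints behind the connector actions above (assumed paths)."""
    BASE = "/ProtectManager/webservices/v2"

    def __init__(self, url, username, password, transport=None, verify_ssl=True, http_proxy=None):
        self.url = url.rstrip("/")
        self.headers = {"Authorization": basic_auth_header(username, password), "Accept": "application/json"}
        self.transport = transport or urllib_transport(verify_ssl, http_proxy)

    def _call(self, method, path, json_body=None):
        headers, body = dict(self.headers), None
        if json_body is not None:
            body = json.dumps(json_body).encode("utf-8")
            headers["Content-Type"] = "application/json"
        status, reason, raw = self.transport(method, self.url + self.BASE + path, headers, body)
        # Same envelope the connector's output examples show: status_code, reason, json_body.
        return {"status_code": status, "reason": reason, "json_body": json.loads(raw) if raw else None}

    # int() on each path parameter rejects anything that is not a plain ID (e.g. "1/../2").
    def get_incident_components(self, incident_id):
        return self._call("GET", f"/incidents/{int(incident_id)}/components")

    def get_policy_matches(self, incident_id):
        return self._call("GET", f"/incidents/{int(incident_id)}/policyMatches")

    def update_policy(self, policy_id, enable):
        return self._call("PUT", f"/policy/{int(policy_id)}", {"enable": bool(enable)})


def available_attachments(components_response):
    """Names of attachment components the server reports as retrievable (isComponentAvailable)."""
    return [c["messageComponentName"] for c in components_response["json_body"]
            if c.get("messageComponentTypeName") == "attachment" and c.get("isComponentAvailable")]


def other_violated_policy_ids(policy_matches_response):
    """Policy IDs of the additional policies the incident violated, sorted for stable reporting."""
    return sorted(p["policyId"] for p in policy_matches_response["json_body"]["otherPoliciesViolated"])


class RecordingTransport:
    """Constructed offline stand-in: serves canned responses and records every request sent."""

    def __init__(self, routes):
        self.routes, self.calls = routes, []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        path = url.split("/webservices/v2", 1)[1]
        return 200, "OK", json.dumps(self.routes[(method, path)]).encode("utf-8")


# Constructed sample responses modelled on the action output examples above.
SAMPLE_ROUTES = {
    ("GET", "/incidents/1/components"): [
        {"messageComponentId": 42, "messageComponentName": "body", "mimeType": "text/plain",
         "originalSize": 200, "messageComponentTypeName": "body", "isComponentAvailable": False},
        {"messageComponentId": 43, "messageComponentName": "secretfile.doc", "mimeType": "application/msword",
         "originalSize": 134753, "messageComponentTypeName": "attachment", "isComponentAvailable": True},
    ],
    ("GET", "/incidents/1/policyMatches"): {
        "violatedRules": [], "policyName": "symantec", "matches": 3,
        "otherPoliciesViolated": [
            {"policyId": 28476, "incidentId": 2147525031, "policyName": "blockbatnewdlpkeywords", "preventOrProtectStatusId": 0},
            {"policyId": 28314, "incidentId": 2147525029, "policyName": "ep block", "preventOrProtectStatusId": 0}],
    },
    ("PUT", "/policy/28314"): "policy is updated successfully.",
}


def triage_incident(incident_id=1):
    """Walk one incident: list fetchable attachments, collect co-violated policies, disable the first."""
    transport = RecordingTransport(SAMPLE_ROUTES)
    client = DlpClient("https://dlp.example.invalid", "api_user", "api_password", transport=transport)
    comps = client.get_incident_components(incident_id)
    ids = other_violated_policy_ids(client.get_policy_matches(incident_id))
    update = client.update_policy(ids[0], enable=False)
    return {"attachments": available_attachments(comps), "policy_ids": ids,
            "update_status": update["status_code"], "calls": transport.calls}


if __name__ == "__main__":
    print(json.dumps(triage_incident(), indent=2, default=str))
```

Against a real Enforce server, drop the `transport=` argument so `urllib_transport` is used; the `verify_ssl` flag then behaves like the connector's configuration parameter, and every request carries the same `Authorization: Basic` header the connector sends.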