Symantec Data Loss Prevention (DLP)
The Symantec Data Loss Protection (DLP) DSM for JSA accepts events from a Symantec DLP appliance by using syslog.
Before you configure JSA, you must configure response rules on your Symantec DLP. The response rule allows the Symantec DLP appliance to forward syslog events to JSA when a data loss policy violation occurs. Integrating Symantec DLP requires you to create two protocol response rules (SMTP and None of SMTP) for JSA. These protocol response rules create an action to forward the event information, using syslog, when an incident is triggered.
To configure Symantec DLP with JSA, take the following steps:
Create an SMTP response rule.
Create a None of SMTP response rule.
Configure a log source in JSA.
Map Symantec DLP events in JSA.
Creating an SMTP Response Rule
You can configure an SMTP response rule in Symantec DLP.
Log in to your Symantec DLP user interface.
From the menu, select the Manage >Policies >Response Rules.
Click Add Response Rule.
Select one of the following response rule types:
Automated Response Automated response rules are triggered automatically as incidents occur. This is the default value.
Smart Response Smart response rules are added to the Incident Command screen and handled by an authorized Symantec DLP user.
Click Next.
Configure the following values:
Rule Name Type a name for the rule you are creating. This name ideally is descriptive enough for policy authors to identify the rule. For example,
JSA Syslog SMTP.Description Optional. Type a description for the rule you are creating.
Click Add Condition.
On the Conditions panel, select the following conditions:
From the first list, select Protocol or Endpoint Monitoring.
From the second list, select Is Any Of.
From the third list, select SMTP.
On the Actions pane, click Add Action.
From the Actions list, select All: Log to a Syslog Server.
Configure the following options:
Host Type the IP address of your JSA.
Port Type 514 as the syslog port.
MessageType the following string to add a message for SMTP events.
LEEF:1.0|Symantec|DLP|2:medium|$POLICY$ |usrName=$SENDER$|duser=$RECIPIENTS$|rules=$RULES$ |matchCount=$MATCH_COUNT$|blocked=$BLOCKED$ |incidentID=$INCIDENT_ID$|incidentSnapshot=$INCIDENT_SNAPSHOT$ |subject=$SUBJECT$|fileName=$FILE_NAME$|parentPath=$PARENT_PATH$ |path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$ |scan=$SCAN$|target=$TARGET$
Level From this list, select 6 - Informational.
Click Save.
You can now configure your None Of SMTP response rule.
Creating a None Of SMTP Response Rule
You can configure a None Of SMTP response rule in Symantec DLP:
From the menu, select the Manage >Policies >Response Rules.
Click Add Response Rule.
Select one of the following response rule types:
Automated Response Automated response rules are triggered automatically as incidents occur. This is the default value.
Smart Response Smart response rules are added to the Incident Command screen and handled by an authorized Symantec DLP user.
Click Next.
Configure the following values:
Rule Name Type a name for the rule you are creating. This name ideally is descriptive enough for policy authors to identify the rule. For example,
JSA Syslog None Of SMTPDescription Optional. Type a description for the rule you are creating.
Click Add Condition.
On the Conditions pane, select the following conditions:
From the first list, select Protocol or Endpoint Monitoring.
From the second list, select Is Any Of.
From the third list, select None Of SMTP.
On the Actions pane, click Add Action.
From the Actions list, select All: Log to a Syslog Server.
Configure the following options:
Host Type the IP address of your JSA.
Port - Type 514 as the syslog port.
MessageType the following string to add a message for None Of SMTP events.
LEEF:1.0|Symantec|DLP|2:medium|$POLICY$| src=$SENDER$|dst=$RECIPIENTS$|rules=$RULES$|matchCount=$MATCH_COUNT$| blocked=$BLOCKED$|incidentID=$INCIDENT_ID$| incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$| fileName=$FILE_NAME$|parentPath=$PARENT_PATH$|path=$PATH$| quarantineParentPath=$QUARANTINE_PARENT_PATH$|scan=$SCAN$|target=$TARGET$
Level From this list, select 6 - Informational.
Click Save.
You are now ready to configure JSA.
Configuring a Log Source
You can configure the log source in JSA to receive events from a Symantec DLP appliance.
JSA automatically detects syslog events for the SMTP and None of SMTP response rules that you create. However, if you want to manually configure JSAto receive events from a Symantec DLP appliance:
From the Log Source Type list, select the Symantec DLP option.
For more information about Symantec DLP, see your vendor documentation.
Event Map Creation for Symantec DLP Events
Event mapping is required for a number of Symantec DLP events. Due to the customizable nature of policy rules, most events, except the default policy events do not contain a predefined JSA Identifier (QID) map to categorize security events.
You can individually map each event for your device to an event category in JSA. Mapping events allows JSA to identify, coalesce, and track reoccurring events from your network devices. Until you map an event, all events that are displayed in the Log Activity tab for Symantec DLP are categorized as unknown. Unknown events are easily identified as the Event Name column and Low Level Category columns display Unknown.
Discovering Unknown Events
As your device forwards events to JSA, it can take time to categorize all of the events for a device, as some events might not be generated immediately by the event source appliance or software.
It is helpful to know how to quickly search for unknown events. When you know how to search for unknown events, it is suggested you repeat this search until you are comfortable that you can identify most of your events.
Log in to JSA.
Click the Log Activity tab.
Click Add Filter.
From the first list, select Log Source.
From the Log Source Group list, select the log source group or Other.
Log sources that are not assigned to a group are categorized as Other.
From the Log Source list, select your Symantec DLP log source.
Click Add Filter.
The Log Activity tab is displayed with a filter for your log source.
From the View list, select Last Hour.
Any events that are generated by the Symantec DLP DSM in the last hour are displayed. Events that are displayed as unknown in the Event Name column or Low Level Category column require event mapping in JSA.
Note:You can save your existing search filter by clicking Save Criteria.
You can now modify the event map.
Modifying the Event Map
Modifying an event map gives you the option to manually categorize events to a JSA Identifier (QID) map.
Any event that is categorized to a log source can be remapped to a new JSA Identifier (QID).
Events that do not have a defined log source cannot be mapped to an event. Events without a log source display SIM Generic Log in the Log Source column.
On the Event Name column, double-click an unknown event for Symantec DLP.
The detailed event information is displayed.
Click Map Event.
From the Browse for QID pane, select any of the following search options to narrow the event categories for a JSA Identifier (QID):
From the High-Level Category list, select a high-level event categorization.
For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the Juniper Secure Analytics Administration Guide.
From the Low-Level Category list, select a low-level event categorization.
From the Log Source Type list, select a log source type.
The Log Source Type list gives you the option to search for QIDs from other log sources. Searching for QIDs by log source is useful when events are similar to another existing network device. For example, Symantec provides policy and data loss prevention events, you might select another product that likely captures similar events.
To search for a QID by name, type a name in the QID/Name field.
The QID/Name field gives you the option to filter the full list of QIDs for a specific word, for example, policy.
Click Search.
A list of QIDs are displayed.
Select the QID you want to associate to your unknown event.
Click OK.
Maps any additional events that are forwarded from your device with the same QID that matches the event payload. The event count increases each time that the event is identified by JSA.
If you update an event with a new JSA Identifier (QID) map, past events that are stored in JSA are not updated. Only new events are categorized with the new QID.