Consolidating Symantec DLP audit trail events

Symantec’s customers operate in some of the world’s most stringent audit and compliance environments, where not only do they need to keep information safe, they are held accountable and need to demonstrate how they do this.  How they configure and operate Symantec DLP is subject to meticulous and continuous reviews, all to ensure their data protection program adheres to various compliance and regulation frameworks. The Symantec DLP Audit Log contains thorough, detailed traces of administrative activities surrounding policies, users and roles, service configurations, incident access, remediation, and structured and unstructured configuration profiles.

Customers love being able to use our audit capabilities, and we continually work with them to find ways to make them even better.  In DLP 16 RU1 we did just that as Audit information is now available both in the Enforce UI, and a new RESTful API. With this enhancement, Symantec DLP directly addresses the need for greater transparency and control over crucial DLP activities. Audit information is easily accessed by compliance teams to track and manage administrative activities related to their data protection program. For example, the compliance team can find who created or modified a policy, providing a useful record of key system changes.

I’ve written an example of sending the Audit trail events to Splunk for consolidation, reporting, correlation, long-term archival, and other relevant use cases. One of the API's benefits is that you can configure the number of records to pull if you want to control and track data being extracted from DLP.  In the script, you control it with the variable dlpAuditPageSize. The code is available here. 

By default, the script pulls 10,000 incidents—starting with the older ones—and sends them in a batch to Splunk through the HTTP Event Collector (HEC). The prerequisites for the script are below.

Prerequisites

• Symantec DLP 16 RU1
• A Symantec DLP user with API and Administrative privileges 
• audit2Splunk.py is written in Python 3.8
• Python 3.8 Modules: json, requests, logging, datetime, timedelta 
• Splunk with HEC 

NOTE: The code is a) an example and b) provided as-is: we do not know your computing environment, so you need to assess the script’s function and performance before implementing it.

How to learn more?

Symantec is committed to delivering APIs to provide our customers with opportunities to automate and build deeper integrations for their data security needs. Symantec will continue to add new APIs as well as improve functionality and performance of  existing APIs.

Please read the DLP API technical guide for a deeper understanding of the RESTful API. The documentation has code examples (cURL, Java, Python, PHP, and Rubi), a comprehensive Postman collection, and an example REST client.

For different applications and examples of how DLP APIs can help, read our blogs “Symantec DLP Gives You Power to Query and Filter Incident Data,” “Finding DLP Incidents That Have Not Been Responded to in Time,” and “Extend DLP Policies to Home-Grown Apps.”