Collect Symantec DLP logs

This document explains how to collect Symantec DLP logs by using Bindplane. The parser code first attempts to parse the incoming Symantec DLP log data as XML. If the XML parsing fails, it assumes a SYSLOG + KV (CEF) format and uses a combination of grok and kv filters to extract key-value pairs and map them to the unified data model (UDM).

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to the Symantec DLP.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        tcplog:
            # Replace the port and IP address as required
            listen_address: "0.0.0.0:54525"
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Add optional ingestion labels for better organization
            ingestion_labels:
                log_type: SYSLOG
                namespace: symantec_dlp
                raw_log_field: body
    
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - tcplog
                exporters:
                    - chronicle/chronicle_w_labels
    
  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent
    

Configure Symantec DLP

  1. Sign in to the Symantec Server administration console.
  2. Select Manage > Policies > Response rules.
  3. Select Configure response rule and enter a rule name.
  4. Provide the following details:

    • Actions: select Log to a syslog server.
    • Host: enter the Bindplane IP address.
    • Port: enter the Bindplane port number.
    • Message: enter the following message:

          |symcdlpsys|APPLICATION_NAME|$APPLICATION_NAME$|APPLICATION_USER|$APPLICATION_USER$|ATTACHMENT_FILENAME|$ATTACHMENT_FILENAME$|BLOCKED|$BLOCKED$|DATAOWNER_NAME|$DATAOWNER_NAME$|DATAOWNER_EMAIL|$DATAOWNER_EMAIL$|DESTINATION_IP|$DESTINATION_IP$|ENDPOINT_DEVICE_ID|$ENDPOINT_DEVICE_ID$|ENDPOINT_LOCATION|$ENDPOINT_LOCATION$|ENDPOINT_MACHINE|$ENDPOINT_MACHINE$|ENDPOINT_USERNAME|$ENDPOINT_USERNAME$|PATH|$PATH$|FILE_NAME|$FILE_NAME$|PARENT_PATH|$PARENT_PATH$|INCIDENT_ID|$INCIDENT_ID$|INCIDENT_SNAPSHOT|$INCIDENT_SNAPSHOT$|MACHINE_IP|$MACHINE_IP$|MATCH_COUNT|$MATCH_COUNT$|OCCURRED_ON|$OCCURRED_ON$|POLICY|$POLICY$|RULES|$RULES$|PROTOCOL|$PROTOCOL$|QUARANTINE_PARENT_PATH|$QUARANTINE_PARENT_PATH$|RECIPIENTS|$RECIPIENTS$|REPORTED_ON|$REPORTED_ON$|SCAN|$SCAN$|SENDER|$SENDER$|MONITOR_NAME|$MONITOR_NAME$|SEVERITY|$SEVERITY$|STATUS|$STATUS$|SUBJECT|$SUBJECT$|TARGET|$TARGET$|URL|$URL$|USER_JUSTIFICATION|$USER_JUSTIFICATION$|
      
    • Debugging: select Level 4.

  5. Click Apply.

UDM Mapping Table

| Log field | UDM mapping | Logic |
|---|---|---|
| act | security_result.action | If act is Passed, set to ALLOW. If act is Modified, set to ALLOW_WITH_MODIFICATION. If act is Blocked, set to BLOCK. Otherwise, set to UNKNOWN_ACTION. |
| application_name | target.application | Directly mapped. |
| asset_ip | principal.ip, principal.asset.ip | Directly mapped. |
| asset_name | principal.hostname, principal.asset.hostname | Directly mapped. |
| attachment_name | security_result.about.file.full_path | Directly mapped. |
| blocked | security_result.action_details | Directly mapped. |
| calling_station_id | principal.mac, principal.asset.mac | If calling_station_id is a MAC address, map it directly after replacing - with : and converting to lowercase. |
| called_station_id | target.mac, target.asset.mac | If called_station_id is a MAC address, extract the MAC address part before the : and map it directly after replacing - with : and converting to lowercase. |
| category1 | security_result.detection_fields | Create a label with key category1 and value from category1. |
| category2 | security_result.detection_fields | Create a label with key category2 and value from category2. |
| category3 | security_result.detection_fields | Create a label with key category3 and value from category3. |
| client_friendly_name | target.user.userid | Directly mapped. |
| dataowner_mail | principal.user.email_addresses | Directly mapped if it's a valid email address. |
| description | metadata.description | Directly mapped. |
| dest_location | target.location.country_or_region | Directly mapped if it's not RED. |
| deviceId | target.asset_id | Mapped as ID:%{deviceId}. |
| device_version | metadata.product_version | Directly mapped. |
| dhost | network.http.referral_url | Directly mapped. |
| dlp_type | security_result.detection_fields | Create a label with key dlp_type and value from dlp_type. |
| DLP_EP_Incident_ID | security_result.threat_id, security_result.detection_fields | Directly mapped to threat_id. Also, create a label with key Incident ID and value from DLP_EP_Incident_ID. |
| domain | principal.administrative_domain | Directly mapped. |
| dst | target.ip, target.asset.ip | Directly mapped if it's a valid IP address. |
| endpoint_machine | target.ip, target.asset.ip | Directly mapped if it's a valid IP address. |
| endpoint_user_department | target.user.department | Directly mapped. |
| endpoint_user_email | target.user.email_addresses | Directly mapped. |
| endpoint_user_manager | target.user.managers | Create a manager object with user_display_name from endpoint_user_manager. |
| endpoint_user_name | target.user.user_display_name | Directly mapped. |
| endpoint_user_title | target.user.title | Directly mapped. |
| event_description | metadata.description | Directly mapped. |
| event_id | metadata.product_log_id | Directly mapped. |
| event_source | target.application | Directly mapped. |
| event_timestamp | metadata.event_timestamp | Directly mapped. |
| file_name | security_result.about.file.full_path | Directly mapped. |
| filename | target.file.full_path, src.file.full_path | Directly mapped to target.file.full_path. If has_principal is true, also map to src.file.full_path and set event_type to FILE_COPY. |
| host | src.hostname, principal.hostname, principal.asset.hostname | If cef_data contains CEF, map to all three fields. Otherwise, map to principal.hostname and principal.asset.hostname. |
| incident_id | security_result.threat_id, security_result.detection_fields | Directly mapped to threat_id. Also, create a label with key Incident ID and value from incident_id. |
| location | principal.resource.attribute.labels | Create a label with key Location and value from location. |
| match_count | security_result.detection_fields | Create a label with key Match Count and value from match_count. |
| monitor_name | additional.fields | Create a label with key Monitor Name and value from monitor_name. |
| nas_id | target.hostname, target.asset.hostname | Directly mapped. |
| occurred_on | principal.labels, additional.fields | Create a label with key Occurred On and value from occurred_on for both principal.labels and additional.fields. |
| policy_name | sec_result.detection_fields | Create a label with key policy_name and value from policy_name. |
| policy_rule | security_result.rule_name | Directly mapped. |
| policy_severity | security_result.severity | Mapped to severity after converting to uppercase. If policy_severity is INFO, map it as INFORMATIONAL. If policy_severity is not one of HIGH, MEDIUM, LOW, or INFORMATIONAL, set severity to UNKNOWN_SEVERITY. |
| policy_violated | security_result.summary | Directly mapped. |
| Protocol | network.application_protocol, target.application, sec_result.description | If Protocol is not FTP or Endpoint, map it to network.application_protocol after parsing it using the parse_app_protocol.include file. If Protocol is FTP, map it to target.application. If Protocol is Endpoint, set sec_result.description to Protocol=%{Protocol}. |
| recipient | target.user.email_addresses, about.user.email_addresses | For each email address in recipient, map it to both target.user.email_addresses and about.user.email_addresses. |
| recipients | network.http.referral_url, target.resource.attribute.labels | Directly mapped to network.http.referral_url. Also, create a label with key recipients and value from recipients. |
| reported_on | additional.fields | Create a label with key Reported On and value from reported_on. |
| rules | security_result.detection_fields | Create a label with key Rules and value from rules. |
| sender | network.email.from, target.resource.attribute.labels | If sender is a valid email address, map it to network.email.from. Also, create a label with key sender and value from sender. |
| server | target.application | Directly mapped. |
| Severity | security_result.severity | See policy_severity for mapping logic. |
| src | principal.ip, principal.asset.ip | Directly mapped if it's a valid IP address. |
| status | principal.labels, additional.fields | Create a label with key Status and value from status for both principal.labels and additional.fields. |
| subject | target.resource.attribute.labels, network.email.subject | Create a label with key subject and value from subject. Also, map subject to network.email.subject. |
| target_type | target.resource.attribute.labels | Create a label with key Target Type and value from target_type. |
| timestamp | metadata.event_timestamp | Directly mapped after parsing it using the date filter. |
| url | target.url | Directly mapped. |
| user | target.user.userid | Directly mapped. |
| user_id | principal.user.userid | Directly mapped. |
| username | principal.user.userid | Directly mapped. |
| N/A | metadata.product_name | Set to SYMANTEC_DLP. |
| N/A | metadata.vendor_name | Set to SYMANTEC. |
| N/A | metadata.event_type | If event_type is not empty, map it directly. Otherwise, if host is not empty and has_principal is true, set to SCAN_NETWORK. Otherwise, set to GENERIC_EVENT. |
| N/A | metadata.product_event_type | If policy_violated contains -NM- or data contains DLP NM, set to Network Monitor. If policy_violated contains -EP- or data contains DLP EP, set to Endpoint. |
| N/A | metadata.log_type | Set to SYMANTEC_DLP. |
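The following is an added example, not Google SecOps parser code: it shows how the pipe-delimited message produced by the response rule in the Configure Symantec DLP section (the |symcdlpsys|KEY|value|... template) splits into key-value pairs, and applies a subset of the mapping-table rules above (action, severity, valid-IP check, threat_id, Match Count label). The sample log line, the field-to-rule choices (for example, reading action from BLOCKED) and the handling of a truncated message are assumptions made for this illustration; the real parser's grok patterns are not reproduced.

```python
import re

# Constructed sample: one syslog line carrying the response-rule message
# template from the Configure Symantec DLP section (field values made up).
SAMPLE = ("<14>Feb  4 10:15:32 dlp-enforce01 "
          "|symcdlpsys|APPLICATION_NAME|outlook.exe|ATTACHMENT_FILENAME|q3-report.xlsx|"
          "BLOCKED|Blocked|DESTINATION_IP|203.0.113.10|ENDPOINT_MACHINE|10.0.0.25|"
          "INCIDENT_ID|48213|MATCH_COUNT|7|POLICY|PCI Data|SEVERITY|Info|STATUS|New|URL||")

IPV4 = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")

def parse_kv(line):
    """Split the |symcdlpsys|KEY|value|... segment into a dict (the KV stage)."""
    marker = "|symcdlpsys|"
    start = line.find(marker)
    if start < 0:
        raise ValueError("no symcdlpsys marker: not a DLP response-rule message")
    rest = line[start + len(marker):].rstrip()
    if not rest.endswith("|"):  # the template always ends with a pipe
        raise ValueError("message not terminated with '|': truncated")
    parts = rest[:-1].split("|")  # empty values (e.g. URL||) stay as "" entries
    if len(parts) % 2:
        raise ValueError("odd field count: key without value, message truncated")
    return dict(zip(parts[::2], parts[1::2]))

def map_action(value):
    return {"Passed": "ALLOW", "Modified": "ALLOW_WITH_MODIFICATION",
            "Blocked": "BLOCK"}.get(value, "UNKNOWN_ACTION")

def map_severity(value):
    sev = value.upper()
    if sev == "INFO":
        return "INFORMATIONAL"
    return sev if sev in ("HIGH", "MEDIUM", "LOW", "INFORMATIONAL") else "UNKNOWN_SEVERITY"

def to_udm(fields):
    """Apply the mapping-table rules for the subset of fields handled here."""
    sr = {"action": map_action(fields.get("BLOCKED", "")),
          "action_details": fields.get("BLOCKED"),
          "severity": map_severity(fields.get("SEVERITY", "")),
          "threat_id": fields.get("INCIDENT_ID"),
          "detection_fields": ([{"key": "Match Count", "value": fields["MATCH_COUNT"]}]
                               if "MATCH_COUNT" in fields else [])}
    target = {"application": fields.get("APPLICATION_NAME")}
    if IPV4.match(fields.get("ENDPOINT_MACHINE", "")):  # only a valid IP reaches target.ip
        target["ip"] = fields["ENDPOINT_MACHINE"]
    if "ATTACHMENT_FILENAME" in fields:
        sr["about"] = {"file": {"full_path": fields["ATTACHMENT_FILENAME"]}}
    return {"metadata": {"vendor_name": "SYMANTEC", "product_name": "SYMANTEC_DLP"},
            "target": target, "security_result": [sr]}
```

Running to_udm(parse_kv(SAMPLE)) yields a BLOCK action with INFORMATIONAL severity and target.ip set, while a message cut off before its closing pipe is rejected rather than silently producing a half-populated event.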

Changes

2025-02-04

Enhancement:

  • Added support for SYSLOG logs.

2025-01-08

Enhancement:

  • Mapped ATTACHMENT_FILENAME to principal.file.full_path.
  • When DATAOWNER_NAME is present, then mapped DATAOWNER_NAME to principal.user.userid.
  • When DATAOWNER_NAME is not present, then mapped ENDPOINT_USERNAME to principal.user.userid.

2024-12-27

Enhancement:

  • Added support to parse the new log format.

2024-12-04

Enhancement:

  • Added support to parse the new log format.

2024-11-11

Enhancement:

  • Added support to parse the new log format.

2024-09-05

Enhancement:

  • Added support to parse the new log format.

2024-06-17

Enhancement:

  • Added support to parse the new format of field recipients.

2024-06-14

Enhancement:

  • Added support for CEF Logs.

2024-05-16

Enhancement:

  • Mapped dlp_type to security_result.detection_fields.

2024-04-26

Bug fix:

  • Mapped recipients to target.user.email_addresses.

2024-03-10

Enhancement:

  • Added new Grok patterns to parse logs of new SYSLOG formats.
  • Mapped server to target.application.
  • Mapped url to target.url.
  • Mapped dataowner_mail to principal.user.email_addresses.
  • Mapped reported_on and monitor_name to additional.fields.
  • Mapped sender to network.email.from.
  • Mapped subject to network.email.subject.

2024-02-20

Enhancement:

  • Mapped blocked to security_result.action_details and security_result.action.

2024-01-12

Enhancement:

  • Mapped incident_id and DLP_EP_Incident_ID to security_result.detection_fields.
  • Added a Grok pattern to parse logs of new SYSLOG formats.
  • Mapped location to principal.resource.attribute.labels.
  • Mapped target_type to target.resource.attribute.labels.

2023-12-06

Enhancement:

  • Added a Grok pattern to parse logs of new formats.
  • Mapped application to principal.application.
  • Mapped application_name to target.application.
  • Mapped policy_name to security_result.detection_fields.

2023-09-02

Enhancement:

  • Added support to parse failing logs and mapped the fields accordingly.

2023-08-17

Enhancement:

  • Mapped Occurred on to principal.labels.
  • When act is Modified, set security_result.action to ALLOW_WITH_MODIFICATION.
  • Mapped status to principal.labels.
