symantec DLP

aliroumani — Wed, 02 Nov 2016 06:57:22 GMT

Dear Sirs,
in symantec dlp we have different policies consider it as (1,2,3,...etc) and when i user violate any policy we will receive logs showing that,
another case is when a user violate 2 policies at the same time (like 1 and 2 together) still the dlp showing each event as a seperate one.
my question is, how can i write a search in splunk that will show me if two policies violated at the same time by the same user.
for example, sending external e-mail is a policy and sending confidential documents is a policy, so in case someone send external email with confidential documents in it this is violation for 2 policies in same time, and thats what i'm looking for.
regards

Re: symantec DLP

DMohn — Wed, 02 Nov 2016 09:27:30 GMT

The easiest (yet not most elegant) way would be using the transaction command. Depending on the amount of events to search, this command may pr pretty "expensive" to run - so keep this in mind if you experience performance issues.

Assuming you have the username as field user, and the violation events are within less than 5 seconds, your search could be something like this:

 <base search that returns violations events> | transaction user maxpause=5s | where linecount > 1

This will group the violation events together and only keep those where more than 1 violation occurred within 5s.

Hope this helps!

topic symantec DLP in Splunk Search

symantec DLP

Re: symantec DLP