Hi everyone!
Does anyone know if there is an add-on or option in Splunk to trigger a third-party DLP (Symantec, IDLP, ...)? Or is it also possible to configure Splunk Alert Actions (or custom scripts) to perform a DLP function?
The flow should be like this:
Collecting all the client actions(changes on files, copying of files etc.), portable media logs (USB drives, CD-roms etc), and e-mail server actions, analysing and correlating the collected data based on the rules (which are going to be defined by us), in case of an anomaly detection, creating an alert and triggering the DLP solution to block session.
For the Symantec DLP you can use Incident Reporting & Update API.
https://support.symantec.com/en_US/article.DOC9264.html
For example, I'm using Python with 'suds' library to export any data from DLP