Creating a None Of SMTP response rule

You can configure a None Of SMTP response rule in Symantec DLP:

Procedure

  1. From the menu, select Manage > Policies > Response Rules.
  2. Click Add Response Rule.
  3. Select one of the following response rule types:
    • Automated Response - Automated response rules are triggered automatically as incidents occur. This is the default value.
    • Smart Response - Smart response rules are added to the Incident Command screen and handled by an authorized Symantec DLP user.
  4. Click Next.

    Configure the following values:

  5. Rule Name - Type a name for the rule you are creating. This name ideally is descriptive enough for policy authors to identify the rule. For example, QRadar Syslog None Of SMTP.
  6. Description - Optional. Type a description for the rule you are creating.
  7. Click Add Condition.
  8. On the Conditions pane, select the following conditions:
    • From the first list, select Protocol or Endpoint Monitoring.
    • From the second list, select Is Any Of.
    • From the third list, select None Of SMTP.
  9. On the Actions pane, click Add Action.
  10. From the Actions list, select All: Log to a Syslog Server.
  11. Configure the following options:
    • Host - Type the IP address of your QRadar®.
    • Port - Type 514 as the syslog port.
    • Message - Type the following string to add a message for None Of SMTP events.
    LEEF:1.0|Symantec|DLP|2:medium|$POLICY$|src=$SENDER$|dst=$RECIPIENTS$|rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$|incidentID=$INCIDENT_ID$|incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$|fileName=$FILE_NAME$|parentPath=$PARENT_PATH$|path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$|scan=$SCAN$|target=$TARGET$
    • Level - From this list, select 6 - Informational.
  12. Click Save.
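To confirm that the message configured in the Message option arrives in a shape QRadar can map, the following added example (not IBM's or Symantec's code) parses a LEEF 1.0 line that uses `|` as the attribute delimiter, as the string above does. The sample event and all of its values are constructed; the check for unexpanded `$TOKEN$` placeholders is one way to spot a rule whose template was saved without being expanded.

```python
import re

# Constructed sample event in the format the response rule above emits,
# with each $TOKEN$ placeholder replaced by a made-up value.
SAMPLE_EVENT = (
    "LEEF:1.0|Symantec|DLP|2:medium|PCI Card Numbers|src=alice@example.com"
    "|dst=bob@example.org|rules=Credit Card Number|matchCount=3|blocked=false"
    "|incidentID=12345|incidentSnapshot=https://dlp.example.com/incidents/12345"
    "|subject=Q3 report|fileName=report.xlsx|parentPath=|path=|quarantineParentPath="
    "|scan=|target=Endpoint Monitoring"
)

# LEEF header layout: LEEF:Version|Vendor|Product|ProductVersion|EventID|...
# In the rule above "2:medium" sits in the product-version slot and the
# policy name is the event ID.
LEEF_HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")

# A value that is still a raw template token, e.g. "$SUBJECT$".
PLACEHOLDER = re.compile(r"^\$[A-Z_]+\$$")


def parse_leef(line):
    """Parse a LEEF 1.0 line whose attributes are separated by '|'.

    Returns a dict with the five header fields plus one key per attribute.
    Because '|' is the delimiter, a free-text field such as subject cannot
    contain a literal '|'; such a line is rejected rather than misparsed.
    """
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    parts = line.split("|")
    if len(parts) < 5:
        raise ValueError("incomplete LEEF header")
    header = dict(zip(LEEF_HEADER_FIELDS, parts[:5]))
    header["version"] = header["version"][len("LEEF:"):]
    attrs = {}
    for item in parts[5:]:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError("malformed attribute: %r" % item)
        attrs[key] = value
    return {**header, **attrs}


def unexpanded_placeholders(event):
    """Return field names whose value is still a $TOKEN$ placeholder,
    which means the DLP rule did not substitute the template variable."""
    return sorted(k for k, v in event.items() if PLACEHOLDER.match(v))
```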

What to do next

You are now ready to configure IBM® QRadar.