Creating a None Of SMTP response rule
You can configure a None Of SMTP response rule in Symantec DLP:
Procedure
- From the menu, select Manage > Policies > Response Rules.
- Click Add Response Rule.
- Select one of the following response rule types:
- Automated Response - Automated response rules are triggered automatically as incidents occur. This is the default value.
- Smart Response - Smart response rules are added to the Incident Command screen and handled by an authorized Symantec DLP user.
- Click Next.
- Configure the following values:
- Rule Name - Type a name for the rule you are creating. Ideally the name is descriptive enough for policy authors to identify the rule. For example, QRadar Syslog None Of SMTP.
- Description - Optional. Type a description for the rule you are creating.
- Click Add Condition.
- On the Conditions pane, select the following conditions:
- From the first list, select Protocol or Endpoint Monitoring.
- From the second list, select Is Any Of.
- From the third list, select None Of SMTP.
- On the Actions pane, click Add Action.
- From the Actions list, select All: Log to a Syslog Server.
- Configure the following options:
- Host - Type the IP address of your QRadar®.
- Port - Type 514 as the syslog port.
- Message - Type the following string to add a message for None Of SMTP events:
LEEF:1.0|Symantec|DLP|2:medium|$POLICY$|src=$SENDER$|dst=$RECIPIENTS$|rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$|incidentID=$INCIDENT_ID$|incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$|fileName=$FILE_NAME$|parentPath=$PARENT_PATH$|path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$|scan=$SCAN$|target=$TARGET$
- Level - From this list, select 6 - Informational.
- Click Save.
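To check what the QRadar collector actually receives from this rule, the following added example (not from the IBM or Symantec documentation) parses a LEEF 1.0 line built from the Message string above, splits the pipe-delimited attributes, and reports placeholders that Symantec DLP left unsubstituted or attributes missing from a truncated message. The sample event, its addresses and its incident values are constructed for illustration.

```python
# Added example: parse the LEEF line sent by the None Of SMTP response rule.
from typing import Dict, List, Tuple

# LEEF header slots, in the order they appear before the first attribute
LEEF_HEADER_FIELDS = ("leef_version", "vendor", "product", "version", "event_id")

# Attribute keys present in the rule's Message string
EXPECTED_ATTRS = [
    "src", "dst", "rules", "matchCount", "blocked", "incidentID",
    "incidentSnapshot", "subject", "fileName", "parentPath", "path",
    "quarantineParentPath", "scan", "target",
]


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, attributes) for one LEEF line.

    The rule separates attributes with '|', so that is the delimiter used
    here (LEEF's default tab delimiter is also accepted). A '|' inside a
    value, e.g. in a subject line, cannot be distinguished from a separator.
    """
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF message")
    parts = line.split("|", 5)  # five header fields, rest is attributes
    if len(parts) < 6:
        raise ValueError("LEEF header incomplete")
    header = dict(zip(LEEF_HEADER_FIELDS, parts[:5]))
    header["leef_version"] = header["leef_version"][len("LEEF:"):]
    sep = "\t" if "\t" in parts[5] else "|"
    attrs: Dict[str, str] = {}
    for field in parts[5].split(sep):
        if "=" in field:
            key, value = field.split("=", 1)
            attrs[key.strip()] = value
    return header, attrs


def unsubstituted(attrs: Dict[str, str]) -> List[str]:
    """Keys whose value is still a $VARIABLE$ placeholder, i.e. DLP did not fill it."""
    return [k for k, v in attrs.items() if len(v) > 1 and v[0] == v[-1] == "$"]


def missing_attrs(attrs: Dict[str, str]) -> List[str]:
    """Expected keys absent from the line, e.g. after syslog truncation."""
    return [k for k in EXPECTED_ATTRS if k not in attrs]


# Constructed sample event (not a real incident); one placeholder left unfilled
SAMPLE = ("LEEF:1.0|Symantec|DLP|2:medium|Confidential Data Policy|"
          "src=alice@example.com|dst=bob@example.net|rules=Keyword Match|"
          "matchCount=3|blocked=false|incidentID=10421|"
          "incidentSnapshot=https://dlp.example.com/incident/10421|"
          "subject=Q3 forecast|fileName=forecast.xlsx|parentPath=|path=|"
          "quarantineParentPath=$QUARANTINE_PARENT_PATH$|scan=|target=smtp")
```

Running parse_leef over SAMPLE yields the header fields, every attribute in the rule, one unsubstituted placeholder (quarantineParentPath) and no missing keys; feeding it a line cut at the syslog length limit makes missing_attrs list the dropped keys.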