Creating an SMTP response rule
Configure an SMTP response rule in Symantec DLP so that incidents detected on the SMTP protocol are forwarded to IBM QRadar as LEEF events over syslog.
Procedure
- Log in to Symantec DLP user interface.
- From the menu, select Manage > Policies > Response Rules.
- Click Add Response Rule.
- Select one of the following response rule types:
- Automated Response - Automated response rules are triggered automatically as incidents occur. This is the default, and it is the type to use for forwarding to QRadar.
- Smart Response - Smart response rules are added to the Incident Command screen and handled by an authorized Symantec DLP user.
- Click Next.
- Configure the following values:
- Rule Name - Type a name for the rule that is descriptive enough for policy authors to identify it, for example, QRadar Syslog SMTP.
- Description - Optional. Type a description for the rule.
- Click Add Condition.
- On the Conditions panel, select the following conditions:
- From the first list, select Protocol or Endpoint Monitoring.
- From the second list, select Is Any Of.
- From the third list, select SMTP.
- On the Actions pane, click Add Action.
- From the Actions list, select All: Log to a Syslog Server.
- Configure the following options:
- Host - Type the IP address of the IBM QRadar host that receives syslog events.
- Port - Type 514 as the syslog port. The message is sent as plain syslog, so make sure that this port is reachable from the Enforce Server and that the path between the Enforce Server and QRadar is a trusted network.
- Message - Type the following string to add a message for SMTP events. The $NAME$ tokens are Symantec DLP response rule variables that are replaced with the values of each incident when the rule fires. The string is a LEEF 2.0 header followed by key=value attributes; the three consecutive pipes after $POLICY$ set the pipe character as the attribute delimiter.
LEEF:2.0|Symantec|DLP|2:medium|$POLICY$|||usrName=$SENDER$|duser=$RECIPIENTS$|rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$|incidentID=$INCIDENT_ID$|incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$|fileName=$FILE_NAME$|parentPath=$PARENT_PATH$|path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$|scan=$SCAN$|target=$TARGET$
- Level - From this list, select 6 - Informational.
- Click Save.
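To see what this rule actually puts on the wire, and to check that QRadar can split it back into fields, the following added example renders the Message string with constructed incident values and parses the result as a LEEF 2.0 event. It is not code from this page, from Symantec, or from IBM; the sample incident values, the example.com addresses and the incident snapshot URL are made up for illustration, and the variable substitution mimics what the Enforce Server does rather than calling any Symantec API.

```python
import re

# Message string from the response rule on this page (unchanged).
TEMPLATE = (
    "LEEF:2.0|Symantec|DLP|2:medium|$POLICY$|||usrName=$SENDER$|duser=$RECIPIENTS$|"
    "rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$|incidentID=$INCIDENT_ID$|"
    "incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$|fileName=$FILE_NAME$|"
    "parentPath=$PARENT_PATH$|path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$|"
    "scan=$SCAN$|target=$TARGET$"
)

# Attribute keys the template emits, in order (14 of them).
TEMPLATE_KEYS = re.findall(r"\|([A-Za-z]+)=\$", TEMPLATE)

# Constructed sample incident; hypothetical values, not real Enforce Server output.
SAMPLE_INCIDENT = {
    "POLICY": "PCI Card Numbers",
    "SENDER": "alice@example.com",
    "RECIPIENTS": "bob@example.net",
    "RULES": "Credit Card Number",
    "MATCH_COUNT": "3",
    "BLOCKED": "Yes",
    "INCIDENT_ID": "100234",
    "INCIDENT_SNAPSHOT": "https://enforce.example.com/ProtectManager/"
                         "IncidentDetail.do?value(variable_1)=incident.id&value(operand_1)=100234",
    "SUBJECT": "Q3 statements",
    "FILE_NAME": "statements.xlsx",
    # Variables that have no value for an SMTP incident render as empty strings.
    "PARENT_PATH": "", "PATH": "", "QUARANTINE_PARENT_PATH": "", "SCAN": "", "TARGET": "",
}


def render(values, template=TEMPLATE):
    """Replace every $NAME$ token with the incident value; unknown names become empty.
    This imitates the substitution the Enforce Server performs when the
    'Log to a Syslog Server' action fires (assumption: plain text replacement)."""
    return re.sub(r"\$([A-Z_]+)\$", lambda m: values.get(m.group(1), ""), template)


def parse_leef(event):
    """Parse one LEEF 2.0 line into (header, attributes).

    Layout: LEEF:2.0|Vendor|Product|Version|EventID|Delimiter| then key=value
    pairs separated by Delimiter. In the template above the delimiter field holds
    a literal '|', which is why '|||' follows $POLICY$.
    """
    parts = event.split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:2.0":
        raise ValueError("not a LEEF 2.0 event")
    header = dict(zip(("version", "vendor", "product", "product_version", "event_id"), parts[:5]))
    rest = parts[5]
    if rest.startswith("||"):                      # delimiter field is '|' itself
        delim, payload = "|", rest[2:]
    else:
        field, payload = rest.split("|", 1)
        if field == "":
            delim = "\t"                           # LEEF 2.0 default when the field is empty
        elif re.fullmatch(r"[xX][0-9A-Fa-f]{1,2}", field):
            delim = chr(int(field[1:], 16))        # hex form, e.g. x09 for tab
        else:
            delim = field
    header["delimiter"] = delim
    attrs = {}
    for pair in payload.split(delim):
        key, sep, value = pair.partition("=")      # URLs in values contain '=', so split once
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    return header, attrs


def attributes_intact(event, expected_keys=TEMPLATE_KEYS):
    """True only if every template key comes back as its own attribute.

    A subject or file name that contains the delimiter ('|' here) splits into
    extra bogus pairs or pairs without '=', so the event no longer maps onto the
    keys the QRadar DSM expects. LEEF offers no escaping for the delimiter; the
    only defence is choosing a delimiter that cannot appear in the data.
    """
    try:
        _, attrs = parse_leef(event)
    except ValueError:
        return False
    return list(attrs) == list(expected_keys)


if __name__ == "__main__":
    evt = render(SAMPLE_INCIDENT)
    print(evt)
    print(parse_leef(evt))
    print("intact:", attributes_intact(evt))
    print("intact with '|' in subject:",
          attributes_intact(render(dict(SAMPLE_INCIDENT, SUBJECT="Q3 | statements"))))
```

Run it before pointing the rule at a production QRadar: the rendered line is what you should see in the QRadar Log Activity payload, and attributes_intact shows why an e-mail subject or file name containing a pipe character breaks field extraction for that event.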