Creating an SMTP response rule

You can configure an SMTP response rule in Symantec DLP to forward SMTP incidents to IBM QRadar over syslog.

Procedure

  1. Log in to Symantec DLP user interface.
  2. From the menu, select Manage > Policies > Response Rules.
  3. Click Add Response Rule.
  4. Select one of the following response rule types:
    • Automated Response - Automated response rules are triggered automatically as incidents occur. It is the default value.
    • Smart Response - Smart response rules are added to the Incident Command screen and handled by an authorized Symantec DLP user.
  5. Click Next, then configure the following values.
  6. Rule Name - Type a name for the rule that you are creating. The name should be descriptive enough for policy authors to identify the rule, for example, QRadar Syslog SMTP.
  7. Description - Optional. Type a description for the rule that you are creating.
  8. Click Add Condition.
  9. On the Conditions panel, select the following conditions:
    • From the first list, select Protocol or Endpoint Monitoring.
    • From the second list, select Is Any Of.
    • From the third list, select SMTP.
  10. On the Actions pane, click Add Action.
  11. From the Actions list, select All: Log to a Syslog Server.
  12. Configure the following options:
    • Host - Type the IP address of your IBM QRadar.
    • Port - Type 514 as the syslog port.
    • Message - Type the following string to add a message for SMTP events:
      LEEF:2.0|Symantec|DLP|2:medium|$POLICY$|||usrName=$SENDER$|duser=$RECIPIENTS$|rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$|incidentID=$INCIDENT_ID$|incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$|fileName=$FILE_NAME$|parentPath=$PARENT_PATH$|path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$|scan=$SCAN$|target=$TARGET$
    • Level - From this list, select 6 - Informational.
  13. Click Save.
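As an added illustration (not part of IBM's or Symantec's documentation), the following Python script renders the message template from the procedure with a constructed incident, parses the result as a LEEF 2.0 line, checks that every $NAME$ token was substituted and that the key attributes are present, and wraps the payload in a syslog header using severity 6 (Informational). The incident values, the hostname and the syslog facility are assumptions; the parser is a simple sanity checker, not QRadar's own parser.

```python
import re

# Message template from the procedure above, copied verbatim. Symantec DLP replaces
# each $NAME$ token with the incident's value before sending the line to syslog.
LEEF_TEMPLATE = (
    "LEEF:2.0|Symantec|DLP|2:medium|$POLICY$|||usrName=$SENDER$|duser=$RECIPIENTS$"
    "|rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$|incidentID=$INCIDENT_ID$"
    "|incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$|fileName=$FILE_NAME$"
    "|parentPath=$PARENT_PATH$|path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$"
    "|scan=$SCAN$|target=$TARGET$"
)

TOKEN = re.compile(r"\$([A-Z_]+)\$")

# Constructed sample incident for this example (hypothetical values, not from a real deployment).
SAMPLE_INCIDENT = {
    "POLICY": "Credit Card Numbers",
    "SENDER": "alice@example.com",
    "RECIPIENTS": "bob@example.net",
    "RULES": "PCI card number pattern",
    "MATCH_COUNT": "3",
    "BLOCKED": "Yes",
    "INCIDENT_ID": "100042",
    "INCIDENT_SNAPSHOT": "https://dlp-enforce.example.com/incident/100042",
    "SUBJECT": "Q3 statement",
    "FILE_NAME": "statement.xlsx",
    "PARENT_PATH": "",
    "PATH": "",
    "QUARANTINE_PARENT_PATH": "",
    "SCAN": "",
    "TARGET": "smtp.example.net",
}

# Attributes a QRadar analyst would expect to be populated for an SMTP incident.
REQUIRED_ATTRS = ("usrName", "duser", "rules", "matchCount", "blocked", "incidentID")


def render(template, incident):
    """Substitute every $NAME$ token; unknown tokens are left in place so gaps stay visible."""
    return TOKEN.sub(lambda m: incident.get(m.group(1), m.group(0)), template)


def unresolved_tokens(message):
    """Return the $NAME$ tokens still present after rendering (should be empty)."""
    return TOKEN.findall(message)


def parse_leef(message, attr_sep="|"):
    """Split a LEEF 2.0 line into its six header fields and its key=value attributes.

    The template above leaves the header's delimiter field empty but separates the
    attributes with '|', so the attribute separator is a parameter here.
    """
    parts = message.split("|", 6)
    if len(parts) < 7 or parts[0] != "LEEF:2.0":
        raise ValueError("not a LEEF 2.0 message")
    header = {
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
        "delimiter": parts[5],
    }
    attrs = {}
    for field in parts[6].split(attr_sep):
        if not field:
            continue
        key, _, value = field.partition("=")
        attrs[key] = value
    return header, attrs


def missing_attributes(attrs):
    """Required attributes that are absent or empty in a parsed message."""
    return [k for k in REQUIRED_ATTRS if not attrs.get(k)]


def syslog_line(message, severity=6, facility=1, hostname="dlp-enforce"):
    """Wrap the LEEF payload in a BSD-style syslog header.

    PRI = facility * 8 + severity; severity 6 is Informational, the Level chosen in
    the procedure. Facility 1 (user-level), the hostname and the timestamp are
    assumptions made for this example.
    """
    pri = facility * 8 + severity
    return f"<{pri}>Jan 15 10:30:00 {hostname} SymantecDLP: {message}"


if __name__ == "__main__":
    msg = render(LEEF_TEMPLATE, SAMPLE_INCIDENT)
    header, attrs = parse_leef(msg)
    print(syslog_line(msg))
    print("unresolved:", unresolved_tokens(msg), "missing:", missing_attributes(attrs))
```

Because the template separates attributes with '|', a value that itself contains '|' (a mail subject, for instance) shifts the fields that follow it; the checker makes that visible as an unexpected key, which is worth verifying against a few real incidents after the rule is saved.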

What to do next

You can now configure your None Of SMTP response rule.