Symantec Data Loss Prevention (DLP)
The Symantec Data Loss Prevention (DLP) DSM for IBM QRadar accepts events from a Symantec DLP appliance by using syslog.
Before you configure QRadar, you must configure response rules on your Symantec DLP appliance. The response rules allow the Symantec DLP appliance to forward syslog events to QRadar when a data loss policy violation occurs. Integrating Symantec DLP requires you to create two protocol response rules (SMTP and None of SMTP) for QRadar. These protocol response rules create an action that forwards the event information by using syslog when an incident is triggered.
To configure Symantec DLP with QRadar, take the following steps:
- Create an SMTP response rule.
- Create a None of SMTP response rule.
- Configure a log source in QRadar.
- Map Symantec DLP events in QRadar.