Symantec DLP

The IBM® QRadar® Symantec Data Loss Prevention Custom Properties content extension adds new custom event properties for Symantec DLP.

About the Symantec DLP extension

Use the IBM Security QRadar Symantec DLP Custom Properties content extension to normalize specific event data from a log source. Custom event properties can make important data more visible in your system searches and reports.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Symantec DLP Content Extension 1.0.0

The following table shows the custom properties that are new in IBM Security QRadar Symantec DLP Content Extension 1.0.0.

Table 1. Custom Properties in IBM Security QRadar Symantec DLP Content Extension 1.0.0.
Name	Optimized	Capture Group	Regex
Blocked	No	1	BLOCKED\\|(.?)\\| blocked=(.?)\\|
File Directory	Yes	1	PARENT_PATH\\|(.?)\\| parentPath=(.?)\\|
File Path	No	1	PATH\\|(.?)\\| path=(.?)\\|
Filename	Yes	1	fileName=(.?)\\| FILE_NAME\\|(.?)\\|
Icident Detail	No	1	incidentSnapshot=(.?)\\| INCIDENT_SNAPSHOT\\|(.?)\\|
MessageID	Yes	1	incidentID=(.?)\\| INCIDENT_ID\\|(.?)\\|
Rule Details	Yes	1	rules=(.?)\\| RULES\\|(.?)\\|
Subject	Yes	1	subject=(.?)\\| SUBJECT\\|(.?)\\|
Target Details	Yes	1	TARGET\\|(.?)(?:\\|\|$) target=(.?)(?:\\|\|$)