0% found this document useful (0 votes)

174 views

Symantec™ Data Loss Prevention Incident Reporting and Update API Code Examples

Uploaded by

Stefan Stefanov

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

174 views

Symantec™ Data Loss Prevention Incident Reporting and Update API Code Examples

Uploaded by

Stefan Stefanov

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 21

Symantec™ Data Loss

Prevention Incident
Reporting and Update API
Code Examples

Version 15.5
Symantec Data Loss Prevention Incident Reporting
and Update API Examples
Documentation version: 15.5b

Legal Notice
Copyright © 2018 Symantec Corporation. All rights reserved.

Symantec, CloudSOC, Blue Coat, the Symantec Logo, the Checkmark Logo, the Blue Coat logo, and the
Shield Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.
and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com
Contents

Chapter 1 Introducing the Incident Reporting and Update API

Examples .......................................................................... 5

About the examples ........................................................................ 5

About updates to this guide .............................................................. 6
About documentation for the Incident Reporting and Update API ............. 6
About the Incident Reporting and Update API ...................................... 6

Chapter 2 Java examples ....................................................................... 8

About the Java examples ................................................................. 8
Building the Java examples ............................................................ 10
Running the Java examples ........................................................... 10

Chapter 3 .NET Examples ..................................................................... 15

About the .NET examples .............................................................. 15
Building the .NET examples ............................................................ 18
Running the .NET examples ........................................................... 18
Chapter 1
Introducing the Incident
Reporting and Update API
Examples
This chapter includes the following topics:

■ About the examples

■ About updates to this guide

■ About documentation for the Incident Reporting and Update API

■ About the Incident Reporting and Update API

About the examples

The code examples contained in this ZIP file demonstrate how to code Incident Reporting and
Update API Web service clients using either the Java or .NET programming languages. The
examples provide simple command-line implementations that query the incident database and
update incidents. You may use the patterns in these examples as the basis for new client
applications that use the Incident Reporting and Update API.

Note: To simplify the code, these examples use relaxed security implementations that are not
appropriate for production environments. For more information and sample code that
demonstrate securing your client applications, see "Authenticating a client with the Incident
Reporting and Update API Web Service" in the Symantec Data Loss Prevention Incident
Reporting and Update API Developers Guide.

Both the source code and complied classes are provided for the examples. For Java clients,
a build script is provided to build the examples from the source code. For .NET examples, a
Introducing the Incident Reporting and Update API Examples 6
About updates to this guide

Microsoft Visual Studio project file is provided. Instructions for running the examples, including
the required arguments are provided in this document.
To run these examples, you must have a functional installation of Symantec Data Loss
Prevention 15.5. The Enforce Server must be accessible over a network from the computer
where you run the examples.

About updates to this guide

You can find the latest version of the Symantec Data Loss Prevention Incident Reporting and
Update API Developers Guide, Symantec Data Loss Prevention Incident Reporting and Update
API Examples, and the sample clients at the following link to the Symantec Support Center:
http://www.symantec.com/docs/DOC9264.
The following table provides the history of updates to this version of the Symantec Data Loss
Prevention Incident Reporting and Update API Developers Guide:

Table 1-1
Date Description

6 September Added detailed information about the correct formats for user names.
2019

About documentation for the Incident Reporting and

Update API
The Symantec Data Loss Prevention Incident Reporting and Update API Developers Guide
contains complete documentation of the Incident Reporting and Update API. You can find it
at the Symantec Support Center: www.symantec.com/docs/DOC9264

Note: Refer to the "Troubleshooting Incident Reporting and Update API client applications"
section of the API guide for up-to-date information about implementing clients using the current
release.

About the Incident Reporting and Update API

The Symantec Data Loss Prevention Incident Reporting and Update API enables a Web
Services developer to create applications that retrieve and update incident data that is stored
in a Symantec Data Loss Prevention deployment. You can use this API to integrate incident
data with other applications or systems to provide dynamic reporting, create a custom incident
Introducing the Incident Reporting and Update API Examples 7
About the Incident Reporting and Update API

remediation process, or to support business processes that rely on Symantec Data Loss
Prevention incidents.
A Symantec Data Loss Prevention incident records all of the details that are associated with
a message that violated a Data Loss Prevention policy. A message in this context may refer
to an email message, an instant message, a file transfer, a copy or a print operation, an HTTP
request, or any other protocol message that you have configured Symantec Data Loss
Prevention to monitor. The data that is recorded in an incident includes the time the violation
occurred, the severity of the violation, and information about the originator and recipient of the
message that triggered the violation. Incidents also record data such as the text and headers
of the original message and files that were attached to the original message. Finally, an incident
may also contain historical data that is associated with efforts to remediate the incident in the
Enforce Server administration console. This historical data includes changes to the incident
severity or status and a list of any actions that were performed to help resolve or manage the
incident.
For example, you can use the API to correlate Symantec Data Loss Prevention incident data
with logs of the message sender’s telephone calls or network usage. Or, you can create
dashboard applications that integrate Symantec Data Loss Prevention incident data with data
from other systems, such as intrusion detection systems. By using the update functionality of
the API, you can create applications that perform custom remediation actions and then update
the results of the remediation in the Symantec Data Loss Prevention incident database. The
combined information from third-party systems and Symantec Data Loss Prevention, and the
ability to update the status of incidents, can provide valuable information to security experts
who are tasked with analyzing the data or with remediating security incidents.
The Incident Reporting and Update API is implemented as a Web Service that resides on the
Enforce Server. The Web Service conforms to the Simple Object Access Protocol (SOAP) 1.1
standard, and it advertises all available operations using a Web Services Description Language
(WSDL) document. You can use the WSDL document with compatible Web Services
development frameworks to generate certain client code automatically. Generated proxy code
for Java clients is also provided with your Symantec Data Loss Prevention installation.
Chapter 2
Java examples
This chapter includes the following topics:

■ About the Java examples

■ Building the Java examples

■ Running the Java examples

About the Java examples

The Java examples demonstrate the reporting and update capabilities of the Incident Reporting
and Update API. The example code includes a reporting client application that retrieves incident
data and an update client that updates incident data. Although both sample clients only support
Discover and Network incident types, the API supports all incidents types.
System requirements for Java examples:
■ A functional installation of Symantec Data Loss Prevention 15.5. The Enforce Server must
be accessible by the sample clients over a network.
For more information see the Symantec Data Loss Prevention Installation Guide for your
platform (Windows or Linux).
■ Java SDK version 1.7
■ Apache Ant version 1.6 or later
Table 2-1 describes the files that are included in the ZIP file that contains the code examples.
Extract this file to a working directory on the computer where you will run the examples.

Table 2-1 Java example files

File Description

SampleClients\Java\ReportingAPISample\build.xml Ant build file for the Reporting

client.
Java examples 9
About the Java examples

Table 2-1 Java example files (continued)

File Description

SampleClients\Java\ReportingAPISample\SampleReportingAPI-2.0.jar A compiled version of the

Reporting client.

You may run the examples

using only this file.

SampleClients\Java\ReportingAPISample\lib\incidentapi-2011-generated.jar Generated proxy classes for

accessing the Incident
Reporting and Update API
WSDL.

SampleClients\Java\ReportingAPISample\src\*.java Java source files for the

Reporting client.
The source files are contained in the following subdirectories:
The file Program.java
■ Binaries—retrieves binary attachments
contains the main method for
■ Client—handles authentication and Web service initialization
the Reporting client.
■ List—retrieves incident IDs
■ Details—retrieves incident details for Network and Discover incident types

SampleClients\Java\UpdateAPISample\build.xml Ant build file for the Update

client.

SampleClients\Java\UpdateAPISample\SampleUpdateAPI-2.0.jar A compiled version of the

Update client.

You may execute the

examples using only this file.

SampleClients\Java\UpdateAPISample\lib\incidentapi-2011-generated.jar Generated proxy classes for

accessing the Incident
Reporting and Update API
WSDL.

SampleClients\Java\UpdateAPISample\src\*.java Java source files for the

Update client.
The source files are contained in the following subdirectories:
The file Program.java
■ Client—handles authentication and Web service initialization
contains the main method for
■ Fetch—retrieves custom attribute names and custom status names
the Update client.
■ Update—updates incident details

Table 2-2 describes where to find Java implementations of the various Web service methods
that are defined by the Incident Reporting and Update API WSDL.
Java examples 10
Building the Java examples

Table 2-2 Web service methods implemented in Java classes

Web service method Description Class

incidentList() Returns a list of incident IDs by executing a saved IncidentList.java

report on the Enforce Server.

incidentDetail() Requests the details of a specified incident. IncidentDetails.java

incidentBinaries() Retrieves additional components of the message IncidentBinaries.java

that generated an incident, such as the message
header, body, and binary attachments.

listCustomAttributes() Returns a list of all custom attribute names defined IncidentParamFetcher.java

in the Symantec Data Loss Prevention
deployment.

listIncidentStatus() Returns a list of the custom status values defined IncidentParamFetcher.java

in the Symantec Data Loss Prevention
deployment.

updateIncidents() Updates incident details for one or more incidents. UpdateIncident.java

Building the Java examples

Note: You must install the Java SDK and Apache Ant to build the examples.

To build the Reporting client, switch to the \SampleClients\Java\ReportingAPISample

directory and run the following command:
ant build

To build the Update client, switch to the \SampleClients\Java\UpdateAPISample directory

and run the following command:
ant build

Running the Java examples

To run the Reporting client Java program, run the following command, and add additional
arguments from Table 2-3 as required.
java -jar SampleReportingAPI-2.0.jar URL =
Enforce_Server/ProtectManager/services/v2011/incidents?wsdl USER=user
PASSWORD=password
Java examples 11
Running the Java examples

The command outputs incident data and returns a status message to standard out.
To run the Update client Java program, run the following command, and add additional
arguments from Table 2-4 as required.
java -jar SampleReportingAPI-2.0.jar URL =
Enforce_Server/ProtectManager/services/v2011/incidents?wsdl USER=user
PASSWORD=password

The command updates the incident data and returns a status message to standard out.
For example, the following command line updates the NOTE_TEXT field for the incident whose
ID is 2:
java -jar SampleReportingAPI-2.0.jar URL=
Enforce_Server/ProtectManager/services/v2011/incidents?wsdl USER=user
PASSWORD=password INCIDENT_ID=2 NOTE_TEXT="My note"

Table 2-3 Reporting client arguments

Operation Argument Description

WSDL connection URL URL for the WSDL hosted on the Enforce Server:

https://Enforce_Server
/ProtectManager/services/v2011/incidents?wsdl

WSDL connection USER User name with permission to perform the requested
operation. The correct user formats are as follows:

■ The format for a user with a specified role using

Active Directory credentials:
<role>\<username>:<domain>. For example,
IncidentReporting\bsmith:company.com
■ The format for a user with their default role using
Active Directory credentials:
<username>:<domain>. For example,
bsmith:company.com.
■ The format for a user with a specified role using DLP
User authentication rather than Active Directory
credentials: <role>\<username>. For example,
IncidentReporting\bsmith.
■ The format for a user with their default role using
DLP User authentication: <username>. For
example, bsmith.

WSDL connection PASSWORD Password for the specified user.

Java examples 12
Running the Java examples

Table 2-3 Reporting client arguments (continued)

Operation Argument Description

Read incident list REPORT_ID Specifies the ID of the saved report to execute on the
Enforce Server. Created this report using the Enforce
Server administration console before you execute the
Web Service call.

Read incident list DATE_LATER_THAN Constrains the list of returned incident IDs to include
only incidents created after this date.

Read incident details INCIDENT_ID Incident ID number.

Read incident details GET_HISTORY When set to TRUE, returns incident history details.

Read incident details GET_VIOLATIONS When set to TRUE, returns incident violation details.

Read incident message INCIDENT_ID Incident ID number.

and binary attachments

Read incident message GET_ALL_COMPONENTS When set to TRUE, returns all incident components
and binary attachments (optional).

The default value is FALSE.

Read incident message GET_ORIGINAL_MESSAGE When set to TRUE, returns the original message of the
and binary attachments incident (optional).

The default value is FALSE.

Read incident message COMPONENT_ID ID number of a component to retrieve. Only applicable

and binary attachments when GET_ALL_COMPONENTS is set to FALSE.

Read image violations GET_IMAGE_VIOLATIONS When set to TRUE, returns all image violations (optional).

Table 2-4 Update client arguments

Operation Argument Description

WSDL connection URL URL for the WSDL hosted on the Enforce Server:

https://Enforce_Server
/ProtectManager/services/v2011/incidents?wsdl
Java examples 13
Running the Java examples

Table 2-4 Update client arguments (continued)

Operation Argument Description

WSDL connection USER User name with permission to perform the requested
operation. The correct user formats are as follows:

■ The format for a user with a specified role using

WSDL connection PASSWORD Password for the specified user.

Update incident details INCIDENT_ID Incident ID number.

Update incident details STATUS_ID Sets the status ID.

Update incident details STATUS Sets the status value.

Update incident details SEVERITY Sets the severity value.

Update incident details REMEDIATION_LOCATION Sets the remediation location value.

Update incident details REMEDIATION_STATUS Sets the remediation status value.

Update incident details NOTE_TEXT Sets the Note Text value.

Update incident details NOTE_TEXT_1 Sets the Note Text 1 value.

Update incident details NOTE_TEXT_2 Sets the Note Text 2 value.

Update incident details DATA_OWNER_NAME Sets the data owner name value.

Update incident details DATA_OWNER_EMAIL Sets the data owner email value.
Java examples 14
Running the Java examples

Table 2-4 Update client arguments (continued)

Operation Argument Description

Update the value of a CUSTOM_custom sets the value of a named custom attribute. Use the
custom attribute attribute_name following form:

CUSTOM_myAtttributeName=myValue

Retrieve list of custom FETCH_PARAM To retrieve a list of custom attributes, set the value to:
attributes
CUSTOM_ATTRIBUTES

To retrieve a list of custom status values, set the value

to:

INCIDENT_STATUSES
Chapter 3
.NET Examples
This chapter includes the following topics:

■ About the .NET examples

■ Building the .NET examples

■ Running the .NET examples

About the .NET examples

The examples demonstrate the reporting and update capabilities of the Incident Reporting and
Update API. The example code includes a reporting client application that retrieves incident
data and an update client that updates incident data. Although both sample clients only support
Discover and Network incident types, the API supports all incidents types.
System requirements for .NET examples:
■ A functional installation of Symantec Data Loss Prevention 15.5. The Enforce Server must
be accessible by the sample clients over a network.
For more information see the Symantec Data Loss Prevention Installation Guide for your
platform (Windows or Linux).
■ Microsoft .NET Framework version 4.5 or 4.6
■ Microsoft Visual Studio, version 2012 or later
Table 3-1 describes the files that are included in the ZIP file that contains the code examples.
Extract this file to a working directory on the computer where you will run the examples.
.NET Examples 16
About the .NET examples

Table 3-1 .NET example files

File Description

SampleClients\dot_net\ReportingAPISample\ This proxy class is required to

ReportingAPISample\src\IncidentServices.cs interact with the Web service. The
proxy class is generated using the
executable svcutil.exe which
is available in the Microsoft .NET
SDK installed folder. You must
pass the WSDL file as a
parameter.

SampleClients\dot_net\ReportingAPISample\ Microsoft Visual Studio project file.

ReportingAPISample.sln

SampleClients\dot_net\ReportingAPISample\ A compiled version of the

ReportingAPISample\ReportingAPI.exe Reporting client.

You may run the examples using

only this file.

SampleClients\dot_net\ReportingAPISample\ File used by Microsoft Visual

ReportingAPISample\ReportingAPISample.csproj Studio.

SampleClients\dot_net\ReportingAPISample\ .NET source files for the Reporting

ReportingAPISample\src\*.cs client.

The source files are contained in the following subdirectories:

■ Binaries—retrieves binary attachments

■ Client—handles authentication and Web service initialization
■ List—retrieves incident IDs
■ Details—retrieves incident details for Network and Discover incident types.

The file Program.cs is the main class for the Update client.

SampleClients\dot_net\ReportingAPISample\ This proxy class is required to

SampleClients\dot_net\UpdateAPISample\ UpdateAPISample.sln Microsoft Visual Studio project file.

.NET Examples 17
About the .NET examples

Table 3-1 .NET example files (continued)

File Description

SampleClients\dot_net\UpdateAPISample\ A compiled version of the Update

UpdateAPISample\UpdateAPI.exe client.

You may execute the examples

using only this file.

SampleClients\dot_net\UpdateAPISample\ File used by Microsoft Visual

UpdateAPISample\UpdateAPISample.csproj Studio.

SampleClients\dot_net\UpdateAPISample\src\*.cs .NET source files for the Update

client.
The source files are contained in the following subdirectories:

■ Client—handles authentication and Web service initialization

■ Fetch—retrieves custom attribute names and custom status names
■ Update—updates incident details.

The file Program.cs is the main class for the Update client.

Table 3-2 describes where to find .NET implementations of the various Web service methods
that are defined by the Incident Reporting and Update API WSDL.

Table 3-2 Web service methods implemented in .NET classes

Web service method Description Class

incidentList() Returns a list of incident IDs by executing a saved IncidentList.cs

report on the Enforce Server.

incidentDetail() Requests the details of a specified incident. IncidentDetails.cs

incidentBinaries() Retrieves additional components of the message IncidentBinaries.cs

that generated an incident, such as the message
header, body, and binary attachments.

listCustomAttributes() Returns a list of all custom attribute names defined IncidentParamFetcher.cs

in the Symantec Data Loss Prevention
deployment.

listIncidentStatus() Returns a list of the custom status values defined IncidentParamFetcher.cs

in the Symantec Data Loss Prevention
deployment.

updateIncidents() Updates incident details for one or more incidents. UpdateIncident.cs

.NET Examples 18
Building the .NET examples

Building the .NET examples

To build the .NET examples, open one of the following Microsoft Visual Studio project files in
Microsoft Visual Studio and use Visual Studio to build the project:
■ Reporting client:
\SampleClients\dot_net\ReportingAPISample\ReportingAPISample.sln

■ Update client:
\SampleClients\dot_net\UpdateAPISample\UpdateAPISample.sln

Running the .NET examples

To run the Reporting client .NET program, run the following command, and add additional
arguments from Table 3-3 as required.
C:\Sample_Clients\Sample Clients\dot_net\ReportingAPISample\ReportingAPI.exe
URL=Enforce_Server/ProtectManager/services/v2011/incidents USER=user
PASSWORD=password

The command outputs incident data and returns a status message to standard out.
To run the Update client .NET program, run the following command, and add additional
arguments from Table 3-4 as required.
C:\Sample_Clients\Sample Clients\dot_net\UpdateAPISample\UpdateAPI.exe
URL=Enforce_Server/ProtectManager/services/v2011/incidents USER=user
PASSWORD=password

The command updates the incident data and returns a status message to standard out.
For example, the following command line updates the NOTE_TEXT field for the incident whose
ID is 2:
C:\Sample_Clients\Sample Clients\dot_net\UpdateAPISample\UpdateAPI.exe
URL=Enforce_Server/ProtectManager/services/v2011/incidents USER=user
PASSWORD=password INCIDENT_ID=2 NOTE_TEXT="My note"

Table 3-3 Reporting client arguments

Operation Argument Description

WSDL connection URL URL for the WSDL hosted on the Enforce Server:

https://Enforce_Server
/ProtectManager/services/v2011/incidents
.NET Examples 19
Running the .NET examples

Table 3-3 Reporting client arguments (continued)

Operation Argument Description

WSDL connection USER User name with permission to perform the requested
operation. The correct user formats are as follows:

■ The format for a user with a specified role using

WSDL connection PASSWORD Password for the specified user.

Read incident list REPORT_ID Specifies the ID of the saved report to execute on the
Enforce Server. Create this report with the Enforce
Server administration console before you execute the
Web Service call.

Read incident list DATE_LATER_THAN Constrains the list of returned incident IDs to include
only incidents that were created after this date.