Symantec DLP Gives You Power to Query and Filter Incident Data

Using the Symantec DLP RESTful API to extract and index Symantec DLP Matches

Data Loss Protection (DLP) programs are complex. Just think about the huge volume of sensitive data being accessed by users in many locations, across different devices and data locations (endpoint, storage, email, and cloud). DLP systems also create many different data incidents, and being able to search for specific data is an important requirement for customers. For example, SOC engineers need to verify whether Symantec DLP has previously detected specific national data identifiers (like US Social Security Numbers), credit card numbers, addresses, or other personally identifiable information (PII) data instances.

Adding to this complexity is the need to respect the various privacy regulations in force. According to Gartner, "By 2023, 65% of the World's Population Will Have Its Personal Data Covered Under Modern Privacy Regulations". With the advent of such regulations, Symantec DLP can augment our customers' ability to address data owners' requests for deletion, correction, the right-to-be-forgotten, and other business processes.

We are proud that Symantec DLP has helped our customers detect and protect information for years, finding the needle in the haystack through our comprehensive set of detection technologies. However, as the regulatory requirements of privacy have increased, the problem has gotten harder, and customers need to be able to identify not just the needle in the haystack, but a particular needle among millions of needles.

Symantec’s DLP solution, as part of Broadcom Software, has long provided customers with ways to integrate incident data. With the release of DLP 15.7, we delivered a new set of RESTful APIs with multiple advantages over previous solutions. The APIs have been progressively improved as follows: 

  • A native, flexible, powerful, and well-documented REST API
  • The ability to query incidents across different types 
  • Fully-fledged filtering capabilities

A good way to understand the capabilities of the RESTful API is through an example. The example does the following:

  1. Sends data to ElasticSearch or Splunk
  2. Queries across multiple incident types, with specific filters to control which incidents have been already processed.
  3. Provides telemetry for control (i.e., processed incidents, number of matches extracted)

NOTE: While the use cases are primarily driven by the need to identify PII, the example applies to other important types of information (like, for instance, source code). The example does not provide matches for VML or image-based incidents.
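The three steps above, for the Elasticsearch case, as an added example that is not the script this post refers to. It covers only the checkpoint filter, the per-match documents, and the telemetry; fetching from the DLP API and posting to `_bulk` are left out so it runs offline. The incident field names, the sample records, and the `dlp-matches` index name are constructed assumptions, not the Symantec DLP schema.

```python
import json

# Constructed sample incidents. Field names are assumptions for illustration,
# not the Symantec DLP API response schema.
SAMPLE_INCIDENTS = [
    {"incidentId": 101, "type": "ENDPOINT", "policy": "US SSN", "matches": ["000-00-0001"]},
    {"incidentId": 102, "type": "NETWORK", "policy": "Credit Cards",
     "matches": ["0000000000000001", "0000000000000002"]},
    {"incidentId": 103, "type": "DISCOVER", "policy": "US SSN", "matches": []},
    {"incidentId": 104, "type": "ENDPOINT", "policy": "US SSN", "matches": ["000-00-0002"]},
]

def select_unprocessed(incidents, last_id, types):
    """Step 2: keep requested incident types with an id above the checkpoint."""
    picked = [i for i in incidents if i["type"] in types and i["incidentId"] > last_id]
    return sorted(picked, key=lambda i: i["incidentId"])

def to_match_docs(incident):
    """One document per match, so a single value can be searched for later."""
    return [{"_id": f'{incident["incidentId"]}-{n}',
             "incident_id": incident["incidentId"],
             "incident_type": incident["type"],
             "policy": incident["policy"],
             "match": m}
            for n, m in enumerate(incident["matches"])]

def build_bulk_body(docs, index):
    """Step 1: Elasticsearch _bulk NDJSON (action line, then document source).
    The deterministic _id makes a re-sent batch overwrite instead of duplicate."""
    lines = []
    for d in docs:
        source = {k: v for k, v in d.items() if k != "_id"}
        lines.append(json.dumps({"index": {"_index": index, "_id": d["_id"]}}))
        lines.append(json.dumps(source))
    return "\n".join(lines) + "\n" if lines else ""

def run_batch(incidents, last_id, types, index="dlp-matches"):
    """Returns the bulk body and the step 3 telemetry, including the new checkpoint."""
    batch = select_unprocessed(incidents, last_id, types)
    docs = [d for inc in batch for d in to_match_docs(inc)]
    telemetry = {"incidents_processed": len(batch),
                 "matches_extracted": len(docs),
                 "checkpoint": batch[-1]["incidentId"] if batch else last_id}
    return build_bulk_body(docs, index), telemetry

if __name__ == "__main__":
    body, stats = run_batch(SAMPLE_INCIDENTS, 101, {"ENDPOINT", "NETWORK", "DISCOVER"})
    print(body, stats)
```

Persist the returned checkpoint only after the index request succeeds, so a failed run is retried from the same point.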


  • ElasticSearch and Kibana
  • Splunk with HEC
  • Python 3.8
    • The example is written in Python 3.8
  • Symantec DLP 15.8 MP1
    • A user with API privileges (Example)

Before implementing this or any other similar functionality that involves extracting Symantec DLP matches, customers are strongly encouraged to:

  1. Ensure appropriate access, authentication, encryption, and data protection controls for the systems that will store the extracted DLP matches. Enterprise Search solutions provide such capabilities.
  2. Test and validate that the extraction process does not adversely impact the performance of the Enforce server.

NOTE: The code is a) an example and b) provided as-is. We do not know your computing environment, so you need to assess the script’s function and performance before implementing it.

Symantec is excited to introduce the release of DLP 15.7, delivering a new set of RESTful APIs with multiple advantages over previous solutions. To learn more or contact us, please visit us here.

About the Author

Alejandro Loza

Technical Director - Data Protection and Cloud - Symantec Enterprise Division of Broadcom Software

Alejandro is a Technical Director - Data Protection at Symantec, focusing on helping customers safeguard their information in a multi-cloud and hybrid world. With 20 years of experience, he is a DLP veteran, former CISO, ex-AWS and Palo Alto Networks.