ContentIQ Deprecation, and Changes to CloudSOC Content Inspection

CASB Gateway

6 more products


01 October 2020

17 August 2020

Update history:

October 1, 2020 Added link to step-by-step guide at the Broadcom Tech Docs Portal
September 11, 2020 Added comparative information about Global Detector and Enforce Server policies; added Data Loss Prevention system requirements.


Symantec is making significant changes to the CloudSOC ContentIQ component and to CloudSOC content inspection capabilities. The following FAQ explains the reasons for the changes and provides details about what the changes mean for your CloudSOC deployment.


Q: What changes is Symantec making to CloudSOC ContentIQ?

A: Symantec is streamlining user experience, and focusing investment in DLP engines, by unifying on-premises and cloud DLP in one engine for content inspection and violation remediation. Going forward, Symantec Data Loss Prevention will be the sole policy-driven content inspection and remediation engine for Symantec Information Security products. 


Q: Does this mean ContentIQ and the current content inspection capabilities are deprecated in CloudSOC?

A: Yes. ContentIQ and the current CloudSOC content inspection capabilities will be removed and migrated as needed in two phases: first, for customers that already use the Symantec Cloud Detection Service (for Symantec Data Loss Prevention integration with CloudSOC); and second, for customers that exclusively use ContentIQ for content inspection. 


Q: What are the advantages?

A: Symantec will focus on a unified DLP engine across on-premises and cloud-based use cases.  This change will enhance information protection through a common policy framework across cloud, network, email, and endpoint. In addition, processing of violation detection and remediation will benefit from enhanced performance.


Q: If I don’t have Symantec Data Loss Prevention, do I need to deploy that immediately?

A:  No. If you use ContentIQ exclusively for policy-driven content inspection, you will be able to use a Global Detector, which provides three different built-in policies that you can apply to critical use cases for content inspection.


Q: Are the built-in DLP policies intended to be a replacement for ContentIQ?

A:  No. The built-in DLP policies address common risk types like PCI, PII, and HIPAA. They are not intended to replace ContentIQ policies. All customers are encouraged to integrate CloudSOC with Symantec Data Loss Prevention using the Cloud Detection Service, which provides an extensive range of built-in policies and policy customization options.


Q: What are the advantages of the Symantec DLP Cloud Detection Service (CDS)?

A: Symantec DLP Cloud Detection Service inspects content extracted from cloud app and web traffic, and automatically enforces sensitive data policies. It offers enhanced cloud-to-cloud communication with Symantec CloudSOC, the industry-leading cloud access security broker solution, to protect data in motion (more than 200 apps) and data at rest across cloud apps such as Office 365, G-Suite, Box, Amazon S3, Slack, ServiceNow, and Salesforce. The combination of CloudSOC and Symantec Data Loss Prevention enable unified DLP policies across cloud apps, network, web, and email.


Q: How do the PCI, PII and HIPAA policies compare between the built-in Global Detector policies and the Data Loss Prevention Enforce Server policies available through the DLP Cloud Detection Service?

A: The following table compares the Global Detector policies and those of the Enforce Server available though the DLP Cloud Detection Service. 


Global Detector built-in DLP

Enforce Server with DLP Cloud Detection Service


Same as the Enforce Server template

Template + Customization


Same as the Enforce Server template

Template + Customization


North American social security numbers and driver’s licenses numbers

Hundreds of PII data identifiers and over 50 templates for PII regulations such as GDPR


Q: What are the operating system and database requirements for the Data Loss Prevention Enforce Server?

A: Symantec Data Loss Prevention supports the following 64-bit operating systems for Enforce Server computers:

  • Microsoft Windows Server 2012 R2, Datacenter Edition with patches
  • Microsoft Windows Server 2012 R2, Standard Edition with patches
  • Microsoft Windows Server 2016, Standard Edition
  • Microsoft Windows Server 2016, Datacenter Edition
  • Red Hat Enterprise Linux 6.8, 6.9, and 6.10
  • Red Hat Enterprise Linux 7.3 through 7.8
  • Oracle Linux 7.3 and 7.6

Symantec Data Loss Prevention Enforce Server requires Oracle. The following Oracle database versions are supported:

  • Oracle 19c Enterprise (
  • Oracle 19c Standard Edition (
  • Oracle 12c Enterprise Edition ( and
  • Oracle 12c Standard Edition 2 (12c SE2) (
  • Oracle 12c Standard Edition 2 Release 2 (12c SE2 R2) (

Note: While Oracle 12c is currently supported, both Oracle and Symantec strongly recommend updating to Oracle 19c.

For more details, see Symantec DLP System Requirements Guide


Q: When will the change happen?

A: Customers will be able to use the built-in Global Detector starting the second week of September 2020. Customers moving to the Cloud Detection Service to integrate CloudSOC with Symantec Data Loss Prevention, which enables you to create policies and manage cloud application content inspection using the Enforce Server, can switch to this service at any time.


Q: Are any other capabilities deprecated as a part of this effort?

A: Yes. In addition to ContentIQ, support for malicious URLs (DeepSight) and IP addresses (WebPulse) will no longer be available. 


Q: What features and user interface components will be removed in CloudSOC?

A: Features and user interface components that will  be removed from CloudSOC include the following:

CloudSOC Component

Features Removed


Content inspection enable/disabled (button)

Content inspection risk types (all checkboxes)

Content inspection content types (all checkboxes)

Store excerpts on Amazon S3 enable/disable (button)

Redacted risky data in the excerpts enable/disable (button)


Profile Policies

  • ContentIQ Profiles
  • Training Profiles
  • Dictionaries

Content Inspection enabled/disabled indicator under Policies

Rules ContentIQ column in the table under Policies



  • Top Risk Types panel
  • Top Content Types panel

Filter panels

  • ContentIQ Profile
  • Risk Type
  • Malicious URL


Preferences Incident Detectors 

--Threshold Based

  • Encrypted files detector

--Threats Based

  • File type mismatch detector
  • Malicious URL detector


Q: Does this change impact threat protection for Malware, Dynamic Analysis (sandboxing), and VBA Macros?

A: No. Malware scanning is not part of ContentIQ. Customers can continue to create policies for malware and VBA Macros detection and remediation. 


Q: What if I have ContentIQ events remaining in my tenant prior to setting up Symantec Data Loss Prevention or the Global Detector?

A: Customers can access any remaining ContentIQ data in their tenant using the Investigate console. The data retention period is unchanged (three months using the Investigate console and archived for 12 months).


Q: Where can I find additional details?

A: Step-by-step details for making the transition are provided in several topics in Transitioning from ContentIQ to Symantec DLP at the Broadcom Tech Docs Portal.