
How to Configure the CSV Lookup in Symantec DLP

Created: 31 Jan 2012 • Updated: 01 Feb 2012
yang_zhang's picture

The CSV Lookup Plug-In extracts data from a delimited comma-separated values (CSV) file stored on the DLP Enforce Server. The plug-in uses that data to populate custom attributes for an incident at the time the incident is generated.

The process works as follows: The CSV Lookup Plug-In receives a group of lookup parameters that contain data about an incident from the DLP Enforce Server. One or more of the lookup parameters in the group are mapped to column heads in a CSV file. For example, the sender-email lookup parameter might be mapped to the Email column in the CSV file. The value in the lookup parameter is used as a key to find a matching value in the corresponding CSV column. When a match is found, the CSV row that contains the matching value provides the data that is returned to the DLP Enforce Server. The DLP Enforce Server uses the data in that row to populate the custom attributes for that incident. For example, if the sender-email lookup parameter contains the value dlp01@dlp.local, the plug-in searches the Email column for a row that contains dlp01@dlp.local. That row is then used to provide the data to populate the custom attributes for the incident.
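The lookup described above, sketched in Python as an added example (this is not Symantec's plug-in code and not part of the original article). The CSV rows, the custom attribute names and the case-insensitive key comparison are assumptions. The checks for missing mapped columns and duplicate keys are additions that catch a bad lookup file before incidents are enriched from it.

```python
import csv
import io

# Constructed sample data: stands in for a senders.csv on the Enforce Server.
SENDERS_CSV = """Email,FirstName,LastName,Department,Manager
dlp01@dlp.local,Ann,Lee,Finance,bob@dlp.local
dlp02@dlp.local,Raj,Patel,Engineering,eve@dlp.local
"""

# Hypothetical mappings (not copied from a real plug-in configuration).
KEY_MAP = {"sender-email": "Email"}            # lookup parameter -> CSV column
ATTR_MAP = {"First Name": "FirstName",         # custom attribute -> CSV column
            "Department": "Department",
            "Manager Email": "Manager"}


def load_rows(text):
    """Parse the CSV and check it against the mappings before it is used."""
    reader = csv.DictReader(io.StringIO(text))
    header = set(reader.fieldnames or [])
    missing = (set(KEY_MAP.values()) | set(ATTR_MAP.values())) - header
    if missing:
        raise ValueError(f"CSV lacks mapped columns: {sorted(missing)}")
    rows = list(reader)
    for column in KEY_MAP.values():
        keys = [r[column].strip().lower() for r in rows]
        if len(keys) != len(set(keys)):
            raise ValueError(f"duplicate key values in column {column!r}")
    return rows


def lookup(params, rows):
    """Return custom attribute values for an incident, or {} when no row matches."""
    for param, column in KEY_MAP.items():
        wanted = params.get(param, "").strip().lower()
        if not wanted:
            continue
        for row in rows:
            # Assumption: keys are compared case-insensitively after trimming.
            if row[column].strip().lower() == wanted:
                return {attr: row[col] for attr, col in ATTR_MAP.items()}
    return {}


if __name__ == "__main__":
    rows = load_rows(SENDERS_CSV)
    print(lookup({"sender-email": "dlp01@dlp.local"}, rows))
    print(lookup({"sender-email": "unknown@dlp.local"}, rows))
```

An empty result for an unknown sender means the incident's custom attributes stay unpopulated, which is worth watching for when the lookup file falls out of date.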

1. First, define the Custom Attributes for your incident. In this example, we created 7 custom attributes, as shown in the screenshot below:

2. Modify the that located on \Vontu\Protect\config. (note: make a backup of this configuration file before the modification)

For the 'attributes mapping':

The names on the left of the equals sign are the Custom Attributes that were created in step 1, and the names on the right of the equals sign are the column names of the CSV file.

3. Modify the that located on \Vontu\Protect\config. (note: make a backup of this configuration file before the modification)

    Enable the following parameters (i.e. make sure they are not commented out):

     –  com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Csv Lookup
        (this is the type of lookup to be performed)

     –  com.vontu.api.incident.attributes.AttributeLookup.parameters=sender
         (this is the unique key used in the input file)

     –  com.vontu.plugins.execution.chain=com.vontu.lookup.csv.CsvLookup

         (the physical name of the file with the lookup specification)

4. Create or copy senders.csv to this location: \Vontu\Protect\plugins

    In this example, the content of the senders.csv file looks like this:

After an incident involving dlp01@dlp.local is triggered, the custom attributes on the incident detail page should look like this: