
What Variables can be used within Response Rules

Created: 25 Feb 2012 • Updated: 27 Feb 2012 | 15 comments | Author: yang_zhang

Whether you set up a response rule for email notification or to send a notification to a syslog server, you can use response action variables to pass incident-specific data into the message.

The response action variables differ between Monitor/Prevent incidents and Discover incidents. The following sections list the variables for each type of incident.

Monitor/Prevent Incidents

$BLOCKED$ – Indicates whether the message was blocked by the Symantec Data Loss Prevention system (yes or no).

$INCIDENT_ID$ – The ID of the incident.

$INCIDENT_SNAPSHOT$ – The fully qualified URL of the Incident Snapshot page for the incident.

$MATCH_COUNT$ – The incident match count.

$POLICY$ – The name of the policy that was violated.

$RECIPIENTS$ – A comma-separated list of one or more message recipients.

$RULES$ – A comma-separated list of one or more policy rules that were violated.

$SENDER$ – The message sender.

$SEVERITY$ – The severity assigned to the incident.

$SUBJECT$ – The subject of the message.

Discover Incidents

$FILE_NAME$ – The name of the file in which the incident was found.

$INCIDENT_ID$ – The ID of the incident.

$MATCH_COUNT$ – The incident match count.

$PARENT_PATH$ – The path to the parent directory of the file in which the incident was found.

$PATH$ – The full path to the file in which the incident was found.

$POLICY$ – The name of the policy that was violated.

$RULES$ – A comma-separated list of one or more policy rules that were violated.

$QUARANTINE_PARENT_PATH$ – The path to the parent directory in which the file was quarantined.

$SCAN$ – The date of the scan that found the incident.

$SEVERITY$ – The severity assigned to the incident.

$TARGET$ – The name of the target in which the incident was found.

Here is an example of the variables for Endpoint Prevent incidents.

Create a response rule that logs to a syslog server and, in the 'Message' section, enter all the variables listed under 'Monitor/Prevent Incidents':

When an incident is generated, the syslog content looks like this:
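The substitution the response rule performs is simple to model, and modelling it makes two practical problems visible: a variable that is not available for the incident type (or channel) is left in the message literally, and a value such as the subject line or file name is attacker-influenced text, so a line break inside it would split one syslog record into two. The following Python is an added example written for this page; it is not Symantec code and does not call the Enforce server. The incident record, the template and the snapshot URL are constructed sample data, and the sanitisation step is an assumption about what a sensible notification should do, not documented product behaviour.

```python
import re
from typing import Dict, List, Tuple

# A well-formed response-rule variable: $NAME$ (hyphens allowed, cf. $endpoint-user-name$).
VAR_RE = re.compile(r"\$([A-Za-z0-9_-]+)\$")
# Applied to what is left after well-formed tokens are removed, to spot a
# placeholder that lost its closing '$' (for example "$ATTRIBUTE_6").
DANGLING_RE = re.compile(r"\$[A-Za-z0-9_-]+")
# CR, LF and other control characters must not survive into a syslog line.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample incident (not real DLP output). Keys are the Monitor/Prevent
# variable names from the article without their surrounding '$'.
SAMPLE_INCIDENT: Dict[str, str] = {
    "BLOCKED": "yes",
    "INCIDENT_ID": "12345",
    "INCIDENT_SNAPSHOT": "https://enforce.example.invalid/incident/12345",  # constructed URL
    "MATCH_COUNT": "3",
    "POLICY": "Customer PII",
    "RECIPIENTS": "alice@example.invalid, bob@example.invalid",
    "RULES": "SSN pattern, Credit card number",
    "SENDER": "carol@example.invalid",
    "SEVERITY": "High",
    # Constructed to show why values need sanitising: a subject containing a
    # newline would otherwise turn one incident into two syslog records.
    "SUBJECT": "Q3 report\n<13>forged second record",
}

# Constructed message template using only variables the article lists.
TEMPLATE = ("DLP incident $INCIDENT_ID$ policy=$POLICY$ rules=$RULES$ "
            "sender=$SENDER$ recipients=$RECIPIENTS$ subject=$SUBJECT$ "
            "severity=$SEVERITY$ blocked=$BLOCKED$ matches=$MATCH_COUNT$ "
            "snapshot=$INCIDENT_SNAPSHOT$")


def sanitize(value: str) -> str:
    """Collapse control characters so one incident stays one syslog line."""
    return CONTROL_RE.sub(" ", value)


def expand_variables(template: str, incident: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute $NAME$ tokens from `incident`.

    Unknown tokens are left literally in the output (which is how an
    unsupported variable shows up in a real notification) and are also
    returned, so the template author can notice them before going live.
    """
    unresolved: List[str] = []

    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in incident:
            return sanitize(incident[name])
        unresolved.append(name)
        return match.group(0)

    return VAR_RE.sub(repl, template), sorted(set(unresolved))


def find_dangling(template: str) -> List[str]:
    """Return placeholders that are missing their closing '$'."""
    residue = VAR_RE.sub("", template)
    return DANGLING_RE.findall(residue)


if __name__ == "__main__":
    message, missing = expand_variables(TEMPLATE, SAMPLE_INCIDENT)
    print(message)
    print("unresolved:", missing)
    # A variable that is not available for this incident type stays literal.
    message, missing = expand_variables("user=$ENDPOINT_USER_NAME$ id=$INCIDENT_ID$", SAMPLE_INCIDENT)
    print(message, "unresolved:", missing)
    print("dangling:", find_dangling("$ATTRIBUTE_6 $ATTRIBUTE_7$"))
```

Running the template through `expand_variables` against a representative incident before enabling the rule is a cheap pre-flight check: an entry in the unresolved list means the variable will arrive at the syslog server as literal `$NAME$` text, and a hit from `find_dangling` means a placeholder will never be substituted at all.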

Comments (15)

Srikanth_Subra:

Thumbs up.

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

DLP Solutions2:

There is also more information that you can use in the response rules.

You can also use the Custom Attributes in the response rules. This is not well documented, but you can use ANY of the Custom Attribute fields within the Response Rules.

The variable looks like this:

$ATTRIBUTE_6$

$ATTRIBUTE_7$

The number corresponds to the field in the UI. The way to get the number is to go to an Incident page, hover the mouse over the Custom Attribute, and you will see the name show up in the lower portion of the web browser (JavaScript name).

Please make sure to mark this as a solution to your problem, when possible.

new_dlp:

Hi, DLP Solutions,

Your information is really useful!

yang_zhang:

So Good!

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
seswho:

A couple of changes as of 11.6.1.x:

$POLICY$ is now $POLICY_NAME$

$RULES$ is now $POLICY_RULES$

You will never know the blessings you lose from “shooting the messenger”, instead of listening to or reading the message that was sent.

ensweiler:

Is there a list for Endpoint too?

rald-bw:

The Endpoint Username shows up as Attribute 10.

I would like to find the Endpoint Machine IP Address but have not found a variable for it.

EP User: $ATTRIBUTE_10$,

EP IP Address: $ ????

DLP Solutions2:

What version are you working on?

If you are on a version before v12, then look at a config file, Plugins.properties. It will outline the variables available. You will need to make sure it is going to output the right variables for your use.

Then make sure to update the following line with the CATEGORY of variables you want.

com.vontu.api.incident.attributes.AttributeLookup.parameters=sender,message

If you are using V12 or higher, you can see the list in the UI under the Plugins Configuration page (Settings section).

You will see the list under a section there; you will need to select the Category of Variables you want to enable, and it has a list of the Variables there.

Ronak

CLOSE THIS QUESTION IF I HAVE ANSWERED YOUR QUESTION

Please make sure to mark this as a solution to your problem, when possible.

rald-bw:

This is DLP V11.

I do not see the Endpoint IP Address in the properties file.

These are the only ones that look like Endpoint values.

# endpoint-volume-name
# endpoint-dos-volume-name
# endpoint-application-name
# endpoint-application-path
# endpoint-file-name
# endpoint-file-path

# endpoint-user-name
# endpoint-machine-name

DLP Solutions2:

Try the Sender IP address variable; it may be the same field.

Please make sure to mark this as a solution to your problem, when possible.

bncecu02:

I couldn't get the Endpoint User Name to show. Has anyone had success with this?

DLP Solutions2:

$endpoint-user-name$ is the name of the variable.

Here is how to look it up as part of the LDAP lookup and populate the attributes.

attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):givenName
attr.Last\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):sn
attr.Username =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$Hostname2$)):sAMAccountName
attr.Sender\ Email =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):mail
attr.Department =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):department
attr.Title =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):title
attr.Phone =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):telephoneNumber
attr.Division =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):physicalDeliveryOfficeName
attr.City =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):l
attr.TempManager =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):manager
attr.Manager\ First\ Name =:(distinguishedname=$TempManager$):givenName
attr.Manager\ Last\ Name =:(distinguishedname=$TempManager$):sn
attr.Manager\ Email =:(distinguishedName=$TempManager$):mail
attr.Manager\ Title =:(distinguishedName=$TempManager$):title
attr.Manager\ Department =:(distinguishedName=$TempManager$):department
attr.Manager\ Phone =:(distinguishedName=$TempManager$):telephoneNumber

Please make sure to mark this as a solution to your problem, when possible.

bncecu02:

Any idea how to populate the End User Name and/or the Machine IP in a response rule to forward to a syslog server? I've used this below, but the $ENDPOINT_USER_NAME$ field doesn't give me a value in the syslog event. This is for an Endpoint Incident.

CEF:0|Vontu|Monitor|11|$POLICY$|$POLICY$|5|app=$PROTOCOL$  src=$SENDER$ dst=$RECIPIENTS$ duser=$RECIPIENTS$ dhost=$ENDPOINT_MACHINE$   msg=$RULES$ cn1=$MATCH_COUNT$ cn1Label=MatchCount externalId=$INCIDENT_ID$   cs1=$INCIDENT_ID$ cs1Label=IncidentID cs2=$SEVERITY$ cs2Label=DLPSeverity cs3=$TARGET$ cs3Label=Target cs4=$FILE_NAME$ csLabel=File Name cs5=$PROTOCOL$ cs5Label=Channel

bncecu02:

Thank you for your response. I'm fairly new to DLP, and my goal is to configure the Response Rules to forward syslog to our SIEM and to include the Endpoint User Name in the event. This is what I have so far:

CEF:0|Vontu|Monitor|11|$POLICY$|$POLICY$|5|app=$PROTOCOL$  src=$SENDER$ dst=$RECIPIENTS$ duser=$RECIPIENTS$ dhost=$ENDPOINT_MACHINE$   msg=$RULES$ cn1=$MATCH_COUNT$ cn1Label=MatchCount externalId=$INCIDENT_ID$   cs1=$INCIDENT_ID$ cs1Label=IncidentID cs2=$SEVERITY$ cs2Label=DLPSeverity cs3=$TARGET$ cs3Label=Target cs4=$FILE_NAME$ csLabel=File Name cs5=$PROTOCOL$ cs5Label=Channel

Would I add this to include the User - $cs6=$ENDPOINT_USER_NAME$ ?

Thanks again for the help!

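The CEF messages posted in this thread put response-rule values straight into header fields (`$POLICY$` as the signature ID and name) and extension values (`$RULES$`, `$FILE_NAME$`, `$SUBJECT$`-style free text). CEF reserves `|` in the header and `=` in extension values, and a value containing either, or a backslash or line break, will shift every field after it when the SIEM parses the record. The following Python is an added example written for this page, not Symantec or ArcSight code: it builds a CEF record of the same shape as the one posted above from a constructed set of already-resolved values (what the Enforce server would have substituted), applies the escaping the CEF specification requires, and splits the header back on unescaped pipes to show that the field count survives. The vendor, product and version strings are copied from the posted message; the field values are constructed.

```python
from typing import Dict, List

# CEF escaping rules: in header fields '|' and '\' are escaped with a backslash;
# in extension values '=' and '\' are escaped and line breaks become '\n' / '\r'.


def escape_header(value: str) -> str:
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


# Constructed, already-resolved response-rule values (not real incident data).
# Each awkward character is deliberate, to exercise the escaping.
RESOLVED: Dict[str, str] = {
    "POLICY": "Customer PII | Internal",   # '|' inside a header field
    "RULES": "SSN pattern=strict",         # '=' inside an extension value
    "SENDER": "carol@example.invalid",
    "RECIPIENTS": "alice@example.invalid",
    "MATCH_COUNT": "3",
    "INCIDENT_ID": "12345",
    "SEVERITY": "High",
    "FILE_NAME": "q3\\report.xlsx",        # a backslash in a file name
    "PROTOCOL": "SMTP",
}


def build_cef(vals: Dict[str, str], severity: int = 5) -> str:
    """Assemble CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    header = "|".join(["CEF:0", "Vontu", "Monitor", "11",
                       escape_header(vals["POLICY"]), escape_header(vals["POLICY"]),
                       str(severity)])
    ext_pairs = [
        ("app", vals["PROTOCOL"]),
        ("src", vals["SENDER"]),
        ("dst", vals["RECIPIENTS"]),
        ("msg", vals["RULES"]),
        ("cn1", vals["MATCH_COUNT"]), ("cn1Label", "MatchCount"),
        ("externalId", vals["INCIDENT_ID"]),
        ("cs2", vals["SEVERITY"]), ("cs2Label", "DLPSeverity"),
        ("cs4", vals["FILE_NAME"]), ("cs4Label", "File Name"),
    ]
    extension = " ".join(f"{k}={escape_extension(v)}" for k, v in ext_pairs)
    return header + "|" + extension


def split_header(line: str) -> List[str]:
    """Split the seven header fields on unescaped '|' (decoding header escapes).

    The eighth element is the raw extension string, left escaped so a
    key=value parser can handle it separately.
    """
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            if len(fields) == 7:
                fields.append(line[i:])
                return fields
            continue
        cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


if __name__ == "__main__":
    record = build_cef(RESOLVED)
    print(record)
    print("fields by naive split:", len(record.split("|")))   # pipes inside values inflate this
    print("fields by CEF split: ", len(split_header(record)))  # always 8 for a well-formed record
```

The practical takeaway for the syslog template in this thread is that any variable carrying user-controlled text (policy and rule names are admin-controlled, but subject lines, file names and recipients are not) belongs in an extension value rather than a header field, and that the SIEM side should be checked with a record whose values contain `|`, `=` and a line break before the rule goes live.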
DLP Solutions2:

If the $ENDPOINT_USER_NAME$ does not work, then there is nothing else.

Not all of the Variables can be used for Syslog notifications.

Please make sure to mark this as a solution to your problem, when possible.