What Variables can be used within Response Rules
Whether you set up a response rule for email notification or send a notification to a syslog server, you can use response action variables to pass incident-specific data.
The response action variables are different for Monitor/Prevent incidents than for Discover incidents. The following sections list the variables for each type of incident.
Monitor/Prevent Incidents
$BLOCKED$ – Indication of whether or not the message was blocked by the Symantec Data Loss Prevention system (yes or no).
$INCIDENT_ID$ – The ID of the incident.
$INCIDENT_SNAPSHOT$ – The fully qualified URL to the Incident Snapshot page for the incident.
$MATCH_COUNT$ – The incident match count.
$POLICY$ – The name of the policy that was violated.
$RECIPIENTS$ – A comma-separated list of one or more message recipients.
$RULES$ – A comma-separated list of one or more policy rules that were violated.
$SENDER$ – The message sender.
$SEVERITY$ – The severity assigned to the incident.
$SUBJECT$ – The subject of the message.
Discover Incidents
$FILE_NAME$ – The name of the file in which the incident was found.
$INCIDENT_ID$ – The ID of the incident.
$MATCH_COUNT$ – The incident match count.
$PARENT_PATH$ – The path to the parent directory of the file in which the incident was found.
$PATH$ – The full path to the file in which the incident was found.
$POLICY$ – The name of the policy that was violated.
$RULES$ – A comma-separated list of one or more policy rules that were violated.
$QUARANTINE_PARENT_PATH$ – The path to the parent directory in which the file was quarantined.
$SCAN$ – The date of the scan that found the incident.
$SEVERITY$ – The severity assigned to the incident.
$TARGET$ – The name of the target in which the incident was found.
Here is an example of the variables for Endpoint Prevent incidents.
Create a response rule that logs to a Syslog Server; in the 'Message' section, enter all of the 'Monitor/Prevent Incidents' variables:
When an incident is generated, the content of the Syslog message looks like this:
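As an added example, not part of the original article or the product, here is a collector-side Python parser for syslog lines produced by a response-rule 'Message' built from the Monitor/Prevent variables listed above. The key=value template, the field names and all incident values are constructed for illustration; it flags high-severity messages that were not blocked, and any $VARIABLE$ tokens left unsubstituted (assuming the product passes an unrecognised variable through literally), which points at a template whose variable names no longer match the installed release.

```python
import re
from typing import Dict, List

# Constructed syslog lines (invented values) as they might reach a collector
# after Enforce substitutes the Monitor/Prevent variables into a hypothetical
# response-rule 'Message' template of the form:
#   "DLP incident_id=$INCIDENT_ID$ blocked=$BLOCKED$ severity=$SEVERITY$ ..."
SAMPLE_LINES = [
    "DLP incident_id=10231 blocked=No severity=High policy=PCI-DSS "
    "rules=Credit Card Numbers,SSN match_count=17 sender=alice@example.test "
    "recipients=bob@example.test,carol@example.test subject=Q3 numbers",
    "DLP incident_id=10232 blocked=Yes severity=Medium policy=HR Data "
    "rules=Employee IDs match_count=2 sender=dave@example.test "
    "recipients=eve@example.test subject=Payroll",
    # Template still uses $POLICY$/$RULES$ on a release that renamed them;
    # assumed here to be passed through unsubstituted.
    "DLP incident_id=10233 blocked=No severity=High policy=$POLICY$ "
    "rules=$RULES$ match_count=5 sender=frank@example.test "
    "recipients=grace@example.test subject=Contracts",
]

# A value runs until the next " key=" or end of line, so values may contain
# spaces and commas; keep free-text fields such as subject last in the
# template, because a literal " word=" inside them would split the value.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
UNSUBSTITUTED_RE = re.compile(r"\$[A-Z_]+\$")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one DLP syslog line into a field -> value dict."""
    _, _, body = line.partition(" ")  # drop the leading "DLP" tag
    return {key: value.strip() for key, value in PAIR_RE.findall(body)}


def triage(fields: Dict[str, str]) -> List[str]:
    """Reasons this incident needs analyst attention (empty list if none)."""
    reasons = []
    if fields.get("blocked", "").lower() == "no" and fields.get("severity") == "High":
        reasons.append("high-severity message was NOT blocked")
    leftovers = sorted({t for v in fields.values() for t in UNSUBSTITUTED_RE.findall(v)})
    if leftovers:
        reasons.append("unsubstituted variables, check template against release: "
                       + ", ".join(leftovers))
    return reasons


def triage_all(lines: List[str]) -> Dict[str, List[str]]:
    """Map incident_id -> triage reasons for every line."""
    return {f["incident_id"]: triage(f) for f in map(parse_line, lines)}
```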
Thumbs up
Thanks & Regards,
Srikanth.S
"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)
There is also more information that you can use in the response rules.
You can also use the Custom Attributes in the response rules. This is not well documented but you can use ANY of the Custom Attribute fields within the Response Rules.
The Variable looks like this:
$ATTRIBUTE_6$
$ATTRIBUTE_7$
The number corresponds to the field in the UI. The way to get the number is to go to an Incident page, hover the mouse over the Custom Attribute, and you will see the name show up in the lower portion of the web browser (JavaScript name).
Please make sure to mark this comment as a solution to your problem, when possible.
Hi, DLP Solutions,
Your information is really useful!
So Good!
A couple of changes as of 11.6.1.x:
$POLICY$ is now $POLICY_NAME$
$RULES$ is now $POLICY_RULES$
Is there a list for Endpoint too?