
What Variables can be used within Response Rules

Created: 25 Feb 2012 • Updated: 27 Feb 2012 | 10 comments
Posted by yang_zhang

Whether you set up a response rule for email notification or for sending a notification to a syslog server, you can use response action variables to pass incident-specific data into the message.

The response action variables are different for Monitor/Prevent incidents than for Discover incidents. The following sections list the variables for each type of incident.

Monitor/Prevent Incidents

$BLOCKED$ – Indication of whether or not the message was blocked by the Symantec Data Loss Prevention system (yes or no).

$INCIDENT_ID$ – The ID of the incident.

$INCIDENT_SNAPSHOT$ – The fully qualified URL to the Incident Snapshot page for the incident.

$MATCH_COUNT$ – The incident match count.

$POLICY$ – The name of the policy that was violated.

$RECIPIENTS$ – A comma-separated list of one or more message recipients.

$RULES$ – A comma-separated list of one or more policy rules that were violated.

$SENDER$ – The message sender.

$SEVERITY$ – The severity assigned to the incident.

$SUBJECT$ – The subject of the message.

Discover Incidents

$FILE_NAME$ – The name of the file in which the incident was found.

$INCIDENT_ID$ – The ID of the incident.

$MATCH_COUNT$ – The incident match count.

$PARENT_PATH$ – The path to the parent directory of the file in which the incident was found.

$PATH$ – The full path to the file in which the incident was found.

$POLICY$ – The name of the policy that was violated.

$RULES$ – A comma-separated list of one or more policy rules that were violated.

$QUARANTINE_PARENT_PATH$ – The path to the parent directory in which the file was quarantined.

$SCAN$ – The date of the scan that found the incident.

$SEVERITY$ – The severity assigned to the incident.

$TARGET$ – The name of the target in which the incident was found.


Here is an example using the variables for Endpoint Prevent incidents.

Create a response rule that logs to a syslog server and, in the 'Message' section, enter all of the 'Monitor/Prevent Incidents' variables:

When an incident is generated, the syslog entry looks like this:
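To show how the variables listed above end up in a syslog line, and what the receiving side then has to do with it, here is an added Python example; it is not code from this post or from Symantec. It expands the documented Monitor/Prevent tokens in a message template, leaves any undocumented or missing token in place and reports it, and parses the rendered line back into typed fields. The template wording, the key names, the sample incident values and the snapshot URL are all constructed for the example; the product's own syslog layout is not shown on the page, and treating an unknown token as "left literally in the output" is an assumption made here, not documented product behaviour.

```python
import re

# Variables the post lists for Monitor/Prevent incidents.
MONITOR_PREVENT_VARS = {
    "BLOCKED", "INCIDENT_ID", "INCIDENT_SNAPSHOT", "MATCH_COUNT", "POLICY",
    "RECIPIENTS", "RULES", "SENDER", "SEVERITY", "SUBJECT",
}
# Variables the post lists for Discover incidents.
DISCOVER_VARS = {
    "FILE_NAME", "INCIDENT_ID", "MATCH_COUNT", "PARENT_PATH", "PATH", "POLICY",
    "RULES", "QUARANTINE_PARENT_PATH", "SCAN", "SEVERITY", "TARGET",
}

TOKEN = re.compile(r"\$([A-Z_]+)\$")


def render_response_message(template, incident, incident_type):
    """Expand $NAME$ tokens in `template` from `incident` (dict keyed by variable name).

    A token not documented for this incident type, or with no value in the
    incident, is kept literally and reported, so a mistaken template is visible
    in the log stream instead of yielding an empty field. (Assumption for this
    example; the page does not say how the product treats such tokens.)
    """
    allowed = MONITOR_PREVENT_VARS if incident_type == "monitor_prevent" else DISCOVER_VARS
    unresolved = []

    def expand(match):
        name = match.group(1)
        if name not in allowed or name not in incident:
            unresolved.append(name)
            return match.group(0)
        return str(incident[name])

    return TOKEN.sub(expand, template), unresolved


# Message text for a "log to syslog" response rule (constructed). Field order
# is deliberate: SUBJECT is free text chosen by whoever sent the message, so it
# goes last, where it cannot be mistaken for one of the preceding fields.
SYSLOG_TEMPLATE = (
    "DLP incident=$INCIDENT_ID$ blocked=$BLOCKED$ severity=$SEVERITY$ "
    "matches=$MATCH_COUNT$ policy=$POLICY$ rules=$RULES$ sender=$SENDER$ "
    "recipients=$RECIPIENTS$ snapshot=$INCIDENT_SNAPSHOT$ subject=$SUBJECT$"
)

# Receiving side (SIEM or collector): anchored, ordered pattern for the
# template above. Only the subject may hold arbitrary text; it is consumed
# greedily to end of line.
SYSLOG_PATTERN = re.compile(
    r"^DLP incident=(?P<incident>\S+) blocked=(?P<blocked>yes|no) "
    r"severity=(?P<severity>\S+) matches=(?P<matches>\d+) "
    r"policy=(?P<policy>.*?) rules=(?P<rules>.*?) sender=(?P<sender>\S+) "
    r"recipients=(?P<recipients>\S+) snapshot=(?P<snapshot>\S+) "
    r"subject=(?P<subject>.*)$"
)


def parse_dlp_syslog(line):
    """Parse a line rendered from SYSLOG_TEMPLATE back into typed fields.

    Returns None when the line does not match, so a pipeline can route it to
    a dead-letter queue rather than guess at partial fields.
    """
    match = SYSLOG_PATTERN.match(line)
    if match is None:
        return None
    fields = match.groupdict()
    fields["matches"] = int(fields["matches"])
    fields["recipients"] = fields["recipients"].split(",")
    fields["rules"] = [rule.strip() for rule in fields["rules"].split(",")]
    return fields


def naive_parse(line):
    """Order-insensitive key=value split, kept only to show the failure mode:
    text inside the subject overwrites the real fields that precede it."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


# Constructed sample incident; no value here is real.
SAMPLE_INCIDENT = {
    "BLOCKED": "yes",
    "INCIDENT_ID": "123456",
    "INCIDENT_SNAPSHOT": "https://dlp.example.internal/incident/123456",  # placeholder URL
    "MATCH_COUNT": "3",
    "POLICY": "PCI Card Numbers",
    "RECIPIENTS": "alice@example.org,bob@example.net",
    "RULES": "Credit Card Number, Magnetic Stripe",
    "SENDER": "user@corp.example",
    "SEVERITY": "High",
    # A subject that happens to look like other fields.
    "SUBJECT": "Q1 report severity=Low blocked=no",
}

if __name__ == "__main__":
    message, unresolved = render_response_message(SYSLOG_TEMPLATE, SAMPLE_INCIDENT, "monitor_prevent")
    print(message)
    print("unresolved tokens:", unresolved)
    print(parse_dlp_syslog(message))
```

The naive_parse function exists only to make the point about field order: because $SUBJECT$ is free text supplied by the message sender, a key=value split that ignores position lets the subject overwrite the severity and blocked fields, whereas the anchored, ordered pattern with the free-text field last reads them correctly.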

Comments (10)

Srikanth_Subra wrote:

Thumbs up, yes

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

0
DLP Solutions wrote:

There is also more information that you can use in the response rules.


You can also use the Custom Attributes in the response rules. This is not well documented but you can use ANY of the Custom Attribute fields within the Response Rules.

The Variable looks like this:

$ATTRIBUTE_6$

$ATTRIBUTE_7$


The number corresponds to the field in the UI. The way to get the number is to go to an Incident page, then take the mouse and just hover over the Custom Attribute, and you will see the name show up in the lower portion of the web browser (JavaScript name).

Please make sure to mark this as a solution to your problem, when possible.


+2
new_dlp wrote:

Hi, DLP Solutions,

Your information is really useful!

0
yang_zhang wrote:

So Good!

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
0
seswho wrote:

A couple of changes as of 11.6.1.x:

$POLICY$ is now $POLICY_NAME$

$RULES$ is now $POLICY_RULES$

You will never know the blessings you lose from “shooting the messenger”, instead of listening to or reading the message that was sent.

+1
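The custom-attribute tokens described in DLP Solutions's comment above and the 11.6.1.x renames in seswho's comment are two easy ways to save a template that silently sends a literal "$..." string instead of a value. The following Python is an added example, not code from the thread or from Symantec: it lints a response rule message before it is saved, flagging an unclosed token, a stray "$", an $ATTRIBUTE_n$ number outside the configured range, and a variable name that does not exist in the stated product version. The assumptions are ours: that the old names stop working from 11.6.1 onward and the new ones do not exist before it (the comment only says "is now"), that the caller supplies how many custom attributes are configured, and that version strings compare numerically.

```python
import re

# Variable names from the post (Monitor/Prevent and Discover sets combined).
DOCUMENTED_VARS = {
    "BLOCKED", "INCIDENT_ID", "INCIDENT_SNAPSHOT", "MATCH_COUNT", "POLICY",
    "RECIPIENTS", "RULES", "SENDER", "SEVERITY", "SUBJECT",
    "FILE_NAME", "PARENT_PATH", "PATH", "QUARANTINE_PARENT_PATH", "SCAN", "TARGET",
}
# Renames reported in the thread as of 11.6.1.x. Assumption: the old names are
# replaced, not aliased, and the new names do not exist before that version.
RENAMED_AT_11_6_1 = {"POLICY": "POLICY_NAME", "RULES": "POLICY_RULES"}
RENAME_VERSION = (11, 6, 1)

# Custom attributes are referenced as $ATTRIBUTE_n$, n being the field number
# shown on the incident page.
CUSTOM_ATTRIBUTE = re.compile(r"^ATTRIBUTE_(\d+)$")

# One '$', an optional name, and an optional closing '$'. Capturing the closing
# '$' separately is what lets the linter spot a token that never closed.
TOKEN_SCAN = re.compile(r"\$([A-Z0-9_]*)(\$?)")


def parse_version(version):
    """'11.6.1.2' -> (11, 6, 1, 2); tuples compare element-wise, so '11.5' < '11.6.1'."""
    return tuple(int(part) for part in version.split("."))


def check_name(name, version, custom_attribute_count):
    """Return a problem description for a well-formed token name, or None if it is usable."""
    custom = CUSTOM_ATTRIBUTE.match(name)
    if custom:
        number = int(custom.group(1))
        if 1 <= number <= custom_attribute_count:
            return None
        return f"custom attribute {number} is outside the configured range 1..{custom_attribute_count}"
    renamed = parse_version(version) >= RENAME_VERSION
    if renamed and name in RENAMED_AT_11_6_1:
        return f"renamed to ${RENAMED_AT_11_6_1[name]}$ as of 11.6.1.x"
    if not renamed and name in RENAMED_AT_11_6_1.values():
        old = next(k for k, v in RENAMED_AT_11_6_1.items() if v == name)
        return f"not available before 11.6.1.x (use ${old}$)"
    if name in DOCUMENTED_VARS or name in RENAMED_AT_11_6_1.values():
        return None
    return "unknown variable"


def lint_template(template, version, custom_attribute_count):
    """Return a list of (token, problem) for every token that would not expand.

    An empty list means every '$' in the template belongs to a usable token.
    """
    findings = []
    for match in TOKEN_SCAN.finditer(template):
        token, name, closing = match.group(0), match.group(1), match.group(2)
        if not name:
            findings.append((token, "stray '$' with no variable name"))
        elif not closing:
            findings.append((token, "missing closing '$'; the text will be sent literally"))
        else:
            problem = check_name(name, version, custom_attribute_count)
            if problem:
                findings.append((token, problem))
    return findings


if __name__ == "__main__":
    # Constructed templates exercising each finding.
    for template, version in [
        ("policy=$POLICY$ rules=$RULES$ id=$INCIDENT_ID$", "11.6.1"),
        ("EP User: $ATTRIBUTE_10$, EP IP Address: $ ????", "11.0"),
        ("$ATTRIBUTE_6\n$ATTRIBUTE_7$", "11.0"),
    ]:
        print(version, lint_template(template, version, custom_attribute_count=10))
```

Run the linter against a template on the version you actually deploy to; a template that passes on 11.5 can start emitting literal $POLICY$ text after an upgrade, which is the kind of change a syslog or SIEM parser downstream will not notice on its own.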
ensweiler wrote:

Is there a list for Endpoint too?

+1
rald-bw wrote:

The Endpoint Username shows up as Attribute 10.


I would like to find the Endpoint Machine IP Address but have not found a variable for it.


EP User: $ATTRIBUTE_10$,


EP IP Address: $ ????


0
DLP Solutions wrote:

What version are you working on?


If you are on a version before v12, then look at the config file Plugins.properties. It will outline the variables available. You will need to make sure it is going to output the right variables for your use.

Then make sure to update the following line with the CATEGORY of variables you want.

com.vontu.api.incident.attributes.AttributeLookup.parameters=sender,message

If you are using V12 or higher, you can see the list in the UI under the Plugins Configuration page (Settings section).

You will see the list under a section there; you will need to select the category of variables you want to enable, and it has a list of the variables there.

Ronak

CLOSE THIS QUESTION IF I HAVE ANSWERED YOUR QUESTION

Please make sure to mark this as a solution to your problem, when possible.


0
rald-bw wrote:

This is DLP V11.


I do not see the Endpoint IP Address in the properties file.


These are the only ones that look like Endpoint values.

# endpoint-volume-name
# endpoint-dos-volume-name
# endpoint-application-name
# endpoint-application-path
# endpoint-file-name
# endpoint-file-path

# endpoint-user-name
# endpoint-machine-name


0
DLP Solutions wrote:

Try the Sender IP address variable; it may be the same field.

Please make sure to mark this as a solution to your problem, when possible.


0