Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Change attributes displayed in Incident Snapshot?

Created: 11 Apr 2013 | 2 comments

We're got our LDAP lookup working and pulling custom attributes from AD. Now I'd like to change the attributes displayed in the incident snapshot (see first screenshot), including attirbutes like Job Title (see second screenshot) in the right sidebar. Running 11.6.2000.21103 on a 3-tier setup all 2008r2 x64.

 

Thanks! 

Dlp Attribs1.png

Dlp Attribs2.png

 

Operating Systems:

Comments 2 CommentsJump to latest comment

kishorilal1986's picture

Hi Tburke,

Please refer below

Purpose: Configuration steps for setting up Live LDAP Lookup.

Step 1 - Update Plugins.properties

\Vontu\Protect\config\Plugins.properties:

# Plugin Execution Chain.
# A comma-separated list of attribute lookup plug-ins to be executed in sequence.
# Example: com.vontu.lookup.script.ScriptLookup, com.vontu.lookup.xls.ExcelLookup, com.vontu.lookup.script.ScriptLookup
# This example will execute Script Lookup #1 -> ExcelLookup -> Script Lookup #2
# Even if there is only one plugin in the chain, it must be listed here.
com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup
# Plugin JAR manifests to enable Live LDAP lookups -- Note: "Vontu Directory Classes" (directory.jar) must be specified to enable LDAP lookups
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup
# Live LDAP lookup configuration file
com.vontu.lookup.liveldap.LiveLdapLookup.properties = LiveLdapLookup.properties

Step 2 - Update LiveLdapLookup.properties

\Vontu\Protect\config\LiveLdapLookup.properties:

servername = <LDAPSERVERNAME> (e.g. oak.vontu.corp)
port = 389
basedn = <base distinguished name> (e.g. DC=vontu,DC=corp)
authtype = simple
username = <username w/ read access) (e.g. Vontu\<your Windows login>)
password = <password for your username)

You will also need to define Custom Attribute Mappings.  Here's an example:

## ----- Custom Attribute Mappings ------------
#
#  In the following section custom attributes in the Vontu Enforce server can be assigned
#  an LDAP query.  The format for this mapping is the following:
#
#        attr.VontuCustomAttributeName = searchbase:(searchfilter=$variable$):ldapAttribute
#
#  If the VontuCustomAttributeName requires a space character you should escape it with a backslash.
#
#  You can assign queries to temporary variables and use those variables in subsequent
#  queries.  For example:
#               attr.TemporaryVariable = <query here>
#  This would declare a variable called TemporaryVariable.  The value stored in this variable can
#  be referenced using $Temporary$ in subsequent queries.
#
attr.Title = ou=Users:(mail=$sender-email$):title
attr.Telephone\ Number = ou=Users:(mail=$sender-email$):telephoneNumber
attr.Country = ou=Users:(mail=$sender-email$):c
attr.Department = ou=Users:(mail=$sender-email$):department
attr.Manager = ou=Users:(mail=$sender-email$):manager
attr.Manager\ Email = ou=Users:(distinguishedName=$Manager$):mail

 

 

The syntax of the attribute string is as follows:

Before the equal sign is 'attr.' followed by the name of the custom attribute as configured on the DLP enforce server. The custom attribute names (e.g. 'attr.Title') MUST match custom attributes that already exist. Any spaces must be escaped with backslashes, as shown in the example above. Note that the complete string is also case-sensitive, including the 'attr.' prefix as well as the attribute name.

After the equal sign, the first section (before the first colon) is the location in the LDAP tree where the search for this attribute will be performed ('ou=Users' in this example). If the search will be done from the base DN, you should omit this part.

The second section (between the two colons) is the LDAP search filter. In this example, we are searching for any object whose 'mail' attribute matches the 'sender-email' variable retrieved from the incident.

The third section (after the last colon) is the LDAP attribute that will be searched for, and populated into the DLP custom attribute.

Steps to follow once the properties files are updated:

1. Restart Vontu Manager service on the Enforce server, whenever Plugins.properties has been modified. (For version 10 and later, you must also restart the Vontu Incident Persister service.)
2. Navigate to Custom Attributes page and click Reload Lookup Plug-ins. Make sure you get a green success message.
3. Navigate to an incident snapshot and click Lookup to retrieve custom attributes. Verify that attribute values are populated.

Ethan M.'s picture

DLP 11.6 does not have a LiveLdapLookup.properties file in the config folder. Directory Connection (to LDAP) and setting attributes to display in Custom Attributes is all done in the Enforce console. As long as you have LDAP attributes mapped correctly, it doesn't matter if the same order is not reflected in your Custom Attributes.