
Creating a look-up script for DLP

Created: 18 Jul 2013 • Updated: 24 Jul 2013 | 6 comments
This issue has been solved.

I am brand new to DLP (have been working with SEP Antivirus so far) and have been asked to create a look-up script for DLP. I can create a script, no problem, I am just trying to figure out exactly what to script.

So far, I have some understanding of the requirements, and have been asked to read Chapter 50 of the Symantec DLP 11.6 Admin Guide, called "Implementing lookup plug-ins".

I'm trying to get a feel for the inner-workings of DLP, or anything that may help in general.

Can anyone point me in the right direction?


jjesse

This Connect post: https://www-secure.symantec.com/connect/downloads/dlp-vontu-custom-script-lookup-network-incident-hostnames shows an example of using a script to populate a custom attribute of hostname via a Python script.

There is also an LDAP script floating around connect that populates Active Directory attributes via a script as well.

It all depends on what you are looking to do.

Jonathan Jesse Practice Principal ITS Partners

SOLUTION
stephane.fichet

Hello,

It really depends on what you have to do. If you just need to get attributes from a directory or a CSV file, use the existing plugin and everything works fine. If you need to add some special processing before populating the custom attribute, just do it in your script.

To be short, DLP works like this:

- message detection

- processing the message with respect to each policy

- apply the response rule if the message matches group and detection rules and exceptions, then generate an incident.

- execute custom plugins (you can chain more than one script if needed) for each incident.

DLP will call your script with the requested variables on stdin. Then at the end you have to send to stdout a key=Value (where key is your custom attribute name).

As it will be called for each incident, just be sure that your script doesn't perform some useless processing that could harm your Enforce server (the custom script will be executed on your Enforce server).

Regards.

jjesse

Were you able to get your question solved or do you still need help?

Jonathan Jesse Practice Principal ITS Partners

DLP Solutions

RSASKA,

What are you trying to do?

There are different things you can do with scripting, but it all comes down to populating the Custom Attributes.

After there is an incident, the Enforce Server can run a script which will then retrieve information from another source (LDAP, DNS, IP lookups, etc.).

This information can then be used to populate the Custom Attributes for the Incident (see picture). It can also be used to retrieve information and pass it to another Plugin (daisy chained) so it can retrieve information to be populated into the custom attributes.

Another option is to use Symantec Workflow along with DLP and other systems. You can have it pass on information to other systems so they can take action. For example, if DLP sees a really bad incident, it can send information to Workflow, which will send a command to an AV system to lock that computer down.

Hope this makes sense.

If this solves your questions, please mark as solved.

Ronak


Capture.JPG

Please make sure to mark this as a solution to your problem, when possible.

RSASKA

I have to go through the comments, then I'll let you know if I have further questions -- have been a little busy.

The Enemy's greatest fear is that you'll discover who you really are, what you're really worth, and where you're headed.

RSASKA

So far, we are going to get IP address generated by the Enforce server, and use a pre-populated CSV script to determine building location (buildings are assigned IP ranges).

We will also use this IP address to remote into the machine and determine the last user logged on based on event logs.

Then we will use last user logged on to determine other AD attributes.

The Enemy's greatest fear is that you'll discover who you really are, what you're really worth, and where you're headed.
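The stdin/stdout contract stephane.fichet describes, applied to the CSV building lookup planned above, as an added example (not code from the thread or from Symantec): the script reads key=value lines from stdin, matches the incident IP against an embedded table of IP ranges, and writes one key=Value line to stdout. The stdin variable name sender-ip, the custom attribute name Building and the CSV column layout are assumptions; the CSV rows are constructed sample data.

```python
"""Example DLP script lookup plugin (added example, not Symantec's code): resolve the
incident IP to a building from a CSV of IP ranges. Key names and columns are assumed."""
import csv
import io
import ipaddress
import sys
IP_KEY = "sender-ip"      # assumed name of the variable DLP passes on stdin
OUTPUT_KEY = "Building"   # custom attribute name DLP will populate from stdout
# Constructed sample of the pre-populated CSV; a real script would read it from a file.
BUILDING_CSV = """range,building
10.0.0.0/8,Campus Network
10.20.0.0/22,Warehouse
192.168.5.0/24,Lab Annex
"""

def load_ranges(csv_text):
    """Parse 'range,building' rows into (network, building) pairs, skipping bad rows."""
    ranges = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ranges.append((ipaddress.ip_network(row["range"].strip()), row["building"].strip()))
        except (KeyError, ValueError):
            continue  # a malformed row must not break the lookup for every incident
    return ranges

def parse_stdin_vars(text):
    """Turn the key=value lines DLP sends on stdin into a dict."""
    result = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            result[key.strip()] = value.strip()
    return result

def lookup_building(ip_text, ranges):
    """Return the building for an IP, preferring the most specific matching range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # missing or malformed IP: leave the attribute unset
    matches = [(net.prefixlen, name) for net, name in ranges if ip in net]
    return max(matches)[1] if matches else None

def run(stdin_text, csv_text=BUILDING_CSV):
    """Return the key=Value line to write to stdout, or None if nothing resolved."""
    building = lookup_building(parse_stdin_vars(stdin_text).get(IP_KEY, ""), load_ranges(csv_text))
    return f"{OUTPUT_KEY}={building}" if building else None

if __name__ == "__main__":
    output = run(sys.stdin.read())
    if output: print(output)  # DLP reads key=Value from stdout to fill the custom attribute
```

Keeping the work per incident to one table scan and failing silently on bad input follows the advice above about not burdening the Enforce server.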