Custom Reporting

Created: 21 Apr 2010 • Updated: 23 Oct 2010 | 6 comments

Hey Everyone --

I'm trying to get some custom reporting out of Enforcer. I scanned an Oracle database and am trying to generate a report with the match area so the database administrators can easily see what is a false positive and what is an actual hit. The Enforcer reporting features don't allow it to be exported.

I've started to look at the underlying Oracle tables for the Protect database. I've noticed that the Message tables have what I'm looking for. I can pretty much use the MessageID or MessageComponentID as primary keys and attach everything I need. The one piece of data I can't export is the message body that I see in the web reporting. I'm positive it's in the MessageComponentLOB table under one of its columns. It looks to be encrypted or in some kind of binary form.

Has anyone tried to do what I'm looking to complete, and does anyone have any suggestions on doing it, or on seeing what's in the MessageComponentLOB column?

Thanks!

Naor Penso:

What do you mean when you say: "Match Area" ?

Did you look in the incident snapshot?

Kind regards,
Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

matt082:

Thanks for the response.

By "match area", I mean the area surrounding the PII match. So if you're in Discover and you drill further into an incident, you'll see the Matches in the center column. I would like to see that in a report, as well as the "Message Body" on the left-hand side below "Incident Details" and "Policy Matches". For me, the "Message Body" is the full row.

There's data inside the "Message Body" I can grab, and using a few Microsoft Excel tricks on that I can make a report my DBAs can use for remediation.

-Matt

Naor Penso:

If I understand correctly, you wish to extend the message body in the incident snapshot.
If I understood correctly, I am positive that there is a configuration in which you define what the size of the message body would be.
Even if I discover how it's done, I am pretty sure it would be unsupported, because I have not seen any reference in the knowledge base.

I will notify you if I find anything.

Kind Regards,
Naor Penso

Naor Penso:

Unfortunately, I have not found anything in the documentation either.

The only reference is:


Incident snapshot matches section
In the Matches section, Symantec Data Loss Prevention displays the content (if applicable) and the matches that caused the incident.
Matches are highlighted in yellow. This section shows the match total and displays the matches in the order in which they appear in the original content. To view the rule that triggered a match, click on the highlighted match.

Update:
I have found the setting for the encryption of the message box:


IncidentWriter.ShouldEncryptContent -  If true, the monitor will encrypt the body of every message, message component and cracked component before writing to disk or sending to Enforce.

Naor Penso:

Here is the setting:


EDM.SimpleTextProximityRadius - (default is 35)
Number of tokens to the left and to the right of the current token that are evaluated together when the proximity check is enabled. 

It is found under the detection server settings.

Update:
I don't think it's the answer, sorry for misleading you. I still think you might want to try and check the server settings.

Kind Regards,
Naor Penso

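As an added illustration (not part of this thread, and not Symantec's implementation), the following Python sketch shows the two ideas the thread touches on: a proximity check in the sense of the EDM.SimpleTextProximityRadius description above, where an incident is raised only when values from at least two indexed columns fall within a configurable number of tokens of each other, and the extraction of the "match area" (matched tokens plus a few tokens of surrounding context, with matches marked) that the original post wants in a DBA-facing report. The sample rows, the regex stand-ins for EDM columns, the radius values and all function names are assumptions made for this example.

```python
import re

# Constructed sample rows standing in for a "message body" handed to detection
# by a database scan. Names and numbers are made up for illustration.
SAMPLE_ROW = ("row 4711 | last_name=Novak | first_name=Ana | "
              "ssn=123-45-6789 | notes: see memo")
FAR_ROW = "memo " * 5 + "Novak " + "filler " * 10 + "123-45-6789" + " trailer" * 5

# Hypothetical stand-ins for EDM-indexed columns. A real EDM profile matches
# exact indexed values; a regex per column keeps this example self-contained.
COLUMN_PATTERNS = {
    "last_name": re.compile(r"Novak"),
    "ssn": re.compile(r"\d{3}-\d{2}-\d{4}"),
}

# A token is a run of word characters, allowing hyphens inside (so an SSN is one token).
TOKEN_RE = re.compile(r"\w[\w-]*")


def tokenize(text):
    """Split text into (token, start, end) triples; offsets index into text."""
    return [(m.group(0), m.start(), m.end()) for m in TOKEN_RE.finditer(text)]


def find_matches(tokens, patterns):
    """Map token index -> column name for every token that matches a column pattern."""
    hits = {}
    for i, (tok, _, _) in enumerate(tokens):
        for column, pat in patterns.items():
            if pat.fullmatch(tok):
                hits[i] = column
                break
    return hits


def proximity_incidents(hits, radius, min_columns=2):
    """Proximity check: for each matched token, look `radius` tokens to the left
    and to the right; the window only counts as an incident when it contains
    at least `min_columns` distinct columns. Returns a sorted, de-duplicated
    list of (first_index, last_index, columns) for the matches in the window."""
    incidents = set()
    for i in hits:
        window = {j: col for j, col in hits.items() if abs(j - i) <= radius}
        columns = tuple(sorted(set(window.values())))
        if len(columns) >= min_columns:
            incidents.add((min(window), max(window), columns))
    return sorted(incidents)


def match_area(text, tokens, hits, lo, hi, context=3):
    """Return the original text from token lo to hi plus `context` tokens on either
    side, with matched tokens wrapped in [brackets] as the report's stand-in for
    the yellow highlighting in the incident snapshot."""
    first = max(0, lo - context)
    last = min(len(tokens) - 1, hi + context)
    out, cursor = [], tokens[first][1]
    for i in range(first, last + 1):
        tok, start, end = tokens[i]
        out.append(text[cursor:start])          # keep the original separators
        out.append(f"[{tok}]" if i in hits else tok)
        cursor = end
    return "".join(out)


def report(text, patterns=COLUMN_PATTERNS, radius=35, context=3):
    """One report row per proximity incident found in `text`."""
    tokens = tokenize(text)
    hits = find_matches(tokens, patterns)
    return [
        {"columns": cols, "match_area": match_area(text, tokens, hits, lo, hi, context)}
        for lo, hi, cols in proximity_incidents(hits, radius)
    ]


if __name__ == "__main__":
    # The same row is an incident at the default radius of 35 and a non-incident
    # once the radius is smaller than the distance between the two column values.
    for row in (SAMPLE_ROW, FAR_ROW):
        for radius in (35, 10, 3):
            print(f"radius={radius:>2}: {report(row, radius=radius)}")
```

The radius is what turns two isolated column values into one incident: in FAR_ROW the surname and the SSN are eleven tokens apart, so they form an incident at the documented default of 35 but not at 10. The context parameter is independent of the radius and only controls how much of the row surrounds the highlighted matches in the report.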

matt082:

Thanks for your help, I really appreciate it.

I'd actually prefer the items to be encrypted since it's on an Oracle server that is sometimes shared with other instances. What I'm really trying to find is a way to decrypt or unpackage the messagecomponentlob table so I can build some custom reports for my DBAs.