
DLP and AD integration

Created: 10 Oct 2010 • Updated: 16 Oct 2010 | 8 comments
JJ58
This issue has been solved. See solution.

Hello

I completed the training last week and it was quite useful; I still have some questions, one of them about DLP and AD integration.

I have read in the admin guide how to perform the integration, but the idea of what I get from it is not clear. In other words, will this integration get me the users with their first names, last names and emails?

Do I need to modify another file?

Please clarify.

I appreciate your feedback.

Regards


Naor Penso

You should keep in mind at all times that Symantec DLP can show any piece of information you would like to see. Symantec DLP queries AD for an entity and pulls out attributes of that person. When you integrate Symantec DLP and AD you decide which attributes you would like to pull from AD; that is done in the Symantec DLP AD integration plugin.

Keep in mind that Symantec DLP cannot give you information that does not exist. If your AD does not contain information regarding an employee's manager (for example), Symantec DLP would not be able to produce such information.

I am attaching a small paragraph about the integration with AD and the attributes. I would advise that if you are not familiar with LDAP (on the basic query level), you try and consult with someone who is, because LDAP queries are a bit messy.

 

## ----- Custom Attribute Mappings ------------
#
#  In the following section custom attributes in the Vontu Enforce server can be assigned
#  an LDAP query.  The format for this mapping is the following:
#
#        attr.VontuCustomAttributeName = searchbase:(searchfilter=$variable$):ldapAttribute
#
#  If the VontuCustomAttributeName requires a space character you should escape it with a backslash.
#
#  You can assign queries to temporary variables and use those variables in subsequent
#  queries.  For example:
#               attr.TemporaryVariable = <query here>
#  This would declare a variable called TemporaryVariable.  The value stored in this variable can
#  be referenced using $Temporary$ in subsequent queries.
#
attr.Title = ou=Users:(mail=$sender-email$):title
attr.Telephone\ Number = ou=Users:(mail=$sender-email$):telephoneNumber
attr.Country = ou=Users:(mail=$sender-email$):c
attr.Department = ou=Users:(mail=$sender-email$):department
attr.Manager = ou=Users:(mail=$sender-email$):manager
attr.Manager\ Email = ou=Users:(distinguishedName=$Manager$):mail

The syntax of the attribute string is as follows:

 

Before the equal sign is 'attr.' followed by the name of the custom attribute as configured on the DLP enforce server. The custom attribute names (e.g. 'attr.Title') MUST match custom attributes that already exist. Any spaces must be escaped with backslashes, as shown in the example above. Note that the complete string is also case-sensitive, including the 'attr.' prefix as well as the attribute name.

After the equal sign, the first section (before the first colon) is the location in the LDAP tree where the search for this attribute will be performed ('ou=Users' in this example). If the search will be done from the base DN, you should omit this part.

The second section (between the two colons) is the LDAP search filter. In this example, we are searching for any object whose 'mail' attribute matches the 'sender-email' variable retrieved from the incident.

The third section (after the last colon) is the LDAP attribute that will be searched for, and populated into the DLP custom attribute.

 

Kind Regards,

Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

JJ58

Hello

Thank you for your reply. Actually, I'm a little bit lost on this subject.

What I know is that we do the integration to be able to get all the users seen by DLP and include or exclude users from policies. Is that right?

Regarding the custom attributes which you have attached, please explain more about what custom attributes mean, and in which file all these syntaxes like attr.TemporaryVariable = <query here> exist to be changed?

Regards
 

UpNorth

AD authentication and an LDAP query are two different things. To perform AD authentication you need to configure the krb5.ini file (Windows) or the krb5.conf file (Linux), then run a command. See the admin guide for DLP 10.5 and search for krb5; it will take you to the page for AD authentication.

 

An LDAP query populates custom attributes in SMTP incidents only. These attributes are mapped out in System - Overview - Attributes - Custom Attributes. The files that need to be configured to enable this functionality are the plugins.properties file and the LiveLdapLookup.properties file, located in <drive>:\Vontu\Protect\Config

The admin guide can help with AD authentication, the Lookup Plugin Guide can be helpful when configuring the LDAP query. 

SOLUTION
Naor Penso

You are confusing two different things regarding Active Directory and Symantec DLP.

What you have asked about is the population of information regarding the offenders in the incidents. This can be done with attributes (as I explained in my earlier post).
Just to add to what was said by UpNorth, you could populate offender information on SMTP and Endpoint events (if they were made by a domain user) and Network Protect incidents (data owners).

Now,

Enforcing AD rules (meaning you can choose users/security groups and create policies for them) is much easier, and it is done as UpNorth mentioned. This integration would also allow you to authenticate to the DLP console with domain users.

 

Kind Regards,

Naor Penso


JJ58

Great, thank you all for your great help; now I'm on track.

Regards

DLP Solutions

@UpNorth and all...

 

This statement is incorrect:

A LDAP query populates custom attributes in SMTP incidents only.

 

You can actually populate all incidents with LDAP information from DAR, DAE, and DIM.

 

DAR: Would look up based on the owner of the file

DAE: Would look up based on the username who caused the violation

DIM:

SMTP is by email

FTP/HTTP is populated either with the username from an authenticated proxy, or, if there is a way to script a lookup with an IP address and then correlate that lookup to something in AD, based on the laptop/desktop name

 

This is what the file would look like.

attr.Sender\ Email = dc=domain:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):mail

 

Please make sure to mark this as a solution to your problem, when possible.
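To make the mapping syntax described in Naor Penso's post, and the compound filter DLP Solutions posted above, concrete, here is an added example that parses those `attr.Name = searchbase:(filter):attribute` lines and dry-runs them against a small constructed in-memory directory. It is not the Symantec lookup plugin and does not talk to a real LDAP server; the directory entries, the incident variables and the RFC 4515 escaping of values spliced into the filter are all assumptions made for the illustration (the thread says nothing about how the real plugin escapes incident data, which is attacker-influenced input such as a sender address). It does show the two behaviours the posts describe: a later mapping can reference an earlier result as `$Manager$`, and one OR filter can serve SMTP, Discover and Endpoint incidents, whichever variable the incident happens to carry.

```python
"""Parse LiveLdapLookup-style custom attribute mappings and dry-run them
against an in-memory directory (added illustration, not the Symantec plugin)."""
import re
from dataclasses import dataclass

# Constructed sample: the mapping lines posted in this thread, plus the
# compound filter that serves SMTP, Discover (file-owner) and Endpoint incidents.
SAMPLE_MAPPINGS = r"""
## ----- Custom Attribute Mappings ------------
attr.Title = ou=Users:(mail=$sender-email$):title
attr.Telephone\ Number = ou=Users:(mail=$sender-email$):telephoneNumber
attr.Country = ou=Users:(mail=$sender-email$):c
attr.Department = ou=Users:(mail=$sender-email$):department
attr.Manager = ou=Users:(mail=$sender-email$):manager
attr.Manager\ Email = ou=Users:(distinguishedName=$Manager$):mail
attr.Sender\ Email = dc=example:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):mail
"""

# Constructed directory standing in for what AD would return (hypothetical people).
DIRECTORY = [
    {"distinguishedName": "CN=Alice Smith,OU=Users,DC=example,DC=com",
     "mail": "alice@example.com", "sAMAccountName": "asmith", "title": "Analyst",
     "department": "Finance", "c": "US", "telephoneNumber": "+1 555 0100",
     "manager": "CN=Bob Jones,OU=Users,DC=example,DC=com"},
    {"distinguishedName": "CN=Bob Jones,OU=Users,DC=example,DC=com",
     "mail": "bob@example.com", "sAMAccountName": "bjones",
     "title": "Finance Director", "department": "Finance", "c": "US"},
]

@dataclass
class Mapping:
    name: str         # DLP custom attribute name, with "\ " unescaped
    search_base: str  # "" means search from the base DN
    ldap_filter: str  # still contains $variable$ placeholders
    ldap_attr: str    # LDAP attribute whose value fills the custom attribute

LINE_RE = re.compile(r"^attr\.((?:\\ |[^\s=])+)\s*=\s*(\S+)$")

def parse_mappings(text):
    """Turn the properties fragment into Mapping objects; raises on malformed lines."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed mapping line: {raw!r}")
        name, rhs = m.group(1).replace("\\ ", " "), m.group(2)
        base = ""
        if not rhs.startswith("("):          # searchbase is optional
            base, _, rhs = rhs.partition(":")
        ldap_filter, _, ldap_attr = rhs.rpartition(":")
        if not (ldap_filter.startswith("(") and ldap_filter.endswith(")") and ldap_attr):
            raise ValueError(f"expected searchbase:(filter):attribute in {raw!r}")
        mappings.append(Mapping(name, base, ldap_filter, ldap_attr))
    return mappings

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping (assumed here) so incident data cannot alter filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def substitute(ldap_filter, variables):
    """Replace $name$ with the escaped variable value; unknown or empty ones become ''."""
    return re.sub(r"\$([^$]+)\$",
                  lambda m: escape_filter_value(variables.get(m.group(1)) or ""),
                  ldap_filter)

def parse_filter(s, i=0):
    """Recursive-descent parser for the subset used here: equality leaves and
    the &, | and ! operators. Returns (predicate over an entry, index after ')')."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, subs = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            pred, i = parse_filter(s, i)
            subs.append(pred)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated {op!r} filter in {s!r}")
        combine = {"&": lambda e: all(p(e) for p in subs),
                   "|": lambda e: any(p(e) for p in subs),
                   "!": lambda e: not subs[0](e)}[op]
        return combine, i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    # Undo the \XX escaping so the comparison is against the literal value.
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    if not literal:                          # unresolved variable: matches nothing
        return (lambda e: False), end + 1
    attr = attr.lower()
    return (lambda e: e.get(attr) is not None and e[attr].lower() == literal.lower()), end + 1

def in_search_base(entry, base):
    """True when the entry's DN lies under `base` (match on RDN boundaries)."""
    if not base:
        return True
    return ("," + base.lower() + ",") in ("," + entry["distinguishedname"].lower() + ",")

def resolve(mappings, incident, directory):
    """Evaluate mappings in file order; each result is also exposed as a $variable$
    for later mappings, which is how Manager -> Manager Email chains."""
    entries = [{k.lower(): v for k, v in e.items()} for e in directory]
    variables, results = dict(incident), {}
    for m in mappings:
        pred, _ = parse_filter(substitute(m.ldap_filter, variables))
        hits = [e for e in entries if in_search_base(e, m.search_base) and pred(e)]
        results[m.name] = hits[0].get(m.ldap_attr.lower()) if hits else None
        variables[m.name] = results[m.name]
    return results

if __name__ == "__main__":
    maps = parse_mappings(SAMPLE_MAPPINGS)
    print(resolve(maps, {"sender-email": "alice@example.com"}, DIRECTORY))   # SMTP incident
    print(resolve(maps, {"endpoint-user-name": "bjones"}, DIRECTORY))        # Endpoint incident
```

Running it with an SMTP-style incident fills every attribute for Alice, including Manager Email via the chained `$Manager$` lookup; with an Endpoint-style incident only Sender Email resolves, because the per-`sender-email` mappings fall back to an empty assertion and match nothing. That second case is the point DLP Solutions makes above: if a mapping should work for all incident types, every variable the incident might carry has to appear in the filter.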

 

JJ58

Hello

Please expand more about DAR, DAE, and DIM.

What I know is that with the krb5.conf change I got the user to be able to authenticate, and changing LiveLdapLookup.properties gets me the attributes populated when I open an incident?

Could you please expand your point of view: what exactly should be done in a real implementation?

Regards

DLP Solutions

JJ58,

DIM: Data in motion

DAR: Data at Rest

DAE: Data at the Endpoint

 

I was referring to the LDAP Lookup Plugin, which populates the custom attributes section in the incident snapshot. This is outlined in the Symantec_DLP_10.5_Lookup_Plugin_Guide. This requires modification of the following items:

  • Adding/organizing the Custom Attributes in the Enforce UI.
  • Plugin.properties file
  • LiveLdapLookup.properties

The AD authentication is the one that uses the krb5.ini file and requires a change in the Enforce UI under System Settings.

 

Which one do you need help with?
