
DLP CSV Lookup

Created: 02 Mar 2012 • Updated: 05 Mar 2012 | 4 comments
This issue has been solved. See solution.

Hi,

I am trying to implement a CSV lookup in Symantec DLP v11. This is to be used on the incidents created from Network Discover scans.

So far I have managed to activate the lookup so that it interrogates a .csv file (ldap dump). But I have to manually fill in the key field and then click the lookup button to fill in other fields such as Sender Email.

My issue is: I want to be able to specify the Incident Detail "File Owner" as the key to search on. This field is currently populated once a scan has been done, in the format domain\username. I want to link this to the domain\username column in the .csv file and then specify this as the key.

At the moment I only seem to be able to link custom attribute fields and not fields from the incident details pane.

Is this possible?

Thanks


DLP Solutions2's picture

This is possible, though there are some nuances to the CSV Lookup Files.

First of all, make sure that you have set the Plugins.properties file so that you can look up against the File Owner.

In the Plugins.properties file you will need to make sure that the 'message' attributes are being passed to the lookup plugin. You will need to add 'message' to the lookup parameters list.

com.vontu.api.incident.attributes.AttributeLookup.parameters=sender,message

After that the lookup will pass the File Owner information to the plugin.

If you turn on the Lookup logging in the UI (under logs settings) you should see the File Owner information being passed when you do a lookup. This will be visible in the log files, and you will be able to see the format and content of the fields.

You will then need to make sure that there is a column in the CSV that has the same information as the File Owner, to search against it.

Hope this helps..

Please make sure to mark this as a solution to your problem, when possible.

SOLUTION
ralphg33's picture

Hi DLP Solutions,

So far so good, I have amended the plugins.properties file to include message for the attributeLookup.parameters.

I have double checked that within the CsvLookup.properties file the keys are:

keys = FILEOWNER:ADNAME

The FILEOWNER column of the csv file is in the format "domain\username" and the ADNAME column is in the format "username".

Still not successfully performing a lookup. I do get the green bar stating that the lookup has completed, which suggests to me that at present it is still trying to perform a lookup using the custom attributes rather than the message attributes.

Below is a section from the CsvLookup.properties

# The first row in the .csv file contains the column names
# if the attribute name contains any white space characters
# for eg. a space or tab please prepend each instance of the whitespace
# character with a backslash.
#
#For example:
#
# attr.First\ Name = firstname
# attr.Last\ Name = lastname
  attr.Email = MAIL
  attr.File\ Owner = FILEOWNER
  attr.Data\ Owner\ Email = MAIL
  attr.Sender\ Email = MAIL
  attr.Manager\ Email = MANAGER

Is the attr.File\ Owner linking the Incident Details attribute File Owner to the CSV file column FILEOWNER... or, as the prefix suggests, is it linking the custom attribute File Owner to the CSV column FILEOWNER... does this need to be amended?

I can't find the log that shows which information the lookup is being passed.

I have gone to the logs, clicked on configuration, then for the Enforce server I have amended the Diagnostic Logging Setting to Custom Attribute Lookup Logging and then clicked configure logs... should that create an additional log which will be downloaded with others or is the information appended to an existing log?

Thanks for your help

ralphg33's picture

Hi DLP Solutions,

Sorted, thanks for your help. The log files helped to discover that the file-owner, although displayed as domain\username, actually has a value of username, and therefore I simply amended the column to search so that it linked to username rather than the column with domain\username.

Thanks.

DLP Solutions2's picture

Ralphg..

Glad you got it sorted.. the log files shed a lot of light on the plugins!

Also.. I think this is still correct, but the Key 'column' used in the CSV plugin file CANNOT be used to populate a custom attribute, so you may need to duplicate a column if you need it to also be used to populate a custom attribute.

-Ronak

Please make sure to mark this as a solution to your problem, when possible.
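
As an added illustration of the two points the thread ends on (the lookup received the bare username rather than domain\username, and the key column cannot also populate a custom attribute), the following Python sketch prepares an LDAP-dump CSV accordingly. It is not code from the thread or from Symantec: the sample rows and function names are constructed, the column names FILEOWNER, ADNAME, MAIL and MANAGER are taken from the posts, and deriving ADNAME from FILEOWNER is an assumption about how the dump is laid out.

```python
import csv
import io

# Constructed sample of an LDAP dump; only the column names come from the thread.
SAMPLE_CSV = (
    "FILEOWNER,MAIL,MANAGER\n"
    "CORP\\jsmith,jsmith@example.com,boss@example.com\n"
    "CORP\\adoe,adoe@example.com,boss@example.com\n"
    "EMEA\\jsmith,j.smith@example.org,lead@example.org\n"
    "svc_backup,backup@example.com,\n"
)

def bare_username(owner):
    """Strip a leading DOMAIN\\ prefix, since the lookup was passed only the username."""
    return owner.rsplit("\\", 1)[-1].strip()

def build_lookup_csv(text, owner_col="FILEOWNER", key_col="ADNAME"):
    """Return (csv_text, collisions).

    Adds key_col holding the bare username and keeps owner_col as its own
    column, so the key column is never the one used to fill an attribute.
    """
    reader = csv.DictReader(io.StringIO(text))
    fields = [key_col] + [f for f in reader.fieldnames if f != key_col]
    rows, seen, collisions = [], {}, []
    for row in reader:
        key = bare_username(row[owner_col])
        # The thread does not say whether matching is case-sensitive,
        # so collisions are detected case-insensitively to be safe.
        folded = key.lower()
        if folded in seen:
            # Same username in two domains: a key lookup would be ambiguous.
            collisions.append((key, seen[folded], row[owner_col]))
            continue
        seen[folded] = row[owner_col]
        row[key_col] = key
        rows.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), collisions

if __name__ == "__main__":
    csv_text, collisions = build_lookup_csv(SAMPLE_CSV)
    print(csv_text)
    for key, kept, skipped in collisions:
        print(f"ambiguous key {key!r}: kept {kept}, skipped {skipped}")
```

Rows reported as collisions need a manual decision before the file is used, because stripping the domain makes two different accounts share one key.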