DLP Events to syslog
We created a Response rule to send DLP alerts (Endpoint & Prevent) to AlertLogic. Alerts are going to our dashboard, but the only field that is not displaying data is User.
Here is how we have defined that variable:
I also tried USER=$DATA_OWNER$, USER=$EMPLOYEE_CODE$ but am still getting N/A.
BTW, we used the variable definitions listed in DLP:
Does anyone know if there is another variable I could use for User/Data Owner?