HOW-TO: Simulate the way DLP Enforce calls the DLP look-up script
I created a look-up script that runs with elevated credentials. It takes input in the form sender-ip=10.10.10.10 and returns userId=DOMAIN\username.
However, the script will return userId=CannotAuthenticate if
(1) the elevated credentials cannot authenticate to the remote computer
(2) the WMI in the remote computer is disabled
(3) the WMI in the remote computer is turned off
I have worked with a DLP engineer to configure the lookup plug-in, and no matter what IP address is sent, we always get CannotAuthenticate as the userId.
Here is the plug-in configuration:
Script Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -NonInteractive,-ExecutionPolicy, ByPass,-InputFormat,none,-File,D:\script\current_or_last_user.ps1
Credentials File Path: D:\symantecdlp\protect\cred_file.txt
Whenever we reload the plug-in, we manually remove the old value of userId for an incident, i.e. we go to Edit and delete the value for userId. Today we also tried unchecking Enabled stdin and then reloading the plug-in, as advised, but it still does not work.
This case has been going on for several weeks.
Can you tell me how the DLP Enforce server calls the script? Does it execute commands on a command prompt? I would like to simulate the exact conditions that the DLP Enforce server uses; perhaps something can be adjusted on the script side.
Any information to troubleshoot and resolve this issue is greatly appreciated!
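As an added example (not from the original post and not Symantec's own code), the harness below launches the script with the exact executable and argument list from the plug-in configuration above, so its output and exit code can be inspected outside Enforce. It assumes Enforce hands the lookup attribute to the script on standard input as a key=value line; the $ScriptPath, $CredFile and $LookupInput defaults are taken from the post and are placeholders to adjust.

```powershell
# Added diagnostic harness (not part of the original post). Assumption: with
# "Enabled stdin" on, Enforce writes the lookup attributes to the script's stdin
# as key=value lines; adjust $LookupInput if your plug-in uses another format.
param(
    [string]$ScriptPath  = 'D:\script\current_or_last_user.ps1',   # from the plug-in configuration
    [string]$CredFile    = 'D:\symantecdlp\protect\cred_file.txt', # from the plug-in configuration
    [string]$LookupInput = 'sender-ip=10.10.10.10'                 # constructed sample input
)

# Same executable and argument list as the plug-in configuration, so the script
# runs under the same execution-policy and input-format settings as under Enforce.
$exe     = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$argList = @('-NonInteractive', '-ExecutionPolicy', 'ByPass', '-InputFormat', 'none', '-File', $ScriptPath)

$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName               = $exe
$psi.Arguments              = ($argList -join ' ')
$psi.UseShellExecute        = $false
$psi.RedirectStandardInput  = $true
$psi.RedirectStandardOutput = $true
$psi.RedirectStandardError  = $true

$proc = [System.Diagnostics.Process]::Start($psi)
# Feed the attribute, then close stdin so a script that reads to end-of-stream does not hang.
$proc.StandardInput.WriteLine($LookupInput)
$proc.StandardInput.Close()
$stdout = $proc.StandardOutput.ReadToEnd()
$stderr = $proc.StandardError.ReadToEnd()
$proc.WaitForExit()

Write-Host "exit code : $($proc.ExitCode)"
Write-Host "stdout    : $stdout"
if ($stderr) { Write-Host "stderr    : $stderr" }

# Checks that separate an environment problem from a script-logic problem: the
# credentials file must be readable by the account running the script, and a
# CannotAuthenticate result means the script's own failure branch was reached.
if (-not (Test-Path -Path $CredFile)) {
    Write-Warning "Credentials file is not readable from this account: $CredFile"
}
if ($stdout -match 'userId=CannotAuthenticate') {
    Write-Warning 'Script returned CannotAuthenticate: verify the credentials file contents and WMI reachability from this account before testing under the Enforce service account.'
}
```

Because credential-file access and remote WMI calls depend on the calling account, run the harness once interactively and once in a session started as the Enforce service account; a result that differs between the two points at account permissions rather than the script itself.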