Hello,
We are trying to pull the username from the IP Address (for HTTP/HTTPS Incidents) using custom scripts that basically use WMI Calls. We have a Perl script that does this job and works perfectly.
In order to integrate the Perl script with DLP (11.6.2) we are using Python. The Python script looks like this:
#!/usr/bin/python
import sys, subprocess, re
# DLP hands the incident attributes over as "key=value, key=value, ..." arguments
args = sys.argv[1:]
# pick the first dotted-quad address out of the argument string
ip = re.findall(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}", str(args))
if not ip:
    sys.exit("no IP address found in input")
# hand the address to the Perl lookup and capture everything it prints
pipe = subprocess.Popen(["perl", "/home/protect/MyScript.pl", ip[0]], stdout=subprocess.PIPE)
result = pipe.communicate()[0]
# DLP expects one key=value line; strip the trailing newline so nothing is doubled
sys.stdout.write("IPUsername=%s\n" % result.decode("utf-8", "replace").strip())
Basically, the Python script uses the input from DLP, looks for the IP Address, passes that information to the Perl script, Perl returns the required information to Python via pipe.stdout.read(), and then it should write that information to the IPUsername DLP field.
Running the Python script manually with all the input from DLP works as it should. See below:
/usr/bin/python /home/protect/MyScript.py discover-repository-location=null, Employee Notified=null, Manager Title=null, date-detected=Tue Jul 07 03:43:53 PDT 2015, endpoint-machine-name=null, incident-id=1728, sender-ip=10.245.4.217, Machine Name=MyPC, sender-email=10.245.4.217, Assigned To=null, Business Unit=null, sender-port=-2147483648, endpoint-domain-name=null, endpoint-dos-volume-name=null, file-access-date=null, date-sent=Tue Jul 07 03:43:53 PDT 2015, Comment=null, Review=null, Email Blocked=null, endpoint-file-name=null, Manager Notified=null, file-modified-by=null, Manager Email=null, Comment 2=null, plugin-chain-id=4, discover-server=null, data-owner-name=null, Last Name=null, First Name=null, Phone=null, Business Event Reviewer Email=null, subject=HTTP incident, Risk Steward Email=null, Policy Owner Email=null, Manager Location=null, endpoint-user-name=null, endpoint-volume-name=null, discover-name=null, discover-content-root-path=null, data-owner-email=null, file-create-date=null, endpoint-application-name=null, Manager First Name=null, path=null, Event Date=Tue Jul 07 03:43:53 PDT 2015, Manager Last Name=null, endpoint-application-path=null, discover-location=null, Policy Name=TempTestPolicy, protocol=HTTP, Resolution=null, Risk Steward=null, Email Released=null, file-owner=null, Employee Type=null, Location=null, Email Quarantined=null, endpoint-file-path=null, discover-extraction-date=null, Title=null, Manager Business Unit=null, Manager Phone=null, policy-name=TempTestPolicy, Policy Owner=null, file-created-by=null, Functional Area=null, Email Address=null, Web Hostname=null, Office Name=null, Manager Functional Area=null, file-owner-domain=null
IPUsername=Domain\scanteie
I have edited parts of the text, but you get the idea.
Using this script in DLP, it does not work. The field is blank and the log files read: Failed to process IPUsername= as it does not conform to standard key/value pair format.
And now I am out of ideas. Any help or input is appreciated! :)
Thanks, Stefan
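A hardened version of the plugin, added here as an example and not Stefan's script: it parses DLP's "key=value, key=value, ..." argument list (the format shown in the manual run above) instead of regex-matching the whole argument string, validates the sender-ip octets, writes a diagnostic to a log file because DLP swallows the script's stderr, and never emits a bare "IPUsername=" line, which is exactly what the DLP log rejected. The log file path and the injectable `runner` hook are assumptions for illustration; the resolver path is the one from the post.

```python
#!/usr/bin/python
# Added example (not the poster's script): parse DLP's attribute list properly and never emit "IPUsername=" empty.
import subprocess
import sys

RESOLVER = "/home/protect/MyScript.pl"  # path from the post
LOGFILE = "/tmp/ipusername.log"         # assumed location for diagnostics

def log(msg):
    """Append a diagnostic line; DLP hides stderr, so a file is the only trace."""
    try:
        with open(LOGFILE, "a") as fh:
            fh.write(msg + "\n")
    except (IOError, OSError):
        pass

def parse_attributes(argv):
    """Turn DLP's 'key=value, key=value, ...' arguments into a dict (keys may contain spaces)."""
    attrs = {}
    for pair in " ".join(argv).split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def valid_ipv4(addr):
    """Accept only a dotted quad whose octets are 0-255."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def lookup_username(ip, runner=None):
    """Run the Perl resolver and return its first output line, or '' on failure; runner(ip) -> bytes is a test hook."""
    try:
        out = runner(ip) if runner else subprocess.check_output(
            ["perl", RESOLVER, ip], stderr=subprocess.STDOUT)
    except (OSError, subprocess.CalledProcessError) as exc:
        log("resolver failed for %s: %s" % (ip, exc))
        return ""
    lines = out.decode("utf-8", "replace").strip().splitlines()
    return lines[0] if lines else ""

def build_response(argv, runner=None):
    """Produce the single key=value line DLP expects, with a placeholder on failure."""
    ip = parse_attributes(argv).get("sender-ip", "")
    user = lookup_username(ip, runner) if valid_ipv4(ip) else ""
    if not user:
        log("no username for sender-ip=%r" % ip)
    return "IPUsername=" + (user or "UNKNOWN")

if __name__ == "__main__":
    print(build_response(sys.argv[1:]))
```

When the field comes back as UNKNOWN under DLP, the log file shows whether the resolver was never found, exited non-zero, or simply printed nothing for that address.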