Chicago (Midwest) Data Loss Prevention User Group

  • 1.  Lookup for IP (Sender-email or Sender-IP) to logged in user

    Posted Oct 20, 2015 01:47 PM

    Does anyone have a solid and working script to pull back the logged-in user for web incidents using PowerShell? We have been trying to get something working with Python, to no avail, as well as PowerShell. We have a PowerShell script that works when you manually do the 'lookup' but does not work automatically when new incidents are generated. If you have anything working and are willing to share, we would be very appreciative.



  • 2.  RE: Lookup for IP (Sender-email or Sender-IP) to logged in user

    Posted Oct 20, 2015 04:28 PM

    I'd appreciate it if you could provide more clarity on your requirement. I assume you're talking about Web Prevent? If you enable authentication on the proxy, you could achieve this with the default functionality as well. Is that not the case for your environment?



  • 3.  RE: Lookup for IP (Sender-email or Sender-IP) to logged in user

    Posted Oct 20, 2015 04:34 PM

    We are not yet using Web Prevent, only Monitor... so we are trying to get a script that will take the IP address of the sender-email (internal IP address used for HTTP events) and perform the lookup to populate a custom attribute field (UserID, for example) with the logged-on user. This way we can then chain the rest of the lookup to perform the LDAP lookup for the rest of the attributes we want. Make sense? Thanks!



  • 4.  RE: Lookup for IP (Sender-email or Sender-IP) to logged in user

    Broadcom Employee
    Posted Oct 20, 2015 04:49 PM

    In v14 there is a DC agent that does this without scripting for HTTP, HTTPS, and FTP events. The domain controller agent queries Windows Events in the Microsoft Active Directory Security Event Log of the domain controller. Symantec Data Loss Prevention associates these Windows Events with user data in your database.



  • 5.  RE: Lookup for IP (Sender-email or Sender-IP) to logged in user

    Trusted Advisor
    Posted Oct 21, 2015 02:22 AM

    Hello Carly,

     If you use WMI in your PowerShell script to identify the logged-on user based on IP address, the most common issue is that custom plugins are executed from the Enforce server using the protect account (the one used by the Vontu services and Tomcat). By default this account has some local admin rights but not the domain admin privileges which are necessary to perform WMI requests on any workstation.

     You wrote that it works when you do the lookup manually; is that using the DLP UI or just executing the script manually? If it is the first one, it should also work when it is executed automatically, and so you should activate the debug log for custom scripts in order to get more information on why it does not work.

     Regards



  • 6.  RE: Lookup for IP (Sender-email or Sender-IP) to logged in user

    Posted Oct 21, 2015 09:59 AM

    Ok, some information... we are currently on 12.5.2 where we will likely be for a while.


    stephane: "If you use WMI in your PowerShell script to identify the logged-on user based on IP address, the most common issue is that custom plugins are executed from the Enforce server using the protect account (the one used by the Vontu services and Tomcat). By default this account has some local admin rights but not the domain admin privileges which are necessary to perform WMI requests on any workstation."

    ---  We are using a domain service level account for the Vontu Manager service so the account that is authenticating to the workstation has the appropriate permissions to run.

    "You wrote that it works when you do the lookup manually; is that using the DLP UI or just executing the script manually? If it is the first one, it should also work when it is executed automatically, and so you should activate the debug log for custom scripts in order to get more information on why it does not work." Yes, when we do a "Lookup" from within the console it runs and returns the logged-on user; however, when it runs automatically it errors and returns "cannot authenticate". This error trap is after the ping of the workstation, so the script does run: it pings the workstation, but there it fails and does not return the logged-on user ID. I'm wondering if it perhaps has something to do with a timeout issue??? Not really sure how to troubleshoot it further.

    thanks!

    Carly



  • 7.  RE: Lookup for IP (Sender-email or Sender-IP) to logged in user
    Best Answer

    Posted Oct 22, 2015 10:22 AM

    Ok, here is a good update. If you have been having issues with credentials not being passed for your scripts in 12.5.2 (and possibly 12.5.x), the reason for this is that the "Enable credentials" checkbox in the Script Lookup Plugin's properties page is not working. It does not in fact pass credentials. For "Automatic" script lookups, DLP is passing the credentials set in the service logon properties for the "Vontu Incident Persister" service. When you manually look up incident attributes using the "Lookup" button in the incident details page, the lookup is passing credentials from the "Vontu Manager" service as set in the authentication properties for the service itself. Never does it pass the encrypted credentials. I have attached our script, which we are using; it was borrowed from another forum member and edited for our use. This script is a PowerShell script which parses the IP address from the sender-email field for HTTP monitor incidents (sender-email is the originating IP for us and source-ip is our proxy server IP). The script takes the IP, makes a WMI connection, pulls back the userID and populates the attribute "userID", and then the AD lookup runs and pulls back the rest of the attributes we ask for. I have also included what our AD connection attributes page is pulling back for those incidents listed in the Attribute Matching, for your ease. Enjoy!


    attr.First\ Name=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):givenName
    attr.Last\ Name=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):sn
    attr.Account=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):sAMAccountName
    attr.EmployeeCode=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):AllAccountType
    attr.State=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):st
    attr.City=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):l
    attr.Office=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):physicalDeliveryOfficeName
    attr.Department=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):department
    attr.BusinessUnit=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):allHROrganizationalUnit
    attr.Company=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):company
    attr.Manager=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):manager
    attr.Sender\ Email=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):mail
    attr.Telephone=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):telephoneNumber
    attr.Title=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):title
    attr.Description=:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)(sAMAccountName=$userID$)):description
    attr.Manager\ Email = :(distinguishedName=$Manager$):mail
    attr.Manager\ First\ Name = :(distinguishedName=$Manager$):givenName
    attr.Manager\ Last\ Name = :(distinguishedName=$Manager$):sn
    attr.Manager\ Account = :(distinguishedName=$Manager$):sAMAccountName
    attr.Manager\ Telephone = :(distinguishedName=$Manager$):telephoneNumber
    attr.Manager\ Title = :(distinguishedName=$Manager$):title
    attr.DataOwner = :(sAMAccountName=$data-owner-name$):sAMAccountName
    attr.Data\ Owner\ First\ Name = :(distinguishedName=$DataOwner$):givenName
    attr.Data\ Owner\ Last\ Name = :(distinguishedName=$DataOwner$):sn

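The attached script itself is not reproduced in the thread, so the following is an added example (not the poster's script or Symantec's code) of a Script Lookup Plugin body that does what post 7 describes: parse the IPv4 address out of sender-email, query the workstation over WMI under whatever account the calling service runs as, and emit userID so the AD attribute chain shown above can resolve it via sAMAccountName. It assumes Enforce passes incident attributes to the script as name=value arguments and reads name=value lines from standard output; the log path is a placeholder.

```powershell
# Added example, not the thread's attached script. Assumed plugin contract:
# attributes arrive as "name=value" arguments, results go to stdout as "name=value".
param([Parameter(ValueFromRemainingArguments = $true)][string[]]$KeyValueArgs)

$logPath = Join-Path $env:TEMP 'userid-lookup.log'   # placeholder path for troubleshooting
function Write-Log([string]$Message) {
    Add-Content -Path $logPath -Value "$(Get-Date -Format s) $Message"
}

# Collect the incident attributes handed to the script.
$attrs = @{}
foreach ($arg in $KeyValueArgs) {
    $parts = $arg -split '=', 2
    if ($parts.Count -eq 2) { $attrs[$parts[0]] = $parts[1] }
}

# For HTTP monitor incidents sender-email carries the originating IP (post 7).
# Accept only a syntactically valid IPv4 address, never a hostname or mailbox.
$candidate = $attrs['sender-email']
$parsed = $null
$isIPv4 = $candidate -and [System.Net.IPAddress]::TryParse($candidate, [ref]$parsed) -and
          $parsed.AddressFamily -eq 'InterNetwork'
if (-not $isIPv4) {
    Write-Log "sender-email '$candidate' is not an IPv4 address; skipping"
    exit 0
}

# Single short ping so a powered-off workstation does not stall the lookup queue.
if (-not (Test-Connection -ComputerName $candidate -Count 1 -Quiet)) {
    Write-Log "$candidate unreachable; no userID returned"
    exit 0
}

try {
    # No embedded credentials: per post 7 the lookup runs as the service logon
    # account, so record which identity is actually making the WMI call.
    Write-Log "WMI query as $env:USERDOMAIN\$env:USERNAME against $candidate"
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $candidate -ErrorAction Stop
    if ($cs.UserName) {
        $user = ($cs.UserName -split '\\')[-1]   # DOMAIN\user -> user (sAMAccountName)
        "userID=$user"                           # consumed by the AD lookup chain
        Write-Log "$candidate -> $user"
    } else {
        Write-Log "$candidate has no interactive logon session"
    }
} catch {
    # A "cannot authenticate" failure lands here; the log shows the account that failed.
    Write-Log "WMI failed for ${candidate}: $($_.Exception.Message)"
}
```

If the emitted attribute name is changed, the `$userID$` token in the AD lookup properties must be changed to match, or the chained lookup will never fire.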