Data Loss Prevention

  • 1.  Machine IP and Username Values from Endpoint Incident to SYSLOG

    Posted Jan 09, 2013 04:00 PM

    I have been looking around and do not see a way to send some important information from an endpoint incident via a syslog action in a response rule, namely the "Machine IP" and "User" fields.  There are a number of correlations I would like to set up in my SIEM based on these values, but I cannot find how to get them as part of the syslog message.

    My current syslog message looks like this:

    ENDPOINT $BLOCKED$, ENDPOINTMACHINE=$ENDPOINT_MACHINE$, FILENAME=$FILE_NAME$, FULLFILEPATH=$PATH$, INCIDENTID=$INCIDENT_ID$, MATCHCOUNT=$MATCH_COUNT$, POLICYNAME=$RULES$,

    Does anyone have any ideas how this can be accomplished?



  • 2.  RE: Machine IP and Username Values from Endpoint Incident to SYSLOG

    Trusted Advisor
    Posted Jan 09, 2013 05:10 PM

    When the syslog fires, are all of those populated?

    more info: https://kb-vontu.altiris.com/display/1n/kb/article.asp?aid=47666&link=

    You can also try the following, these are from the Plugin.properties file, they may or may not work. This may require you to have some Lookups configured to use them.

    Also keep in mind the Custom Attributes; they might be able to be added to the syslog info too. You will need to experiment with this. I do know they can be used in an Email Response, so I would assume the same for a syslog response. They are called $ATTRIBUTE_24$ and $ATTRIBUTE_25$, which can be found when you mouse over the field in an incident.

    __________________________________________________________________________________

    incident info
        date-detected
        incident-id
        protocol
    message info
        date-sent
        subject
        file-create-date
        file-access-date
        file-created-by
        file-modified-by
        file-owner
        discover-content-root-path
        discover-location
        discover-name
        discover-extraction-date
        discover-server
        discover-notes-database
        discover-notes-url
        endpoint-volume-name
        endpoint-dos-volume-name
        endpoint-application-name
        endpoint-application-path
        endpoint-file-name
        endpoint-file-path
    policy info
        policy-name
    recipient info
        recipient-emailX
        recipient-ipX
        recipient-urlX
        (where X is the unique index to distinguish between multiple recipients)
    sender info
        sender-email
        sender-ip
        sender-port
        endpoint-user-name
        endpoint-machine-name
    server info
        server-name
    monitor info
        monitor-name
        monitor-host
        monitor-id
    status info
        incident-status



  • 3.  RE: Machine IP and Username Values from Endpoint Incident to SYSLOG

    Posted Jan 10, 2013 12:20 PM

    All the variables are populated with the correct information.  I added both "$ATTRIBUTE_24$" and "$ATTRIBUTE_25$" to the syslog message, but it is not populating any data.

    I also tried to set up custom attributes in the past and was unsuccessful in getting the needed data.
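On the SIEM side, a parser for lines produced by the response-rule template quoted in the first post can make the missing-data problem from this thread visible: it flags fields that arrive empty or still carry an unsubstituted $...$ token (the $ATTRIBUTE_24$ symptom above) and fields absent from the message altogether. This is an added example, not code from the thread or from Symantec DLP; the USERNAME and MACHINEIP keys and all sample values are assumptions constructed for it.

```python
import re

# Constructed sample lines modelled on the template quoted in the thread
# (ENDPOINT $BLOCKED$, ENDPOINTMACHINE=$ENDPOINT_MACHINE$, ...). Values are
# made up. The second line reproduces the symptom from the last post: a
# placeholder that the server never substituted, plus an empty field.
SAMPLE_LINES = [
    "ENDPOINT BLOCKED, ENDPOINTMACHINE=WS-0421, FILENAME=q3-forecast.xlsx, "
    "FULLFILEPATH=C:\\Users\\jdoe\\Desktop\\q3-forecast.xlsx, INCIDENTID=10482, "
    "MATCHCOUNT=7, POLICYNAME=PCI Card Numbers,",
    "ENDPOINT NOTIFIED, ENDPOINTMACHINE=WS-0422, FILENAME=notes.txt, "
    "FULLFILEPATH=E:\\notes.txt, INCIDENTID=10483, MATCHCOUNT=1, "
    "POLICYNAME=Customer PII, USERNAME=, MACHINEIP=$ATTRIBUTE_24$,",
]

# Keys a user/host correlation rule would need. USERNAME and MACHINEIP are
# hypothetical template keys chosen for this example.
REQUIRED = ("ENDPOINTMACHINE", "INCIDENTID", "POLICYNAME", "USERNAME", "MACHINEIP")

# A value that is still a raw $VARIABLE$ token was never substituted.
PLACEHOLDER = re.compile(r"^\$[A-Z0-9_]+\$$")


def parse_dlp_syslog(line):
    """Parse one template-generated line into (fields, problems).

    The first comma-separated token is 'ENDPOINT <action>' rather than
    KEY=VALUE; the remaining tokens are KEY=VALUE pairs. Splitting on commas
    assumes file names and policy names contain none.
    """
    fields, problems = {}, []
    tokens = [t.strip() for t in line.split(",") if t.strip()]
    head = tokens[0].split(" ", 1)
    fields["ACTION"] = head[1] if len(head) == 2 else ""
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            problems.append(f"unparsable token {token!r}")
            continue
        fields[key] = value
        if value == "" or PLACEHOLDER.match(value):
            problems.append(f"{key} not populated ({value or 'empty'})")
    for key in REQUIRED:
        if key not in fields:
            problems.append(f"{key} absent from message")
    return fields, problems


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields, problems = parse_dlp_syslog(line)
        print(fields["INCIDENTID"], fields["ACTION"], problems)
```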