
Machine IP and Username Values from Endpoint Incident to SYSLOG

Created: 09 Jan 2013 | 2 comments

I have been looking around and do not see a way to send some important information from an endpoint incident via a syslog action in a response rule, namely the "Machine IP" and "User" fields.  There are a number of correlations I would like to setup in my SIEM based on these values, but I cannot find how to get them as part of the syslog message.

My current syslog message looks like this:

ENDPOINT $BLOCKED$, ENDPOINTMACHINE=$ENDPOINT_MACHINE$, FILENAME=$FILE_NAME$, FULLFILEPATH=$PATH$, INCIDENTID=$INCIDENT_ID$, MATCHCOUNT=$MATCH_COUNT$, POLICYNAME=$RULES$,

Does anyone have any ideas how this can be accomplished?
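As an added example (not part of the original thread or of the DLP product), a small Python parser for syslog lines in the template format above; it also reports which fields arrived empty or as an unsubstituted $NAME$ token, which is the symptom discussed further down. The sample lines and the USER key are constructed for illustration.

```python
import re

# Constructed sample lines in the shape of the response-rule template above.
# The second line simulates a blank machine name and a template variable the
# server left unsubstituted (the "not populating any data" case).
SAMPLE_LINES = [
    "ENDPOINT Blocked, ENDPOINTMACHINE=WKS-0042, FILENAME=q4-forecast.xlsx, "
    "FULLFILEPATH=C:\\Users\\jdoe\\Documents\\q4-forecast.xlsx, INCIDENTID=1001, "
    "MATCHCOUNT=3, POLICYNAME=PCI Data,",
    "ENDPOINT Blocked, ENDPOINTMACHINE=, FILENAME=notes.txt, "
    "FULLFILEPATH=C:\\tmp\\notes.txt, INCIDENTID=1002, MATCHCOUNT=1, "
    "POLICYNAME=PII, USER=$ATTRIBUTE_24$,",
]

# A value that is still a raw $NAME$ placeholder was never filled in by the server.
UNSUBSTITUTED = re.compile(r"^\$[A-Z0-9_]+\$$")


def parse_dlp_syslog(line):
    """Parse 'ENDPOINT <action>, KEY=VALUE, KEY=VALUE, ...' into a dict.

    The first comma-separated token carries the action (the $BLOCKED$ value);
    every later token is KEY=VALUE. Only the first '=' is split, so values may
    contain '='. Caveat: a file path or policy name containing a comma would be
    split incorrectly; use a different separator in the template if that occurs.
    """
    fields = {}
    tokens = [t.strip() for t in line.split(",")]
    head = tokens[0]
    if head.startswith("ENDPOINT "):
        fields["ACTION"] = head[len("ENDPOINT "):]
    for tok in tokens[1:]:
        if not tok:
            continue  # the trailing comma in the template yields an empty token
        key, sep, value = tok.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def unpopulated_fields(fields):
    """Return keys whose value is empty or still a raw $NAME$ template variable."""
    return sorted(k for k, v in fields.items() if v == "" or UNSUBSTITUTED.match(v))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_dlp_syslog(line)
        print(f["INCIDENTID"], "unpopulated:", unpopulated_fields(f) or "none")
```

Running the check over a sample of real messages before building SIEM correlations shows which template variables the endpoint incident actually fills.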


DLP Solutions:

When the syslog fires, are all of those populated?

more info: https://kb-vontu.altiris.com/display/1n/kb/article.asp?aid=47666&link=

You can also try the following; these are from the Plugin.properties file and may or may not work. This may require you to have some Lookups configured to use them.

Also keep in mind the Custom Attributes; they might be able to be added to the syslog info too. You will need to experiment with this. I do know they can be used in an Email Response, so I would assume the same for a syslog response. They are called $ATTRIBUTE_24$ and $ATTRIBUTE_25$, which can be found when you mouse over the field in an incident.

__________________________________________________________________________________

incident info
    date-detected
    incident-id
    protocol
message info
    date-sent
    subject
    file-create-date
    file-access-date
    file-created-by
    file-modified-by
    file-owner
    discover-content-root-path
    discover-location
    discover-name
    discover-extraction-date
    discover-server
    discover-notes-database
    discover-notes-url
    endpoint-volume-name
    endpoint-dos-volume-name
    endpoint-application-name
    endpoint-application-path
    endpoint-file-name
    endpoint-file-path
policy info
    policy-name
recipient info
    recipient-emailX
    recipient-ipX
    recipient-urlX
    (where X is the unique index to distinguish between multiple recipients)
sender info
    sender-email
    sender-ip
    sender-port
    endpoint-user-name
    endpoint-machine-name
server info
    server-name
monitor info
    monitor-name
    monitor-host
    monitor-id
status info
    incident-status

Please make sure to mark this as a solution to your problem, when possible.

JN_CEC:

All the variables are populated with the correct information. I added both "$ATTRIBUTE_24$" and "$ATTRIBUTE_25$" to the syslog message, but it is not populating any data.

I also tried to set up custom attributes in the past and was unsuccessful in getting the needed data.