Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Modifying Custom Attribute Fields in Exported Report

Created: 30 Mar 2012 | 8 comments

We are building DLP reports and exporting them for further manipulation.  We have numerous custom attributes that are used (over 20) and would like a way to be able to configure the export of the report to only include certain attributes and rearrange the order.

We have found that the custom attribute order that is in Enforce is not the same as in the exported report and would like to find a way to customize the order of the attributes.  Does anyone know if there is a change that can be made to a configuration file to give us the proper order for the custom attributes.

 

Thank you in advance.

Discussion Filed Under:

Comments 8 CommentsJump to latest comment

yang_zhang's picture

I don't think there will be a configuration file for this option. Maybe you can use Reporting API to export your incidents reports and choose the proper order from the Reporting API.

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
kishorilal1986's picture

Hi Monaco,

I had researched on this and found that whatever attribute lookup you had config to look up can be exported into the reports. So if you are succesfully config required attribute look plugins to lookup and visible and in incident details it highlighted/visbile then it is possible for you to same can be expoterted.

I am hopeful for this you need to identify those config to set for your custome attribute for look up.

go into System->incident data->attributes and add the attributes to incident so that you can export into the reports.but before this config those custome attribute look up plugins

Symantec Data Loss Prevention provides three types of lookup plug-in:

  • CSV Lookup Plug-In. Enables the extraction of pertinent data from a comma-separated values (CSV) file.
  • Live LDAP Lookup Plug-In. Enables the extraction of pertinent data from a live LDAP system. For example, Microsoft Active Directory, Novell LDAP, Sun LDAP, or IBM LDAP.
  • Script Lookup Plug-In. Enables you to write a custom script in scripting languages such as Perl or Python to extract the pertinent data. Scripts can extract data from sources such as proxy log files, or DNS systems.

To create custom attributes and add them to a group

On the Enforce Server, click System > Incident Data > Attributes > Custom Attributes. Note that a number of custom attributes were defined and loaded for you by the Solution Pack that you selected during installation. All existing custom attributes are listed in the Custom Attributes window.
To create a new custom attribute, click the Add option.
Type a name for the attribute in the Name box. If appropriate, check the Is Email Address box.
Select an attribute group from the Attribute Group drop-down list. If necessary, create a new attribute group. Select Create New Attribute Group from the drop-down list, and type the new group name in the text box that appears.
Click the Save option.
Generate a new incident, or view an existing incident, and verify that it contains the new custom attribute.

A. De Monaco's picture

Thank you for the response.  The custom attributes are correctly showing up in the incident snapshot but when the events are exported they are in a different order on the report than they are in the incident snapshot.  I was looking for a configuration file that may point to the order so I can rearrange them appropriately.

kishorilal1986's picture

Hi Monaco,

checl whether all attributes of incident details are exist since if related details not present in Ad then it might not reflect to Incident and in reports so sometime they found to be in different order.

A. De Monaco's picture

We are using a flat file with up to 20 attributes, using the email address as a key.  All the relavent information is present in the event but during the export the attributes are not in the same place as the attributes in the event or the custom lookup attributes.

Sounds like there is a file used for the order of the export which is what I am trying to find.

kishorilal1986's picture

Hi Monaco,

We had also faced same problem some time before, but now its working well.this happens if some initial details are missing in incident details or AD etc. so that the sequence of data missing into wrong order .I will try to do more research to give u more feedback on this later.

Erich Mueller's picture

Monaco,

 

I'm running into a very similar issue - and right now am just trying to understand where/how the order it comes up with is derrived....(then mebbe we can figure out how to manupulate it)

In some cases a newly added Attribute will appear last int he export order, no matter where you put it in the display order. But if you delete and readd an attribute from "the middle"......it goes back exactly where it came from.....

 

Has that been your experience as well?

Erich Mueller's picture

Has anyone tried manupilating the database directly to resort the export values? I could see how that might disassociate any saved reports depending on the current location of the custom attributes, but outside of that - can anyone think of other negative consequences?