Video Screencast Help

Script Lookup, DLP 11.5

Created: 29 Jan 2013 • Updated: 05 Feb 2013 | 4 comments
This issue has been solved. See solution.

Hey all.  I've been researching this issue for a few weeks and have yet to find an answer to my specific problem.  Our environment includes Bluecoat proxies.  As you know, Bluecoats use ICAP functions that return a very specific string of information back to DLP.  My problem is this:  for Network Prevent incidents, the default "Sender" field is populated with "WinNT://"DOMAIN"/"username".  I found a thread started by "bob_b" that outlined a script that would use this information for LDAP lookups.  My problem is that I need to use that information for a CSV lookup.  So, his script, while very impressive, won't work for my particular case.  However, I think it's very close.  My current script, which is written in Python (which I'm not well versed in, nor am I tied to it in any way) almost works.  Attributes are passed to the script properly and are validated, according to the log.  The main attribute I am concerned with is "sender-email".  I just need to be able to strip everything from the aforementioned string and pass just the username to my CSVLookup and I'll be good to go. (Thankfully, that part works great!)  I realize that bob_b's script can lookup via IP, but that won't work for me since we have different IP address schemes for wireless and VPN users.  I've attached a portion of a log file that shows what's happening.  Can anyone help me out? 

Any and all help is much appreciated!



Discussion Filed Under:

Comments 4 CommentsJump to latest comment

Jsneed's picture

We had a similar problem and we ended up just changing the CSV to match the field that DLP is reporting.  You don't seem to be able to modify the internal DLP fields and pass them to the plugin.  You could use a custom identifier to pass between the plugins.


turturici's picture

Hey Jsneed.

That was the first thing I tried to fix.  Unfortunately, the field that I'm trying to key off of is the "sender" attribute.  Normally, this field is populated with an email address.  So, my CSV uses that field for email address lookups on network (email in transit) incidents.  For HTTP Network events, this field gets populated with ICAP data back from our Bluecoat proxies.  So, I couldn't use that.  The only thing I could figure out to do was to use a script to strip out everything except the user name so I could forward that to my CSV and LDAP lookups.  Actually, in the interim, bob_b helped me out and we now have a vbscript that strips out that data and leaves the username.  You can then forward that to whatever field you want to use as a key for another lookup in the execution chain.  Here's the script:

Option Explicit

On Error Resume Next

Dim i
Dim objDict
Dim myArray
Dim dictResults

Set objDict     = CreateObject("Scripting.Dictionary")
Set dictResults = CreateObject("Scripting.Dictionary")

' Get Arguments
For i = 0 to Wscript.Arguments.Count - 1
 myArray = split(Wscript.Arguments(i),"=",-1,1)
 objDict.Add myArray(0),myArray(1)

If objDict.Exists("sender-email") Then
 If objDict.Item("sender-email") <> "" Then
 'Sample input data
#This next line is where the magic happens.  "File Owner" is a custom attribute that I built in to DLP and have in my CSV file.  You can use whatever you want.  You just have to create the attribute and make sure it's in the correct properties files.  The output gets used as the key in the next lookup in the chain, which in my case is a CSV lookup.
  dictResults.Add "File Owner", Mid(objDict.Item("sender-email"),InstrRev(objDict.Item("sender-email"),"/")+1)
  'oOutputFile.WriteLine "sender-email is empty"
 End If
 'oOutputFile.WriteLine("sender-email item does NOT exist")
End If

If dictResults.Count > 0 Then
 Call DisplayResults()
End If

Sub DisplayResults()

Dim myArray
Dim i
Dim strValue

 myArray = dictResults.Keys    ' Get the keys.
 For i = 0 To dictResults.Count - 1 ' Iterate the array.
  strValue = dictResults.item(myArray(i))
  'strValue = "" & strValue & ""
  wscript.echo myArray(i) & "=" & strValue
End Sub

So, this script will strip away "WinNT://DOMAIN/username" and leave you with "File Owner=username".  Again, you can change the attribute "File Owner" to whatever you wish.  Just keep in mind that it will be used as the key for the next lookup.  Many thanks are directed to bob_b.  He really hammered this one home.

Good luck!