
Sending Incident Email to Manager

Created: 14 Jan 2013 | 17 comments
DLP Enthusiast's picture

Hi guys ! ..

I'm using Endpoint Discover & Prevent at a client site. I need to automate Incident Response in such a way that the concerned Manager gets an Email whenever there is a violation.

The problem is :

1. We have Active Directory in Sync with the DLP for Employee Details and there is no Information about the Dept and the Manager.

2. There is also an option to Edit the Lookup where we can manually enter the Manager Name, Email and all other details. But they want it to be automated.

Please help me with this. I urgently need a solution to it .

Thanks !

17 Comments

Artem's picture


You should configure the LDAP Lookup Plugin to automatically resolve the Manager Name, Email and other details from Microsoft AD. You can see the chapter "Configuring LDAP Lookup Plug-Ins" in the Administration Guide.

But if AD has no information about the Manager, you can create a CSV file with the necessary information and configure the CSV Lookup Plug-In.

Best regards,

DLP Enthusiast's picture

Dear Artem ,

It's okay creating a CSV file, but where would the DLP fetch Manager details from? Because there are no entries in the Active Directory.

Please help.

Mike S.'s picture

This thread helped me. You just need to set up the custom attributes.

Go under System, and then Lookup Plugins. From there an LDAP connection needs to be created. Then the most important part is setting the attribute mapping. Attribute mapping will look similar if not identical to this.

attr.Manager\ Name=:(distinguishedName=$TempManager$):name
attr.Employee\ Dept=:(distinguishedName=$TempEmployee$):department
attr.Manager\ Email=:(distinguishedName=$TempManager$):mail
attr.Employee\ Email=:(distinguishedName=$TempEmployee$):mail
attr.Employee\ Office=:(distinguishedName=$TempEmployee$):physicalDeliveryOfficeName
attr.Manager\ Title=:(distinguishedName=$TempManager$):title
attr.Employee\ Name=:(distinguishedName=$TempEmployee$):name
attr.Employee\ Title=:(distinguishedName=$TempEmployee$):title
attr.Manager\ Phone=:(distinguishedName=$TempManager$):telephoneNumber
attr.Employee\ Phone=:(distinguishedName=$TempEmployee$):telephoneNumber

JR17520's picture

I had a somewhat similar situation where desired employee information was not stored in the AD user record. Here's how I got around it for Vontu version 11.1:

In my case, the employee ID number and telephone extension are already stored in the AD user record. I get a .CSV file daily of additional employee data, including the employee ID number of the employee's supervisor. DLP custom attributes include the employee-ID-number, employee telephone extension, supervisor employee-ID-number, supervisor email address, and supervisor telephone extension.

In accordance with the DLP Lookup Plug-In Guide, I have a lookup chain that includes:

LiveLdapLookup --> CsvLookup --> LiveLdapLookup

LdapLookup (pass-1) finds employee AD record based on Windows username or email sender name and stores the employee's ID Number and telephone extension.

CsvLookup uses stored employee ID number to find corresponding CSV record and stores supervisor's employee ID number.

LdapLookup (pass-2) finds supervisor AD record based on stored supervisor employee ID number and stores the supervisor's email address and telephone extension

The absence of information in the documentation about a second-pass LdapLookup may lead you to believe that a second-pass LdapLookup is not possible in the lookup chain.  But it is working in my installation. 

You could also use a Script Lookup instead of a second-pass of the LdapLookup.

DLP Enthusiast's picture

@ Mike S: I did come to know about the Custom Attributes but I failed to understand the idea behind it. The environment I'm working in has an Active Directory with no entries of Manager Details. If it's not the Active Directory, then who will supply the Manager Information to the DLP? If it's a CSV file, where will I get it from and who will create it? What is a CSV file, first of all?

DLP Enthusiast's picture

@JR17520 :

In my case I have Employee Name, Telephone and Extension. I had earlier configured LiveLDAP with this script:

attr.First\ Name=:(sAMAccountName=$endpoint-user-name$):givenName
attr.Last\ Name=:(sAMAccountName=$endpoint-user-name$):sn
attr.Business\ Unit=:(sAMAccountName=$endpoint-user-name$):department
attr.Sender\ Email=:(sAMAccountName=$endpoint-user-name$):mail
attr.Manager\ Email=:(distinguishedName=$tempmanager$):mail
attr.Manager\ First\ Name=:(distinguishedName=$tempmanager$):givenName
attr.Manager\ Last\ Name=:(distinguishedName=$tempmanager$):sn
attr.Manager\ Phone=:(distinguishedName=$tempmanager$):telephoneNumber

Now if it's not the Active Directory that's supplying User Info to DLP, you guys said it's the CSV file. Where do I get that CSV file? And the problem is this Client Company is huge, with several departments and several managers. Will that CSV file consist of all the Information?

Artem's picture

Dear Muzammil,

Your AD has no information about the relations between employees and managers, but AD has information about all users. Is that right?

If yes:

1. You get information about the user from AD (using the LDAP Lookup Plugin).
2. You get the manager name or ID from a prepared CSV file with relations (using the CSV Lookup Plug-In).
For example, in the CSV you should fill in a table:

UserLogin - ManagerLogin
Mike      - Bob
Emily     - Jacob
Michael   - Bob
Andrew    - Abigail

3. You get information about the manager from AD (using the LDAP Lookup Plugin).

JR17520 said that the chain LiveLdapLookup --> CsvLookup --> LiveLdapLookup is not supported. Maybe; I didn't try this variant. But in this case you can get ManagerLogin before getting information about the user from AD. After that you can get information about the user and the manager from one LDAP Lookup Plugin. This variant requires more information in the CSV file (an email for incidents from Network Monitor, a login name for incidents from Endpoint or Discover). For example:

UserInfo  - ManagerLogin
Mike      - Bob     - Bob
Emily     - Jacob   - Jacob
Michael   - Bob     - Bob
Andrew    - Abigail - Abigail

Or you can:
1) Get information about the user from AD (with the LDAP Lookup Plugin).
2) Get the manager name or ID from a prepared CSV file with relations (with the CSV Lookup Plug-In).
3) Get information about the manager from AD (with the Script Lookup Plugin).
In this case you should also use a script to get information about a manager from AD.

And one more thing: if you have relations between employees and managers in other systems (for example in a database table), you can get this information directly from that system.

DLP Enthusiast's picture

@ Artem: You said get a CSV file prepared with the Managers' Information with relations.

Can that be applicable to large organizations with over 5000 Employees?

Moreover, I'm trying to create a CSV file from the Address Book of Outlook so that I get the designations of the Employees and their concerned Dept Names. But exporting the Address Book from Outlook seems like one more impossible task. Still searching for a method to export it.

I'm trying to find out about any kind of organised file which has relations in it. I doubt I'll get that.

As far as chaining of the Lookups is concerned, it all can be possible only when we have "WHO reports to WHOM" data. The DLP should accurately send Email to the concerned manager only!

Guys please help !

JR17520's picture

In my organization, the source of the CSV file is an export from the company Human Resources Information System (HRIS) database. With HR approval, the HRIS administrator prepared a database query to extract the needed information on each employee. The extract is stored in .CSV form and copied onto the DLP Enforce server in the default location documented in the Lookup Plugin Guide. A scheduled task is set up within the HRIS system to automate this process to run daily (overnight).

With over 5000 employees, your organization will very likely be running some sort of HRIS system or other employee database system. The key will be finding the right contact within your organization who manages the HRIS or other employee database system. Be specific about the information you want to receive because there will be salary and other sensitive information in the employee database they will not want to provide.

If you can get the missing employee-to-manager relationship and contact information on this .CSV file, then you could populate the remaining custom attributes within the CsvLookup plugin.

Don't let my description of a second-pass LdapLookup or a script lookup distract you. There would be no need for additional plug-ins if you can get all the custom attributes populated with the CsvLookup and/or the LdapLookup as others have contributed above.
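The HRIS export described in this post, sketched as an added example (not code from the thread or from Symantec): it keeps only the fields a manager notification needs, resolves each supervisor ID to a login and email, and lists rows that cannot be resolved. The column names and sample rows are constructed assumptions; the output still has to be mapped to custom attributes as the Lookup Plugin Guide describes.

```python
import csv
import io

# Constructed sample of an HRIS export; column names are assumptions.
HRIS_EXPORT = """employee_id,login,email,supervisor_id,salary,home_address
1001,mike,mike@example.com,2001,50000,1 Elm St
1002,emily,emily@example.com,2002,52000,2 Oak St
1003,andrew,andrew@example.com,2999,48000,3 Ash St
2001,bob,bob@example.com,,90000,4 Fir St
2002,jacob,jacob@example.com,2001,88000,5 Yew St
"""

# Allowlist: only these fields are written to the lookup file.
OUTPUT_COLUMNS = ["login", "email", "manager_login", "manager_email"]


def build_lookup_rows(export_text):
    """Return (rows, problems): minimal lookup rows plus rows needing review."""
    records = list(csv.DictReader(io.StringIO(export_text)))
    by_id = {r["employee_id"]: r for r in records}
    rows, problems = [], []
    for r in records:
        sup_id = r["supervisor_id"].strip()
        if not sup_id:
            problems.append((r["login"], "no supervisor recorded"))
            continue
        sup = by_id.get(sup_id)
        if sup is None:
            # Never guess a recipient: an unresolved manager is held for review.
            problems.append((r["login"], "supervisor %s not in export" % sup_id))
            continue
        rows.append({"login": r["login"], "email": r["email"],
                     "manager_login": sup["login"], "manager_email": sup["email"]})
    return rows, problems


def to_csv(rows):
    """Serialise rows with the allowlisted columns only."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=OUTPUT_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows, problems = build_lookup_rows(HRIS_EXPORT)
    print(to_csv(rows))
    for login, reason in problems:
        print("REVIEW:", login, reason)
```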

DLP Enthusiast's picture

@ JR : That was a very simplified explanation. Thank you for that.

In all the discussion we made on this topic, the most important factor is "Employee-Manager" relationship which the DLP has to recognise. Is it important that this data is in " Who reports to who format " or it is enough if we have the Manager Information like "Department" . In my case , I can see the department names of all the Employees through the Lookup.

For Example : There is a violation, the DLP fetches Information Employee name, Employee id, Dept Name and telephone no . Is there a possibility that the Active Directory provides the Manager's Information through the "Department" value only ? .. Because there is no direct value entered for an employee's Manager.

JR17520's picture

Regarding your question: Is it important that this data is in " Who reports to who format " or it is enough if we have the Manager Information like "Department"?

Your opening question indicates you want to get a message to the manager upon a violation. DLP will need to obtain or derive an email address in order to send the notification. If your company issues departmental mailboxes and the manager uses that mailbox, you may be able to work with the "Department" value to generate the correct departmental email address within a script plugin. Otherwise you will need the explicit email address for the manager so you can configure the DLP auto-response to use the manager's email address.

In all likelihood, someone in your organization is already maintaining current "who reports to whom" information for each employee. Take advantage of their work!  It will save you time and be more up-to-date and accurate. Find a way to get that data into DLP and your DLP auto-response configuration task will be much easier to set up and will take little effort to maintain for the longer term. 

You may be able to hard-code a script plugin to store a specific manager email address for each department name. But then you will need to maintain that script code for every manager change, department reorganization, and any number of other organizational changes at the company. Good luck with that!  This should be a 'last resort' for your sake.

DLP Enthusiast's picture

@ JR: I will try finding out whether someone in this organization was up to some deeds of recording the "Who reports to who" information.

Thank you guys for all your help and valuable advice and suggestions. I really appreciate it!!

kishorilal1986's picture

Please refer below.


1. Go to System > Settings > General and click Configure.

2. In the Reports and Alerts section, select one of the following distribution methods:

- Send reports as links, logon is required to view
- Send report data with emails

3. Enter the Enforce Server domain name or IP address in the Fully Qualified Manager Name field. If you send reports as links, Symantec Data Loss Prevention uses the Domain name as the basis of the URL in the report email. Do not specify a port number unless you have modified the Enforce Server to run on a port other than the default of 443.

4. If you want alert recipients to see any correlated incidents, check the Correlations Enabled box. When correlations are enabled, users see them on the Incident Snapshot screen.

5. In the SMTP section, identify the SMTP server to use for sending out alerts and reports.

Enter the relevant information in the following fields:
- Server: The fully qualified hostname or IP address of the SMTP server that Symantec Data Loss Prevention uses to deliver system events and scheduled reports.

- System email: The email address for the alert sender. Symantec Data Loss Prevention specifies this email address as the sender of all outgoing email messages. Your IT department may require the system email to be a valid email address on your SMTP server.

- User ID: If your SMTP server requires it, type a valid user name for accessing the server. For example, enter DOMAIN\bsmith.

- Password: If your SMTP server requires it, enter the password for the User ID.

6. Click Save.

After completing the configuration described here, you can schedule the sending of specific reports and create specific system alerts.

DLP Enthusiast's picture

@ K S Sharma, thanks for the information, but this is a basic configuration for sending reports via email. If you could read the whole discussion, you would get an idea of what we actually were discussing.

And if you have the solution or encountered the same kind of problem, then I would be obliged to receive help from you.


Mike S.'s picture

OK, so this thread now has me thinking about the CSV file. Right now I am using the LDAP plugin but I have big problems with it and my company's AD. We have 30,000 people in our enterprise that consists of 4 different domains that I monitor. Our AD was set up many, many years ago with each domain having their own provisioning team and creating AD accounts as they saw fit. Now we have consolidated the provisioning under one team, but we implemented DLP a few years ago. The problem I am faced with is that I have users in different domains that can have the same name, for example jsmith. There can be domain1\jsmith, domain2\jsmith, domain3\jsmith and domain4\jsmith. DLP gets confused when emails need to be sent to the correct manager. It makes it worse because I have DLP set up to warn an employee's manager each time they print a document with sensitive information in it, mainly because of our payroll department. So I have emails going to managers in other departments and it really causes a pain.

Our AD will take too much to clean up, so that is not an option at this point. Our HR dept uses PeopleSoft, so that has me wondering if I could use the names from PeopleSoft that are input into a CSV file and use the CSV plugin, if this will help? Or is it possible to tell DLP to not look at user names in the violations but to look at the domain name and the user login name? I try to understand this, as in the incidents I can clearly see the domain and user name, but DLP will not report on the full domain name. Only the user name. Keep in mind that my company does a lot of hiring and firing, so keeping up with a CSV file could become cumbersome.

Any help is appreciated as I need to make sure that reporting is correct.
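The duplicate-login problem described in this post, as an added example (not code from the thread or the product): it measures how many bare logins in a roster map to more than one manager once the domain is dropped, and shows a lookup keyed on DOMAIN\login that returns nothing for an unknown identity instead of falling back to a name-only match. The roster layout and values are constructed assumptions.

```python
from collections import defaultdict

# Constructed roster: (domain, login, manager_email). Values are illustrative.
ROSTER = [
    ("DOMAIN1", "jsmith", "payroll-mgr@example.com"),
    ("DOMAIN2", "jsmith", "sales-mgr@example.com"),
    ("DOMAIN3", "jsmith", "sales-mgr@example.com"),
    ("DOMAIN1", "adoe", "payroll-mgr@example.com"),
    ("domain2", "bwong", "it-mgr@example.com"),
]


def qualified(domain, login):
    """Normalise to a case-insensitive DOMAIN\\login key."""
    return "%s\\%s" % (domain.strip().upper(), login.strip().lower())


def index_roster(roster):
    """Map qualified key -> manager; reject conflicting duplicate keys."""
    index = {}
    for domain, login, manager in roster:
        key = qualified(domain, login)
        if key in index and index[key] != manager:
            raise ValueError("conflicting managers for " + key)
        index[key] = manager
    return index


def ambiguous_logins(roster):
    """Bare logins that map to more than one manager once the domain is dropped."""
    managers = defaultdict(set)
    for _domain, login, manager in roster:
        managers[login.strip().lower()].add(manager)
    return {login: sorted(m) for login, m in managers.items() if len(m) > 1}


def resolve(index, domain, login):
    """Return the manager for a qualified identity, or None to hold for manual triage."""
    return index.get(qualified(domain, login))


if __name__ == "__main__":
    idx = index_roster(ROSTER)
    print("ambiguous without domain:", ambiguous_logins(ROSTER))
    print("DOMAIN2\\jsmith ->", resolve(idx, "DOMAIN2", "jsmith"))
    print("DOMAIN4\\jsmith ->", resolve(idx, "DOMAIN4", "jsmith"))
```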

jgt10's picture

As of version 9 (I think) there is the ability to chain lookup plugins. It is possible to run multiple AD lookups with different configurations. I'm pretty sure it is covered in the lookup plugin guide.

Also check out the following article.


John G. Thompson

kishorilal1986's picture

Hi Muzami,

Please refer below; also, you can use a custom plugin script to enter the Manager Name, Email and all other details. But they want it to be automated.

Yes, it is possible. You need to integrate the DLP with AD and activate a smart response rule to send an email notification to the manager. You will find this at the policy rule in Manage > Policy List ......

Please refer to the link below; you will get a better idea.