If you are using Web Prevent for monitor Outlook Web Access (OWA) traffic, you probably were unlucky to find out any user account information in such incidents.
Good news! After inspecting a "Message body" part of such incidents, I found out that it contains a string with user SID from Active Directory. Using this entry you can fetch any user's information from your Active Directory.
And even better! You can use it in your Lookup Plugins as well. With a little trick. As you may know, Lookup Plugins can not directly deal with incident's attachments, message and so on. But if you leveraging any script language for Lookup Plugin, you can easily get around this limitation. There is another place where you can get any incident's component - Incident Reporting and Update API.
I prefer to write Lokkup Plugins with Python for it's simplicity. If you do so, I recommend using SUDS to deal with API.
Incident Update and Reporting API is a way for external access to the incidents and its content. You can find more info in the Developers Guide:
https://support.symantec.com/en_US/article.DOC9264.html
See above
Hey Xand,
- Per above, did you mean after inspecting "Message header" rather than "body"? I thought the header contained the metadata. Do you have a screen-shot you could redact to show as an example - very interested.
- Per above, where do I find (novice user) the "Incident Reporting" and/or "Update API"? Is this in the administrator view only?
- P.S. I only have policy admin/reporting/remediation but no system admin level access yet...that may explain why I can't see "Incident Reporting" and/or "Update API"?