Data Loss Prevention


What Variables can be used within Response Rules 

Feb 25, 2012 05:32 AM

Whether you set up a response rule for email notification or for sending a notification to a syslog server, you can use response action variables to pass incident-specific data into the message.

The response action variables are different for Monitor/Prevent incidents than for Discover incidents. The following sections list the variables for each type of incident.

Monitor/Prevent Incidents

$BLOCKED$ – Indication of whether or not the message was blocked by the Symantec Data Loss Prevention system (yes or no).

$INCIDENT_ID$ – The ID of the incident.

$INCIDENT_SNAPSHOT$ – The fully qualified URL to the Incident Snapshot page for the incident.

$MATCH_COUNT$ – The incident match count.

$POLICY$ – The name of the policy that was violated.

$RECIPIENTS$ – A comma-separated list of one or more message recipients.

$RULES$ – A comma-separated list of one or more policy rules that were violated.

$SENDER$ – The message sender.

$SEVERITY$ – The severity assigned to the incident.

$SUBJECT$ – The subject of the message.


Discover Incidents

$FILE_NAME$ – The name of the file in which the incident was found.

$INCIDENT_ID$ – The ID of the incident.

$MATCH_COUNT$ – The incident match count.

$PARENT_PATH$ – The path to the parent directory of the file in which the incident was found.

$PATH$ – The full path to the file in which the incident was found.

$POLICY$ – The name of the policy that was violated.

$RULES$ – A comma-separated list of one or more policy rules that were violated.

$QUARANTINE_PARENT_PATH$ – The path to the parent directory in which the file was quarantined.

$SCAN$ – The date of the scan that found the incident.

$SEVERITY$ – The severity assigned to the incident.

$TARGET$ – The name of the target in which the incident was found.


Here is an example of the variables for Endpoint Prevent incidents.

Create a response rule that logs to a syslog server; in its 'Message' section, enter all of the 'Monitor/Prevent Incidents' variables:

When an incident is generated, the syslog message looks like this:


Comments

Jun 09, 2015 04:53 PM

If the $ENDPOINT_USER_NAME$ does not work, then there is nothing else.

Not all of the Variables can be used for Syslog notifications.

Jun 04, 2015 03:47 PM

Any idea on how to populate the End User Name and/or the Machine IP in a response rule to forward to a syslog server? I've used this below, but the $ENDPOINT_USER_NAME$ field doesn't give me a value in the syslog event. This is for an Endpoint Incident.

 

CEF:0|Vontu|Monitor|11|$POLICY$|$POLICY$|5|app=$PROTOCOL$ src=$SENDER$ dst=$RECIPIENTS$ duser=$RECIPIENTS$ dhost=$ENDPOINT_MACHINE$ msg=$RULES$ cn1=$MATCH_COUNT$ cn1Label=MatchCount externalId=$INCIDENT_ID$ cs1=$INCIDENT_ID$ cs1Label=IncidentID cs2=$SEVERITY$ cs2Label=DLPSeverity cs3=$TARGET$ cs3Label=Target cs4=$FILE_NAME$ cs4Label=File Name cs5=$PROTOCOL$ cs5Label=Channel

 

May 28, 2015 10:35 AM

Thank you for your response. I'm fairly new to DLP and my goal is to configure the Response Rules to forward syslog to our SIEM and to include the Endpoint User Name in the event.  This is what I have so far:

 

CEF:0|Vontu|Monitor|11|$POLICY$|$POLICY$|5|app=$PROTOCOL$ src=$SENDER$ dst=$RECIPIENTS$ duser=$RECIPIENTS$ dhost=$ENDPOINT_MACHINE$ msg=$RULES$ cn1=$MATCH_COUNT$ cn1Label=MatchCount externalId=$INCIDENT_ID$ cs1=$INCIDENT_ID$ cs1Label=IncidentID cs2=$SEVERITY$ cs2Label=DLPSeverity cs3=$TARGET$ cs3Label=Target cs4=$FILE_NAME$ cs4Label=File Name cs5=$PROTOCOL$ cs5Label=Channel

Would I add this to include the User - $cs6=$ENDPOINT_USER_NAME$ ?

Thanks again for the help!
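As an added example (not code from any poster here or from Symantec), this is the check one would run on the SIEM side for the two CEF templates quoted in this comment and the one above it: it expands the $NAME$ tokens from a constructed incident, parses the CEF header and extension, and flags fields that arrived empty or as an unexpanded token, which is the symptom both comments describe. It assumes that a variable the incident lacks is left verbatim (the product may instead emit an empty value; both cases are caught), and it uses cs4Label in place of the csLabel typo.

```python
import re

# $NAME$ tokens as written in DLP response rule messages (the plugin-side
# form from the thread, $endpoint-user-name$, is matched as well).
VAR_RE = re.compile(r"\$([A-Za-z][A-Za-z0-9_-]*)\$")

# Shortened form of the thread's CEF template (constructed, not from a live
# system); cs4Label is the CEF key for the cs4 label.
CEF_TEMPLATE = (
    "CEF:0|Vontu|Monitor|11|$POLICY$|$POLICY$|5|app=$PROTOCOL$ src=$SENDER$ "
    "dst=$RECIPIENTS$ duser=$ENDPOINT_USER_NAME$ dhost=$ENDPOINT_MACHINE$ "
    "msg=$RULES$ cn1=$MATCH_COUNT$ cn1Label=MatchCount externalId=$INCIDENT_ID$ "
    "cs4=$FILE_NAME$ cs4Label=File Name cs2=$SEVERITY$ cs2Label=DLPSeverity"
)

# Constructed endpoint incident: ENDPOINT_USER_NAME is absent and FILE_NAME
# is empty, the two ways a field can arrive unpopulated at the SIEM.
SAMPLE_INCIDENT = {
    "POLICY": "PCI Card Numbers", "PROTOCOL": "SMTP",
    "SENDER": "jdoe@example.com", "RECIPIENTS": "a@example.org,b@example.org",
    "ENDPOINT_MACHINE": "WS-042", "RULES": "Credit Card Number,Keyword Match",
    "MATCH_COUNT": "3", "INCIDENT_ID": "10457", "SEVERITY": "High",
    "FILE_NAME": "",
}

def expand(template, incident):
    """Substitute $NAME$ tokens. A name the incident lacks is left verbatim
    (an assumption about the product, which may instead emit an empty value)."""
    return VAR_RE.sub(lambda m: incident.get(m.group(1), m.group(0)), template)

def parse_cef(line):
    """Split a CEF line into its 7 header fields and an extension dict.
    Extension values may contain spaces, so split only in front of 'key='."""
    parts = line.split("|", 7)  # header pipes are unescaped in this sample
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    names = ("version", "vendor", "product", "device_version",
             "signature_id", "name", "severity")
    ext = {}
    for pair in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        ext[key] = value
    return dict(zip(names, parts[:7])), ext

def unpopulated(ext):
    """Extension keys whose value is empty or still a $NAME$ placeholder:
    the SIEM-side check for the symptom both comments describe."""
    return sorted(k for k, v in ext.items() if v == "" or VAR_RE.fullmatch(v))
```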

 

May 27, 2015 05:20 PM

$endpoint-user-name$ is the name of the variable. 


Here is how to look it up as part of the LDAP lookup and populate the attributes.


attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):givenName
attr.Last\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):sn
attr.Username =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$Hostname2$)):sAMAccountName
attr.Sender\ Email =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):mail
attr.Department =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):department
attr.Title =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):title
attr.Phone =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):telephoneNumber
attr.Division =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):physicalDeliveryOfficeName
attr.City =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):l
attr.TempManager =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):manager
attr.Manager\ First\ Name =:(distinguishedname=$TempManager$):givenName
attr.Manager\ Last\ Name =:(distinguishedname=$TempManager$):sn
attr.Manager\ Email =:(distinguishedName=$TempManager$):mail
attr.Manager\ Title =:(distinguishedName=$TempManager$):title
attr.Manager\ Department =:(distinguishedName=$TempManager$):department
attr.Manager\ Phone =:(distinguishedName=$TempManager$):telephoneNumber
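An added example, not part of this post or of the DLP lookup plugin: it parses lines in the attr.Name =:filter:attribute form used above, fills the (attr=$variable$) clauses from a constructed endpoint incident with RFC 4515 escaping of the substituted values (the safe way to assemble such a filter from incident data, whatever the plugin does internally), and shows how $TempManager$ becomes the second-stage manager filter. The constructed TempManager value, the shortened OR clauses, and the rule that a clause whose variable is unknown is dropped are this example's own assumptions.

```python
import re

# Three lines in the form of the lookup config quoted above (the first,
# the TempManager and the Manager Email entries, with fewer OR clauses).
LOOKUP_CONFIG = r"""
attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):givenName
attr.TempManager =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):manager
attr.Manager\ Email =:(distinguishedName=$TempManager$):mail
"""

# attr.<name> =:<filter template>:<ldap attribute>; spaces in <name> are
# backslash-escaped in the file. Clauses look like (attr=$variable$).
LINE_RE = re.compile(r"^attr\.((?:\\.|[^=\s])+)\s*=:(.*):(\w+)$")
CLAUSE_RE = re.compile(r"\((\w+)=\$([A-Za-z][A-Za-z0-9_-]*)\$\)")

def escape_filter_value(value):
    """RFC 4515 escaping, so a value taken from an incident cannot change
    the structure of the filter it is substituted into."""
    return (value.replace("\\", r"\5c").replace("*", r"\2a")
                 .replace("(", r"\28").replace(")", r"\29").replace("\0", r"\00"))

def parse_lookup_config(text):
    """Return (attribute name, filter template, ldap attribute) per line."""
    rules = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable lookup line: {raw!r}")
        rules.append((m.group(1).replace("\\ ", " "), m.group(2), m.group(3)))
    return rules

def build_filter(template, values):
    """Fill each (attr=$var$) clause with the escaped value; a clause whose
    variable is unknown is dropped (this example's choice, not documented plugin behaviour)."""
    def fill(m):
        attr, var = m.groups()
        return f"({attr}={escape_filter_value(values[var])})" if var in values else ""
    return CLAUSE_RE.sub(fill, template)

def build_all(config_text, values):
    """Filters for every rule, keyed by attribute name."""
    return {name: (build_filter(tmpl, values), ldap_attr)
            for name, tmpl, ldap_attr in parse_lookup_config(config_text)}

# Constructed endpoint incident: only endpoint-user-name is known (with filter
# metacharacters); TempManager stands in for the DN the first lookup returns.
ENDPOINT_INCIDENT = {
    "endpoint-user-name": "jdoe)(objectClass=*",
    "TempManager": "CN=Jane Doe,OU=Staff,DC=example,DC=com",
}
```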

 

May 27, 2015 02:58 PM

I couldn't get the Endpoint User Name to show. Has anyone had success with this?

Jun 10, 2014 01:20 PM

Try the Sender IP address variable. It may be the same field.

Jun 10, 2014 12:56 PM

This is DLP V11.

 

I do not see the Endpoint IP Address in the properties file.

 

These are the only ones that look like Endpoint values.

# endpoint-volume-name
# endpoint-dos-volume-name
# endpoint-application-name
# endpoint-application-path
# endpoint-file-name
# endpoint-file-path

# endpoint-user-name
# endpoint-machine-name


Jun 10, 2014 12:41 PM

What version are you working on?

 

If you are on a version before v12 then look at a config file, Plugins.properties. It will outline the variables available. You will need to make sure it is going to output the right variables for your use.

Then make sure to update the following line with the CATEGORY of variables you want.

com.vontu.api.incident.attributes.AttributeLookup.parameters=sender,message

If you are using V12 or higher, you can see the list in the UI under the Plugins Configuration page (Settings section).

You will see the list under a section there, and you will need to select the Category of Variables you want to enable; it has a list of the Variables there.

Ronak

CLOSE THIS QUESTION IF I HAVE ANSWERED YOUR QUESTION

Jun 10, 2014 11:57 AM

The Endpoint Username shows up as Attribute 10.

 

I would like to find the Endpoint Machine IP Address but have not found a variable for it.

 

EP User: $ATTRIBUTE_10$,

 

EP IP Address: $ ????


May 20, 2013 10:27 PM

So Good!

May 20, 2013 05:04 PM

Is there a list for Endpoint too?

Mar 28, 2013 09:53 AM

A couple of changes as of 11.6.1.x:
$POLICY$ is now $POLICY_NAME$
$RULES$ is now $POLICY_RULES$

Feb 06, 2013 08:38 AM

Hi, DLP Solutions,

Your information is really useful!

Mar 02, 2012 02:49 PM

There is also more information that you can use in the response rules.

 

You can also use the Custom Attributes in the response rules. This is not well documented but you can use ANY of the Custom Attribute fields within the Response Rules.

The Variable looks like this:

$ATTRIBUTE_6$

$ATTRIBUTE_7$

 

The Number corresponds to the field in the UI. The way to get the number is to go to an Incident page and then take the mouse and just hover over the Custom Attribute, and you will see the name show up in the lower portion of the web browser (JavaScript name).

Mar 01, 2012 11:31 PM

Thumbs up
