Data Loss Prevention

  • 1.  AD Attribute lookup

    Posted Sep 21, 2017 03:26 AM

    Hello guys,

    I have done DLP 14.6 installation and had also integrated Active Directory with Symantec DLP.

    Now I want to create custom attributes and map them in Symantec DLP.

    How can I achieve that?

    How do I create an attribute mapping script from AD in the Symantec DLP console?

    EX. attr.LDAP\ givenName=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):givenName
    attr.LDAP\ telephoneNumber=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):telephoneNumber

    Could anyone help me with an explanation of the above script?

    Thanks

    Kunal S



  • 2.  RE: AD Attribute lookup

    Trusted Advisor
    Posted Sep 21, 2017 04:13 PM

    Here is what I use for my LDAP.. 


    attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):givenName
    attr.Last\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):sn
    attr.Username =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$Hostname2$)):sAMAccountName
    attr.Sender\ Email =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):mail
    attr.Department =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):department
    attr.Title =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):title
    attr.Phone =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):telephoneNumber
    attr.Division =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):physicalDeliveryOfficeName
    attr.City =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):l
    attr.TempManager =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):manager
    attr.Manager\ First\ Name =:(distinguishedname=$TempManager$):givenName
    attr.Manager\ Last\ Name =:(distinguishedname=$TempManager$):sn
    attr.Manager\ Email =:(distinguishedName=$TempManager$):mail
    attr.Manager\ Title =:(distinguishedName=$TempManager$):title
    attr.Manager\ Department =:(distinguishedName=$TempManager$):department
    attr.Manager\ Phone =:(distinguishedName=$TempManager$):telephoneNumber


    Good Luck,

    Ronak

    Please mark as solved..



  • 3.  RE: AD Attribute lookup
    Best Answer

    Posted Sep 26, 2017 12:40 PM

    DLP Solutions2,

    In the following post you add this information: https://www.symantec.com/connect/forums/dlp-and-ad-intergration

    ------------------------------------------------------------------------------------------------------------------------------------------

    DIM: Data in motion

    DAR: Data at Rest

    DAE: Data at the Endpoint

    I was referring to the LDAP Lookup Plugin, which will populate the custom attributes section in the incident snapshot. This is outlined in the Symantec_DLP_10.5_Lookup_Plugin_Guide. This requires modification to the following items:

    Adding/Organizing the Custom Attributes in the Enforce UI.
    Plugin.properties file
    LiveLdapLookup.properties
    The AD authentication is the one that uses the krb5.ini file and requires a change in the Enforce UI under system Settings.

    Which one do you need help with?

    -------------------------------------------------------------------------------------------------------------------------------------------

    I tried to use the custom attributes as well, without success.

    The General screen of Active Directory shows the following information about the user:

    First name: givenName
    Last name:sn
    Display name:displayName
    Description:description
    Office:physicalDeliveryOfficeName

    Telephone number:telephoneNumber
    E-mail:mail

    In this case, in System/Incident Data/Lookup Plugins I have to add a new LDAP plugin and add the following in Attribute Mapping:

    attr.First\ name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):givenName
    attr.Last\ name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):sn
    attr.Display\ name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):displayName
    attr.Description=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):description
    attr.Office=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):physicalDeliveryOfficeName
    attr.Telephone\ number=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):telephoneNumber
    attr.Email=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):mail

    Are these steps and this configuration correct?

    The Plugin.properties file has no configuration; do I have to add this?

    attr.First\ name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):givenName
    attr.Last\ name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):sn
    attr.Display\ name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):displayName
    attr.Description=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):description
    attr.Office=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):physicalDeliveryOfficeName
    attr.Telephone\ number=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):telephoneNumber
    attr.Email=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):mail

    The LiveLdapLookup.properties file does not exist.

    And regarding "Adding/Organizing the Custom Attributes in the Enforce UI":

    Are the custom attributes to add the following?

    First name
    Last name
    Display name
    Description
    Office

    Telephone number
    Email

    Thank you very much for your assistance



  • 4.  RE: AD Attribute lookup

    Trusted Advisor
    Posted Sep 26, 2017 12:40 PM

    Your entries are wrong!! You need to remove "LDAP\ "

    Also, when there is a space in the custom attribute, you need to add the \

    attr.LDAP\ First name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):givenName


    This is the correct format!!

    attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):givenName

    Also make sure you have configured the LDAP Connection and tested it.
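    The added example below is not from this thread or from Symantec's plugin; it is a small Python model of how the mapping lines in Ronak's list and the corrected format above behave. It parses `attr.<Custom Attribute>=:<LDAP filter with $variables$>:<LDAP attribute>` lines (with `\ ` standing for a space in the attribute name), substitutes the `$variable$` placeholders from incident data, matches the filter against a constructed in-memory directory (not real AD data), chains the resolved TempManager value into the manager lookups, and RFC 4515-escapes every substituted value so incident content such as a sender address is treated as a literal and cannot change the filter's shape. The directory entries, incident values and the `escape_filter_value`, `parse_mapping`, `matches` and `resolve` helper names are assumptions of this example.

```python
import re

DIRECTORY = [  # constructed stand-in for Active Directory entries (not real data)
    {"distinguishedName": "CN=Kunal S,OU=Users,DC=example,DC=com", "sAMAccountName": "kunals",
     "mail": "kunal.s@example.com", "givenName": "Kunal", "sn": "S",
     "manager": "CN=Ronak P,OU=Users,DC=example,DC=com"},
    {"distinguishedName": "CN=Ronak P,OU=Users,DC=example,DC=com", "sAMAccountName": "ronakp",
     "mail": "ronak.p@example.com", "givenName": "Ronak", "sn": "P", "manager": ""},
]

# Mapping lines in the thread's format; "\ " in the custom attribute name is a space:
#   attr.<Custom Attribute>=:<LDAP filter with $variables$>:<LDAP attribute to return>
MAPPING = r"""
attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)):givenName
attr.Last\ Name =:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)):sn
attr.TempManager =:(|(mail=$sender-email$)(sAMAccountName=$endpoint-user-name$)):manager
attr.Manager\ Email =:(distinguishedName=$TempManager$):mail
"""

LINE_RE = re.compile(r"^attr\.((?:\\ |[^=\s])+)\s*=:(.*):(\w+)$")
PAIR_RE = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")  # one (attribute=value) test

def escape_filter_value(value):
    """RFC 4515 escaping: incident data must not be able to rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def parse_mapping(text):
    """Return [(custom attribute name, filter template, LDAP attribute), ...]."""
    rules = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rules.append((m.group(1).replace("\\ ", " "), m.group(2), m.group(3)))
    return rules

def matches(entry, ldap_filter):
    """Evaluate (a=v) / (|(a=v)(b=w)) filters; attribute names are case-insensitive."""
    lowered = {k.lower(): v for k, v in entry.items()}
    return any(val and escape_filter_value(lowered.get(attr.lower(), "")) == val
               for attr, val in PAIR_RE.findall(ldap_filter))

def resolve(rules, incident):
    """Apply rules in order; a resolved attribute (TempManager here) feeds a later
    rule's $variable$, which is how the manager chain in the thread works."""
    values = dict(incident)
    for name, template, ldap_attr in rules:
        filled = re.sub(r"\$([\w-]+)\$",
                        lambda m: escape_filter_value(values.get(m.group(1), "")), template)
        hit = next((e for e in DIRECTORY if matches(e, filled)), None)
        values[name] = hit.get(ldap_attr, "") if hit else ""
    return {name: values[name] for name, _, _ in rules}
```

    A variable the incident does not carry (for example `$endpoint-user-name$` on an e-mail incident) substitutes as empty, so that branch of the OR filter simply matches nothing, which is why the real mappings list several identifiers per attribute.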



  • 5.  RE: AD Attribute lookup

    Posted Sep 26, 2017 01:06 PM

    I removed the .LDAP\ and changed to:

    attr.First\ name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):givenName
    attr.Last\ name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):sn
    attr.Display\ name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):displayName
    attr.Description=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):description
    attr.Office=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):physicalDeliveryOfficeName
    attr.Telephone\ number=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):telephoneNumber
    attr.Email=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)):mail

    But in the incident Attributes the information is not refreshed; I attach some images of the configuration.



  • 6.  RE: AD Attribute lookup

    Posted Sep 26, 2017 01:32 PM

    I forgot this setting, and now the information is refreshed in the Incident :D



  • 7.  RE: AD Attribute lookup

    Trusted Advisor
    Posted Sep 26, 2017 01:35 PM

    Great..

    Good Luck,

    Ronak

    Please mark as solved..



  • 8.  RE: AD Attribute lookup

    Posted Sep 26, 2017 03:27 PM
    In reference to this configuration I have some questions, because I have one server for testing and another for production.

    In the test server (Single Tier), the "Lookup" and "Edit" options are available on the attribute, and I have to click the Lookup button for the information to refresh. On the other side, in the production server (Three Tier) only the "Edit" option is available; I assume the information appears automatically, is that correct?

    And does this change in the production servers automatically refresh all incidents? I already have 60.0000 incidents approx. Does this impact the size of the Oracle Database? Is it too much to consider?