Data Loss Prevention

  • 1.  Configuring Smart Response rules for Quarantining files

    Posted Mar 18, 2014 03:23 PM

    When on the Enforce box: D:\Vontu\Protect\plugins -> ManualQuarantine.properties

    Is there a way to "pull" the date and time the marker file was created, to give the user some idea of when the marker file was left and how long they have before the original file will be deleted?

    Example in bold (The best I could come up with):

    # The marker text to be inserted in marker files. The marker text can contain placeholders for
    # runtime information.
    marker-text = Company X Data Loss Prevention Team\r\n\
    Incident number: $INCIDENT_ID$\r\n\
    File name: $FILE_NAME$\r\n\
    *Marker File Creation Date: $DATE_TIME$\r\n\
    This file has been identified as possibly containing private data as defined by Company X.\r\n\
    For assistance retrieving this file, contact the IT Service Center. 1-800-300-XXXX (XXXX).\r\n\
    Note: This original file will be purged 90 days after the Marker file creation date\r\n\
    Thank you\r\n\
    Data Loss Prevention Team\r\n

    Thanks for any help you can provide.



  • 2.  RE: Configuring Smart Response rules for Quarantining files

    Broadcom Employee
    Posted Mar 18, 2014 04:19 PM

    While we don't support the exact date and time the incident is created, you could use $SCAN_DATE$, which is the date the Discover scan that resulted in the marker file started. This of course becomes less acceptable the longer your Discover scans run.



  • 3.  RE: Configuring Smart Response rules for Quarantining files

    Trusted Advisor
    Posted Mar 19, 2014 01:33 PM

    I am not sure if this will work for filling the content of a Marker file, but you can write a Lookup Script that will run on the Enforce Server after the incident is created and populate a Custom Attribute field with the current date and time.

    You MIGHT be able to then have that custom attribute be part of the content of that file. It would be referenced by $ATTRIBUTE_9$ in the file (the number will vary).

    I have done this before, but not to populate a marker file.

    Hope this makes sense.

    If this solves your question, please mark it as solved.

    Ronak



  • 4.  RE: Configuring Smart Response rules for Quarantining files

    Posted Mar 19, 2014 03:29 PM

    Thanks for the suggestions. Would it be better to just set up some kind of email notification via DLP? I really didn't want to do this because I would then run into the problem of users "pretending" to use files they haven't looked at for months or even years, which kind of defeats the purpose.



  • 5.  RE: Configuring Smart Response rules for Quarantining files

    Posted Mar 19, 2014 08:03 PM

    Does your company have a data retention policy? If not, have your Governance committee pitch in to help create and publish one. Ideally, you could set the response rule to archive according to the policy, leave the marker file, and skip the up-front email to the user.


  • 6.  RE: Configuring Smart Response rules for Quarantining files

    Posted Mar 26, 2014 05:19 PM

    Have done this exact thing before, so yes, it can be done. Following Ronak's suggestion, you CAN use custom attributes in the parameters you pass into the marker text.

    What I've done is this, which works:

    1. Create a new Custom Attribute called "Quarantine Date".
    2. Create your Smart Response Rule, which has 2 actions:
      1. Populates the custom attribute "Quarantine Date", which will effectively prompt your operator to enter a date (I set the default value for this to something like "<ENTER QUARANTINE DATE>", so that I know I've told my operator to enter the date they are manually quarantining this file).
      2. Invokes the Manual Quarantine flex response.
    3. Edit the marker text in the ManualQuarantine.properties file to include the attribute $Quarantine Date$.

    Done, that's it. 

    If you wanted to extend this to work with the Automatic Quarantine response rule, you'd need to create a lookup plugin that populates the "Quarantine Date" with the current date, then use that same attribute in your configured marker text in the response rule.  However, you wouldn't really be able to use that data to report on, as it's going to set that attribute for all of your Discover incidents (if you configure your lookup correctly, that is).

    ~Keith
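    The placeholders from the opening post and the custom-attribute approach in the reply above can be exercised offline with the following Python script. It is an added example, not Symantec DLP code: it reads a constructed marker-text entry written in ManualQuarantine.properties syntax (backslash continuations, literal \r\n escapes), expands $NAME$ placeholders from a constructed incident that carries the built-in $SCAN_DATE$ and the "Quarantine Date" custom attribute, and computes the purge date 90 days after the quarantine date. The $PURGE_DATE$ placeholder, the function names (parse_properties, render_marker, purge_date, build_marker, unresolved_placeholders) and the sample values are assumptions of this example; how Enforce itself performs the expansion is not shown on this page.

```python
import re
from datetime import date, timedelta

# Constructed excerpt in ManualQuarantine.properties syntax (Java .properties):
# a trailing backslash continues the value on the next line, and \r\n are
# literal escape sequences. The $PURGE_DATE$ placeholder is an assumption of
# this example, computed below rather than supplied by Enforce.
MARKER_PROPERTIES = r"""
# The marker text to be inserted in marker files. The marker text can contain
# placeholders for runtime information.
marker-text = Company X Data Loss Prevention Team\r\n\
Incident number: $INCIDENT_ID$\r\n\
File name: $FILE_NAME$\r\n\
Quarantine date: $Quarantine Date$ (Discover scan started $SCAN_DATE$)\r\n\
This original file will be purged on $PURGE_DATE$.\r\n\
Data Loss Prevention Team
"""

# Constructed incident values standing in for what Enforce passes at runtime:
# $SCAN_DATE$ is the built-in placeholder mentioned in reply 2, and
# "Quarantine Date" is the custom attribute from reply 6.
SAMPLE_INCIDENT = {
    "INCIDENT_ID": "12345",
    "FILE_NAME": "payroll_2013.xlsx",
    "SCAN_DATE": "2014-03-17",
    "Quarantine Date": "2014-03-19",
}

_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\"}
PLACEHOLDER = re.compile(r"\$([^$]+)\$")


def _unescape(value):
    """Convert the escape sequences a .properties value may contain (r, n, t, backslash)."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def _continues(line):
    """True when the line ends in an odd number of backslashes (a continuation)."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, 'key = value', and
    backslash-newline continuations (leading whitespace of a continuation
    line is dropped, as java.util.Properties does)."""
    props = {}
    pending = ""
    continuing = False
    for raw in text.splitlines():
        line = raw.lstrip() if continuing else raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        if _continues(line):
            pending += line[:-1]
            continuing = True
            continue
        pending += line
        key, _, value = pending.partition("=")
        props[key.strip()] = _unescape(value.strip())
        pending, continuing = "", False
    return props


def render_marker(template, values):
    """Expand $NAME$ placeholders. Unknown names are left untouched so a
    misspelled attribute in the template shows up in the output instead of
    silently disappearing."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def purge_date(quarantine_date, retention_days=90):
    """ISO date on which the original file is due to be purged."""
    start = date.fromisoformat(quarantine_date)
    return (start + timedelta(days=retention_days)).isoformat()


def build_marker(props, incident, retention_days=90):
    """Marker-file text for one incident, with the purge date derived from the
    'Quarantine Date' custom attribute."""
    values = dict(incident)
    values["PURGE_DATE"] = purge_date(incident["Quarantine Date"], retention_days)
    return render_marker(props["marker-text"], values)


def unresolved_placeholders(marker):
    """Names of any $NAME$ placeholders still present after rendering."""
    return PLACEHOLDER.findall(marker)


if __name__ == "__main__":
    marker = build_marker(parse_properties(MARKER_PROPERTIES), SAMPLE_INCIDENT)
    print(marker)
    print("unresolved:", unresolved_placeholders(marker))
```

    Running this against an edited template before deploying it is a cheap check that the continuation backslashes are intact (a missing one silently truncates the value, which is what happens with the "Note:" line in the opening post) and that every placeholder resolved: any name returned by unresolved_placeholders points at a custom attribute that is misspelled or not populated by the response rule.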