Data Loss Prevention

  • 1.  DLP Events to syslog

    Posted Jun 17, 2013 10:40 AM

    We created a Response rule to send DLP alerts (Endpoint & Prevent) to AlertLogic. Alerts are going to our dashboard, but the only field that is not displaying data is User.

    Here is how we have defined that variable:
    USER=$DATAOWNER_NAME$

    I also tried USER=$DATA_OWNER$, USER=$EMPLOYEE_CODE$ but am still getting N/A.

    Btw, we used the variable definitions listed in DLP:

     

    Insert Variable
    Blocked
    Data Owner
    Data Owner Email
    Device Instance ID
    Endpoint Machine
    File Full Path
    File Name
    File Parent Directory Path
    Incident ID
    Incident Snapshot
    Match Count
    Policy Name
    Policy Rules
    Protocol / Device Type / Target Type
    Quarantine Parent Directory Path
    Recipients
    Scan Date
    Sender
    Severity
    Subject
    Target

    Does anyone know if there is another variable I could use for User/Data Owner?

    Thanks!



  • 2.  RE: DLP Events to syslog

    Posted Jul 02, 2013 08:58 AM

    frown



  • 3.  RE: DLP Events to syslog

    Posted Jul 04, 2013 02:39 PM

    Check that your LDAP lookup plugin is working fine. Is it providing user information if the incident is created by a user?