We created a Response rule to send DLP alerts (Endpoint & Prevent) to AlertLogic. Alerts are going to our dashboard but the only field that is not displaying data is User.
Here is how we have defined that variable: USER=$DATAOWNER_NAME$
I also tried USER=$DATA_OWNER$, USER=$EMPLOYEE_CODE$ but am still getting N/A.
btw, we used the variable definitions listed in DLP:
Does anyone know if there is another variable I could use for User/Data Owner?
Thanks!
Check that your LDAP lookup plugin is working fine. Is it providing user information if an incident is created by a user?