Data Loss Prevention

 View Only
  • 1.  DLP - How to include attachment name(s) in csv export

    Posted Jul 25, 2016 12:48 PM

    In DLP 12.5 or later, does anyone know of a way to automatically add the attachment name (if there was one) from an incident to a custom attribute? If I create an "Attachment" attribute and manually populate that field with the filename, that comes out in the csv extract as expected. What I'd like to do is accomplish this automatically, by using the attachment-nameX attribute lookup key perhaps. As I understand it those keys are generally used to match data with an external source though (like LDAP). Is there a way, either by leveraging that key or otherwise, to pull the attachment name into it's own attribute so it can be searched and reported on?



  • 2.  RE: DLP - How to include attachment name(s) in csv export

    Trusted Advisor
    Posted Jul 26, 2016 02:15 AM

    hello,

     you can create a custom plugin script (in python, powershell,...) which will use "attachment-nameX " to populate a dedicated custom attribute.

    But you may face some issues if there is many attachment in an email (E.g. if there is an archive as attchment-name as it wont be archive name but name of each file in the archive).

     regards



  • 3.  RE: DLP - How to include attachment name(s) in csv export
    Best Answer

    Posted Jul 26, 2016 06:49 AM

    Hello,

     

    Not sure if I missed your point, but the attachment name violating the policy is by default available in the CSV report.

    Fields:

    Source File

    OR

    Destination

     

     

    Cheers, Morgado



  • 4.  RE: DLP - How to include attachment name(s) in csv export

    Posted Jul 26, 2016 09:11 AM

    Thanks Stephane. Do you have an example script you could post that would accomplish this?

     

    Morgado - Is that in version 14 perhaps? I don't see that in 12.5.2. I'm referring to Network incidents as well which I failed to mention. I know for Discover incidents I can get the file name in the extract from the Location field.

     

    Rich



  • 5.  RE: DLP - How to include attachment name(s) in csv export

    Posted Jul 26, 2016 02:57 PM

    Just tried this out and @Morgado is right. The attachment name is visible in the csv. Along with path saved.



  • 6.  RE: DLP - How to include attachment name(s) in csv export
    Best Answer

    Trusted Advisor
    Posted Jul 28, 2016 02:36 AM

    hello,

     attachment name is only available in endpoint and discover (if i remember it well) but not for network incident. I think it is because of potential issue listed below (potentially many attachment in network incident)

    You may find some sample script and information in this forum, for example :

    https://www.symantec.com/connect/forums/part-ii-how-does-dlp-enforce-server-invoke-powershell-lookup-script

    https://www.symantec.com/connect/downloads/dlp-vontu-custom-script-lookup-network-incident-hostnames

     

    this is quite old post and now configuration is much easier but script works.

     

     regards.