Data Loss Prevention

  • 1.  Endpoint Response Rule - User name

    Posted May 27, 2015 05:07 PM

    Does anyone know how to capture the User Name in an Endpoint response rule?



  • 2.  RE: Endpoint Response Rule - User name

    Posted May 27, 2015 05:08 PM

    I should add that I'm trying to configure response rules to send syslog to our SIEM.



  • 3.  RE: Endpoint Response Rule - User name

    Posted Jun 25, 2015 11:07 AM

    Hello,

     

    suser=$SENDER$ should do the job.

     

    Best,

    Morgado



  • 4.  RE: Endpoint Response Rule - User name

    Trusted Advisor
    Posted Jul 09, 2015 09:48 PM

    Here is list of the outputs..

     

    SENDER=$SENDER$ 

    BLOCKED=$BLOCKED$

    DATAOWNER_NAME=$DATAOWNER_NAME$

    DATAOWNER_EMAIL=$DATAOWNER_EMAIL$

    ENDPOINT_DEVICE_ID=$ENDPOINT_DEVICE_ID$

    ENDPOINT_MACHINE=$ENDPOINT_MACHINE$

    PATH=$PATH$

    FILE_NAME=$FILE_NAME$

    PARENT_PATH=$PARENT_PATH$

    INCIDENT_ID=$INCIDENT_ID$

    INCIDENT_SNAPSHOT=$INCIDENT_SNAPSHOT$

    MATCH_COUNT=$MATCH_COUNT$

    RULES=$RULES$

    PROTOCOL=$PROTOCOL$

    QUARANTINE_PARENT_PATH=$QUARANTINE_PARENT_PATH$

    RECIPIENTS=$RECIPIENTS$

    SCAN=$SCAN$

    SEVERITY=$SEVERITY$

    SUBJECT=$SUBJECT$

    TARGET=$TARGET$

    FNAME=$ATTACHMENT_NAME$



  • 5.  RE: Endpoint Response Rule - User name

    Posted Jul 13, 2015 02:25 PM

    As far as I know, you do not have the possibility to use Endpoint User Name in a Response Rule just like that.

     

    You can build something custom in order to achieve this, something like:

     

    - Create a Custom Attribute, named Endpoint User Name;

    - Build a small Python script that gets the information from the "live traffic" and writes it to the Custom Attribute created above;

    - The Custom Attribute will have a value of $ATTRIBUTE_XY$ (e.g.: $ATTRIBUTE_30$);

    - Then, depending on your SIEM, you can add this Custom Attribute in the message sent to SIEM.

     

    I can help if you require further assistance :).

     

    Stefan
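What the variable list from post 4 and the custom-attribute route from post 5 look like end to end, as an added example that is not code from the thread, from Symantec DLP or from any of the posters: a small Python script models the response-rule placeholder substitution, fills a custom attribute with the endpoint user name from a lookup keyed on `$ENDPOINT_MACHINE$`, renders a syslog line, and then parses that line the way a SIEM ingest step would have to. Everything below the variable list is assumed for illustration: the custom attribute number (`ATTRIBUTE_30`), the machine-to-user lookup table standing in for the "live traffic" query, the syslog template, and the sample incident. The script does not talk to an Enforce server.

```python
"""Render and parse a DLP-style response-rule syslog line.

Added example, not code from the thread or from Symantec. The placeholder
names are the ones listed in this thread; the incident record, the syslog
template, the custom attribute slot and the machine-to-user lookup are
constructed for illustration.
"""
import re

# Response-rule variables as listed in post 4 of this thread.
RESPONSE_VARIABLES = [
    "SENDER", "BLOCKED", "DATAOWNER_NAME", "DATAOWNER_EMAIL",
    "ENDPOINT_DEVICE_ID", "ENDPOINT_MACHINE", "PATH", "FILE_NAME",
    "PARENT_PATH", "INCIDENT_ID", "INCIDENT_SNAPSHOT", "MATCH_COUNT",
    "RULES", "PROTOCOL", "QUARANTINE_PARENT_PATH", "RECIPIENTS", "SCAN",
    "SEVERITY", "SUBJECT", "TARGET", "ATTACHMENT_NAME",
]

# Hypothetical custom-attribute slot used for the endpoint user name.
ENDPOINT_USER_ATTRIBUTE = "ATTRIBUTE_30"

# Constructed stand-in for the lookup the thread's "small Python script"
# would perform against live endpoint data.
ENDPOINT_USER_LOOKUP = {
    "LAPTOP-0042": "CORP\\jdoe",
    "LAPTOP-0077": "CORP\\asmith",
}

# Constructed syslog template in the KEY=$VAR$ style used in the thread.
SYSLOG_TEMPLATE = (
    "INCIDENT_ID=$INCIDENT_ID$ SEVERITY=$SEVERITY$ BLOCKED=$BLOCKED$ "
    "SENDER=$SENDER$ ENDPOINT_MACHINE=$ENDPOINT_MACHINE$ "
    f"ENDPOINT_USER=${ENDPOINT_USER_ATTRIBUTE}$ "
    "PATH=$PATH$ FILE_NAME=$FILE_NAME$ MATCH_COUNT=$MATCH_COUNT$ RULES=$RULES$"
)

# Constructed sample incident; SENDER is deliberately absent.
SAMPLE_INCIDENT = {
    "INCIDENT_ID": "118273",
    "SEVERITY": "High",
    "BLOCKED": "Yes",
    "ENDPOINT_MACHINE": "LAPTOP-0042",
    "PATH": r"C:\Users\jdoe\My Documents\Q3 forecast.xlsx",
    "FILE_NAME": "Q3 forecast.xlsx",
    "MATCH_COUNT": "7",
    "RULES": "PCI - Credit Card Numbers",
}

_PLACEHOLDER = re.compile(r"\$([A-Z][A-Z0-9_-]*)\$")


def resolve_endpoint_user(incident, lookup=ENDPOINT_USER_LOOKUP):
    """Populate the custom attribute from the endpoint machine name.

    Returns a new dict; a machine missing from the lookup gets no attribute,
    so the template placeholder stays visible downstream.
    """
    enriched = dict(incident)
    user = lookup.get(incident.get("ENDPOINT_MACHINE", ""))
    if user is not None:
        enriched[ENDPOINT_USER_ATTRIBUTE] = user
    return enriched


def render_template(template, incident):
    """Substitute $NAME$ placeholders from the incident record.

    A placeholder with no value is left literal rather than blanked, so a
    variable that is not populated shows up as '$SENDER$' in the SIEM
    instead of silently producing an empty field.
    """
    return _PLACEHOLDER.sub(
        lambda m: str(incident.get(m.group(1), m.group(0))), template)


def parse_syslog_message(message, keys):
    """Split KEY=value pairs back into a dict on the SIEM side.

    PATH, SUBJECT and RULES routinely contain spaces, so the line is split
    at the known key names (preceded by start-of-line or whitespace), not at
    every space. Keys are tried longest first so that, e.g., a key that is
    a suffix of another key never wins by accident.
    """
    alternation = "|".join(
        re.escape(k) for k in sorted(keys, key=len, reverse=True))
    key_re = re.compile(rf"(?:^|\s)({alternation})=")
    hits = list(key_re.finditer(message))
    parsed = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        parsed[hit.group(1)] = message[hit.end():end].strip()
    return parsed


def build_and_parse(incident=SAMPLE_INCIDENT, template=SYSLOG_TEMPLATE):
    """Round trip: enrich -> render -> parse. Returns (line, fields)."""
    line = render_template(template, resolve_endpoint_user(incident))
    keys = RESPONSE_VARIABLES + ["ENDPOINT_USER"]
    return line, parse_syslog_message(line, keys)


if __name__ == "__main__":
    line, fields = build_and_parse()
    print(line)
    for key, value in fields.items():
        print(f"{key:>16} = {value}")
```

Two points worth keeping when adapting this: split on key names, not on whitespace, because `PATH` and `FILE_NAME` values carry spaces; and decide explicitly what an unresolved placeholder should look like in the SIEM, since a blank `SENDER=` and a literal `SENDER=$SENDER$` tell the analyst different things about whether the variable is supported for endpoint incidents.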

     



  • 6.  RE: Endpoint Response Rule - User name

    Posted Sep 02, 2015 06:14 PM
    Hello. If you wish, I can provide you with our code to retrieve the user ID. PM me. Peter


  • 7.  RE: Endpoint Response Rule - User name
    Best Answer

    Trusted Advisor
    Posted Sep 02, 2015 08:25 PM

    Are you trying to do this in a pop-up or for an email response?

     

    In either case, try using $SENDER$ or $SENDER-IP$; one of them might work.

     

    Please make sure to mark this as a solution to your problem, when possible.