Data Loss Prevention

  • 1.  Endpoint Variable Names

    Posted Sep 18, 2017 03:41 PM

    We're trying to connect the DLP system to Exabeam.  For the most part, it works well.  However, we can't seem to find the variable name for the value shown under User in an incident record.  Does anyone know the name of this variable?



  • 2.  RE: Endpoint Variable Names

    Trusted Advisor
    Posted Sep 18, 2017 05:43 PM

    JDW7,

    How are you getting the information to ExaBeam? Is this via email or an SNMP event?

    In either case, that would probably be the sender or one of the following. These are the variables that are used when we do an LDAP lookup, but they should be the same.

    Email: $sender-email$

    File: $file-owner$

    Endpoint: $endpoint-user-name$


    If you get these populated into the Custom Attributes on the right side, you can then add them to any email that is sent out, and those can be parsed by ExaBeam if possible. See the enclosed file for the settings for the LDAP lookup.

    Once they are in the system you can add them to the emails. You will find the variable number when you hover the mouse over the filled attributes and look at the link at the bottom of your browser page.

    $ATTRIBUTE_1$
    $ATTRIBUTE_2$
    $ATTRIBUTE_3$


    Good Luck

    Ronak

    PLEASE MARK SOLVED

    Attachment(s): LDAPAttributeMapping.txt (1 KB)


  • 3.  RE: Endpoint Variable Names

    Posted Sep 19, 2017 04:57 PM

    We are moving the incidents to the Exabeam server through a response rule (Log Incidents to Syslog Server).  The Exabeam server is the host and the data is sent via a message (see below).  Exabeam is then taking the data and parsing it into the form they desire.

    LEEF:1.0|Symantec|DLP|2:medium|$POLICY$|usrFirstName=$First Name$|usrLastName=$Last NAME$|duser=$RECIPIENTS$|src=$SENDER$|dst=$RECIPIENTS$|rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$|incidentID=$INCIDENT_ID$|incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$|fileName=$FILE_NAME$|parentPath=$PARENT_PATH$|path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$|scan=$SCAN$|target=$TARGET$|dataOwnerName=$DATAOWNER_NAME$|dataOwnerEmail=$DATAOWNER_EMAIL$|endpointDeviceId=$ENDPOINT_DEVICE_ID$|endpointMachine=$ENDPOINT_MACHINE$|protocol=$PROTOCOL$|severity=$SEVERITY$|attachmentName=$ATTACHMENT_NAME$

    I will try the $endpoint-user-name$ variable to see if that works.

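As an added example (not from the original thread, and not Symantec's or Exabeam's own code), here is a small Python parser for the LEEF record the response rule above emits, plus the two checks a practitioner wants when wiring DLP into a SIEM: which template variables came through unexpanded (still a raw `$NAME$`, which is what you would look for after adding `$endpoint-user-name$` on a version that does not know it), and which field to fall back on for the user when the endpoint field is missing. The sample record is constructed, the values in it are made up, and the trailing `endpointUser=$endpoint-user-name$` field is a hypothetical addition to the template, not something the thread shows.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample record: the template from the response rule above with its
# $VARIABLE$ placeholders expanded into made-up values. The final field,
# endpointUser=$endpoint-user-name$, is a hypothetical addition that simulates a
# variable the DLP server does not know, so it is passed through unexpanded.
SAMPLE_LINE = (
    "LEEF:1.0|Symantec|DLP|2:medium|Customer Data Policy"
    "|usrFirstName=Jane|usrLastName=Doe"
    "|duser=partner@example.org|src=jdoe@corp.example|dst=partner@example.org"
    "|rules=Credit Card Numbers|matchCount=12|blocked=true|incidentID=48213"
    "|incidentSnapshot=https://dlp.corp.example/incident?id=48213"
    "|subject=Q3 numbers|fileName=cards.xlsx"
    "|parentPath=C:\\Users\\jdoe\\Documents|path=C:\\Users\\jdoe\\Documents\\cards.xlsx"
    "|quarantineParentPath=|endpointMachine=WKS-0042|protocol=Endpoint Email"
    "|severity=medium|attachmentName=cards.xlsx"
    "|endpointUser=$endpoint-user-name$"
)

# A DLP template variable that was never substituted looks like $Name$ or $some-name$.
PLACEHOLDER = re.compile(r"\$[A-Za-z0-9 _-]+\$")


def parse_leef(line: str, attr_sep: str = "|") -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one LEEF record into its fixed header and its key=value attributes.

    The header is always the first five pipe-separated fields
    (LEEF:version|vendor|product|product_version|event_id). LEEF 1.0 proper
    separates the attributes with a tab; the template in this thread uses '|',
    so the attribute separator is a parameter.
    """
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError("truncated LEEF header")
    header = {
        "leef_version": parts[0][len("LEEF:"):],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
    }
    attrs: Dict[str, str] = {}
    for field in parts[5].split(attr_sep):
        if not field:  # tolerate a trailing separator
            continue
        key, eq, value = field.partition("=")  # first '=' only, so URLs keep theirs
        if not eq:
            raise ValueError(f"attribute without '=': {field!r}")
        attrs[key] = value
    return header, attrs


def unexpanded_placeholders(attrs: Dict[str, str]) -> List[str]:
    """Keys whose value is still a raw $VARIABLE$, i.e. the DLP server did not expand it."""
    return sorted(k for k, v in attrs.items() if PLACEHOLDER.fullmatch(v))


def incident_user(
    attrs: Dict[str, str],
    candidates: Tuple[str, ...] = ("endpointUser", "src", "dataOwnerEmail"),
) -> Optional[str]:
    """Best available identity for the incident: first candidate with a real, expanded value."""
    for key in candidates:
        value = attrs.get(key, "")
        if value and not PLACEHOLDER.fullmatch(value):
            return value
    return None


if __name__ == "__main__":
    header, attrs = parse_leef(SAMPLE_LINE)
    print(header["event_id"], attrs["incidentID"], incident_user(attrs))
    print("unexpanded:", unexpanded_placeholders(attrs))
```

Two caveats worth checking in your own feed: with `|` as the attribute separator, any value that itself contains a pipe (a mail subject, a file path, a rule name) shifts every later field, so tab-delimiting the attributes, as LEEF 1.0 specifies, is safer; and an unexpanded placeholder arriving at the SIEM as a literal `$endpoint-user-name$` is easy to mistake for a populated field unless you explicitly test for it as above.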


  • 4.  RE: Endpoint Variable Names

    Trusted Advisor
    Posted Oct 13, 2017 03:31 PM

    Hope this worked.

    Good Luck

    Ronak

    PLEASE MARK SOLVED



  • 5.  RE: Endpoint Variable Names

    Posted Oct 17, 2017 09:49 AM

    Ronak, unfortunately that didn't work.  In talking to Symantec support, it looks like that variable is not available in version 14.0.  We are planning an upgrade to 14.6 (or maybe 15) for later this year.  The variable we need is available in that version.