Data Loss Prevention

  • 1.  How to integrate LDAP to identify User attributes in DLP Web with Unique ID being a dynamic IP

    Posted Apr 28, 2017 12:34 PM

    I have been tasked with enriching the User attributes/details in the Attributes section by integrating LDAP and present to the Incident Response team details of the User. The challenge is identifying the User using the dynamic IP in case of a web upload event.

    Has anyone in this forum overcome this challenge, and what was the solution?



  • 2.  RE: How to integrate LDAP to identify User attributes in DLP Web with Unique ID being a dynamic IP
    Best Answer

    Posted Apr 28, 2017 04:48 PM

    Does the Proxy have the authentication feature enabled for users in order to get to the Web?

    If this feature is turned on, then DLP incidents will have a username, but it probably has the Domain in the field (Domain\username). This way EVERY incident will have a username that can be used to do a further lookup. You would need to script a process to remove the Domain information and then do an LDAP lookup with the username information. Otherwise you will have some that have a username and some that don't, which I believe is what you have now.

    This could be further scripted using one of the methods below:

    https://www.symantec.com/connect/forums/lookup-ip-sender-email-or-sender-ip-logged-user

    or

    https://www.symantec.com/connect/downloads/dlp-vontu-custom-script-lookup-network-incident-hostnames

    Hope this helps!
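
The domain-stripping step described in the answer above, as an added example that is not part of the original post or any Symantec script. It assumes an Active Directory style directory (the `sAMAccountName` attribute and `objectClass=user` are assumptions), and the sample usernames are constructed. The resulting filter string is what you would hand to your LDAP client; the value is escaped per RFC 4515 because the username comes from proxy-supplied incident data.

```python
# Added example: turn the username field of a DLP web incident into a safe
# LDAP search filter. Function names are hypothetical, not from any product.

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is treated as a literal in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_username(raw):
    """Return the bare account name from DOMAIN\\user, user@domain or user.

    Returns None when the incident carries no usable username
    (for example, an unauthenticated proxy request).
    """
    if raw is None:
        return None
    name = raw.strip()
    if "\\" in name:            # DOMAIN\username as logged by the proxy
        name = name.rsplit("\\", 1)[1]
    elif "@" in name:           # user@domain (UPN style)
        name = name.split("@", 1)[0]
    name = name.strip()
    return name or None


def build_user_filter(raw, attribute="sAMAccountName"):
    """Build the LDAP filter for one incident, or None if there is no user."""
    name = normalize_username(raw)
    if name is None:
        return None
    return "(&(objectClass=user)({}={}))".format(attribute, escape_filter_value(name))


def filters_for_incidents(usernames):
    """Map each raw incident username to its filter (None = needs IP lookup)."""
    return {raw: build_user_filter(raw) for raw in usernames}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real incident export.
    samples = ["CORP\\jdoe", "jdoe@corp.example", "  asmith ", "", "CORP\\svc(web)*"]
    for raw, flt in filters_for_incidents(samples).items():
        print(repr(raw), "->", flt)
```

Incidents that map to `None` are the ones with no authenticated user, which still need an IP-based lookup such as the scripts linked in the answer.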



  • 3.  RE: How to integrate LDAP to identify User attributes in DLP Web with Unique ID being a dynamic IP

    Trusted Advisor
    Posted May 02, 2017 04:13 AM

    Hello,

     If you are using Web Prevent, user identification should be available in the ICAP headers sent by your proxy, so you may be able to get the userID and use it in a custom plugin and then get access to the custom attribute you want.

    If you are using Network Monitor, since 14.5 (I think), there is a new way to identify the user based on IP address. It is called "User identification" and configuration is available in "Systems / Incident data / User identification".

     

     Regards



  • 4.  RE: How to integrate LDAP to identify User attributes in DLP Web with Unique ID being a dynamic IP

    Posted May 02, 2017 10:35 AM

    Hi,

    Thank you Leadvue and Stephane for the information. Very valuable. We currently have 12.x running. Hope you don't mind if I have follow-up questions for you.

     

    Regards.