Data Loss Prevention

  • 1.  how to populate web prevent incident attributes?

    Posted Apr 03, 2018 11:03 AM

    Hello guys,

    I am writing regarding identifying Web Prevent incidents. After I turned on the HTTPS protocol, I noticed that I have something like Kerberos://Long domain/ad user name as the sender-email, and in that case DLP will not understand this as a sender, since we don't have a lookup to match this kind of parameter's key.

    Is there any custom script or some tweak to populate the custom user attributes?

    thanks 



  • 2.  RE: how to populate web prevent incident attributes?
    Best Answer

    Trusted Advisor
    Posted Apr 03, 2018 03:23 PM

    Sharo,

    I have answered this question a few dozen times.. 

    You will need to create a Script Lookup plugin that runs for ONLY Web Prevent events and then have it run an LDAP lookup based on the output. You will see that there is a NEW Variable that comes from the Script that will need to be used in the LDAP lookup. ($HTTPUserName$)

    You will need to add that variable to EACH lookup line.

    attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):givenName

    https://www.symantec.com/connect/forums/using-lookup-plugin-network-prevent-web-icap?list_context_id=1681&list_context_type=sc_forum

    https://www.symantec.com/connect/forums/liveldaplookup-using-substrings?list_context_id=1681&list_context_type=sc_forum

    Good Luck,

    PLEASE MARK SOLVED
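
A sketch of the kind of script the answer above describes, added here as an example; it is not code from this thread or from Symantec. It assumes the Script Lookup plugin passes incident attributes to the script as `key=value` command-line arguments and reads `key=value` lines from stdout, that the sender value has the form `Kerberos://<domain>/<user>` as in the question, and the character allowlist is a conservative choice so the emitted value cannot alter the LDAP filter it is substituted into.

```python
#!/usr/bin/env python3
"""Derive HTTPUserName from a Kerberos-style sender-email value."""
import re
import sys

# Assumed sender format from the question: Kerberos://<domain>/<user>
SENDER_RE = re.compile(r"kerberos://(?P<realm>[^/]+)/(?P<user>[^/]+)", re.IGNORECASE)

# Conservative allowlist (an assumption, tighten or widen for your directory).
# It excludes the LDAP filter metacharacters ( ) * \ and NUL, so the value is
# safe to drop into (sAMAccountName=$HTTPUserName$).
ACCOUNT_RE = re.compile(r"[A-Za-z0-9._$-]{1,64}")


def parse_args(argv):
    """Turn ['key=value', ...] into a dict; arguments without '=' are ignored."""
    attrs = {}
    for arg in argv:
        key, sep, value = arg.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def http_user_name(sender):
    """Return the account name from the sender value, or None if unusable."""
    match = SENDER_RE.fullmatch(sender or "")
    if not match:
        return None  # ordinary e-mail sender or unexpected format
    user = match.group("user")
    return user if ACCOUNT_RE.fullmatch(user) else None


def lookup(argv):
    """Return the output lines the plugin should receive (possibly empty)."""
    attrs = parse_args(argv)
    user = http_user_name(attrs.get("sender-email"))
    return ["HTTPUserName=" + user] if user else []


if __name__ == "__main__":
    # Constructed sample invocation:
    #   lookup.py "sender-email=Kerberos://CORP.EXAMPLE.COM/jdoe"
    for line in lookup(sys.argv[1:]):
        print(line)
```

When the sender is a normal address or fails the allowlist, the script prints nothing, so the existing `mail=$sender-email$` clause in the LDAP mapping still handles those incidents.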



  • 3.  RE: how to populate web prevent incident attributes?

    Posted Jun 19, 2018 06:18 AM

    Hi DLP Solution,

    It worked.



  • 4.  RE: how to populate web prevent incident attributes?

    Trusted Advisor
    Posted Jun 19, 2018 02:21 PM

    Glad it worked..

    Please mark my solution as solved..

    Good Luck,

    Ronak