Data Loss Prevention

  • 1.  Log to a Syslog Server response rule needs date-detected value as variable

    Posted Oct 05, 2015 04:51 PM

    Hello and thanks in advance for any assistance!

    The log to a syslog server response rule does not have the date-detected attribute value from the incident available as a variable that you can add to the message string.  My company wants this value in the syslog message.

    It was recommended to use the Scan Date variable $SCAN$ but the scan date is I believe for discover not web prevent and date detected is a different time stamp than scan date.  To add to the confusion a Web Prevent incident only lists "Date" in the incident details whereas it lists "Detected" in the incident history so it's not clear if these are the same or different attributes.  In a Discover incident - Incident Details lists Scan and Detection Date as two discrete values.

    Until Symantec adds this as a variable has anyone come up with a workaround to get the date-detected value into a syslog message?

    Symantec PM suggested using the Flexresponse API but I'm not a Java programmer and that doesn't seem like the best solution.

    We can send a custom attribute value in the syslog message.

    Have any of you figured out how to get the date-detected value into a custom attribute?  I'm thinking it is possible with a Script Lookup Plugin.


    Thanks again!




  • 2.  RE: Log to a Syslog Server response rule needs date-detected value as variable

    Posted Oct 05, 2015 05:09 PM

    I just confirmed the $SCAN$ variable is N/A for a Web Prevent incident



  • 3.  RE: Log to a Syslog Server response rule needs date-detected value as variable
    Best Answer

    Trusted Advisor
    Posted Oct 09, 2015 03:08 PM

    DLP_security,

    This is one of those things that people have been asking for a long time.. even myself a seasoned DLP expert.

    There is an internal variable that has this information: $date-detected$

    You can try and see if this will get populated in the SYSlog event that you send... try and see. I am not 100% sure it is available.

    So one of the things I do is create a Custom Attribute (Event Date) that is then updated with the date the incident is created. Use the following script to do this and put it into a custom attribute field.

    You can then POSSIBLY use this as a variable in the SYSlog or in an Email.. it will be $ATTRIBUTE_X$

    You will need to find out what X is by highlighting the field in an incident.. it will show up when you hover the mouse over a filled field.

    The nice thing about this is that it also allows me to sort based on dates that are not the same format as what is in the UI.

    You can put this into a VBS script.. or create another one.


    ' *******************************************************************************************************
    ' ****************************************** DLP Settings for Lookup ************************************
    ' *************************** script.1.command=C:/windows/system32/cscript.exe **************************
    ' ************** script.1.custom.args=/nologo,D:/SymantecDLP/protect/plugins/Hostlookup.vbs *************
    ' ********************************** stdin.filtering.enabled=true ***************************************
    ' ******************************** stdout.filtering.enabled=false ***************************************
    ' *******************************************************************************************************

    Dim StdOut : Set StdOut = Wscript.Stdout
    Dim objArgs : Set objArgs = WScript.Arguments

    e=0
    numArgs = objArgs.Count

    dim attributeList
    dim attributes

    ' *******************************************************************************************************
    ' **********  This section is required to parse out all of the attributes we may want to use ************
    ' **********  For the many parts of this script. It will ingest the attributes and give them ************
    ' *****************  an attribute value number, which will be referenced in the script. *****************
    ' ***********  The numbers below are commented out so you can reference the number for each *************
    ' ************************* Attribute that is ingested along with their number **************************
    ' *******************************************************************************************************
    ' ******************* 0 ********** 1 ******* 2 *********** 3 ************* 4 *************** 5 **********

    attributeList = ("sender-email,protocol,sender-ip,endpoint-user-name,date-detected,endpoint-machine-name")
    attributes = split(attributeList,",")
    Dim attributeValues(5)

    ' *******************************************************************************************************
    ' ************** This is a Loop to strip data right of the "=" for the attributes and it ****************
    ' ***** Assigns the attribute value for [x] attribute based on the attributes defined in the array *****
    ' *******************************************************************************************************

    Do Until e = numArgs
      strEqPos = Instr(objArgs(e),"=")
      ' Skip any argument that does not have the name=value shape, so Mid never gets a negative length
      If strEqPos > 0 Then
        strArgName = mid(objArgs(e),1,strEqPos - 1)
        strValLen = len(objArgs(e)) - strEqPos
        strArgVal = mid(objArgs(e), strEqPos + 1, strValLen )
        ' x is the index into attributeValues; it must start at zero (the original had a typo "o" here)
        x=0
        for each attribute in attributes
          if strArgName = attribute then
            attributeValues(x)=strArgVal
          end if
          x=x+1
        next
      End If
    e = e+ 1
    Loop

    v_mth=mid(attributeValues(4),5,3)
    v_day=mid(attributeValues(4),9,2)
    v_year=mid(attributeValues(4),25,4)

    If v_mth = "Jan" Then
      v_mthNum = "01"
    ElseIf v_mth = "Feb" Then
      v_mthNum = "02"
    ElseIf v_mth = "Mar" Then
      v_mthNum = "03"
    ElseIf v_mth = "Apr" Then
      v_mthNum = "04"
    ElseIf v_mth = "May" Then
      v_mthNum = "05"
    ElseIf v_mth = "Jun" Then
      v_mthNum = "06"
    ElseIf v_mth = "Jul" Then
      v_mthNum = "07"
    ElseIf v_mth = "Aug" Then
      v_mthNum = "08"
    ElseIf v_mth = "Sep" Then
      v_mthNum = "09"
    ElseIf v_mth = "Oct" Then
      v_mthNum = "10"
    ElseIf v_mth = "Nov" Then
      v_mthNum = "11"
    ElseIf v_mth = "Dec" Then
      v_mthNum = "12"
    End If

    ' *******************************************************************************************************
    ' *********************************** format of YYYY-MM-DD. *********************************************
    ' ************************This format is best for sorting in the DLP UI. ********************************
    ' *******************************************************************************************************
    stdOut.WriteLine "Event Date="&v_year&"-"&v_mthNum&"-"&v_day


    ' *******************************************************************************************************
    ' *********************************** format of MM-DD-YYYY **********************************************
    ' *******************************************************************************************************
    'stdOut.WriteLine "Event Date="&v_mthNum&"-"&v_day&"-"&v_year


    Please make sure to mark this as a solution to your problem, when possible.



  • 4.  RE: Log to a Syslog Server response rule needs date-detected value as variable

    Posted Oct 09, 2015 03:50 PM

    Hello DLP Solutions2,

    Thanks for posting I really appreciate it.  I had tried $date_detected$ before and have just tried $date-detected$ which also did not work.  date-detected is the name of the attribute in DLP but not the name of a variable.  I'm not sure how DLP takes incident attributes and moves those values to variables - would be nice!

    date_detected=[UNKNOWN VARIABLE: date-detected]

    I will try your script next and let you know how that works.

    Thanks again!



  • 5.  RE: Log to a Syslog Server response rule needs date-detected value as variable

    Trusted Advisor
    Posted Oct 12, 2015 02:59 AM

    hello,

     There are two different parameters:

    - Attributes available for lookup plugins. You could have access to (quite) all incident attributes. You have the full list in the admin guide or in the DLP UI plugin configuration page. (so there date-detected exists.)

    - Variables available in response rules (so for email notification or syslog). This is quite limited (wrt incident information). But you have access to all your custom attributes by using $ATTRIBUTE_ID$ (where ID is the ID associated to each custom attribute).

     So, as DLP_solutions2 wrote, one way to have a link between those two (if not done by the tool automatically) is to set a custom attribute and then use it as a variable. You could uncheck this attribute in DLP roles configuration if you don't want it to be visible to DLP stakeholders.

     Regards



  • 6.  RE: Log to a Syslog Server response rule needs date-detected value as variable

    Posted Nov 05, 2015 11:53 AM

    Hello DLP community!

    It's been too long, sorry for the delay. I finally tested and the script worked and I was able to send the custom attribute to Splunk via the Log to a Syslog Server response rule.

    However the way DLP Solutions2 formatted the output strips off the time so I am now going to try to figure out how to get the time in there too.

    Any suggestions are appreciated!
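One way to keep the time that the VBScript in reply 3 drops, written as an added example and not code from any poster or from Symantec: the same Script Lookup Plugin idea, re-done in Python so it can be run as script.1.command with python.exe instead of cscript.exe. It assumes the date-detected value has the Java-style layout "EEE MMM dd HH:mm:ss zzz yyyy" that the VBScript's fixed offsets (5,3), (9,2) and (25,4) imply, and that "Event Date" and "Event Timestamp" exist as custom attributes; the sample input is constructed.

```python
import sys

# Assumed layout of date-detected, inferred from the VBScript's fixed offsets:
# "EEE MMM dd HH:mm:ss zzz yyyy", e.g. "Mon Oct 05 16:51:00 EDT 2015" (constructed).
MONTHS = {m: f"{i:02d}" for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_args(args):
    """Split the name=value arguments DLP passes into a dict (value may contain '=')."""
    out = {}
    for arg in args:
        name, sep, value = arg.partition("=")
        if sep:
            out[name] = value
    return out


def split_detected(value):
    """Return (YYYY-MM-DD, HH:MM:SS) for a date-detected string, or None when the
    value does not match the assumed layout, so a malformed value never yields a
    half-built attribute (the VBScript would silently emit "-" for every part)."""
    tokens = value.split()
    if len(tokens) != 6 or tokens[1] not in MONTHS:
        return None
    _, mon, day, clock, _tz, year = tokens
    if not (day.isdigit() and year.isdigit() and clock.count(":") == 2):
        return None
    return f"{year}-{MONTHS[mon]}-{int(day):02d}", clock


def lookup(args):
    """Build the custom-attribute lines the plugin prints to stdout.
    'Event Date' (sortable, as in reply 3) and 'Event Timestamp' (date plus time,
    as asked for in reply 6) are assumed custom attribute names."""
    attrs = parse_args(args)
    parsed = split_detected(attrs.get("date-detected", ""))
    if parsed is None:
        return []
    date, clock = parsed
    return [f"Event Date={date}", f"Event Timestamp={date} {clock}"]


if __name__ == "__main__":
    # DLP supplies the selected attributes as arguments; constructed input when run by hand.
    demo = ["sender-email=user@example.com", "date-detected=Mon Oct 05 16:51:00 EDT 2015"]
    for line in lookup(sys.argv[1:] or demo):
        print(line)
```

The Event Timestamp line keeps the time out of date-detected while Event Date stays in the YYYY-MM-DD form that sorts cleanly in the DLP UI; either can then be referenced as $ATTRIBUTE_ID$ in the syslog response rule.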