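Option Explicit
On Error Resume Next
' This script is used by DLP to look up additional information or attributes from AD and other sources
' related to a DLP incident.
' It expects key-value pairs as input (this version reads them as "key=value" command-line arguments)
' and writes the lookup results to stdout, one "key=value" line each. Run it with cscript.exe so that
' WScript.Echo goes to stdout rather than to a message box.
' See the Symantec_DLP_11.1_Lookup_Plugin_Guide.pdf guide for more information.
'
' Trust boundary: every incident attribute handed to this script (sender-email, file-created-by,
' file-owner, sender-ip, ...) originates from the monitored traffic or file and may be
' attacker-influenced. Such values are therefore RFC 4515-escaped before they enter an LDAP filter,
' and IP addresses are validated before they are placed on the nslookup.exe command line.
'
' "On Error Resume Next" is kept so that one failed lookup never aborts the plugin; LogError reports
' swallowed errors on stderr (stdout is reserved for result lines).

Dim objRootDSE
Dim strDNSDomain
Dim objConnection
Dim objCommand
Dim objRecordSet
Dim strDN
Dim strUserN
Dim i
Dim objDict
Dim myArray
Dim dictResults
Dim strShortDomain
Dim strFQDNDomain

' Domain prefix / suffix that DLP may include in a logon id; both are stripped before the AD lookup.
strShortDomain = "acme\"
strFQDNDomain = "@acme.com"

Const ADS_SCOPE_SUBTREE = 2

Set objDict = CreateObject("Scripting.Dictionary")      ' incident attributes (input)
Set dictResults = CreateObject("Scripting.Dictionary")  ' lookup results (output)

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
LogError "RootDSE"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
LogError "AD connection"

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Get Arguments: each argument is "key=value".
For i = 0 To WScript.Arguments.Count - 1
    ' Split on the first "=" only, so a value that itself contains "=" is kept whole.
    myArray = Split(WScript.Arguments(i), "=", 2, vbTextCompare)
    If UBound(myArray) >= 1 Then
        ' First occurrence of a key wins; a duplicate key would make Dictionary.Add fail.
        If Not objDict.Exists(myArray(0)) Then objDict.Add myArray(0), myArray(1)
    End If
Next
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

' SEARCH AD for a LOGON ID
If ArgValue("file-owner") <> "" Then Call File_Owner(ArgValue("file-owner"))
If ArgValue("Employee Code") <> "" Then Call File_Owner(ArgValue("Employee Code"))

' SEARCH AD for a Display Name (This would be from a SharePoint Incident)
If ArgValue("file-created-by") <> "" Then Call File_Created_By()

' SEARCH AD for a sender-email (This would be from a Data In Motion Incident)
If ArgValue("sender-email") <> "" Then Call sender_email()

' Lookup the hostname for the client's IP address
If ArgValue("sender-ip") <> "" Then Call Get_Hostname(ArgValue("sender-ip"), "Client PC")

' Lookup the hostname for the destination IP address
If ArgValue("recipient-ip1") <> "" Then Call Get_Hostname(ArgValue("recipient-ip1"), "Server Hostname")

' This is the DLP Server that discovered the incident
If ArgValue("server-name") <> "" Then Call Get_DLP_ServerName(ArgValue("server-name"))

LogError "lookups"

If dictResults.Count > 0 Then
    Call DisplayResults()
End If

WScript.Quit(0)

'----------------------------------------------------------------------------------------
' Returns the incident attribute strKey as a string, or "" when it was not supplied.
Function ArgValue(strKey)
    ArgValue = ""
    If objDict.Exists(strKey) Then ArgValue = CStr(objDict.Item(strKey))
End Function

'----------------------------------------------------------------------------------------
' Records a result. First value wins: Dictionary.Add on an existing key raises an error that the
' global "On Error Resume Next" would otherwise swallow (e.g. when both file-owner and Employee Code
' resolve to a user, or when a query returns several users).
Sub AddResult(strKey, strValue)
    If Not dictResults.Exists(strKey) Then dictResults.Add strKey, strValue
End Sub

'----------------------------------------------------------------------------------------
' Writes any pending error to stderr and clears it. stdout stays reserved for result lines, so the
' consumer's parsing is never disturbed by diagnostics.
Sub LogError(strContext)
    If Err.Number <> 0 Then
        WScript.StdErr.WriteLine "lookup: " & strContext & ": error " & Err.Number & " " & Err.Description
        Err.Clear
    End If
End Sub

'----------------------------------------------------------------------------------------
' Escapes strValue for use inside an LDAP search filter (RFC 4515). Without this, an incident
' attribute containing "*", "(" or ")" could widen or alter the query (e.g. "*" matches every user).
Function EscapeLdapFilterValue(strValue)
    Dim strOut
    strOut = Replace(strValue, "\", "\5c")   ' backslash first, so the escapes below are not re-escaped
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    strOut = Replace(strOut, Chr(0), "\00")
    EscapeLdapFilterValue = strOut
End Function

'----------------------------------------------------------------------------------------
' Searches the domain for user objects whose strAttribute equals strValue (exact, escaped match).
' strAttribute is always a literal chosen by the caller, never incident data.
' Leaves the records in objRecordSet and returns True when at least one was found.
Function FindUsers(strAttribute, strValue)
    FindUsers = False
    If strValue = "" Then Exit Function
    Set objRecordSet = Nothing
    objCommand.CommandText = "<LDAP://" & strDNSDomain & ">;" & _
        "(&(objectCategory=user)(" & strAttribute & "=" & EscapeLdapFilterValue(strValue) & "));" & _
        "distinguishedName;subtree"
    Set objRecordSet = objCommand.Execute
    LogError "query " & strAttribute
    If Not objRecordSet Is Nothing Then
        FindUsers = (objRecordSet.RecordCount >= 1)
    End If
End Function

'----------------------------------------------------------------------------------------
' Records the (lower-cased) name of the DLP detection server that found the incident.
Sub Get_DLP_ServerName(strServerName)
    AddResult "Detection Server", LCase(strServerName)
End Sub

'----------------------------------------------------------------------------------------
' Resolves a logon id (optionally "DOMAIN\user" or "user@domain") to AD user attributes.
' Falls back to matching CN when no sAMAccountName matches, as the original lookup did.
Sub File_Owner(strUserN)
    Dim strLogon
    strLogon = CStr(strUserN)
    If LCase(Right(strLogon, Len(strFQDNDomain))) = LCase(strFQDNDomain) Then
        strLogon = Left(strLogon, Len(strLogon) - Len(strFQDNDomain))
    ElseIf LCase(Left(strLogon, Len(strShortDomain))) = LCase(strShortDomain) Then
        strLogon = Mid(strLogon, Len(strShortDomain) + 1)
    End If
    If strLogon = "" Then Exit Sub
    If FindUsers("sAMAccountName", strLogon) Then
        Call GetUserDN()
    ElseIf FindUsers("cn", strLogon) Then
        Call GetUserDN()
    End If
End Sub

'----------------------------------------------------------------------------------------
' Resolves the "file-created-by" display name (SharePoint incidents) to AD user attributes.
Sub File_Created_By()
    strUserN = LCase(ArgValue("file-created-by"))
    If FindUsers("displayName", strUserN) Then Call GetUserDN()
End Sub

'----------------------------------------------------------------------------------------
' Resolves the "sender-email" address (Data In Motion incidents) to AD user attributes.
Sub sender_email()
    strUserN = LCase(ArgValue("sender-email"))
    If FindUsers("mail", strUserN) Then Call GetUserDN()
End Sub

'----------------------------------------------------------------------------------------
' Reverse-resolves strIP with nslookup.exe and records the "Name:" it prints under strCustomField.
' Only a bare IP literal is passed on the command line; any other value is refused so that incident
' data can never add options or extra arguments to the nslookup invocation. An empty value is
' recorded when nothing resolved, as before.
Sub Get_Hostname(strIP, strCustomField)
    Dim oExec
    Dim strLine
    Dim myArray
    Dim strHostname
    Dim WshShell
    strHostname = ""
    If IsIPLiteral(strIP) Then
        Set WshShell = WScript.CreateObject("WScript.Shell")
        Set oExec = WshShell.Exec("c:\windows\system32\nslookup.exe " & strIP)
        Do While Not oExec.StdOut.AtEndOfStream
            strLine = Trim(oExec.StdOut.ReadLine)
            If InStr(strLine, "Name:") Then
                myArray = Split(strLine, ":")
                If UBound(myArray) >= 1 Then strHostname = Trim(myArray(1))
            End If
        Loop
        Set oExec = Nothing
    End If
    AddResult strCustomField, strHostname
End Sub

'----------------------------------------------------------------------------------------
' True when strValue is a plain IPv4 dotted-quad or an IPv6 literal (hex digits, ":" and, for an
' embedded IPv4 tail, "."). Whitespace, options or a second token are rejected.
Function IsIPLiteral(strValue)
    Dim re
    IsIPLiteral = False
    If Len(strValue) = 0 Or Len(strValue) > 45 Then Exit Function
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^((\d{1,3}\.){3}\d{1,3}|[0-9a-f:]*:[0-9a-f:.]*)$"
    IsIPLiteral = re.Test(strValue)
End Function

'----------------------------------------------------------------------------------------
' Walks the current objRecordSet and collects attributes for each matching user. Because AddResult
' keeps the first value for a key, the first record effectively populates the result fields.
Sub GetUserDN()
    objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        strDN = objRecordSet.Fields("distinguishedName").Value
        Call GetADUserInfo(strDN)
        objRecordSet.MoveNext
    Loop
End Sub

'----------------------------------------------------------------------------------------
' Reads attribute strAttr from a bound ADSI object as a string; "" when unset or unreadable.
' Multi-valued attributes yield their first value.
Function AttrValue(objEntry, strAttr)
    Dim varValue
    AttrValue = ""
    On Error Resume Next
    varValue = objEntry.Get(strAttr)
    If Err.Number <> 0 Then
        Err.Clear   ' attribute not present on this object
        Exit Function
    End If
    If IsArray(varValue) Then
        If UBound(varValue) >= 0 Then AttrValue = CStr(varValue(0))
    ElseIf Not IsNull(varValue) And Not IsEmpty(varValue) Then
        AttrValue = CStr(varValue)
    End If
End Function

'----------------------------------------------------------------------------------------
' Copies AD attribute strAttr of objEntry into the results as strKey when it is set.
Sub AddAttribute(objEntry, strAttr, strKey, blnLowerCase)
    Dim strValue
    strValue = AttrValue(objEntry, strAttr)
    If strValue <> "" Then
        If blnLowerCase Then strValue = LCase(strValue)
        AddResult strKey, strValue
    End If
End Sub

'----------------------------------------------------------------------------------------
' Binds to the user at String_distinguishedName and records the DLP custom attributes, then the
' user's manager (when the manager attribute is set).
Sub GetADUserInfo(ByVal String_distinguishedName)
    Dim objUser
    Dim strManagerDN
    Set objUser = GetObject("LDAP://" & String_distinguishedName)
    LogError "bind user"
    If Not IsObject(objUser) Then Exit Sub
    AddAttribute objUser, "sAMAccountName", "Employee Code", True
    AddAttribute objUser, "givenName", "First Name", False
    AddAttribute objUser, "sn", "Last Name", False
    AddAttribute objUser, "department", "Business Unit", False
    AddAttribute objUser, "telephoneNumber", "Phone", False
    AddAttribute objUser, "mail", "Sender Email", False
    AddAttribute objUser, "st", "Region", False
    AddAttribute objUser, "co", "Country", False
    AddAttribute objUser, "postalCode", "Postal Code", False
    ' AddAttribute objUser, "employeeType", "Employee Type", False
    strManagerDN = AttrValue(objUser, "manager")
    If strManagerDN <> "" Then Call GetManagerName(strManagerDN)
End Sub

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Binds to the manager at String_distinguishedName and records the manager attributes.
Sub GetManagerName(ByVal String_distinguishedName)
    Dim objMgrU
    If String_distinguishedName = "" Then Exit Sub
    Set objMgrU = GetObject("LDAP://" & String_distinguishedName)
    LogError "bind manager"
    If Not IsObject(objMgrU) Then Exit Sub
    AddAttribute objMgrU, "givenName", "Manager First Name", False
    AddAttribute objMgrU, "sn", "Manager Last Name", False
    AddAttribute objMgrU, "telephoneNumber", "Manager Phone", False
    AddAttribute objMgrU, "mail", "Manager Email", False
End Sub

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Writes every result as one "key=value" line on stdout. Line breaks inside a value could be
' mis-read by the consumer as a separate pair, so they are replaced by spaces.
Sub DisplayResults()
    Dim strKey
    Dim strValue
    For Each strKey In dictResults.Keys
        strValue = Replace(Replace(CStr(dictResults.Item(strKey)), vbCr, " "), vbLf, " ")
        WScript.Echo strKey & "=" & strValue
    Next
End Sub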