Data Loss Prevention

  • 1.  Response Rule: unable to send "Destination" information to the syslog or mail notification

    Posted Aug 08, 2018 06:55 AM

    We have created a response rule to send the incident notification to the Syslog server and by e-mail as well. This is working well; however, it does not send the Destination (to which the file was uploaded or transferred).

    Below are the variables used in the response rule (however, I tried each and every "Insert Variable" option but had no luck):

     

    Incident ID: $INCIDENT_ID$
    File Name: $FILE_NAME$
    File Full Path: $PATH$
    Subject: $SUBJECT$
    Machine Name: $ENDPOINT_MACHINE$
    Sender: $SENDER$
    Recipients: $RECIPIENTS$
    Severity: $SEVERITY$
    Match Count: $MATCH_COUNT$
    Protocol: $PROTOCOL$
    Policy Name: $POLICY$
    Policy Rules: $RULES$
    Destination: $TARGET$

     

    Is it achievable and how?

     



  • 2.  RE: Response Rule: unable to send "Destination" information to the syslog or mail notification

    Trusted Advisor
    Posted Aug 11, 2018 01:52 AM

    Hi,

    $TARGET$ is dedicated to Discover incidents and contains the name of the target on which the document was found.

    I don't think the file destination is available for the notification response rule. So you may send a feature request to your Symantec sales rep, or you can try to create a custom plugin which will send an email notification and use the lookup parameter "endpoint-file-path", which contains the file destination.

     Regards.



  • 3.  RE: Response Rule: unable to send "Destination" information to the syslog or mail notification

    Trusted Advisor
    Posted Aug 15, 2018 04:30 PM

    Rehan,

    What type of incident are you referring to?

     

    Network Monitor posts to a site?

    This would be the URL, which is considered the recipient.

     

    Good Luck

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE

     



  • 4.  RE: Response Rule: unable to send "Destination" information to the syslog or mail notification

    Posted Aug 17, 2018 05:20 AM

    Facing the same issue.



  • 5.  RE: Response Rule: unable to send "Destination" information to the syslog or mail notification

    Posted Mar 11, 2025 05:49 PM

    I am also facing this issue. I have an alert set up using the endpoint; it looks for removable media use, and I want to send the destination via syslog. I can see the field I want in the Symantec console but need the format/name for this field.

    I tried destination="$DESTINATION$" but it does not work.