Is there a way to create a custom variable for the string violating the policy, to be included in the automated email sent to the sender and/or manager? We are looking for a way to automate the incident remediation workflow without giving out access to Vontu to a large population, and would like to include more incident information in the notification (SMTP & HTTP) alerts, but not including the original message.
When you create a response rule for 'Send Email Notification' I believe you have an option for inserting one of several pre-defined variables into the message so you don't have to include the offending content.
There is an article in the KB that is close... but a little wrong.
There is a way to use custom attributes as variables in an email response rule. This function is not well-documented, but it is available. The way to do it is as follows:
Note: To add a gray status bar at the bottom of the I.E. window, select "View" from the Internet Explorer toolbar menu and make sure "Status Bar" is checked.
1. Log on to Symantec Data Loss Prevention as an administrator.
2. Go to an incident page.
3. For each custom attribute that you would like to add to the notification email, mouse over it or left click on it to reveal its properties. The properties may show up in a bar at the bottom of the screen or in a pop-up box. You are looking for the number of the custom attribute. The attribute numbers may appear in parentheses. For example, FirstName may reveal ("24") and LastName may reveal ("25"). Copy each attribute name and corresponding number for all the custom attributes that will be added to the notification email.
4. Under Policy, navigate to Response Rules, add an email notification response rule, and set up the email response. Wherever the custom attribute should appear, enter $ATTRIBUTE_<attribute number>$. For example, using the custom attributes FirstName and LastName, the email salutation in the rule email would appear as follows:
Dear $ATTRIBUTE_24$ $ATTRIBUTE_25$,
which would yield Dear Joe Smith in the email notification to Joe Smith, if Joe Smith was the policy violator.
5. Please note that deletion of any of the custom attributes used in the email notifications, or problems with the initial attribute lookup, will prevent email notifications from working properly.
Thanks, but is there a way to include the offending string/keyword in the notification? I'm looking for a solution to allow the manager/notification recipient to see what was violated, without going to the application. Looking for a solution to automate the incident workflow, without giving access to the application.
Unfortunately there is not a way to add the highlighted information... this is the type of information that you do not want to spread outside of the system.
You can insert the violated policy name and the match count... that should give them enough info to be able to correlate it to what was violated. I am not sure, but the Rule Name may be a field to use also... try it out and see if anything comes in the email.
Is there a way to include user justification for Endpoint alerts in the body of the email notification? Is there any additional incident info that can be custom-inserted into the manager's notification that would help remediate the alert?
...the User Justification Response isn't included as an available attribute in the response rules. You'd have to do a custom plugin whereby you look up that response directly in the DLP database, and populate a custom attribute, which you could then use in the response.
From what I know of it, even this won't work. My understanding is that the plugins are executing BEFORE the incident is written to the database. So that lookup would be trying to look up data for an incident that isn't even committed to the database yet. Hence, you would not be able to get the response.