Data Loss Prevention

  • 1.  Configuring User Information in DLP Network Prevent for web

    Posted Jan 07, 2025 05:21 AM

    Dear all

    We have been running DLP Network Prevent for web for several years. We receive the users' IP address information from the web proxy via ICAP and have it shown in the DLP web incidents. We would also like to see the actual user names in such incidents. We are working to get the proxy team to send that information within their ICAP traffic to the Network Prevent scanners. What do I have to do on the Broadcom DLP side to receive that information and to see it listed in the DLP Incidents? There is no such thing as a field mapping or ICAP field configuration.

    Thanks for your help.



  • 2.  RE: Configuring User Information in DLP Network Prevent for web

    Broadcom Employee
    Posted Jan 08, 2025 05:24 PM

    What you are looking for is the DLP Domain Controller Agent. 

    You can find more information at: https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-1/install-dlp/installing-the-domain-controller-agent-to-identify-users-i/about-the-domain-controller-agent.html

    (From Techdocs)

    You can identify specific users in Symantec Data Loss Prevention Network Prevent for Web incidents by installing the Symantec Data Loss Prevention domain controller agent. The domain controller agent enables you to resolve user names from IPv4 addresses and associates the IP addresses in those incidents with user names in the User Risk Summary. The domain controller agent queries Windows Events in the Microsoft Active Directory security event log of the domain controller. Symantec Data Loss Prevention associates these Windows Events with user data in your database. See Working with the User Risk Summary.


    The domain controller agent runs only on Windows Server 2012 and later operating systems. For specific supported version information, see Minimum System Requirements for Symantec Data Loss Prevention Servers. Symantec recommends installing the domain controller agent on a dedicated server. The domain controller agent can connect to multiple domain controllers.



    ------------------------------
    Jesse Gonzales
    Technical Trainer/Education Services
    Symantec by Broadcom
    Data Loss Prevention, CloudSOC, Cloud SWG, Web Isolation, Endpoint Encryption, ITMS
    ------------------------------
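
The IP-to-user resolution described in the quoted documentation can be illustrated with a small correlation routine. This is an added example, not Broadcom's code and not part of either post; it shows why the lookup has to be time-aware when leases change or machine accounts log on. The sample records, the 8-hour freshness limit and the choice of event 4624 fields are assumptions, since the page does not say which events the agent reads.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, modelled on the TimeCreated, IpAddress and
# TargetUserName fields of Windows Security event 4624 (assumption: the page
# does not say which event IDs the domain controller agent queries).
LOGON_EVENTS = [
    ("2025-01-07T08:01:12", "10.20.30.41", "asmith"),
    ("2025-01-07T08:03:40", "10.20.30.41", "WKS-0141$"),  # machine account
    ("2025-01-07T12:30:05", "10.20.30.41", "bjones"),     # address reassigned
    ("2025-01-07T09:15:00", "10.20.30.77", "cdoe"),
    ("2025-01-07T09:16:00", "-", "svc-backup"),           # no source address
]

MAX_AGE = timedelta(hours=8)  # hypothetical freshness limit for a mapping


def build_index(events):
    """Return {ip: sorted [(logon_time, user), ...]}, dropping unusable records."""
    index = defaultdict(list)
    for ts, ip, user in events:
        # Records without a routable source address, and computer accounts
        # (names ending in '$'), cannot identify the person behind a request.
        if ip in ("-", "", "127.0.0.1", "::1") or user.endswith("$"):
            continue
        index[ip].append((datetime.fromisoformat(ts), user))
    for entries in index.values():
        entries.sort()
    return index


def resolve_user(index, ip, incident_time, max_age=MAX_AGE):
    """Return the user whose logon most recently preceded the incident, or None."""
    entries = index.get(ip, [])
    when = datetime.fromisoformat(incident_time)
    times = [t for t, _ in entries]
    pos = bisect_right(times, when)  # count of logons at or before the incident
    if pos == 0:
        return None  # nobody seen on this address yet
    logon_time, user = entries[pos - 1]
    # A stale logon is not trusted: the address may have moved to another host.
    return user if when - logon_time <= max_age else None


INDEX = build_index(LOGON_EVENTS)
```

A web incident carrying only the client IP and a timestamp resolves to a user name when a sufficiently recent logon exists for that address, and stays unresolved otherwise.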