Update: OK - I know 99% of corporate users are using Active Directory as their backend LDAP and 99% of those people store the DN of the manager in a user's manager attribute, so this code also looks up the manager information and populates it. This updates a custom attribute called DLPDetectionServer with the DLP server that detected the violation. I will be adding Sender IP and Recipient IP as custom fields soon, because that is useful information to send to a SIEM tool.
1. Create a Custom Attribute called: DLPDetectionServer
2. Make sure the following line is in your plugins.properties file:
com.vontu.api.incident.attributes.AttributeLookup.parameters=sender,message,recipient,server
3. From the thread above, you may want to add/update the following to your scriptlookup.properties file. This will handle the case where a user has a "dangerous" character like an apostrophe in the Display Name.
stdin.filtering.enabled=true
stdout.filtering.enabled=false
4. Here is the code that includes manager lookups as well as DLPDetectionServer. (THIS ASSUMES YOU HAVE THE MANAGER'S DN in the user's manager attribute in LDAP; 99% of AD users have this.)
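Option Explicit
' Errors are deliberately suppressed for the whole script: the lookup plugin must
' always emit whatever it could resolve rather than abort the incident, so a failed
' bind, a missing attribute or a duplicate dictionary key is skipped, not raised.
On Error Resume Next
' This script is used by DLP to look up additional information or attributes from AD
' and other sources related to a DLP incident.
' It expects key=value pairs as command-line arguments and writes the looked-up
' values to stdout as key=value lines (see DisplayResults).
' See the Symantec_DLP_11.1_Lookup_Plugin_Guide.pdf guide for more information.
'
Dim objRootDSE
Dim strDNSDomain
Dim objConnection
Dim objCommand
Dim objRecordSet
Dim strDN
Dim strUserN
Dim i
Dim strArg
Dim intEq
Dim objDict       ' incident attributes handed in by DLP, keyed by attribute name
Dim dictResults   ' custom-attribute values to return, keyed by attribute name
Const ADS_SCOPE_SUBTREE = 2

Set objDict = CreateObject("Scripting.Dictionary")
Set dictResults = CreateObject("Scripting.Dictionary")

' Bind to the local domain and prepare one ADO command reused by every search.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Parse the key=value arguments. The split happens at the FIRST "=" only, so a
' value that itself contains "=" is kept intact; arguments with no "=" or an
' empty key are ignored, and the first value wins if a key is passed twice.
For i = 0 To WScript.Arguments.Count - 1
    strArg = WScript.Arguments(i)
    intEq = InStr(strArg, "=")
    If intEq > 1 Then
        If Not objDict.Exists(Left(strArg, intEq - 1)) Then
            objDict.Add Left(strArg, intEq - 1), Mid(strArg, intEq + 1)
        End If
    End If
Next
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

' Each incident attribute DLP may supply drives one lookup.
If HasValue("file-owner") Then Call File_Owner(objDict.Item("file-owner"))          ' logon id
If HasValue("Employee Code") Then Call File_Owner(objDict.Item("Employee Code"))    ' logon id
If HasValue("file-created-by") Then Call File_Created_By()                          ' display name (SharePoint incident)
If HasValue("sender-email") Then Call sender_email()                                ' mail address (Data In Motion incident)
If HasValue("sender-ip") Then Call Get_Hostname(objDict.Item("sender-ip"), "Client PC")
If HasValue("recipient-ip1") Then Call Get_Hostname(objDict.Item("recipient-ip1"), "Server Hostname")
If HasValue("server-name") Then Call Get_DLP_ServerName(objDict.Item("server-name")) ' DLP server that found the incident

If dictResults.Count > 0 Then Call DisplayResults()
WScript.Quit(0)

' Returns True when DLP supplied the named attribute with a non-empty value.
Function HasValue(strKey)
    HasValue = False
    If objDict.Exists(strKey) Then
        HasValue = (objDict.Item(strKey) <> "")
    End If
End Function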
'----------------------------------------------------------------------------------------
Sub Get_DLP_ServerName(strServerName)
    ' Records the DLP server that detected the incident, normalised to lower
    ' case, under the DLPDetectionServer custom attribute.
    strServerName = LCase(strServerName)
    dictResults.Add "DLPDetectionServer", strServerName
End Sub
'----------------------------------------------------------------------------------------
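Sub File_Owner(strUserN)
    ' Resolves a logon id (UPN "user@mycompany.com", down-level "mycompany\user"
    ' or a bare sAMAccountName) to a user object and records its attributes.
    ' Falls back to matching the CN when no sAMAccountName matches.
    Dim strLogon
    strLogon = strUserN
    If InStr(LCase(strLogon), "@mycompany.com") Then
        strLogon = Mid(strLogon, 1, InStr(strLogon, "@") - 1)
    ElseIf InStr(LCase(strLogon), "mycompany\") Then
        ' Strip the NetBIOS prefix by the position of the backslash rather than a
        ' fixed character count, so the result is correct for any domain name.
        strLogon = Mid(strLogon, InStr(strLogon, "\") + 1)
    End If
    strLogon = EscapeAdsiValue(strLogon)
    Call SearchUsers("sAMAccountName", strLogon)
    If objRecordSet.RecordCount < 1 Then
        Call SearchUsers("CN", strLogon)
    End If
    If objRecordSet.RecordCount >= 1 Then
        Call GetUserDN()
    End If
End Sub
'----------------------------------------------------------------------------------------
Sub File_Created_By()
    ' Resolves the file-created-by display name (SharePoint incidents) to a user
    ' and records its attributes. AD matching is case-insensitive, so the value
    ' is lower-cased only for consistency with the other lookups.
    strUserN = LCase(objDict.Item("file-created-by"))
    Call SearchUsers("displayName", EscapeAdsiValue(strUserN))
    If objRecordSet.RecordCount >= 1 Then
        Call GetUserDN()
    End If
End Sub
'----------------------------------------------------------------------------------------
Sub sender_email()
    ' Resolves the sender-email address (Data In Motion incidents) to a user and
    ' records its attributes.
    strUserN = LCase(objDict.Item("sender-email"))
    Call SearchUsers("mail", EscapeAdsiValue(strUserN))
    If objRecordSet.RecordCount >= 1 Then
        Call GetUserDN()
    End If
End Sub
'----------------------------------------------------------------------------------------
' Runs a subtree search for user objects whose strAttribute equals strValue and
' leaves the matches in the shared objRecordSet. strValue must already have been
' passed through EscapeAdsiValue.
Sub SearchUsers(strAttribute, strValue)
    objCommand.CommandText = _
        "SELECT distinguishedName FROM 'LDAP://" & strDNSDomain & "' " & _
        "WHERE objectCategory='user' AND " & strAttribute & "='" & strValue & "'"
    Set objRecordSet = objCommand.Execute
End Sub
'----------------------------------------------------------------------------------------
' Escapes incident-supplied text for use inside a single-quoted literal of an
' ADSI SQL-dialect query. A single quote is doubled so it cannot terminate the
' literal, and the LDAP filter metacharacters are hex-escaped per RFC 4515 so a
' value such as "*" cannot widen the search to other accounts.
' NOTE(review): the hex escapes rely on the ADSI provider passing the value into
' the LDAP filter unchanged (the same pass-through that makes an unescaped "*"
' act as a wildcard); confirm against a test account whose name contains one of
' these characters.
Function EscapeAdsiValue(strValue)
    Dim strOut
    strOut = "" & strValue
    strOut = Replace(strOut, "\", "\5c")
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    strOut = Replace(strOut, Chr(0), "\00")
    strOut = Replace(strOut, "'", "''")
    EscapeAdsiValue = strOut
End Function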
'----------------------------------------------------------------------------------------
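Sub Get_Hostname(strIP, strCustomField)
    ' Reverse-resolves strIP with nslookup and stores the host name it reports
    ' (empty when nothing resolves) under the strCustomField custom attribute.
    Dim oExec
    Dim strLine
    Dim arrParts
    Dim strHostname
    Dim WshShell
    Dim reAddress
    strHostname = ""
    ' strIP comes from incident data, so it is only handed to nslookup when it
    ' consists of the characters an IPv4/IPv6 literal can contain; anything else
    ' (spaces, option switches, host names) is not looked up.
    Set reAddress = New RegExp
    reAddress.Pattern = "^[0-9A-Fa-f:.]{2,45}$"
    If reAddress.Test("" & strIP) Then
        Set WshShell = WScript.CreateObject("WScript.Shell")
        Set oExec = WshShell.Exec("c:\windows\system32\nslookup.exe " & strIP)
        Do While Not oExec.StdOut.AtEndOfStream
            strLine = Trim(oExec.StdOut.ReadLine)
            ' nslookup prints the resolved name as "Name:    host.example.com";
            ' when several such lines appear the last one wins.
            If InStr(strLine, "Name:") Then
                arrParts = Split(strLine, ":")
                strHostname = Trim(arrParts(1))
            End If
        Loop
        Set oExec = Nothing
    End If
    ' The first value recorded for a custom field is kept.
    If Not dictResults.Exists(strCustomField) Then
        dictResults.Add strCustomField, strHostname
    End If
End Sub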
'----------------------------------------------------------------------------------------
Sub GetUserDN()
    ' Walks every row of the current search result and records the attributes
    ' of each matching user, binding to it by distinguishedName.
    Dim strRowDN
    objRecordSet.MoveFirst
    Do While Not objRecordSet.EOF
        strRowDN = objRecordSet.Fields("distinguishedName").Value
        strDN = strRowDN
        Call GetADUserInfo(strDN)
        objRecordSet.MoveNext
    Loop
End Sub
'----------------------------------------------------------------------------------------
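Sub GetADUserInfo(ByVal String_distinguishedName)
    ' Binds to the user at the given DN and records the attributes DLP exposes as
    ' custom fields, then does the same for the user's manager when one is set.
    Dim objUser
    Dim strManagerDN
    Set objUser = GetObject("LDAP://" & String_distinguishedName)
    Call AddResult("Employee Code", LCase("" & objUser.sAMAccountName))
    Call AddResult("First Name", objUser.givenName)
    Call AddResult("Last Name", objUser.sn)
    Call AddResult("Business Unit", objUser.department)
    Call AddResult("Phone", objUser.telephoneNumber)
    Call AddResult("Sender Email", objUser.mail)
    Call AddResult("Region", objUser.st)
    Call AddResult("Country", objUser.co)
    Call AddResult("Postal Code", objUser.postalCode)
    ' The manager attribute holds the manager's DN. When it is not set the read
    ' fails silently under On Error Resume Next and strManagerDN stays empty, so
    ' the bind to "LDAP://" with no DN is skipped instead of failing silently too.
    strManagerDN = ""
    strManagerDN = "" & objUser.manager
    If strManagerDN <> "" Then
        Call GetManagerName(strManagerDN)
    End If
End Sub
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Sub GetManagerName(ByVal String_distinguishedName)
    ' Binds to the manager at the given DN and records the manager attributes
    ' DLP exposes as custom fields.
    Dim objMgrU
    Set objMgrU = GetObject("LDAP://" & String_distinguishedName)
    Call AddResult("Manager First Name", objMgrU.givenName)
    Call AddResult("Manager Last Name", objMgrU.sn)
    Call AddResult("Manager Phone", objMgrU.telephoneNumber)
    Call AddResult("Manager Email", objMgrU.mail)
End Sub
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Records strValue under strKey unless the value is empty or the key was already
' filled by an earlier lookup (the first value found is kept). An attribute that
' is not set on the object raises on access, which under On Error Resume Next
' abandons the whole Call, so such attributes are simply not recorded.
Sub AddResult(strKey, strValue)
    If ("" & strValue) <> "" Then
        If Not dictResults.Exists(strKey) Then
            dictResults.Add strKey, strValue
        End If
    End If
End Sub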
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Sub DisplayResults()
    ' Writes every collected custom attribute to stdout as one key=value line;
    ' DLP reads these lines to populate the incident's custom attributes.
    Dim strKey
    For Each strKey In dictResults.Keys
        WScript.Echo strKey & "=" & dictResults.Item(strKey)
    Next
End Sub