Data Loss Prevention


LiveLDAPLookup using substrings


  • 1.  LiveLDAPLookup using substrings

    Posted Nov 14, 2011 11:49 AM

    I have LiveLDAPLookup working but have 2 more "advanced" questions:

    1.  The value of the VARIABLE ($file-owner$) I want to use in the lookup is prepended with several characters (the domain name) e.g. "ABC\JohnDoe".  In AD, all I have is JohnDoe.  Is there a way to strip the "ABC\" from the value of the $file-owner$ variable so I find a match in AD?

    2.  One of the attributes I get back from AD is a DN.  I want to store the DN in a temporary variable, and use it for a subsequent AD lookup.  DN is not an attribute in AD for me to match.  (If I can solve question 1 above - I could grab the CN from the DN and do a match on CN.)

    Thanks for any help/advice... THANKS!



  • 2.  RE: LiveLDAPLookup using substrings

    Posted Nov 15, 2011 02:55 PM

    OK - I know it was a cryptic request...  but I decided to ditch the LiveLDAP lookup plugin and go with the Script Plugin.  Several reasons.

    1.  The LiveLDAP plugin is not very flexible unless AD values map very cleanly back into the fields in DLP.

    2.  I can write one script to return all the attributes I want from several different data stores.

    3.  No CLEAR TEXT credentials.  If you run your Vontu Services on your Enforce server using a domain service account, there is no need to hard code any credentials.  The lookup script runs with the credentials of the service account (this is .\Protect if you don't change it after the Enforce install.)

    4.  No chaining needed.  One script can do it all.  If I change the script, I don't even have to reload the Custom Attributes.

     

    So - I have 1 script that is less than 200 lines long that can return DOZENS of attributes - for Discover Incidents from Windows servers, SharePoint, Email Incidents...  It's basically limitless.



  • 3.  RE: LiveLDAPLookup using substrings

    Posted Nov 15, 2011 03:09 PM

    Nice work.  I've found this to be the way to go as well with many of my DLP customers where the limitations in the LiveLDAP lookup that you mention come into play. I have a perl script that I can easily reconfigure for any client based on their LDAP structure.  Also allows the possibility of doing secure LDAP if that's a requirement.

    Regarding the credentials...even if you don't run the DLP services as a domain account, with the script lookups you at least have the capability of encrypting the password in the script, so it can be secured that way.

    Plus, you can put any other lookups or attribute values you want into that one script.  So much better.  For instance, one that I use a lot is to put in a "Day" attribute that populates the attribute with the date of the incident in the YYYY-MM-DD format.  Doesn't sound like much, but allows you to summarize incidents by day, which is hugely valuable in reporting, whereas the defaults only allow you to summarize down to week.

    ~Keith



  • 4.  RE: LiveLDAPLookup using substrings

    Trusted Advisor
    Posted Nov 15, 2011 03:55 PM

    One thing to keep in mind is that the script approach is not that efficient. This can cause some performance issues, especially when doing a large Discover scan. This is because for EVERY incident that script will need to run and can impact the performance of the server.

    I prefer the CSV approach for it will load the CSV into memory and is a lot more efficient to run (similar to the LDAP).

    • What I typically do is utilize LDIFDE or another program that can create an output file of the necessary AD information into a CSV file.
    • Utilize LogParser to then create a CSV file that is structured to be imported into the DLP system.
    • With the LogParser you can also prepend some of the fields with data (i.e. Winnt://username for Blue Coat integration).
    • All of this can be scheduled as tasks to be done nightly and can specify the user account to run the script as. Account is also hashed out.
       

    Also I think for Discover incidents it should already strip out the domain name for the lookup. I would enable the lookup logging to see what the system is sending for the lookups.



  • 5.  RE: LiveLDAPLookup using substrings

    Posted Nov 16, 2011 08:09 AM

    I don't really have a significant concern about performance of the script on the Enforce server.  I'm curious as to what you've seen in the past with the LDAP Lookup or script lookups that would cause you to go through setting up a slightly more complex process with regards to using the CSV lookup.  Just seems to me there are a lot of pieces in there that could break (extract, parse, massage the data, etc). I like the idea, don't get me wrong, I've just never found the lookups to be that expensive in terms of performance given the hardware we generally use, and what the Enforce server really needs to do (serve up the UI, write some stuff to the database, talk to monitors).

    Regarding Discover, I definitely see your point there and have accommodated for that.  I generally don't do a lookup on Discover file system incidents at all (can control this through the protocols in the ScriptLookup.properties file).  My advice to clients is that "file-owner" is typically very inconsistent, and you really need a tool like Data Insight to determine ownership.  SharePoint, you do get a better idea of the owner.

    I also scripted to work around missing file-owner data...so I don't even perform the lookup if I get the ubiquitous "Administrator" back as owner.  True, the script still runs, but it bypasses the bind and search on LDAP if there's not a true user name in there.

    ~Keith

     

     

     



  • 6.  RE: LiveLDAPLookup using substrings

    Posted Jan 04, 2012 03:25 AM
    Hi! By just looking at what you have done with your script lookup plugin it sounds just like what I've been searching for! Is it possible for you to post or email me what you have done? /Oscar


  • 7.  RE: LiveLDAPLookup using substrings

    Posted Jan 06, 2012 12:28 PM

    Any way you would be willing to share this script with the community?  Strip out everything that would be specific to your organization and upload to Connect as a download?



  • 8.  RE: LiveLDAPLookup using substrings

    Posted Jan 09, 2012 04:22 PM

    OK - Here we go... everyone is always looking for free code... NO WARRANTY, implied or explicit.  USE AT YOUR OWN RISK.

    1.  This is if your Enforce Server is on Windows. (this is vbScript), and you have an Active Directory LDAP directory.

    2.  Create 2 custom attributes:  "Client PC" and "Server Hostname".  The script will use NSLOOKUP to populate these values off of recipient-ip1 and sender-ip.

    3.  Read the vbScript below and replace "mycompany" with your company's domain name.  Save to d:\vontu\protect\plugins\ScriptLookup.vbs

    4.  Edit your ScriptLookup.Properties:

    # Example Script Params
    script.1.command=c:/windows/system32/cscript.exe
    script.1.custom.args=/nologo,d:/vontu/protect/plugins/ScriptLookup.vbs
     

    5.  Edit your Plugins.Properties:

    com.vontu.plugins.execution.chain=com.vontu.lookup.script.ScriptLookup
    com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Script Lookup
     

    com.vontu.api.incident.attributes.AttributeLookup.parameters=sender,message,recipient
     

    6.  Restart your Enforce Server services.

    7.  If you want to see how it runs from a CMD prompt, run:

    cscript ScriptLookup.vbs file-owner=<your AD account>

    8.  This script will populate the following attributes in the DLP tool:

     "Business Unit"
     "Employee Code"
     "First Name"
     "Last Name"
     "Phone"
     "Sender Email"
     "Region"
     "Country"
     "Postal Code"
     "Client PC"
     "Server Hostname"

    9.  If this works for you - send me a kudos and remember my name to HIRE me when all the tech jobs have been sent offshore. :-)

    SAVE THE FOLLOWING AS d:\vontu\protect\plugins\ScriptLookup.vbs on your WINDOWS Enforce Server:

    Option Explicit

    On Error Resume Next

    Dim objRootDSE
    Dim strDNSDomain
    Dim strDC
    Dim objConnection
    Dim objCommand
    Dim objRecordSet
    Dim strDN
    Dim strUserN
    Dim i
    Dim objDict
    Dim myArray
    Dim dictResults

    Const ADS_SCOPE_SUBTREE = 2
    Set objDict     = CreateObject("Scripting.Dictionary")
    Set dictResults = CreateObject("Scripting.Dictionary")
    Set objRootDSE  = GetObject("LDAP://RootDSE")
    strDNSDomain    = objRootDSE.Get("DefaultNamingContext")
    strDC = objRootDSE.Get("dnsHostName")

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand =   CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Get Arguments
    'Wscript.echo "Input Arguments to ScriptPlugin.vbs = "
    For i = 0 to Wscript.Arguments.Count - 1
     myArray = split(Wscript.Arguments(i),"=",-1,1)
     'oOutputFile.WriteLine(Wscript.Arguments(i))   ' debug log only: oOutputFile is never opened in this version, so the line is kept commented out
     objDict.Add myArray(0),myArray(1)
    Next

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    If objDict.Exists("file-owner") Then  ' SEARCH AD for a LOGON ID
    'Wscript.echo "file-owner item exists"
     If objDict.Item("file-owner") <> "" Then
      Call File_Owner(objDict.Item("file-owner"))
     Else
      'Wscript.echo  "file-owner is empty"
     End If
    Else
     'Wscript.echo  "file-owner item does NOT exist"
    End If

    If objDict.Exists("Employee Code") Then  ' SEARCH AD for a LOGON ID
     'Wscript.echo  "Employee Code item exists"
     If objDict.Item("Employee Code") <> "" Then
      Call File_Owner(objDict.Item("Employee Code"))
     Else
      'Wscript.echo  "Employee Code is empty"
     End If
    Else
     'Wscript.echo  "Employee Code item does NOT exist"
    End If

    If objDict.Exists("file-created-by") Then  ' SEARCH AD for a Display Name (This would be from a SharePoint Incident)
     'Wscript.echo  "file-created-by item exists"
     If objDict.Item("file-created-by") <> "" Then
      Call File_Created_By()
     Else
      'Wscript.echo  "file-created-by is empty"
     End If
    Else
     'Wscript.echo  "file-created-by item does NOT exist"
    End If

     
    If objDict.Exists("sender-email") Then  ' SEARCH AD for a sender-email (This would be from a Data In Motion Incident)
     'Wscript.echo  "sender-email item exists"
     If objDict.Item("sender-email") <> "" Then
      Call sender_email()
     Else
      'Wscript.echo  "sender-email is empty"
     End If
    Else
     'Wscript.echo  "sender-email item does NOT exist"
    End If

    If objDict.Exists("sender-ip") Then  ' Lookup the hostname for the client's IP address
     'Wscript.echo  "sender-ip item exists"
     If objDict.Item("sender-ip") <> "" Then
      Call Get_Hostname(objDict.Item("sender-ip"),"Client PC")
     Else
      'Wscript.echo  "sender-ip is empty"
     End If
    Else
     'Wscript.echo  "sender-ip item does NOT exist"
    End If

    If objDict.Exists("recipient-ip1") Then  ' Lookup the hostname for the destination IP address
     'Wscript.echo  "recipient-ip1 item exists"
     If objDict.Item("recipient-ip1") <> "" Then
      Call Get_Hostname(objDict.Item("recipient-ip1"),"Server Hostname")
     Else
      'Wscript.echo  "recipient-ip1 is empty"
     End If
    Else
     'Wscript.echo  "recipient-ip1 item does NOT exist"
    End If

    If dictResults.Count > 0 Then
     Call DisplayResults()
    End If

    WScript.Quit(0)

    '----------------------------------------------------------------------------------------
    Sub File_Owner(strUserN)

     If InStr(lCase(strUserN),"@mycompany.com") Then
      strUserN = Mid(strUserN,1,InStr(strUserN,"@")-1)
     ElseIf InStr(lCase(strUserN),"mycompany\") Then
      strUserN = Mid(strUserN,instr(strUserN,"\")+1)
     End If
     objCommand.CommandText = _
     "SELECT distinguishedName FROM 'LDAP://" & strDNSDomain & "' " & _
     "WHERE objectCategory='user' AND sAMAccountName='" & strUserN & "'"

     Set objRecordSet = objCommand.Execute

     If objRecordSet.RecordCount < 1 Then
      objCommand.CommandText = _
      "SELECT distinguishedName FROM 'LDAP://" & strDNSDomain & "' " & _
      "WHERE objectCategory='user' AND CN='" & strUserN & "'"
      Set objRecordSet = objCommand.Execute
     End If

     If objRecordSet.RecordCount >= 1 Then
      Call GetUserDN()
     End If

    End Sub

    '----------------------------------------------------------------------------------------
    Sub File_Created_By()

     strUserN = objDict.Item("file-created-by")
     strUserN = lCase(strUserN)
     objCommand.CommandText = _
     "SELECT distinguishedName FROM 'LDAP://" & strDNSDomain & "' " & _
     "WHERE objectCategory='user' AND displayName='" & strUserN & "'"
     Set objRecordSet = objCommand.Execute

     If objRecordSet.RecordCount >= 1 Then
      Call GetUserDN()
     End If

    End Sub

    '----------------------------------------------------------------------------------------
    Sub sender_email()

     strUserN = objDict.Item("sender-email")
     strUserN = lCase(strUserN)
     objCommand.CommandText = _
     "SELECT distinguishedName FROM 'LDAP://" & strDNSDomain & "' " & _
     "WHERE objectCategory='user' AND mail='" & strUserN & "'"
     Set objRecordSet = objCommand.Execute

     If objRecordSet.RecordCount >= 1 Then
      Call GetUserDN()
     End If 

    End Sub

    '----------------------------------------------------------------------------------------
    Sub Get_Hostname(strIP, strCustomField)

    Dim oExec
    Dim strLine
    Dim myArray
    Dim strHostname
    Dim WshShell

     strHostname = ""
     Set WshShell = Wscript.CreateObject("WScript.Shell")
     Set oExec = WshShell.Exec("c:\windows\system32\nslookup.exe " & strIP )
     Do While Not oExec.StdOut.AtEndOfStream
      strLine = Trim(oExec.StdOut.ReadLine)
      If InStr(strLine, "Name:") Then
       myArray = split(strLine, ":")
       strHostName = trim(myArray(1))
      End If
     Loop
     dictResults.Add strCustomField, strHostName
     Set oExec = Nothing
     
    End Sub

    '----------------------------------------------------------------------------------------
    Sub GetUserDN()
     objRecordSet.MoveFirst
     Do Until objRecordSet.EOF
      strDN = objRecordSet.Fields("distinguishedName").Value
      Call GetADUserInfo(strDN)
      objRecordSet.MoveNext
     Loop 
    End Sub 

    '----------------------------------------------------------------------------------------
    Sub GetADUserInfo(ByVal String_distinguishedName )

     Dim objUser
     Dim strValue

     Set objUser = GetObject ("LDAP://" & String_distinguishedName)
     If objUser.department <> "" Then dictResults.Add "Business Unit", objUser.department End If
     If objUser.SAMAccountName <> "" Then dictResults.Add "Employee Code", objUser.SAMAccountName End If
     If objUser.givenName <> "" Then dictResults.Add "First Name", objUser.givenName End If
     If objUser.sn <> "" Then dictResults.Add "Last Name", objUser.sn  End If
     If objUser.telephoneNumber <> "" Then dictResults.Add "Phone", objUser.telephoneNumber End If
     If objUser.mail <> "" Then dictResults.Add "Sender Email", objUser.mail End If
     If objUser.st <> "" Then dictResults.Add "Region", objUser.st End If
     If objUser.co <> "" Then dictResults.Add "Country", objUser.co End If
     If objUser.postalCode <> "" Then dictResults.Add "Postal Code", objUser.postalCode End If
     
    End Sub 

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Sub DisplayResults()

    Dim myArray
    Dim i
    Dim strValue

     myArray = dictResults.Keys    ' Get the keys.
     For i = 0 To dictResults.Count - 1 ' Iterate the array.
      strValue = dictResults.item(myArray(i))
      'strValue = "" & strValue & ""
      wscript.echo myArray(i) & "=" & strValue
     Next
     
    End Sub

     



  • 9.  RE: LiveLDAPLookup using substrings

    Posted Jan 09, 2012 04:34 PM

    OK - a little more information.  The above lookup script was written to handle just about any type of input given to it.  This one does LDAP lookups against AD and DNS lookups for hostnames... the possibilities are almost endless (once you get the hostname, you could query an asset management DB).  Also, if you want to update it, all you have to do is change one script.  You don't have to change any of your plugin files. 

    The reason I didn't include the Manager Information - is because every company is going to store manager information in different ways in their LDAP... but I have that working as well in my installation.

    Here are the inputs this one uses today:

    "file-owner"  ' SEARCH AD for a LOGON ID    E.g  an Active Directory ID in the format domain\lanID or lanID@company.com or lanID
     

    "Employee Code"  ' SEARCH AD for a LOGON ID    E.g. by doing this, you can MANUALLY add the lanID in the Employee Code field, click save, and click Lookup
     

    "file-created-by"   ' SEARCH AD for a Display Name (This would be from a SharePoint Incident)  E.g.  firstname.lastname
     

    "sender-email"      ' SEARCH AD for a sender-email (This would be from a Data In Motion Incident)  E.g. user@company.com
     

    "sender-ip"    ' Lookup the hostname for the client's IP address      E.g.  To get the hostname from DNS from the sender-ip
     

    "recipient-ip1"  ' Lookup the hostname for the destination IP address   E.g.  To get the hostname from DNS from the recipient-ip1
     



  • 10.  RE: LiveLDAPLookup using substrings

    Posted Jan 10, 2012 03:32 AM

    This is absolutely great! Bob for president!!!



  • 11.  RE: LiveLDAPLookup using substrings

    Posted Feb 01, 2012 05:51 AM

    All of a sudden the system stopped inserting the results in the attributes section. Can't figure out why...

    I can do the cscript ScriptLookup.vbs file-owner=<your AD account> lookup on different values and get results but DLP doesn't seem to receive them.

    Also there have been some errors before it stopped working which I'm not sure are of value to this:

     

    Message
    Code 3100
    Summary Invalid Attributes detected with Script Lookup Plugin
    Detail Invalid or unsafe Attributes passed from Standard In were removed during script execution. Please check the logs for more details. 

    Nothing has been altered in any way. It just stopped working. 

    If anyone else has run into this problem please let me know what I can do to get it working again!



  • 12.  RE: LiveLDAPLookup using substrings

    Posted Feb 01, 2012 09:11 AM

    I bashed my head against the wall about 100 times before I read President Bob's note that the Vontu services needed to be run using a domain account instead of the local protect account.

    I could do the whole cscript thing locally as well and Enforce wouldn't return the values.  Had a co-worker look at my notes and what I had setup and he was "you aren't running as an account w/ domain rights" 

     

    So big props to Bob on this and I have to read his notes better.



  • 13.  RE: LiveLDAPLookup using substrings

    Posted Feb 01, 2012 10:51 AM

    Check for any "special" characters in the user's "Display Name" or email address.  I did see something like this when the user had an apostrophe (single tick) in the name.  To fix it, we fired everyone with an apostrophe in their name.

    Seriously, I had to turn off stdout.filtering in the ScriptLookup.Properties file.  It is supposed to be a protection from a malicious "lookup script" but I believe the risk is pretty low...

     

    From the ScriptLookup.Properties file in the \vontu\protect\config directory:

    #-------------------------------------
    # Standard In & Standard Out Filtering
    #-------------------------------------
    # Controls filtering of lookup script input and output.
    # If enabled, input and output must be strings that are safe for windows and unix shells.
    # Unsafe elements include command delimiters (semi-colon) and logical operators that could be
    # expanded by the shell.
    stdin.filtering.enabled=true
    stdout.filtering.enabled=false



  • 14.  RE: LiveLDAPLookup using substrings

    Posted Feb 01, 2012 11:41 AM

    Update:  OK - I know 99% of corporate users are using Active Directory as their backend LDAP and 99% of those people store the DN of the manager in a user's manager attribute, so this code also looks up the manager information and populates it.  This updates a custom attribute called DLPDetectionServer with the DLP server that detected the violation.  I will be adding Sender IP and Recipient IP as custom fields soon, because it is useful information to send to a SIEM tool.

    1.  Create a Custom Attribute called: DLPDetectionServer

    2.  Make sure the following line is in your plugins.properties file:

    com.vontu.api.incident.attributes.AttributeLookup.parameters=sender,message,recipient,server

    3.  From the thread above, you may want to add/update the following to your scriptlookup.properties file.  This will handle the case where a user has a "dangerous" character like an apostrophe in the Display Name.

    stdin.filtering.enabled=true
    stdout.filtering.enabled=false

    4.  Here is the code that includes manager lookups as well as DLPDetectionServer: (THIS ASSUMES YOU HAVE THE MANAGER'S DN in the user's manager attribute in LDAP (99% of AD users have this))

    Option Explicit

    On Error Resume Next

    '  This script is used by DLP to look up additional information or attributes from AD and other sources
    '  related to a DLP incident.
    '  It expects key-value pairs as input via stdin and outputs the lookup values to stdout
    '  See the Symantec_DLP_11.1_Lookup_Plugin_Guide.pdf guide for more information.

    Dim objRootDSE
    Dim strDNSDomain
    Dim strDC
    Dim objConnection
    Dim objCommand
    Dim objRecordSet
    Dim strDN
    Dim strUserN
    Dim i
    Dim objDict
    Dim myArray
    Dim dictResults
    Dim oOutputFile
    Dim objFSO


    Const ADS_SCOPE_SUBTREE = 2
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objDict     = CreateObject("Scripting.Dictionary")
    Set dictResults = CreateObject("Scripting.Dictionary")
    Set objRootDSE  = GetObject("LDAP://RootDSE")
    strDNSDomain    = objRootDSE.Get("DefaultNamingContext")
    strDC = objRootDSE.Get("dnsHostName")

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand =   CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    'set oOutputFile = objFSO.OpenTextFile("c:\temp\Account_Lookup.log",8,True)

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Get Arguments
    'oOutputFile.WriteLine("Input Arguments to Account_Lookup.vbs = ")
    For i = 0 to Wscript.Arguments.Count - 1
     myArray = split(Wscript.Arguments(i),"=",-1,1)
     'oOutputFile.WriteLine(Wscript.Arguments(i))
     'wscript.echo Wscript.Arguments(i)
     objDict.Add myArray(0),myArray(1)
    Next

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    If objDict.Exists("file-owner") Then  ' SEARCH AD for a LOGON ID
     'oOutputFile.WriteLine("file-owner item exists")
     If objDict.Item("file-owner") <> "" Then
      Call File_Owner(objDict.Item("file-owner"))
     Else
      'oOutputFile.WriteLine "file-owner is empty"
     End If
    Else
     'oOutputFile.WriteLine("file-owner item does NOT exist")
    End If

    If objDict.Exists("Employee Code") Then  ' SEARCH AD for a LOGON ID
     'oOutputFile.WriteLine("Employee Code item exists")
     If objDict.Item("Employee Code") <> "" Then
      Call File_Owner(objDict.Item("Employee Code"))
     Else
      'oOutputFile.WriteLine "Employee Code is empty"
     End If
    Else
     'oOutputFile.WriteLine("Employee Code item does NOT exist")
    End If

    If objDict.Exists("file-created-by") Then  ' SEARCH AD for a Display Name (This would be from a SharePoint Incident)
     'oOutputFile.WriteLine("file-created-by item exists")
     If objDict.Item("file-created-by") <> "" Then
      Call File_Created_By()
     Else
      'oOutputFile.WriteLine "file-created-by is empty"
     End If
    Else
     'oOutputFile.WriteLine("file-created-by item does NOT exist")
    End If

     
    If objDict.Exists("sender-email") Then  ' SEARCH AD for a sender-email (This would be from a Data In Motion Incident)
     'oOutputFile.WriteLine("sender-email item exists")
     If objDict.Item("sender-email") <> "" Then
      Call sender_email()
     Else
      'oOutputFile.WriteLine "sender-email is empty"
     End If
    Else
     'oOutputFile.WriteLine("sender-email item does NOT exist")
    End If

    If objDict.Exists("sender-ip") Then  ' Lookup the hostname for the client's IP address
     'oOutputFile.WriteLine("sender-ip item exists")
     If objDict.Item("sender-ip") <> "" Then
      Call Get_Hostname(objDict.Item("sender-ip"),"Client PC")
     Else
      'oOutputFile.WriteLine "sender-ip is empty"
     End If
    Else
     'oOutputFile.WriteLine("sender-ip item does NOT exist")
    End If

    If objDict.Exists("recipient-ip1") Then  ' Lookup the hostname for the destination IP address
     'oOutputFile.WriteLine("recipient-ip1 item exists")
     If objDict.Item("recipient-ip1") <> "" Then
      Call Get_Hostname(objDict.Item("recipient-ip1"),"Server Hostname")
     Else
      'oOutputFile.WriteLine "recipient-ip1 is empty"
     End If
    Else
     'oOutputFile.WriteLine("recipient-ip1 item does NOT exist")
    End If

    If objDict.Exists("server-name") Then  ' This is the DLP Server that discovered the incident
     'oOutputFile.WriteLine("server-name item exists")
     If objDict.Item("server-name") <> "" Then
      Call Get_DLP_ServerName(objDict.Item("server-name"))
     Else
      'oOutputFile.WriteLine "server-name is empty"
     End If
    Else
     'oOutputFile.WriteLine("server-name item does NOT exist")
    End If

    If dictResults.Count > 0 Then
     Call DisplayResults()
    End If

    WScript.Quit(0)
     
    'oOutputFile.Close 

    '----------------------------------------------------------------------------------------
    Sub Get_DLP_ServerName(strServerName)
     'wscript.echo strServerName
     strServerName = lCase(strServerName)
     dictResults.Add "DLPDetectionServer", strServerName
    End Sub

    '----------------------------------------------------------------------------------------
    Sub File_Owner(strUserN)

     If InStr(lCase(strUserN),"@mycompany.com") Then
      strUserN = Mid(strUserN,1,InStr(strUserN,"@")-1)
     ElseIf InStr(lCase(strUserN),"mycompany\") Then
      strUserN = Mid(strUserN,InStr(strUserN,"\")+1)   ' strip everything up to and including the backslash, whatever the domain name length
     End If
     objCommand.CommandText = _
     "SELECT distinguishedName FROM 'LDAP://" & strDNSDomain & "' " & _
     "WHERE objectCategory='user' AND sAMAccountName='" & strUserN & "'"

     Set objRecordSet = objCommand.Execute

     If objRecordSet.RecordCount < 1 Then
      objCommand.CommandText = _
      "SELECT distinguishedName FROM 'LDAP://" & strDNSDomain & "' " & _
      "WHERE objectCategory='user' AND CN='" & strUserN & "'"
      Set objRecordSet = objCommand.Execute
     End If

     If objRecordSet.RecordCount >= 1 Then
      Call GetUserDN()
     End If

    End Sub

    '----------------------------------------------------------------------------------------
    Sub File_Created_By()

     strUserN = objDict.Item("file-created-by")
     strUserN = lCase(strUserN)
     objCommand.CommandText = _
     "SELECT distinguishedName FROM 'LDAP://" & strDNSDomain & "' " & _
     "WHERE objectCategory='user' AND displayName='" & strUserN & "'"
     Set objRecordSet = objCommand.Execute

     If objRecordSet.RecordCount >= 1 Then
      Call GetUserDN()
     End If

    End Sub

    '----------------------------------------------------------------------------------------
    Sub sender_email()

     strUserN = objDict.Item("sender-email")
     strUserN = lCase(strUserN)
     objCommand.CommandText = _
     "SELECT distinguishedName FROM 'LDAP://" & strDNSDomain & "' " & _
     "WHERE objectCategory='user' AND mail='" & strUserN & "'"
     Set objRecordSet = objCommand.Execute

     If objRecordSet.RecordCount >= 1 Then
      Call GetUserDN()
     End If 

    End Sub

    '----------------------------------------------------------------------------------------
    Sub Get_Hostname(strIP, strCustomField)

    Dim oExec
    Dim strLine
    Dim myArray
    Dim strHostname
    Dim WshShell

     strHostname = ""
     Set WshShell = Wscript.CreateObject("WScript.Shell")
     Set oExec = WshShell.Exec("c:\windows\system32\nslookup.exe " & strIP )
     Do While Not oExec.StdOut.AtEndOfStream
      strLine = Trim(oExec.StdOut.ReadLine)
      If InStr(strLine, "Name:") Then
       myArray = split(strLine, ":")
       strHostName = trim(myArray(1))
      End If
     Loop
     dictResults.Add strCustomField, strHostName
     Set oExec = Nothing
     
    End Sub

    '----------------------------------------------------------------------------------------
    Sub GetUserDN()
     objRecordSet.MoveFirst
     Do Until objRecordSet.EOF
      strDN = objRecordSet.Fields("distinguishedName").Value
      Call GetADUserInfo(strDN)
      objRecordSet.MoveNext
     Loop 
    End Sub 

    '----------------------------------------------------------------------------------------
    Sub GetADUserInfo(ByVal String_distinguishedName )

     Dim objUser
     Dim strValue

     Set objUser = GetObject ("LDAP://" & String_distinguishedName)
     If objUser.SAMAccountName <> "" Then dictResults.Add "Employee Code", lCase(objUser.SAMAccountName) End If
     If objUser.givenName <> "" Then dictResults.Add "First Name", objUser.givenName End If
     If objUser.sn <> "" Then dictResults.Add "Last Name", objUser.sn  End If
     If objUser.department <> "" Then dictResults.Add "Business Unit", objUser.department End If
     If objUser.telephoneNumber <> "" Then dictResults.Add "Phone", objUser.telephoneNumber End If
     If objUser.mail <> "" Then dictResults.Add "Sender Email", objUser.mail End If
     If objUser.st <> "" Then dictResults.Add "Region", objUser.st End If
     If objUser.co <> "" Then dictResults.Add "Country", objUser.co End If
     If objUser.postalCode <> "" Then dictResults.Add "Postal Code", objUser.postalCode End If
     
     Call GetManagerName(objUser.manager)
     
    End Sub 

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Sub GetManagerName(ByVal String_distinguishedName)
     Dim objMgrU
     Dim strValue
     
     Set objMgrU = GetObject ("LDAP://" & String_distinguishedName)
     If objMgrU.givenName <> "" Then dictResults.Add "Manager First Name", objMgrU.givenName End If
     If objMgrU.sn <> "" Then dictResults.Add "Manager Last Name", objMgrU.sn End If
     If objMgrU.telephoneNumber <> "" Then dictResults.Add "Manager Phone", objMgrU.telephoneNumber End If
     If objMgrU.mail <> "" Then dictResults.Add "Manager Email", objMgrU.mail End If
     
    End Sub
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Sub DisplayResults()

    Dim myArray
    Dim i
    Dim strValue

     myArray = dictResults.Keys    ' Get the keys.
     For i = 0 To dictResults.Count - 1 ' Iterate the array.
      strValue = dictResults.item(myArray(i))
      'strValue = "" & strValue & ""
      wscript.echo myArray(i) & "=" & strValue
     Next
     
    End Sub

     

     



  • 15.  RE: LiveLDAPLookup using substrings

    Posted Feb 01, 2012 11:55 AM

    Guys - a few more things to tell you about this if you haven't already figured it out.

    1.  You don't need to reload attributes or start/stop services if you are only changing the .vbs  If you change the properties files, then restart your services.

    2.  Find an incident where no custom data is populated.  Manually edit the custom data by entering a user's "Employee Code" and put their LAN ID in the field.  Click Save and then click Lookup.  All attributes will be populated.

    3.  Step 2 can be done IN BULK.  Let's say you have a bunch of similar incidents and the DLP tool didn't find the owner.  But after a little investigation, you know who is responsible for the incident.  Make a filter so you have all of those similar incidents displayed.  Select ALL those incidents; you can use Incident Actions, Set Attributes to manually set the Employee Code on all of those similar incidents.  Then, do an Incident Attributes, Lookup Attributes and ALL of those incidents' Custom Data fields will be populated.  Now your reports based on Manager Email, Sender Email will not be "Unknown".

    4.  ANY OF THE CUSTOM ATTRIBUTES can be used in variables in Response Rules.  This means they can be included in emails OR sent to a SIEM tool as well.  So the ones we have created, Client PC... can be used like $CLIENT PC$.  (Easiest way to test this is creating a Smart Response Rule that just sends you all the variables and their values.)

    Hope this helps,

    Bob Blank



  • 16.  RE: LiveLDAPLookup using substrings

    Posted Feb 02, 2012 04:10 AM

    Thanks guys!

    I'll try what you have suggested and get back to you!

    And Bob! Nice work!



  • 17.  RE: LiveLDAPLookup using substrings

    Posted Feb 02, 2012 01:30 PM

    Nice one :)



  • 18.  RE: LiveLDAPLookup using substrings

    Posted Feb 03, 2012 03:33 AM

    So changed the services login to a domain account and it works. Also set stdout to false.

    Now I can also see why it gives me the error above. In the Swedish alphabet we have the characters: å, ä, ö.

    And the problem is that this is in almost every sentence, name, surname, department and so on.

    Is there any way I can fix this or do I have to set up an alert rule to never tell me about these errors?
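    Added example (Python; not code from the thread or from the product): the input side of a lookup script written so the raw value is never string-concatenated into the query. It normalises `file-owner` the way posts 1 and 8 describe and builds an RFC 4515 LDAP filter, so an apostrophe or å/ä/ö (the characters posts 13 and 18 ran into) cannot break a `WHERE ... = '...'` string. Assumptions: `mycompany` placeholders for the domain, and that the filter is handed to an LDAP-dialect search (the ADO provider used in the VBScript also accepts `<LDAP://base>;(filter);attributes;subtree` command text).

```python
# Assumed placeholders standing in for the thread's "mycompany"; change to your domain.
DOMAIN_NETBIOS = "mycompany"
DOMAIN_DNS = "mycompany.com"

# DLP input key -> AD attribute to search, same dispatch as the thread's VBScript.
INPUT_TO_AD_ATTR = {
    "file-owner": "sAMAccountName",
    "Employee Code": "sAMAccountName",
    "file-created-by": "displayName",
    "sender-email": "mail",
}


def parse_args(argv):
    """Turn the plugin's 'key=value' arguments into a dict, splitting on the first '='."""
    attrs = {}
    for arg in argv:
        key, sep, value = arg.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def normalize_logon_id(raw):
    """'mycompany\\jdoe', 'jdoe@mycompany.com' and 'jdoe' all reduce to 'jdoe'.

    Returns None for blank input and for the generic 'Administrator' owner that
    Discover reports when real ownership is unknown, so no AD bind is wasted on it.
    """
    value = raw.strip()
    lowered = value.lower()
    if lowered.endswith("@" + DOMAIN_DNS):
        value = value[: -len(DOMAIN_DNS) - 1]
    elif lowered.startswith(DOMAIN_NETBIOS + "\\"):
        value = value.split("\\", 1)[1]
    if not value or value.lower() == "administrator":
        return None
    return value


def ldap_escape(value):
    """RFC 4515 escaping for an assertion value inside an LDAP filter.

    '*', '(', ')', '\\', control bytes and every non-ASCII byte are written as
    \\xx hex escapes of their UTF-8 encoding, so a displayName with å, ä or ö
    matches exactly. An apostrophe needs no escape in this syntax.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x20 or byte > 0x7E or chr(byte) in "*()\\":
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_filter(attrs):
    """Build the search filter for the first recognised input key, or None if nothing usable."""
    for key, ad_attr in INPUT_TO_AD_ATTR.items():
        value = attrs.get(key, "")
        if ad_attr == "sAMAccountName":
            value = normalize_logon_id(value)
        else:
            value = value.strip() or None
        if value:
            return "(&(objectCategory=person)(objectClass=user)(%s=%s))" % (
                ad_attr, ldap_escape(value))
    return None


def render_results(results):
    """Format results as one 'key=value' line each, as DisplayResults() does.

    The plugin reads stdout line by line, so an AD value containing a line break
    would otherwise be read back as a second, bogus attribute.
    """
    return ["%s=%s" % (key, " ".join(str(value).splitlines()))
            for key, value in results.items()]


if __name__ == "__main__":
    import sys
    # Constructed sample input, equivalent to: cscript ScriptLookup.vbs file-owner=mycompany\jdoe
    demo = sys.argv[1:] or ["file-owner=mycompany\\jdoe"]
    print(build_filter(parse_args(demo)))
```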



  • 19.  RE: LiveLDAPLookup using substrings
    Best Answer

    Posted Feb 10, 2012 11:25 AM

    I have made a few updates to the Get-Custom-Attributes.vbs script, so I attached it to the thread.  Also included a copy of the Plugins.Properties and ScriptLookup.Properties.

    Attachment(s)



  • 20.  RE: LiveLDAPLookup using substrings

    Posted Feb 14, 2012 10:00 AM

    Thanks Bob for all the hard work



  • 21.  RE: LiveLDAPLookup using substrings

    Posted Feb 29, 2012 12:37 PM

    It was brought to my attention I posted the wrong file for Plugins.Properties above.  Sorry for any confusion.  I grabbed the wrong file from my demo machine.  Re-posting the right file.

     

    Bob.

    Attachment(s): Plugins.properties_0.txt (txt, 5 KB)