New York Data Loss Prevention User Group

  • 1.  Sender Notification Content

    Posted Apr 20, 2011 03:56 PM

    Is there a way to create a custom variable for the string violating the policy, to be included in the automated email sent to the sender and/or manager?  We are looking for a way to automate the incident remediation workflow without giving access to Vontu to a large population, and would like to include more incident information in the notification (SMTP & HTTP) alerts, but not the original message.



  • 2.  RE: Sender Notification Content

    Posted Apr 20, 2011 04:30 PM

    When you create a response rule for 'Send Email Notification' I believe you have an option for inserting one of several pre-defined variables into the message so you don't have to include the offending content.



  • 3.  RE: Sender Notification Content

    Trusted Advisor
    Posted Apr 20, 2011 06:25 PM

    There is an article in the KB that is close.. but a little wrong..

    Article ID: 43010

    There is a way to use custom attributes as variables in an email response rule. This function is not well-documented, but it is available. The way to do it is as follows:

    Note: To add a gray status bar at the bottom of the I.E. window, select "View" from the Internet Explorer toolbar menu and make sure "Status Bar" is checked.

    1. Log on to Symantec Data Loss Prevention as an administrator.

    2. Go to an incident page.

    3. For each custom attribute that you would like to add to the notification email, mouse over it or left click on it to reveal its properties. The properties may show up in a bar at the bottom of the screen or in a pop-up box. You are looking for the number of the custom attribute. The attribute numbers may appear in parentheses. For example, FirstName may reveal ("24") and LastName may reveal ("25"). Copy each attribute name and corresponding number for all the custom attributes that will be added to the notification email.

    4. Under Policy, navigate to Response Rules, add an email notification response rule, and set up the email response. Wherever the custom attribute should appear, enter $ATTRIBUTE_<attribute number>$. For example, using the custom attributes FirstName and LastName, the email salutation in the rule email would appear as follows:  

    Dear $ATTRIBUTE_24$ $ATTRIBUTE_25$,  

     which would yield Dear Joe Smith in the email notification to Joe Smith, if Joe Smith was the policy violator.

    5. Please note that deletion of any of the custom attributes used in the email notifications, or problems with the initial attribute lookup, will prevent email notifications from working properly.
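
Added example, not part of the original post and not Symantec code: a pre-deployment check for a notification body, reflecting the caveat in step 5 that a placeholder pointing at a deleted attribute stops notifications from working. It models the `$ATTRIBUTE_<attribute number>$` substitution locally and does not call the DLP product; the function names, the sample bodies and the attribute number 31 are constructed for illustration.

```python
import re

# Attribute numbers and names as collected in step 3 (values from the post).
KNOWN_ATTRIBUTES = {24: "FirstName", 25: "LastName"}

# Well-formed placeholder: $ATTRIBUTE_<attribute number>$
PLACEHOLDER = re.compile(r"\$ATTRIBUTE_(\d+)\$")
# Anything that starts like a placeholder, well-formed or not.
CANDIDATE = re.compile(r"\$ATTRIBUTE_[^\s$,]*\$?")


def lint_template(body, known=KNOWN_ATTRIBUTES):
    """Return (kind, token) problems found in a notification body."""
    problems = []
    for match in CANDIDATE.finditer(body):
        token = match.group(0)
        well_formed = PLACEHOLDER.fullmatch(token)
        if not well_formed:
            # Missing closing '$', a name instead of a number, and so on.
            problems.append(("malformed", token))
        elif int(well_formed.group(1)) not in known:
            # Number not in the current attribute list (e.g. deleted).
            problems.append(("unknown_attribute", token))
    return problems


def render_preview(body, values):
    """Substitute sample values so the wording can be reviewed offline.

    Placeholders without a sample value are left untouched so they
    stand out in the preview.
    """
    def substitute(match):
        return values.get(int(match.group(1)), match.group(0))
    return PLACEHOLDER.sub(substitute, body)


if __name__ == "__main__":
    good = "Dear $ATTRIBUTE_24$ $ATTRIBUTE_25$,"
    # Constructed bad body: 31 is not a known attribute, 25 lacks its closing '$'.
    bad = "Dear $ATTRIBUTE_24$ $ATTRIBUTE_31$ $ATTRIBUTE_25,"
    print(lint_template(good))
    print(lint_template(bad))
    print(render_preview(good, {24: "Joe", 25: "Smith"}))
```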



  • 4.  RE: Sender Notification Content

    Posted Apr 21, 2011 07:20 AM

    Thanks, but is there a way to include offending string/keyword in the notification?  I'm looking for a solution to allow the manager/notification recipient to see what was violated, without going to the application.  Looking for solution to automate the incident workflow, without giving access to the application.



  • 5.  RE: Sender Notification Content

    Trusted Advisor
    Posted Apr 21, 2011 12:35 PM

    Unfortunately there is not a way to add the highlighted information...this is the type of information that you do not want to spread outside of the system.

    You can insert the violated policy name and the match count.. that should give them enough info to be able to correlate it to what was violated. I am not sure but the Rule Name may be a field to use also...try it out and see if anything comes in the email.

    Ronak



  • 6.  RE: Sender Notification Content

    Posted May 02, 2011 11:05 AM

    Is there a way to include user justification for Endpoint alerts in the body of the email notification?  Is there any additional incident info that can be custom-inserted into the manager's notification that would help remediate the alert?



  • 7.  RE: Sender Notification Content

    Posted May 03, 2011 08:18 PM

    ...the User Justification Response isn't included as an available attribute in the response rules.  You'd have to do a custom plugin whereby you look up that response directly in the DLP database, and populate a custom attribute, which you could then use in the response.

    From what I know of it, even this won't work.  My understanding is that the plugins are executing BEFORE the incident is written to the database.  So that lookup would be trying to look up data for an incident that isn't even committed to the database yet.  Hence, you would not be able to get the response.

    Keith