All Apps and Add-ons

Adding additional Fields?

zombag
New Member

Is there a way to add additional fields like File Owner or File Creation Date? Having difficulty finding the field names from DLP. Any help would be greatly appreciated.

0 Karma

pickerin
Path Finder

Yep, you can add additional fields. You have to do it at the Symantec DLP itself in the "Message" variable on the Response.

Monitor/Prevent Incidents
$BLOCKED$ – Indication of whether or not the message was blocked by the Symantec Data Loss Prevention system (yes or no).
$INCIDENT_ID$ – The ID of the incident.
$INCIDENT_SNAPSHOT$ – The fully qualified URL to the Incident Snapshot page for the incident.
$MATCH_COUNT$ – The incident match count.
$POLICY_NAME$ – The name of the policy that was violated.
$RECIPIENTS$ – A comma-separated list of one or more message recipients.
$POLICY_RULES$ – A comma-separated list of one or more policy rules that were violated.
$SENDER$ - The message sender.
$SEVERITY$ – The severity assigned to incident.
$SUBJECT$ - The subject of the message.

Discover Incidents
$FILE_NAME$ – The name of the file in which the incident was found.
$INCIDENT_ID$ – The ID of the incident.
$MATCH_COUNT$ – The incident match count.
$PARENT_PATH$ – The path to the parent directory of the file in which the incident was found.
$PATH$ – The full path to the file in which the incident was found.
$POLICY_NAME$ – The name of the policy that was violated.
$POLICY_RULES$ – A comma-separated list of one or more policy rules that were violated.
$QUARANTINE_PARENT_PATH$ - The path to the parent directory in which the file was quarantined.
$SCAN$ – The date of the scan that found the incident.
$SEVERITY$ – The severity assigned to incident.
$TARGET$ - The name of the target in which the incident was found.

Once you've updated the message contents on the DLP, they will start appearing in the Event within Splunk.

E.g. the example Message contents from the documentation has you add this:
ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$

If you wanted to also include the URL link to the Incident, you'd just add it like this:
ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$, URL: $INCIDENT_SNAPSHOT$

-Rob

0 Karma

m_hashmi
New Member

Even I had the same question whether we can additional fields like url link of Incident snapshot, Violated Rule etc.

Can anyone help in this ..?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...