All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adding additional Fields?

zombag
New Member
‎12-16-2013 06:33 PM

Is there a way to add additional fields like File Owner or File Creation Date? Having difficulty finding the field names from DLP. Any help would be greatly appreciated.

0 Karma
Reply

pickerin
Path Finder
‎08-19-2015 03:16 AM

Yep, you can add additional fields. You have to do it at the Symantec DLP itself in the "Message" variable on the Response.

Monitor/Prevent Incidents
$BLOCKED$ – Indication of whether or not the message was blocked by the Symantec Data Loss Prevention system (yes or no).
$INCIDENT_ID$ – The ID of the incident.
$INCIDENT_SNAPSHOT$ – The fully qualified URL to the Incident Snapshot page for the incident.
$MATCH_COUNT$ – The incident match count.
$POLICY_NAME$ – The name of the policy that was violated.
$RECIPIENTS$ – A comma-separated list of one or more message recipients.
$POLICY_RULES$ – A comma-separated list of one or more policy rules that were violated.
$SENDER$ - The message sender.
$SEVERITY$ – The severity assigned to incident.
$SUBJECT$ - The subject of the message.

Discover Incidents
$FILE_NAME$ – The name of the file in which the incident was found.
$INCIDENT_ID$ – The ID of the incident.
$MATCH_COUNT$ – The incident match count.
$PARENT_PATH$ – The path to the parent directory of the file in which the incident was found.
$PATH$ – The full path to the file in which the incident was found.
$POLICY_NAME$ – The name of the policy that was violated.
$POLICY_RULES$ – A comma-separated list of one or more policy rules that were violated.
$QUARANTINE_PARENT_PATH$ - The path to the parent directory in which the file was quarantined.
$SCAN$ – The date of the scan that found the incident.
$SEVERITY$ – The severity assigned to incident.
$TARGET$ - The name of the target in which the incident was found.

Once you've updated the message contents on the DLP, they will start appearing in the Event within Splunk.

E.g. the example Message contents from the documentation has you add this:
ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$

If you wanted to also include the URL link to the Incident, you'd just add it like this:
ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$, URL: $INCIDENT_SNAPSHOT$

-Rob

0 Karma
Reply

m_hashmi
New Member
‎03-24-2015 05:34 AM

Even I had the same question whether we can additional fields like url link of Incident snapshot, Violated Rule etc.

Can anyone help in this ..?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...