
Adding additional Fields?

zombag
New Member

Is there a way to add additional fields like File Owner or File Creation Date? Having difficulty finding the field names from DLP. Any help would be greatly appreciated.


pickerin
Path Finder

Yep, you can add additional fields. You have to do it at the Symantec DLP itself in the "Message" variable on the Response.

Monitor/Prevent Incidents
$BLOCKED$ – Indication of whether or not the message was blocked by the Symantec Data Loss Prevention system (yes or no).
$INCIDENT_ID$ – The ID of the incident.
$INCIDENT_SNAPSHOT$ – The fully qualified URL to the Incident Snapshot page for the incident.
$MATCH_COUNT$ – The incident match count.
$POLICY_NAME$ – The name of the policy that was violated.
$RECIPIENTS$ – A comma-separated list of one or more message recipients.
$POLICY_RULES$ – A comma-separated list of one or more policy rules that were violated.
$SENDER$ - The message sender.
$SEVERITY$ – The severity assigned to incident.
$SUBJECT$ - The subject of the message.

Discover Incidents
$FILE_NAME$ – The name of the file in which the incident was found.
$INCIDENT_ID$ – The ID of the incident.
$MATCH_COUNT$ – The incident match count.
$PARENT_PATH$ – The path to the parent directory of the file in which the incident was found.
$PATH$ – The full path to the file in which the incident was found.
$POLICY_NAME$ – The name of the policy that was violated.
$POLICY_RULES$ – A comma-separated list of one or more policy rules that were violated.
$QUARANTINE_PARENT_PATH$ - The path to the parent directory in which the file was quarantined.
$SCAN$ – The date of the scan that found the incident.
$SEVERITY$ – The severity assigned to incident.
$TARGET$ - The name of the target in which the incident was found.

Once you've updated the message contents on the DLP, they will start appearing in the Event within Splunk.

E.g., the example Message contents from the documentation have you add this:
ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$

If you wanted to also include the URL link to the Incident, you'd just add it like this:
ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$, URL: $INCIDENT_SNAPSHOT$

-Rob

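Once the Message template above reaches Splunk, the event is a single line of "Label: value, Label: value, ..." pairs, and the field extraction has to cope with values that themselves contain commas ($RECIPIENTS$ and $POLICY_RULES$ are comma-separated lists, and subjects are free text). The parser below is an added example, not code from the original post or from Symantec or Splunk: it walks the labels in the order they appear in the template and takes everything up to the next label marker as the value, instead of splitting on ", ". The sample message, the label names and the hostnames in it are constructed for the example.

```python
from typing import Dict, List

# Labels in the order they appear in the Response rule's Message template
# (the documentation example quoted above, plus "URL" for $INCIDENT_SNAPSHOT$).
# Assumption for this example: the template is exactly that line.
MESSAGE_LABELS: List[str] = [
    "ID", "Policy Violated", "Count", "Protocol", "Recipient", "Sender",
    "Severity", "Subject", "Target", "Filename", "Blocked", "Endpoint", "URL",
]

# Constructed sample event body (not a real incident); note the commas inside
# the Recipient list and the Subject.
SAMPLE_MESSAGE = (
    "ID: 12345, Policy Violated: PCI Card Numbers, Count: 3, Protocol: SMTP, "
    "Recipient: alice@example.com, bob@example.com, Sender: carol@example.com, "
    "Severity: High, Subject: Q3 report, final, Target: Email, "
    "Filename: report.xlsx, Blocked: yes, Endpoint: WS-0231, "
    "URL: https://dlp.example.com/ProtectManager/IncidentDetail.do?incidentId=12345"
)


def naive_split(message: str) -> List[str]:
    """What a plain split on the template delimiter produces: list values and
    subjects containing ", " are broken into extra, label-less chunks."""
    return message.split(", ")


def parse_dlp_message(message: str, labels: List[str] = MESSAGE_LABELS) -> Dict[str, str]:
    """Extract label/value pairs from a DLP Message body.

    Locate each "Label: " marker in template order, searching only forward of
    the previous marker, and treat the text between consecutive markers as the
    value. A label that is absent (not configured, or the message was
    truncated) is simply skipped. This still cannot disambiguate a free-text
    value that happens to contain a later label followed by ": ", so keep the
    template's labels distinctive.
    """
    positions = []  # (label, marker_start, value_start)
    cursor = 0
    for label in labels:
        marker = f"{label}: "
        idx = message.find(marker, cursor)
        if idx == -1:
            continue
        positions.append((label, idx, idx + len(marker)))
        cursor = idx + len(marker)

    fields: Dict[str, str] = {}
    for i, (label, _start, value_start) in enumerate(positions):
        value_end = positions[i + 1][1] if i + 1 < len(positions) else len(message)
        # Drop the trailing ", " separator that precedes the next marker.
        value = message[value_start:value_end].strip().rstrip(",").strip()
        fields[label] = value
    return fields


def split_list_field(value: str) -> List[str]:
    """Turn a comma-separated DLP list value ($RECIPIENTS$, $POLICY_RULES$)
    into individual items."""
    return [item.strip() for item in value.split(",") if item.strip()]


if __name__ == "__main__":
    print(f"naive split produced {len(naive_split(SAMPLE_MESSAGE))} chunks")
    parsed = parse_dlp_message(SAMPLE_MESSAGE)
    for key, val in parsed.items():
        print(f"{key:16} = {val}")
    print("recipients:", split_list_field(parsed["Recipient"]))
```

The same idea carries over to a Splunk-side regex extraction: anchor each capture on its label and end it with a lookahead for the next label rather than on the first comma, otherwise multi-recipient incidents lose their second recipient and the Subject field is truncated.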

m_hashmi
New Member

I had the same question too, about whether we can add additional fields like the URL link of the Incident Snapshot, the violated rule, etc.

Can anyone help with this?
