What Variables can be used within Response Rules?
Article ID: 160621
Updated On:
Products
Issue/Introduction
Whether you setup a response rule for email notification or send a notification to a syslog server, you can set up response action variables to pass incident specific data. What are these Response Action Variables?
NOTE:
The variables below apply to response rules executing from the Enforce server against incidents already captured.
Variables available for use in Endpoint Notification messages in pop-up dialogue boxes for users are listed in the Enforce server in the response rule configuration page, for example:
Resolution
Response Action Variables
The response action variables are different for Network Monitor, Endpoint/Network Prevent and for Discover incidents. The following sections list the variables for each type of incident.
General incident variables
The following general variables are available for all incident types:
|
$APPLICATION_NAME$ |
Specifies the name of the application that is associated with the incident. |
|
$ATTACHMENT_FILENAME$ |
Specifies the name of the attached file. |
|
$BLOCKED$ |
Indication of whether or not Symantec Data Loss Prevention blocked the message (yes or no). |
|
$DESTINATION_IP$ |
Specifies the destination IP address. |
|
$INCIDENT_ID$ |
The unique identifier of the incident. |
|
$INCIDENT_SNAPSHOT$ |
The fully qualified URL to the incident snapshot page for the incident. |
|
$MATCH_COUNT$ |
The incident match count. |
|
$OCCURED_ON$ |
Specifies the date on which the incident occurred. This date may be different than the date the incident was reported. |
|
$POLICY$ |
The name of the policy that was violated. |
|
$POLICY_RULES$ |
A comma-separated list of one or more policy rules that were violated. |
|
$PROTOCOL$ |
The protocol, device type, and target type of the incident, where applicable. |
|
$RECIPIENTS$ |
A comma-separated list of one or more message recipients. Includes the requested URL in web incidents |
|
$REPORTED_ON$ |
Specifies the date on which the incident was reported. |
|
$MONITOR_NAME$ |
Specifies the detection server or cloud detector that created the incident. |
|
$SENDER$ |
The message sender. |
|
$SEVERITY$ |
The severity that is assigned to incident. |
|
$STATUS$ |
Specifies the remediation status of the incident. |
|
$SUBJECT$ |
The subject of the message. |
|
$URL$ |
Specifies the file path or location. |
Endpoint incident variables
The following Endpoint incident variables are available:
|
$APPLICATION_USER$ |
The name of the application user. |
|
$DATAOWNER_NAME$ |
The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins. Reports can automatically be sent to the data owner for remediation. |
|
$DATAOWNER_EMAIL$ |
The email address of the person responsible for remediating the incident. This field can be set manually, or with one of the lookup plug-ins. |
|
$ENDPOINT_LOCATION$ |
The location of the endpoint computer. |
|
$ENDPOINT_MACHINE$ |
The name of the endpoint computer that generated the violation. |
|
$ENDPOINT_USER_NAME$ |
The name of the endpoint user. |
|
$MACHINE_IP$ |
The corporate IP address of the endpoint computer. |
|
$USER_JUSTIFICATION$ |
The justification that was provided by the endpoint user. |
Network Monitor and Network Prevent incident variables
The following Network Monitor and Network Prevent variables are available:
|
$DATAOWNER_NAME$ |
The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins. Reports can automatically be sent to the data owner for remediation. |
|
$DATAOWNER_EMAIL$ |
The email address of the person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins. |
Discover incident variables
The following Network Discover/Cloud Storage Discover and Network Protect incident variables are available:
|
$DATAOWNER_NAME$ |
The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins. Reports can automatically be sent to the data owner for remediation. |
|
$DATAOWNER_EMAIL$ |
The email address of the person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins. |
|
$ENDPOINT_MACHINE$ |
The name of the endpoint computer that generated the violation. |
|
$PATH$ |
The full path to the file in which the incident was found. |
|
$FILE_NAME$ |
The name of the file in which the incident was found. |
|
$PARENT_PATH$ |
The path to the parent directory of the file in which the incident was found. |
|
$QUARANTINE_PARENT_PATH$ |
The path to the parent directory in which the file was quarantined. |
|
$SCAN_DATE$ |
The date of the scan that found the incident. |
|
$TARGET$ |
The name of the target in which the incident was found. |
Feedback
