What Variables can be used within Response Rules?

book

Article ID: 160621

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Whether you setup a response rule for email notification or send a notification to a syslog server, you can set up response action variables to pass incident specific data. What are these Response Action Variables?

Resolution

 

Response Action Variables

The response action variables are different for Network Monitor, Endpoint/Network Prevent and for Discover incidents. The following sections list the variables for each type of incident.

 

General incident variables

The following general variables are available for all incident types:

$APPLICATION_NAME$

Specifies the name of the application that is associated with the incident.

$ATTACHMENT_FILENAME$

Specifies the name of the attached file.

$BLOCKED$

Indication of whether or not Symantec Data Loss Prevention blocked the message (yes or no).

$DESTINATION_IP$

Specifies the destination IP address.

$INCIDENT_ID$

The unique identifier of the incident.

$INCIDENT_SNAPSHOT$

The fully qualified URL to the incident snapshot page for the incident.

$MATCH_COUNT$

The incident match count.

$OCCURED_ON$

Specifies the date on which the incident occurred. This date may be different than the date the incident was reported.

$POLICY$

The name of the policy that was violated.

$POLICY_RULES$

A comma-separated list of one or more policy rules that were violated.

$PROTOCOL$

The protocol, device type, and target type of the incident, where applicable.

$RECIPIENTS$

A comma-separated list of one or more message recipients. Includes the requested URL in web incidents

$REPORTED_ON$

Specifies the date on which the incident was reported.

$MONITOR_NAME$

Specifies the detection server or cloud detector that created the incident.

$SENDER$

The message sender.

$SEVERITY$

The severity that is assigned to incident.

$STATUS$

Specifies the remediation status of the incident.

$SUBJECT$

The subject of the message.

$URL$

Specifies the file path or location.

 

Endpoint incident variables

The following Endpoint incident variables are available:

$APPLICATION_USER$

The name of the application user.

$DATAOWNER_NAME$

The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins.

Reports can automatically be sent to the data owner for remediation.

$DATAOWNER_EMAIL$

The email address of the person responsible for remediating the incident. This field can be set manually, or with one of the lookup plug-ins.

$ENDPOINT_LOCATION$

The location of the endpoint computer.

$ENDPOINT_MACHINE$

The name of the endpoint computer that generated the violation.

$ENDPOINT_USER_NAME$

The name of the endpoint user.

$MACHINE_IP$

The corporate IP address of the endpoint computer.

$USER_JUSTIFICATION$

The justification that was provided by the endpoint user.

 

Network Monitor and Network Prevent incident variables

The following Network Monitor and Network Prevent variables are available:

$DATAOWNER_NAME$

The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins.

Reports can automatically be sent to the data owner for remediation.

$DATAOWNER_EMAIL$

The email address of the person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins.

 

Discover incident variables

The following Network Discover/Cloud Storage Discover and Network Protect incident variables are available:

$DATAOWNER_NAME$

The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins.

Reports can automatically be sent to the data owner for remediation.

$DATAOWNER_EMAIL$

The email address of the person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins.

$ENDPOINT_MACHINE$

The name of the endpoint computer that generated the violation.

$PATH$

The full path to the file in which the incident was found.

$FILE_NAME$

The name of the file in which the incident was found.

$PARENT_PATH$

The path to the parent directory of the file in which the incident was found.

$QUARANTINE_PARENT_PATH$

The path to the parent directory in which the file was quarantined.

$SCAN_DATE$

The date of the scan that found the incident.

$TARGET$

The name of the target in which the incident was found.