Attributes are defined in LDAP for a given user that change their "send as" email address.
Custom Attributes do not populate.
Because the sender email is not the same as the value of the mail attribute for the user, the default LDAP lookups will not work out-of-the-box.
The Administration Guide for DLP specifies the following string as an example for an LDAP lookup string:
attr.CustomAttributeName = search_base:(search_filter=$variable$):ldapAttribute
For additional context, here are the ownership qualities for each section of that string:
| attr.CustomAttributeName | This is a DLP attribute |
| search_base | This is an LDAP value* |
| search_filter= | This is an LDAP value |
| $variable$ | This is a DLP variable |
| ldapAttribute | This is an LDAP value |
*This value, if entered, will be appended to the search base defined in the directory connection.
Furthermore, the Administration Guide states, “In cases where multiple plug-ins are chained together, the parameter might be a variable that is passed to the LDAP Lookup Plug-In by a previous plug-in.”
To implement an LDAP Lookup Plug-In
UserEmail
Name: LDAP Lookup Plug-in 0
Description: Description for the LDAP Plug-in.
attr.UserEmail=:(targetAddress=$sender-email$):mail
The end result will be a new custom attribute, located on the right-hand side of the incident snapshot, where the sender address == UserEmail.
Example:
attr.UserEmail=cn=users:(targetAddress=$sender-email$):mail
attr.First\ Name=:(mail=$UserEmail$):givenName
attr.Last\ Name=:(mail=$UserEmail$):sn
NOTE: In cases where the sender-email is not contained in the incident, e.g. Endpoint incidents not from the Outlook channel, you can use the mapping below:
attr.UserEmail=:(sAMAccountName=$endpoint-user-name$):mail
attr.First\ Name=:(mail=$UserEmail$):givenName
attr.Last\ Name=:(mail=$UserEmail$):sn
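
The chained mappings above can be checked offline before they are entered in the plug-in. The following Python sketch is an added example, not code from the DLP product or its Administration Guide: it parses the mapping syntax shown on this page, verifies that every $variable$ is defined before it is used, and simulates the lookups against an in-memory directory. The function names, the sample directory entry and the example.com addresses are assumptions constructed for illustration.

```python
import re

# Grammar from the page: attr.Name=search_base:(search_filter=$variable$):ldapAttribute
MAPPING = re.compile(
    r"^attr\.(?P<name>(?:\\ |[^=\s])+)\s*=\s*(?P<base>[^:]*):"
    r"\((?P<filter_attr>[^=()]+)=\$(?P<var>[^$]+)\$\):(?P<ldap_attr>\S+)$")

def parse_mapping(line):
    m = MAPPING.match(line.strip())
    if not m:
        raise ValueError(f"not a lookup mapping: {line!r}")
    d = m.groupdict()
    d["name"] = d["name"].replace("\\ ", " ")  # "First\ Name" -> "First Name"
    d["base"] = d["base"].strip()              # may be empty, as in "=:(...)"
    return d

def check_chain(lines, incident_vars):
    """Each $variable$ must be an incident variable or set by an earlier line."""
    known, problems = set(incident_vars), []
    for n, line in enumerate(lines, 1):
        m = parse_mapping(line)
        if m["var"] not in known:
            problems.append(f"line {n}: ${m['var']}$ is not defined before use")
        known.add(m["name"])
    return problems

def resolve(lines, incident, directory):
    """Simulate the chained lookups on a list of dict entries (search_base ignored)."""
    values = dict(incident)
    for line in lines:
        m = parse_mapping(line)
        key = values.get(m["var"])
        hit = next((e for e in directory if key is not None
                    and e.get(m["filter_attr"], "").lower() == key.lower()), None)
        values[m["name"]] = hit.get(m["ldap_attr"]) if hit else None
    return {k: v for k, v in values.items() if k not in incident}

# Constructed sample data (not from the page); the mappings are the page's own.
DIRECTORY = [{"sAMAccountName": "jdoe", "mail": "jane.doe@example.com",
              "targetAddress": "sales@example.com", "givenName": "Jane", "sn": "Doe"}]
CHAIN = [r"attr.UserEmail=:(targetAddress=$sender-email$):mail",
         r"attr.First\ Name=:(mail=$UserEmail$):givenName",
         r"attr.Last\ Name=:(mail=$UserEmail$):sn"]

if __name__ == "__main__":
    print(check_chain(CHAIN, {"sender-email"}))
    print(resolve(CHAIN, {"sender-email": "sales@example.com"}, DIRECTORY))
```

Running a filter of (mail=$sender-email$) through the same simulation returns no match for the "send as" address, which reproduces the unpopulated custom attribute described at the top of this page.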