Configuring Custom Attributes to be shown in the Network Monitor Incidents

Article ID: 176448


Products

Data Loss Prevention Network Monitor

Issue/Introduction

There is no default way to configure Custom Attributes for Network Monitor Incidents.

Custom Attributes work fine for Endpoint incidents, but not for Network Monitor incidents.


Environment

Data Loss Prevention (DLP) 15.x

Resolution

  1. Place the attached file "ScriptLookup3.vbs" in a folder on the Enforce Server (e.g., C:\Temp\CustomAttributes)
  2. Go to System > Incident Data > Lookup Plugins
  3. Click on "New Plugin" and select "Script"
    1. For the "Script Command" enter:
      1. c:/windows/system32/cscript.exe
    2. For the "Argument" enter (remember to change the path to the one where you placed the "ScriptLookup3.vbs" file):
      1. /nologo,C:/Temp/CustomAttributes/ScriptLookup3.vbs
    3. Select "Enable stdout" under Options
    4. Save the new configuration
  4. Click on "New Plugin" and select "LDAP"
    1. As an example, you can use the following LDAP query:
      1. attr.First\ Name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):givenName
        attr.Last\ Name=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):sn
        attr.Title=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):title
        attr.Employee\ Code=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):pager
        attr.Email=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):mail
        attr.Business\ Unit=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):department
        attr.Country=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):co
        attr.Phone=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):telephoneNumber
        attr.Mobile=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):mobile
        attr.Region=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):st
        attr.Postal\ Code=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):postalCode
        attr.Address=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):streetAddress
        attr.DName=:(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$)):manager
        attr.Manager\ First\ Name=:(distinguishedName=$DName$):givenName
        attr.Manager\ Last\ Name=:(distinguishedName=$DName$):sn
        attr.Manager\ Email=:(distinguishedName=$DName$):mail
        attr.Manager\ Phone=:(distinguishedName=$DName$):telephoneNumber
        attr.Manager\ Mobile=:(distinguishedName=$DName$):mobile
    2. Save the new lookup after adding the needed information.
  5. Click on "Modify Lookup Plugin Chain" and change the Execution Sequence so that the VBS script plugin runs first and the LDAP plugin runs second.
    1. Enable both by selecting the checkbox under "Dedicated Actions"
  6. Click on "Lookup Parameters" and select:
    1. Incident
    2. Message
    3. Sender
  7. Click on "Reload Plugins"

Remember to create the Attributes as needed.
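
The mapping in step 4 depends on order: the manager lines reference $DName$, which is only filled in by the earlier attr.DName line. The following added example (not part of the original article or the product; `lint_mapping` is a hypothetical helper) checks a mapping before it is pasted into the LDAP plugin and lists the Custom Attributes that must exist. It assumes lines are evaluated top to bottom and that the three variables used in the article's filters are available as lookup parameters.

```python
import re

# Line shape used in the article: attr.<Name>=<search base>:(<filter>):<LDAP attribute>
LINE_RE = re.compile(r"^attr\.([^=]+?)\s*=\s*([^:(]*):\s*(\(.*\))\s*:\s*([\w;-]+)\s*$")
VAR_RE = re.compile(r"\$([^$\s()]+)\$")  # $variable$ references inside a filter

def lint_mapping(text, known_params):
    """Return (custom attribute names in order, list of problems found)."""
    defined, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {n}: not in attr.Name=base:(filter):attribute form")
            continue
        name = m.group(1).replace("\\ ", " ")  # "First\ Name" -> "First Name"
        ldap_filter = m.group(3)
        if ldap_filter.count("(") != ldap_filter.count(")"):
            problems.append(f"line {n}: unbalanced parentheses in filter")
        for var in VAR_RE.findall(ldap_filter):
            # Assumption: a variable must be a lookup parameter or an attribute set on an earlier line
            if var not in known_params and var not in defined:
                problems.append(f"line {n}: ${var}$ is not a lookup parameter or an earlier attribute")
        defined.append(name)
    return defined, problems

# Constructed sample: three lines taken from the article's mapping
FILTER = "(|(sAMAccountName=$endpoint-user-name$)(mail=$sender-email$)(sAMAccountName=$HTTPUserName$))"
GOOD = "\n".join([
    r"attr.First\ Name=:" + FILTER + ":givenName",
    "attr.DName=:" + FILTER + ":manager",
    r"attr.Manager\ Email=:(distinguishedName=$DName$):mail",
])
BAD = "\n".join(reversed(GOOD.splitlines()))  # manager lookup now precedes attr.DName
PARAMS = {"endpoint-user-name", "sender-email", "HTTPUserName"}  # assumed available

if __name__ == "__main__":
    for label, mapping in (("good", GOOD), ("bad", BAD)):
        names, problems = lint_mapping(mapping, PARAMS)
        print(label, "attributes to create:", names)
        for p in problems:
            print("  ", p)
```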

 

Attachments

ScriptLookup3.vbs