Data value is not being populated on Splunk
Article ID: 260478

Products

Data Loss Prevention Network Monitor and Prevent for Email and Web

Issue/Introduction

You have a response rule that does not seem to be reporting into Splunk correctly: the data being sent to Splunk does not match the custom attributes assigned to the incident.

How do I find out what the DLP attribute number is so I can fix the message being sent to Splunk?

Example: 

endpoint_user_id=$ATTRIBUTE_17$,endpoint_user_department=$ATTRIBUTE_18$,endpoint_user_email=$SENDER$,endpoint_user_phone=$ATTRIBUTE_8$

When you click Lookup, the attributes load, but the values arriving in Splunk do not correspond to endpoint_user_phone=$ATTRIBUTE_8$ and/or endpoint_user_id=$ATTRIBUTE_17$.


Environment

Release: 15.8

Cause

The attribute number in the syslog message (for example $ATTRIBUTE_7$) does not match the attribute numbers assigned on Enforce, so the Response Rule for the Syslog server sends the wrong (or empty) values.

Click System => Incident Data => Attributes.

Hover your mouse over one of the Attributes; the bottom left corner of the browser shows the link target, which contains the number assigned to that Attribute:

javascript:editCustomAttribute("7")

The attribute number shown on Enforce must match the attribute number you have entered in the syslog message:

endpoint_user_id=$ATTRIBUTE_7$,

Resolution

Search for any incident that has the attributes populated, then hover over one of the Attributes so you can see its value. The bottom left corner of the browser shows the Attribute number assigned:

Example: javascript:incidentReportByAttribute("13",rsanchez,"NETWORK");

In this case the syslog message must reference that same number for the custom attribute: endpoint_username=$ATTRIBUTE_13$
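The check described above (read the attribute number from the Enforce link, then make sure every $ATTRIBUTE_N$ variable in the syslog message points at the attribute it is supposed to carry) can be done once by hand, but it is easy to get wrong again the next time an attribute is added. The following script is an added example, not code from the article or from Symantec DLP: it takes a constructed attribute table (number to name, as read from the hover links), the intended meaning of each syslog field, and the response rule's message template, then reports mismatches, rewrites the template to the correct numbers, and renders the message with a sample incident to show what Splunk would actually receive. The attribute names, the EXPECTED_FIELDS mapping and the incident values are all assumptions made for the example.

```python
import re

# Constructed sample of the Enforce custom-attribute list (System => Incident Data => Attributes).
# The number is what the hover link javascript:editCustomAttribute("N") shows; names are assumed.
ENFORCE_ATTRIBUTES = {
    "7": "User ID",
    "8": "Phone",
    "13": "Username",
    "18": "Department",
}

# Assumed intent: which Enforce attribute each syslog field is supposed to carry.
EXPECTED_FIELDS = {
    "endpoint_user_id": "User ID",
    "endpoint_user_department": "Department",
    "endpoint_user_phone": "Phone",
}

# The message template from the article. $ATTRIBUTE_17$ is not defined in the
# table above, so endpoint_user_id arrives in Splunk empty.
BAD_TEMPLATE = (
    "endpoint_user_id=$ATTRIBUTE_17$,endpoint_user_department=$ATTRIBUTE_18$,"
    "endpoint_user_email=$SENDER$,endpoint_user_phone=$ATTRIBUTE_8$"
)

# $ATTRIBUTE_N$ captures the number in group 2; built-ins such as $SENDER$ leave it None.
TOKEN_RE = re.compile(r"\$(ATTRIBUTE_(\d+)|[A-Z_]+)\$")


def parse_template(template):
    """Split 'field=value,field=value' into a list of (field, raw value) pairs."""
    pairs = []
    for part in template.split(","):
        field, _, value = part.partition("=")
        pairs.append((field.strip(), value.strip()))
    return pairs


def check_template(template, attributes, expected):
    """Report attribute numbers that do not exist and fields wired to the wrong attribute."""
    problems = []
    for field, value in parse_template(template):
        match = TOKEN_RE.fullmatch(value)
        if not match or match.group(2) is None:
            continue  # literal text or a built-in variable such as $SENDER$
        number = match.group(2)
        name = attributes.get(number)
        if name is None:
            problems.append(f"{field}: $ATTRIBUTE_{number}$ is not defined on Enforce")
        elif field in expected and expected[field] != name:
            problems.append(
                f"{field}: $ATTRIBUTE_{number}$ is '{name}', expected '{expected[field]}'"
            )
    return problems


def fix_template(template, attributes, expected):
    """Rewrite each field in `expected` to the number of the attribute it should carry."""
    number_by_name = {name: number for number, name in attributes.items()}
    fixed = []
    for field, value in parse_template(template):
        wanted = expected.get(field)
        if wanted in number_by_name:
            value = f"$ATTRIBUTE_{number_by_name[wanted]}$"
        fixed.append(f"{field}={value}")
    return ",".join(fixed)


def render(template, incident):
    """Substitute variables with incident values; unknown variables render empty,
    which is the symptom seen on the Splunk side."""
    return TOKEN_RE.sub(lambda m: incident.get(m.group(1), ""), template)


# Constructed incident values keyed by variable name, as the response rule would see them.
SAMPLE_INCIDENT = {
    "ATTRIBUTE_7": "rsanchez",
    "ATTRIBUTE_8": "555-0100",
    "ATTRIBUTE_18": "Sales",
    "SENDER": "rsanchez@example.com",
}

if __name__ == "__main__":
    for problem in check_template(BAD_TEMPLATE, ENFORCE_ATTRIBUTES, EXPECTED_FIELDS):
        print("PROBLEM:", problem)
    print("as configured :", render(BAD_TEMPLATE, SAMPLE_INCIDENT))
    corrected = fix_template(BAD_TEMPLATE, ENFORCE_ATTRIBUTES, EXPECTED_FIELDS)
    print("corrected rule:", corrected)
    print("after the fix :", render(corrected, SAMPLE_INCIDENT))
```

Running it prints one problem (endpoint_user_id pointing at an undefined $ATTRIBUTE_17$), shows the rendered message with an empty endpoint_user_id, and then the rewritten template using $ATTRIBUTE_7$. Keeping the attribute table in version control next to the response-rule template lets you rerun this check whenever someone adds or renumbers a custom attribute on Enforce.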