You have a response rule that does not seem to be reporting into Splunk correctly. The data being sent to Splunk does not match the custom attributes assigned.
How do I find out what the DLP attribute number is so I can fix the message being sent to Splunk?
Example:
endpoint_user_id=$ATTRIBUTE_17$,endpoint_user_department=$ATTRIBUTE_18$,endpoint_user_email=$SENDER$,endpoint_user_phone=$ATTRIBUTE_8$
When you click on Lookup, the attributes load, but the information sent to Splunk does not correspond to endpoint_user_phone=$ATTRIBUTE_8$ or endpoint_user_id=$ATTRIBUTE_17$.
Release : 15.8
The attribute number used in the syslog response rule does not match the index of the attribute on Enforce: in this case the attribute is number 7, so the rule must reference $ATTRIBUTE_7$, not $ATTRIBUTE_17$. To find the index of each custom attribute:
Click on System=>Incident Data=>Attributes
Hover your mouse over one of the attributes. The link target shown in the bottom left corner of the browser (the status bar) contains the number assigned to that attribute, for example:
javascript:editCustomAttribute("7")
The number on Enforce must match the number you enter in the syslog message, for example:
endpoint_user_id=$ATTRIBUTE_7$,
Alternatively, search for any incident that has the attributes populated and hover over the attribute in the incident; the status bar again shows the number assigned to that attribute.
Example: javascript:incidentReportByAttribute("13","rsanchez","NETWORK");
In this case the custom attribute in the syslog message must be referenced as endpoint_username=$ATTRIBUTE_13$ (note the underscore: a reference without it, such as $ATTRIBUTE13$, does not match the form used elsewhere in the rule and will not pick up the attribute).
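The following is an added example, not part of this article or of the DLP product, that checks a syslog response rule message against the attribute numbers read from the Attributes page before the rule is saved. It flags a $ATTRIBUTE_N$ whose number does not exist on Enforce, flags malformed references such as $ATTRIBUTE13$ that would be sent literally, shows which Enforce attribute each field pulls from, and renders the message for one incident. The attribute numbers, names and incident values are constructed for the example; how Enforce itself treats a reference to a non-existent number is not covered by the article, so the simulation simply leaves such a token unchanged so that it stands out.

```python
import re

# Constructed sample of the attribute number -> name mapping as read from
# System > Incident Data > Attributes (the number is the one shown in the
# status bar when hovering an attribute). These values are made up.
ENFORCE_ATTRIBUTES = {
    7: "Employee ID",
    8: "Phone",
    13: "Username",
    18: "Department",
}

# Constructed sample incident: built-in variables by name, custom attributes by number.
SAMPLE_INCIDENT = {
    "SENDER": "rsanchez@example.com",
    7: "E12345",
    8: "555-0100",
    13: "rsanchez",
    18: "Finance",
}

ATTR_RE = re.compile(r"\$ATTRIBUTE_(\d+)\$")      # well-formed custom attribute reference
BUILTIN_RE = re.compile(r"\$([A-Z]+)\$")           # built-in variables such as $SENDER$
# Tokens that look like attribute references but will not be substituted:
# missing underscore ($ATTRIBUTE13$) or missing closing dollar ($ATTRIBUTE_13,)
MALFORMED_RE = re.compile(r"\$ATTRIBUTE\d+\$|\$ATTRIBUTE_\d+(?![\d$])")


def check_template(template, attributes=ENFORCE_ATTRIBUTES):
    """Return a list of problems found in a syslog response rule message.

    A problem is a $ATTRIBUTE_N$ whose number N is not assigned on Enforce,
    or a token that looks like an attribute reference but is malformed.
    """
    problems = []
    for m in ATTR_RE.finditer(template):
        idx = int(m.group(1))
        if idx not in attributes:
            problems.append(f"{m.group(0)}: no custom attribute with index {idx}")
    for m in MALFORMED_RE.finditer(template):
        problems.append(f"{m.group(0)}: malformed reference, sent to Splunk literally")
    return problems


def field_map(template, attributes=ENFORCE_ATTRIBUTES):
    """Map each key=value field of the message to the Enforce attribute name it pulls from."""
    mapping = {}
    for field in template.split(","):
        key, _, value = field.partition("=")
        m = ATTR_RE.fullmatch(value.strip())
        mapping[key.strip()] = attributes.get(int(m.group(1)), "<missing>") if m else value.strip()
    return mapping


def render(template, incident=SAMPLE_INCIDENT):
    """Simulate the message emitted for one incident.

    An unresolved reference is left as the literal token so it is visible in
    the output; this is a choice of the simulation, not documented Enforce behaviour.
    """
    out = ATTR_RE.sub(lambda m: incident.get(int(m.group(1)), m.group(0)), template)
    return BUILTIN_RE.sub(lambda m: incident.get(m.group(1), m.group(0)), out)


if __name__ == "__main__":
    # Message from the problem description (endpoint_user_id uses the wrong number)
    broken = ("endpoint_user_id=$ATTRIBUTE_17$,endpoint_user_department=$ATTRIBUTE_18$,"
              "endpoint_user_email=$SENDER$,endpoint_user_phone=$ATTRIBUTE_8$")
    # Same message after correcting the number to the one shown on the Attributes page
    fixed = broken.replace("$ATTRIBUTE_17$", "$ATTRIBUTE_7$")
    for name, tpl in (("broken", broken), ("fixed", fixed)):
        print(name, check_template(tpl) or "OK")
        print("  fields:", field_map(tpl))
        print("  sample:", render(tpl))
```

Running the script prints one problem for the original message (index 17 is not assigned) and "OK" for the corrected one; the rendered sample line is what you would expect to see arrive in Splunk for the constructed incident.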