How to resolve custom attributes from a macOS Endpoint incident

Article ID: 371485

Products

Data Loss Prevention Core Package

Issue/Introduction

You are using the LDAP custom attribute lookup plugin, and it works fine for Endpoint incidents generated on Windows machines. It does not work, however, for incidents generated by macOS endpoints.

Environment

Endpoints on macOS (any version). 

Cause

The value of the built-in User attribute of a macOS Endpoint incident (the value the $endpoint-user-name$ lookup parameter carries) may follow a different syntax than it does in Windows incidents. A Windows Endpoint incident usually has a User value of the form:

DOMAIN\username

A macOS Endpoint incident, however, may have a User value of the form:

DOMAIN\e-mail address (e.g. DOMAIN\user@example.com)

The lookups fail for the macOS incidents because the LDAP Lookup Plugin was very likely defined with a filter like the following (a single example line from an LDAP Lookup Plugin definition):

attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):givenName


With that definition, the lookup plugin uses the following search criteria joined with an OR:

-LDAP attribute mail is equal to the Sender attribute (used by Network incidents)

-LDAP attribute sAMAccountName is equal to the File Owner attribute (used by Discover incidents)

-LDAP attribute sAMAccountName is equal to the User attribute (used by Endpoint incidents)

-LDAP attribute sAMAccountName is equal to a custom attribute HTTPUserName (which is most likely returned by a Script plugin chained with the LDAP plugin)

As a result, when the User value is an e-mail address rather than a login name, none of the OR'd conditions can match: sAMAccountName holds the login name and will practically never contain an e-mail address, and the mail attribute is only compared against $sender-email$, which is populated on Network incidents, not Endpoint ones.

Resolution

Modify the LDAP Lookup Plugin definition as in the example below, which is the line shown above with one additional search condition appended:

attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)(mail=$endpoint-user-name$)):givenName


This adds an additional OR'd LDAP search condition, which is:

-LDAP attribute mail is equal to the User attribute

Make that change to all lines in the plugin definition which follow that same pattern and use built-in incident attributes to pull values from the LDAP directory. 

As a result, the LDAP Lookup Plugin should now be able to find the corresponding entry in the directory and populate the custom attributes. 
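To make the Cause and Resolution above concrete, the following Python model (added to this article; it is not Symantec's plugin code) shows how a mapping line of the form shown above is turned into an LDAP filter from an incident's attributes and evaluated against a directory. It runs the original and the corrected mapping line against a Windows-style and a macOS-style User value. The directory entries, the two incidents, the parsing of the mapping line and the RFC 4515 escaping of substituted values are this example's own assumptions; the article does not describe how the real plugin parses or escapes anything.

```python
"""
Toy model of how an LDAP Lookup Plugin mapping line becomes an LDAP search
filter and why a DOMAIN\\e-mail User value fails the original filter.
Added example, not the product's code; directory and incidents are constructed.
"""
import re

# The two mapping lines from the article: original and corrected.
BEFORE_LINE = (r"attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)"
               r"(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):givenName")
AFTER_LINE = (r"attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)"
              r"(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)"
              r"(mail=$endpoint-user-name$)):givenName")

# Constructed AD-style directory entries (assumption of this example).
DIRECTORY = [
    {"sAMAccountName": "jsmith", "mail": "jsmith@example.com", "givenName": "John"},
    {"sAMAccountName": "adoe", "mail": "adoe@example.com", "givenName": "Alice"},
]

# Constructed Endpoint incidents: only the User attribute ($endpoint-user-name$)
# is present; sender-email, file-owner and HTTPUserName are not populated.
WINDOWS_INCIDENT = {"endpoint-user-name": r"CORP\jsmith"}
MACOS_INCIDENT = {"endpoint-user-name": r"CORP\jsmith@example.com"}

# RFC 4515 escapes for values placed into a filter. Whether and how the real
# plugin escapes substituted values is not described by the article.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot add or close filter terms."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    """Reverse RFC 4515 \\XX escapes (used by the toy evaluator)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_mapping(line: str):
    """Split 'attr.<name> =:<filter>:<ldap attribute>' into its three parts."""
    name, rest = line.split(" =:", 1)
    filter_template, ldap_attr = rest.rsplit(":", 1)
    return name[len("attr."):].replace("\\ ", " "), filter_template, ldap_attr


def strip_domain(value: str) -> str:
    """Drop a leading 'DOMAIN\\' prefix, as Enforce does for the Endpoint User value."""
    return value.split("\\", 1)[1] if "\\" in value else value


def build_filter(template: str, incident: dict) -> str:
    """Replace each $param$ with the escaped incident value; missing params become empty."""
    def substitute(m):
        param = m.group(1)
        raw = incident.get(param, "")
        if param == "endpoint-user-name":
            raw = strip_domain(raw)
        return escape_filter_value(raw)
    return re.sub(r"\$([A-Za-z0-9_-]+)\$", substitute, template)


def search(directory, ldap_filter: str):
    """Toy evaluator: one-level OR of equality terms, case-insensitive like AD."""
    terms = [(a, _unescape(v)) for a, v in re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)]
    return [e for e in directory
            if any(v and e.get(a, "").lower() == v.lower() for a, v in terms)]


def resolve(line: str, incident: dict, directory=DIRECTORY):
    """Return (custom attribute name, resolved value); value is None without a unique hit."""
    name, template, ldap_attr = parse_mapping(line)
    hits = search(directory, build_filter(template, incident))
    return name, (hits[0][ldap_attr] if len(hits) == 1 else None)


if __name__ == "__main__":
    for label, line in (("before", BEFORE_LINE), ("after", AFTER_LINE)):
        for platform, incident in (("Windows", WINDOWS_INCIDENT), ("macOS", MACOS_INCIDENT)):
            name, value = resolve(line, incident)
            print(f"{label:6} {platform:7} {name} = {value}")
```

Running it shows the original line resolving First Name for the Windows incident only, and the corrected line resolving it for both, because the appended (mail=$endpoint-user-name$) term is the only one that can match a domain-stripped e-mail address. The escaping helper is included because every $param$ value comes from the incident, i.e. from endpoint-supplied data, and a filter built by string substitution should not let such a value add or close terms.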

Additional Information

NOTE: for Endpoint incidents, Enforce strips the 'DOMAIN\' portion of the User attribute and uses only what follows it for the LDAP search, so it is the bare e-mail address, not DOMAIN\e-mail address, that is compared with the mail attribute.

For more details on how to set up an LDAP Lookup Plugin, see below documentation:

Configuring LDAP Lookup Plug-Ins

Mapping attributes to LDAP data

LDAP Lookup Plug-In tutorial

Attribute mapping examples for LDAP