Whether you set up a response rule that sends an email notification or one that sends a notification to a syslog server, you can use response action variables in the message to pass incident-specific data.
The response action variables available for Monitor/Prevent incidents differ from those for Discover incidents. The following sections list the variables for each type of incident.
Monitor/Prevent Incidents
$BLOCKED$ – Indication of whether or not the message was blocked by the Symantec Data Loss Prevention system (yes or no).
$INCIDENT_ID$ – The ID of the incident.
$INCIDENT_SNAPSHOT$ – The fully qualified URL of the Incident Snapshot page for the incident.
$MATCH_COUNT$ – The incident match count.
$POLICY$ – The name of the policy that was violated.
$RECIPIENTS$ – A comma-separated list of one or more message recipients.
$RULES$ – A comma-separated list of one or more policy rules that were violated.
$SENDER$ – The message sender.
$SEVERITY$ – The severity assigned to the incident.
$SUBJECT$ – The subject of the message.
Discover Incidents
$FILE_NAME$ – The name of the file in which the incident was found.
$INCIDENT_ID$ – The ID of the incident.
$MATCH_COUNT$ – The incident match count.
$PARENT_PATH$ – The path to the parent directory of the file in which the incident was found.
$PATH$ – The full path to the file in which the incident was found.
$POLICY$ – The name of the policy that was violated.
$RULES$ – A comma-separated list of one or more policy rules that were violated.
$QUARANTINE_PARENT_PATH$ – The path to the parent directory to which the file was quarantined.
$SCAN$ – The date of the scan that found the incident.
$SEVERITY$ – The severity assigned to the incident.
$TARGET$ – The name of the target in which the incident was found.
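The following is an added example and is not Symantec's code or part of this page. It assumes a syslog 'Message' template laid out as pipe-delimited key=value pairs built from the variables listed above (the template layout, the field names, and the sample incident values, including the snapshot URL, are all assumptions made for the example). It shows two things a practitioner needs when these messages feed a SIEM: how the $NAME$ tokens are substituted, and how to parse the result safely when some variables ($SENDER$, $RECIPIENTS$, $SUBJECT$, $PATH$) carry text chosen by the person who sent the mail or named the file.

```python
import re

# Added example, not Symantec code.  The two templates are ASSUMED 'Message' bodies
# typed into a syslog response rule, built from the variables listed above; the DLP
# server substitutes each $NAME$ token when an incident fires.  The free-text
# variable ($SUBJECT$ or $PATH$) is placed last on purpose: a '|' or 'policy='
# typed into a mail subject or file name then cannot forge one of the fixed fields.
MONITOR_TEMPLATE = (
    "DLP|type=network|id=$INCIDENT_ID$|policy=$POLICY$|severity=$SEVERITY$"
    "|blocked=$BLOCKED$|matches=$MATCH_COUNT$|sender=$SENDER$"
    "|recipients=$RECIPIENTS$|rules=$RULES$|url=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$"
)
DISCOVER_TEMPLATE = (
    "DLP|type=discover|id=$INCIDENT_ID$|policy=$POLICY$|severity=$SEVERITY$"
    "|matches=$MATCH_COUNT$|scan=$SCAN$|target=$TARGET$|rules=$RULES$"
    "|quarantine=$QUARANTINE_PARENT_PATH$|path=$PATH$"
)

TOKEN = re.compile(r"\$([A-Z_]+)\$")
LIST_FIELDS = {"recipients", "rules"}                   # comma-separated on the page
FREE_TEXT = {"network": "subject", "discover": "path"}  # trailing field per type


def render(template, values):
    """Substitute $NAME$ tokens as the response rule does.  Unknown tokens are left
    verbatim so a misspelled variable shows up in the log instead of vanishing."""
    return TOKEN.sub(lambda m: str(values.get(m.group(1), m.group(0))), template)


def parse(line):
    """Turn a rendered message back into a dict a SIEM rule can key on."""
    if not line.startswith("DLP|type="):
        raise ValueError("not a DLP response-rule message")
    kind = line.split("|", 2)[1].split("=", 1)[1]
    tail_key = FREE_TEXT[kind]
    # Split once at the real free-text marker; everything after it, delimiters
    # included, belongs to that field and is never re-parsed as key=value pairs.
    head, sep, tail = line.partition("|" + tail_key + "=")
    if not sep:
        raise ValueError("missing %s field" % tail_key)
    out = {}
    for pair in head.split("|")[1:]:
        key, _, val = pair.partition("=")
        if key in LIST_FIELDS:
            out[key] = [v.strip() for v in val.split(",") if v.strip()]
        else:
            out[key] = val
    out[tail_key] = tail
    out["matches"] = int(out["matches"])
    if "blocked" in out:
        out["blocked"] = out["blocked"].lower() == "yes"  # 'yes' / 'no' per the page
    return out


# Constructed sample incidents (not real data); the snapshot URL is made up.
NETWORK_INCIDENT = {
    "INCIDENT_ID": 4711, "POLICY": "PCI Cardholder Data", "SEVERITY": "High",
    "BLOCKED": "yes", "MATCH_COUNT": 3, "SENDER": "alice@example.com",
    "RECIPIENTS": "bob@example.net, carol@example.org",
    "RULES": "Credit Card Numbers, Keyword: confidential",
    "INCIDENT_SNAPSHOT": "https://dlp.example.com/incident/4711",
    # A subject crafted by the sender to look like extra fields.
    "SUBJECT": "Q3 numbers|policy=Harmless|blocked=no",
}
DISCOVER_INCIDENT = {
    "INCIDENT_ID": 4712, "POLICY": "PCI Cardholder Data", "SEVERITY": "Medium",
    "MATCH_COUNT": 12, "SCAN": "2024-01-15", "TARGET": "Finance file share",
    "RULES": "Credit Card Numbers", "QUARANTINE_PARENT_PATH": r"\\quarantine\finance",
    "PATH": r"\\fileserver\finance\Q3|policy=Harmless.xlsx",
}


def network_example():
    return parse(render(MONITOR_TEMPLATE, NETWORK_INCIDENT))


def discover_example():
    return parse(render(DISCOVER_TEMPLATE, DISCOVER_INCIDENT))


if __name__ == "__main__":
    for template, incident in ((MONITOR_TEMPLATE, NETWORK_INCIDENT),
                               (DISCOVER_TEMPLATE, DISCOVER_INCIDENT)):
        msg = render(template, incident)
        print(msg)
        print(parse(msg))
```

The crafted subject in the sample still parses as a single subject string, and the policy and blocked fields keep their real values. Only the final field is protected by this layout, so keep the fields your alerts key on (incident ID, policy, severity, blocked) ahead of every variable derived from the message or file, and treat $SENDER$ and $RECIPIENTS$ with the same suspicion as $SUBJECT$ if your parser splits on a character a mail header can contain.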
Here is an example of the variables for Endpoint Prevent incidents.
Create a response rule that logs to a syslog server and, in the 'Message' section, enter all of the variables listed under 'Monitor/Prevent Incidents'.
When an incident is generated, the syslog message looks like this: