Hey all. I've been researching this issue for a few weeks and have yet to find an answer to my specific problem. Our environment includes Bluecoat proxies. As you know, Bluecoats use ICAP functions that return a very specific string of information back to DLP. My problem is this: for Network Prevent incidents, the default "Sender" field is populated with "WinNT://"DOMAIN"/"username". I found a thread started by "bob_b" that outlined a script that would use this information for LDAP lookups. My problem is that I need to use that information for a CSV lookup. So, his script, while very impressive, won't work for my particular case. However, I think it's very close. My current script, which is written in Python (which I'm not well versed in, nor am I tied to it in any way) almost works. Attributes are passed to the script properly and are validated, according to the log. The main attribute I am concerned with is "sender-email". I just need to be able to strip everything from the aforementioned string and pass just the username to my CSVLookup and I'll be good to go. (Thankfully, that part works great!) I realize that bob_b's script can lookup via IP, but that won't work for me since we have different IP address schemes for wireless and VPN users. I've attached a portion of a log file that shows what's happening. Can anyone help me out?
Any and all help is much appreciated!
Thanks!
turturici