Skip to content

Endpoint Protector DLP

Endpoint Protector DLP

About

Discover, monitor, and protect your sensitive data with Endpoint Protector’s advanced multi-OS data loss prevention.

Product Details

Vendor URL: Endpoint Protector DLP

Product Type: DLP

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Endpoint Protector Integration guide

Admin Guide: Endpoint Protector DLP User Guigde

Parser Details

Log Format: Syslog

Expected Normalization Rate: near 90%

Data Label: ENDPOINT_PROTECTOR_DLP

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
kv.Client_Computer principal.hostname
kv.Client_User principal.user.user_display_name
kv.Content_Policy security_result.rule_set
kv.Destination target.asset.hostname
kv.Destination_Type target.resource_ancestors.resource_subtype
kv.Device target.asset.hostname
kv.Device_PID target.asset.product_object_id
kv.Device_Serial target.asset.hardware.serial_number
kv.Device_Serial target.asset.mac
kv.Device_Type target.asset.category
kv.Device_Type target.asset.type
kv.Device_VID target.resource.product_object_id
kv.EPP_Client_Version metadata.product_version
kv.File_Hash src.file.sha1
kv.File_Name src.file.full_path
kv.File_Size src.file.size
kv.File_Type src.file.file_type
kv.IP_Address principal.ip
kv.Log_ID metadata.product_log_id
kv.MAC_Address principal.mac
kv.Matched_Item principal.user.email_addresses
kv.Serial_Number principal.asset.hardware.serial_number
meta_prod_type metadata.product_event_type
meta_summary metadata.description
obersever observer.hostname
obersever_id observer.user.group_identifiers
observer_ip observer.ip

Product Event Types

Event UDM Event Classification
All GENERIC_EVENT

Log Sample

960 <129>1 2022-12-15T12:12:12-06:00 eppserver EPP-company.com 12345 - - EPP IP - 10.10.10.1 - Device Control - File ReaX: [Log ID] abcdec971017bf123da22d8f3e212345 | [Event Name] File Read | [Client Computer] USER-123456 | [IP Address] 10.10.1.2 | [MAC Address] a1-2b-3c-4d-5e-6f | [Serial Number] ABCD123 | [Client User] Jane Doe | [Device Type] USB Storage Device | [Device] Example USB Storage Device | [Device VID] ab1 | [Device PID] cd23 | [Device Serial] 00000000ABCD123 | [EPP Client Version] 5.6.3.1 | [File Name] X:/SampleFolder/SampleFile.pptx | [File Hash]  | [File Type] Microsoft PowerPoint Presentation | [File Size] 1234567 | [Justification]  | [Time Interval]  | [Date/Time(Server)] 2022-12-12 12:12:12 | [Date/Time(Client)] 2022-12-12 12:12:12 | [Date/Time(Server UTC)] 2022-12-15T12:12:12Z | [Date/Time(Client UTC)] 2022-12-15T12:12:12Z

Sample Parsing

metadata.product_log_id = "abcdec971017bf123da22d8f3e212345"
metadata.event_type = "GENERIC_EVENT"
metadata.product_version = "5.6.3.1"
metadata.product_event_type = "File Read"
metadata.description = "Device Control"
principal.hostname = "USER-123456"
principal.user.user_display_name = "Jane Doe"
principal.asset.hardware.serial_number = "00000000ABCD123"
principal.asset.ip = "10.10.1.2"
principal.asset.mac = "a1:2b:3c:4X:5e:6f"
src.file.size = 1234567
src.file.full_path = "X:/SampleFolder/SampleFile.log"
src.file.file_type = FILE_TYPE_PPTX
target.asset.product_object_id = "cd23"
target.asset.hostname = "Example USB Storage Device"
target.asset.hardware.serial_number = "00000000ABCD123"
target.asset.category = "USB Storage Device"
target.resource.product_object_id = "ab1"
observer.hostname = "EPP-company.com"
observer.user.group_identifiers = "12345"
ip: "10.10.10.1"

Parser Alerting

This product currently does not have any Parser-based Alerting