Endpoint Protector DLP¶
About¶
Discover, monitor, and protect your sensitive data with Endpoint Protector’s advanced multi-OS data loss prevention.
Product Details¶
Vendor URL: Endpoint Protector DLP
Product Type: DLP
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Endpoint Protector Integration guide
Admin Guide: Endpoint Protector DLP User Guigde
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: near 90%
Data Label: ENDPOINT_PROTECTOR_DLP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| kv.Client_Computer | principal.hostname |
| kv.Client_User | principal.user.user_display_name |
| kv.Content_Policy | security_result.rule_set |
| kv.Destination | target.asset.hostname |
| kv.Destination_Type | target.resource_ancestors.resource_subtype |
| kv.Device | target.asset.hostname |
| kv.Device_PID | target.asset.product_object_id |
| kv.Device_Serial | target.asset.hardware.serial_number |
| kv.Device_Serial | target.asset.mac |
| kv.Device_Type | target.asset.category |
| kv.Device_Type | target.asset.type |
| kv.Device_VID | target.resource.product_object_id |
| kv.EPP_Client_Version | metadata.product_version |
| kv.File_Hash | src.file.sha1 |
| kv.File_Name | src.file.full_path |
| kv.File_Size | src.file.size |
| kv.File_Type | src.file.file_type |
| kv.IP_Address | principal.ip |
| kv.Log_ID | metadata.product_log_id |
| kv.MAC_Address | principal.mac |
| kv.Matched_Item | principal.user.email_addresses |
| kv.Serial_Number | principal.asset.hardware.serial_number |
| meta_prod_type | metadata.product_event_type |
| meta_summary | metadata.description |
| obersever | observer.hostname |
| obersever_id | observer.user.group_identifiers |
| observer_ip | observer.ip |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| All | GENERIC_EVENT |
Log Sample¶
960 <129>1 2022-12-15T12:12:12-06:00 eppserver EPP-company.com 12345 - - EPP IP - 10.10.10.1 - Device Control - File ReaX: [Log ID] abcdec971017bf123da22d8f3e212345 | [Event Name] File Read | [Client Computer] USER-123456 | [IP Address] 10.10.1.2 | [MAC Address] a1-2b-3c-4d-5e-6f | [Serial Number] ABCD123 | [Client User] Jane Doe | [Device Type] USB Storage Device | [Device] Example USB Storage Device | [Device VID] ab1 | [Device PID] cd23 | [Device Serial] 00000000ABCD123 | [EPP Client Version] 5.6.3.1 | [File Name] X:/SampleFolder/SampleFile.pptx | [File Hash] | [File Type] Microsoft PowerPoint Presentation | [File Size] 1234567 | [Justification] | [Time Interval] | [Date/Time(Server)] 2022-12-12 12:12:12 | [Date/Time(Client)] 2022-12-12 12:12:12 | [Date/Time(Server UTC)] 2022-12-15T12:12:12Z | [Date/Time(Client UTC)] 2022-12-15T12:12:12Z
Sample Parsing¶
metadata.product_log_id = "abcdec971017bf123da22d8f3e212345"
metadata.event_type = "GENERIC_EVENT"
metadata.product_version = "5.6.3.1"
metadata.product_event_type = "File Read"
metadata.description = "Device Control"
principal.hostname = "USER-123456"
principal.user.user_display_name = "Jane Doe"
principal.asset.hardware.serial_number = "00000000ABCD123"
principal.asset.ip = "10.10.1.2"
principal.asset.mac = "a1:2b:3c:4X:5e:6f"
src.file.size = 1234567
src.file.full_path = "X:/SampleFolder/SampleFile.log"
src.file.file_type = FILE_TYPE_PPTX
target.asset.product_object_id = "cd23"
target.asset.hostname = "Example USB Storage Device"
target.asset.hardware.serial_number = "00000000ABCD123"
target.asset.category = "USB Storage Device"
target.resource.product_object_id = "ab1"
observer.hostname = "EPP-company.com"
observer.user.group_identifiers = "12345"
ip: "10.10.10.1"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon