Your scripted lookup is returning an error for certain types of incident lookups



Article ID: 160456


Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

Parameters passed to a custom script, as defined by Plugins.properties, produce the error below in the IncidentPersister log.

"Warning: The attributes below were stripped from the script arg list as they contain characters that are not permitted."

The error indicates that the incident attributes include a non-permitted character, as described in the following KB:
Warning: The attributes below were stripped from the script arg list as they contain characters that are not permitted (broadcom.com).

Cause

Scripted lookups need to be configured to avoid sending non-permitted characters.

Resolution

This can occur if multiple lookup chains are in place. Verify the list of parameters associated with the lookup plug-ins, which are defined in the properties associated with the plugins in the Enforce Server console.

The base list of defaults includes attachment, incident, message, policy, recipient, sender, server, and status. Each of these properties contains a larger subset of attributes, which can be selected individually. Determine which attributes are essential for lookups, and leave out those that are causing the script to err.

For instance, the "sender" parameter includes a subset with the following attributes:

# sender
#   sender-email
#   sender-ip
#   sender-port
#   endpoint-user-name
#   endpoint-machine-name

If "endpoint-user-name" returns a value containing a disallowed character (such as "WinNT://domain/username"), list the individual attributes you need instead of the whole "sender" group:

com.vontu.api.incident.attributes.AttributeLookup.parameters=sender-email,sender-ip,endpoint-machine-name
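The narrowing step above can be scripted when several parameter lists need the same change. This is an added example, not Broadcom's code: the function names and the sample file content are assumptions, and the group table holds only the "sender" subset listed in this article.

```python
import re

PARAM_KEY = "com.vontu.api.incident.attributes.AttributeLookup.parameters"

# Sub-attributes per group. Only "sender" is listed in the article; add the
# other groups from the comments in your own Plugins.properties as needed.
GROUPS = {
    "sender": ["sender-email", "sender-ip", "sender-port",
               "endpoint-user-name", "endpoint-machine-name"],
}

# Matches the active parameters line only; commented-out copies are ignored.
_LINE = re.compile(r"^(\s*" + re.escape(PARAM_KEY) + r"\s*[=:]\s*)(.*)$")


def narrow(value, exclude):
    """Expand any group holding an excluded attribute, then drop the excluded ones."""
    exclude = set(exclude)
    out = []
    for name in (p.strip() for p in value.split(",")):
        if not name:
            continue
        members = GROUPS.get(name, [])
        # Keep a group name as-is unless one of its members must go.
        expanded = members if exclude & set(members) else [name]
        for attr in expanded:
            if attr not in exclude and attr not in out:
                out.append(attr)
    return ",".join(out)


def rewrite_properties(text, exclude):
    """Return the properties text with only the parameters line rewritten."""
    lines = []
    for line in text.splitlines():
        m = _LINE.match(line)
        lines.append(m.group(1) + narrow(m.group(2), exclude) if m else line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample file content, not taken from a real server.
    sample = "# lookup parameters\n" + PARAM_KEY + "=incident,sender,policy\n"
    print(rewrite_properties(sample, {"endpoint-user-name"}), end="")
```

Excluding both "endpoint-user-name" and "sender-port" from "sender" reproduces the parameter list shown above.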

For more information on disallowed characters, and using scripted lookups, see:

Warning: The attributes below were stripped from the script arg list as they contain characters that are not permitted (broadcom.com).

Additional Information

More information is also available in this Help Center topic:

Implementing and testing lookup plug-ins (broadcom.com)

For an issue where this occurs just after upgrading, see Script Lookup plugin failing after upgrade (broadcom.com).