Channel: Symantec Connect - Products - Discussions

Lookup Plugins Fail when File Quarantined (Discover) BUT work when Quarantine Fails

I need a solution

The title is a bit weird, so I'll explain--

I am using Lookup Plugins in the following manner to support incident analysis: 

1. Data Insight lookup plugin, for inferred ownership data,

2. the Python plugin called "script-lookup.py," for mapping the DI data ownership name to its counterpart in AD, 

3. and the LDAP plugin. 

For endpoint DLP and network prevent (email), the LDAP plugin works as expected, and successfully pulls data from AD.  No issues there, which to me validates a correctly configured LDAP plugin.

However, things get weird when doing Discover scans.  The plugins pull NO data; not even the LDAP plugin.  In turning up the logging for the Tomcat logs (log named as "localhost.[year-month-day]") by modifying the "ManagerLogging.properties" such that I can get more verbose logging for the plugin framework (changed from INFO to FINER), I am able to see that in these cases, "null" is being pulled for all attributes.  So I figured maybe I've incorrectly defined my custom attributes and perhaps didn't map them correctly.  In exhausting my review of syntax, case sensitivity, and mapping, I cannot find an issue. 

In working something else related to auto-quarantining sensitive files for discover scanning, I made a chance discovery.  If I do anything to cause the auto-quarantining to fail upon a Discover incident (this KB here outlines an easy issue to replicate for this purpose -- https://support.symantec.com/en_US/article.TECH224...), such that I get a "Protect Remediation Error", all of my lookup plugins work!!!  As soon as I fix the issue causing the "Protect Remediation Error," sensitive data will get found and quarantined, but the Lookup plugins begin to pull "null" values again.

This behavior continues to stump me, and even trying "FINEST" to get a more detailed plugin look from the Tomcat logs, I have yet to find a root cause.  Any suggestions or ideas are much appreciated!

Thank you.
