|
|
|
In the process of Data Loss Prevention, analysis of incidents is essential.
Before you begin, make sure that the severity of rules in the policy is accurate.
While auditing rules in the Logs & Monitor view, use the Follow Up flag. If you find an incident or a set of incidents that you want to fine-tune, or for which you doubt whether the action is best, you can set the Data Type or the rule to Follow Up.
The DLP gateway issues logs for various events.
To open the Logs & Monitor Logs view:
Go to the Logs & Monitor > Logs > Queries > DLP.
The Data Loss Prevention logs are categorized for filtering.
To see more information:
The DLP Log Details window opens, displaying more information about the incident in an easy-to-read format, with links back to the Data Loss Prevention tab in SmartConsole or to specific information on the Data Type.
From the log of a specific incident you can open the actual data that caused the incident. You should not have to review most of the incidents manually, but the original transmission (for example, the email or its attachment) is kept for you if there is a question from the sender or the data owners.
Because personal emails and web posts may be captured and stored for viewing, you must let the users know that this may happen. Failure to do so may cause your organization issues with local privacy laws.
|
Note - To view DLP incidents in the Logs & Monitor view or SmartEvent SmartConsole application on a Windows 7 computer, Microsoft Office 2010 is required. DLP incidents may not show if the incidents (which are in EML file format) are associated with any other application. |
Actions for DLP incidents include:
DLP Action |
Description |
|---|---|
Ask User |
DLP incident captured and put in Quarantine, user asked to decide what to do. |
Do not Send |
User decided to drop transmission that was captured by DLP. An administrator with full permissions or with the View, Release or Discard DLP messages permission can also drop these transmissions. Email notification is sent to the user. |
Send |
User decided to continue transmission after DLP capture. An administrator with full permissions or with the View/Release/Discard DLP messages permission can also decide to continue transmission. Email notification is sent to the user. |
Quarantine Expired |
DLP captured data transmission cannot be sent because the user did not make a decision in time. Expired incidents may still be viewed, until they are deleted (routine cleanup process). |
Prevent |
DLP transmission was blocked. |
Allow |
DLP transmission was allowed; usually by exception to rule. |
Inform User |
DLP transmission was detected and allowed, and user notified. |
Deleted Due To Quota |
DLP incidents are deleted from gateway for disk space. |
DLP incidents can show some or all of these columns and are available to all administrators.
DLP Columns |
Description |
|---|---|
Incident UID |
Unique ID of the incident. |
DLP Action Reason |
Reason for the action. Possible values: Rule Base, Internal Error, Prior User Decision |
Related Incident |
Internal incident ID related to the current log. |
DLP Transport |
Protocol of the traffic of the incident: HTTP, FTP, Email. |
Using the Incident UID as a key between multiple logs:
Each DLP incident has a unique ID included in the log and sent to the user as part of an email notification. User responses (Send, Do not Send) are assigned the same Incident UID that was assigned to the initial DLP incident log.
If a user/administrator sends an email with a DLP violation and then decides to discard it, two logs are generated. The first log is a DLP incident log with Ask User action and is assigned an Incident UID. On the user action, the second log is generated with the same UID, with the Do not Send action.
Each matched Data Type generates its own log. The gateway makes sure that all the Data Type logs of one incident show the same unique Incident UID and rule action (Prevent, Ask, Inform, or Detect). This happens also if Data Types were matched on different rules. The same action shown for an incident is the most restrictive.
For example, in a case that a transmission matches two Data Types. Each Data Type is used in a different rule. The action of one rule is Prevent. The action in the second rule is Detect. The two logs that are generated will show Prevent as the action. The action implemented will be Prevent. The log of the Detect rule will show Rule Base (Action set by different rule) in the DLP Action Reason column.
These columns are restricted to administrators with permissions.
Restricted Filters |
Description |
|---|---|
UserCheck |
|
User Response |
Comment entered by the user in the text box shown in the UserCheck notification. |
UserCheck Message to User |
The message shown to the user. |
Interaction Name |
The interaction name as shown in SmartConsole. |
Fingerprint |
|
Matched File |
The file name and path in the scanned fingerprint repository that matches the inspected message. |
Matched File Percentage |
How much is this file similar to Matched File. In "exact match" this will always be 100%. |
Matched File Text Segments |
In a partial match, the number of file parts/segments that are matched between the Matched File and the inspected file (parts/segment may overlap). |
DLP Type |
|
DLP Rule Name |
Name of the DLP rule on which the incident was matched. |
Message to User |
Message sent, as configured by administrator, for the rule on which the incident was matched. |
DLP Words List |
If the Data Type on which the incident was matched included a word list (keywords, dictionary, and so on), the list of matched words. |
DLP Relevant Data Types |
If matched Data Type is a group Data Type. This field specifies which Data Types from that group were matched. |
User Information |
|
DLP Recipients |
For SMTP traffic, list of recipients of captured email. |
Mail Subject |
For SMTP traffic, the subject of captured email. |
Scanned Data Fragment |
Captured data itself: email and attachment of SMTP, file of FTP, or HTTP traffic. |
More |
|
UserCheck |
A Boolean field that shows if the log is produced by UserCheck or by another DLP. |
Data Type Name |
Name of the matched Data Type. |
Data Type UID |
Internal ID of the Data Type on which the incident was matched. |
DLP Categories |
Category of Data Type on which the incident was matched. |
DLP Template Score |
A measurement, expressed as a percentage, that shows how closely a document matches the template file. 0% - The document and template are very different. 100% - The document and template are a close match. |
As of R80, the Event Analysis views of the SmartEvent GUI have been incorporated into the SmartConsole Logs & Monitor view. They provide advanced analysis tools with filtering, charts, and statistics of all events that pass through enabled Security Gateways.
