
Auditing and Analysis

In the process of Data Loss Prevention, analysis of incidents is essential.

Before you begin, make sure that the severity of rules in the policy is accurate.

While auditing rules in the Logs & Monitor view, use the Follow Up flag. If you find an incident or a set of incidents that you want to fine-tune, or for which you doubt whether the action is best, you can set the Data Type or the rule to Follow Up.

Using the Logs & Monitor Logs View

The DLP gateway issues logs for various events.

To open the Logs & Monitor Logs view:

Go to Logs & Monitor > Logs > Queries > DLP.

The Data Loss Prevention logs are categorized for filtering.

To see more information:

  1. Click DLP Log.

    The DLP Log Details window opens, displaying more information about the incident in an easy-to-read format, with links back to the Data Loss Prevention tab in SmartConsole or to specific information on the Data Type.

    From the log of a specific incident you can open the actual data that caused the incident. You should not have to review most of the incidents manually, but the original transmission (for example, the email or its attachment) is kept for you if there is a question from the sender or the data owners.

    Because personal emails and web posts may be captured and stored for viewing, you must let the users know that this may happen. Failure to do so may cause your organization issues with local privacy laws.

Note - To view DLP incidents in the Logs & Monitor view or SmartEvent SmartConsole application on a Windows 7 computer, Microsoft Office 2010 is required. DLP incidents may not show if the incidents (which are in EML file format) are associated with any other application.

DLP Actions

Actions for DLP incidents include:

DLP Action - Description

Ask User - The DLP incident was captured and put in Quarantine; the user is asked to decide what to do.

Do not Send - The user decided to drop the transmission that was captured by DLP. An administrator with full permissions or with the View, Release or Discard DLP messages permission can also drop these transmissions. An email notification is sent to the user.

Send - The user decided to continue the transmission after DLP capture. An administrator with full permissions or with the View, Release or Discard DLP messages permission can also decide to continue the transmission. An email notification is sent to the user.

Quarantine Expired - The captured data transmission cannot be sent because the user did not make a decision in time. Expired incidents can still be viewed until they are deleted by the routine cleanup process.

Prevent - The DLP transmission was blocked.

Allow - The DLP transmission was allowed, usually by an exception to a rule.

Inform User - The DLP transmission was detected and allowed, and the user was notified.

Deleted Due To Quota - DLP incidents were deleted from the gateway to free disk space.

DLP General Columns

DLP incident logs can show some or all of these columns, which are available to all administrators.

DLP Columns - Description

Incident UID - Unique ID of the incident.

DLP Action Reason - Reason for the action. Possible values: Rule Base, Internal Error, Prior User Decision.

Related Incident - Internal incident ID related to the current log.

DLP Transport - Protocol of the traffic of the incident: HTTP, FTP, Email.

Using the Incident UID as a key between multiple logs:

Each DLP incident has a unique ID included in the log and sent to the user as part of an email notification. User responses (Send, Do not Send) are assigned the same Incident UID that was assigned to the initial DLP incident log.

If a user/administrator sends an email with a DLP violation and then decides to discard it, two logs are generated. The first log is a DLP incident log with Ask User action and is assigned an Incident UID. On the user action, the second log is generated with the same UID, with the Do not Send action.

Each matched Data Type generates its own log. The gateway makes sure that all the Data Type logs of one incident show the same unique Incident UID and the same rule action (Prevent, Ask, Inform, or Detect), also when the Data Types were matched on different rules. The action shown for all logs of an incident is the most restrictive action of the matched rules.

For example, suppose a transmission matches two Data Types, each used in a different rule. The action of one rule is Prevent and the action of the second rule is Detect. Both generated logs show Prevent as the action, and the action implemented is Prevent. The log of the Detect rule shows Rule Base (Action set by different rule) in the DLP Action Reason column.
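As an added example (not part of the Check Point documentation), the Python below applies the correlation described above to a few constructed log records: it groups logs by Incident UID, pairs an Ask User incident with its later Send, Do not Send or Quarantine Expired log, records which rules had their own action replaced (DLP Action Reason of Rule Base (Action set by different rule)), flags any incident whose Data Type logs disagree on the action, and lists incidents still awaiting a user decision. The restrictiveness order (Detect < Inform < Ask < Prevent), the snake_case field names and the sample rule and Data Type names are assumptions.

```python
from collections import defaultdict

# Rule actions, least to most restrictive (assumption: Detect < Inform < Ask < Prevent),
# and the follow-up actions that close an Ask User incident (see the DLP Actions table).
RULE_ACTION_RANK = {"Detect": 0, "Inform User": 1, "Ask User": 2, "Prevent": 3}
USER_DECISIONS = {"Send", "Do not Send", "Quarantine Expired"}
OVERRIDDEN = "Rule Base (Action set by different rule)"
# Constructed sample records; keys mirror the log columns described above.
SAMPLE_LOGS = [
    {"incident_uid": "A1", "dlp_action": "Ask User", "dlp_action_reason": "Rule Base",
     "dlp_rule_name": "Credit cards to external", "data_type_name": "Credit Card Numbers"},
    {"incident_uid": "A1", "dlp_action": "Ask User", "dlp_action_reason": OVERRIDDEN,
     "dlp_rule_name": "Large recipient list", "data_type_name": "Many Recipients"},
    {"incident_uid": "A1", "dlp_action": "Do not Send"},  # user response log, same UID
    {"incident_uid": "B2", "dlp_action": "Prevent", "dlp_action_reason": "Rule Base",
     "dlp_rule_name": "Source code to external", "data_type_name": "Source Code"},
    {"incident_uid": "B2", "dlp_action": "Prevent", "dlp_action_reason": OVERRIDDEN,
     "dlp_rule_name": "Detect resumes", "data_type_name": "Resume"},
    {"incident_uid": "C3", "dlp_action": "Ask User", "dlp_action_reason": "Rule Base",
     "dlp_rule_name": "Credit cards to external", "data_type_name": "Credit Card Numbers"},
]

def summarize_incidents(logs):
    """Group logs by Incident UID: the action shown on the Data Type logs, the Data Types
    matched, rules whose own action was replaced, and the user decision (None if pending)."""
    incidents = defaultdict(lambda: {"rule_action": None, "data_types": set(),
                                     "overridden_rules": [], "decision": None, "consistent": True})
    for rec in logs:
        inc = incidents[rec["incident_uid"]]
        action = rec["dlp_action"]
        if action in USER_DECISIONS:  # Send / Do not Send / Quarantine Expired
            inc["decision"] = action
            continue
        inc["data_types"].add(rec["data_type_name"])
        if rec.get("dlp_action_reason") == OVERRIDDEN:
            inc["overridden_rules"].append(rec["dlp_rule_name"])
        if inc["rule_action"] is None:
            inc["rule_action"] = action
        elif inc["rule_action"] != action:
            # All Data Type logs of one incident should show one action; a mismatch is an anomaly.
            inc["consistent"] = False
            if RULE_ACTION_RANK[action] > RULE_ACTION_RANK[inc["rule_action"]]:
                inc["rule_action"] = action
    return dict(incidents)

def pending_quarantine(incidents):
    """Ask User incidents that have no Send / Do not Send / Quarantine Expired log yet."""
    return sorted(uid for uid, inc in incidents.items()
                  if inc["rule_action"] == "Ask User" and inc["decision"] is None)
```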

DLP Restricted Columns

These columns are available only to administrators with the required permissions.

Restricted Filters - Description

UserCheck

User Response - Comment entered by the user in the text box shown in the UserCheck notification.

UserCheck Message to User - The message shown to the user.

Interaction Name - The interaction name as shown in SmartConsole.

Fingerprint

Matched File - The file name and path in the scanned fingerprint repository that matches the inspected message.

Matched File Percentage - How similar the inspected file is to the Matched File. In an exact match this is always 100%.

Matched File Text Segments - In a partial match, the number of file parts (segments) that match between the Matched File and the inspected file (segments may overlap).

DLP Type

DLP Rule Name - Name of the DLP rule on which the incident was matched.

Message to User - Message sent, as configured by the administrator, for the rule on which the incident was matched.

DLP Words List - If the Data Type on which the incident was matched included a word list (keywords, dictionary, and so on), the list of matched words.

DLP Relevant Data Types - If the matched Data Type is a group Data Type, this field specifies which Data Types from that group were matched.

User Information

DLP Recipients - For SMTP traffic, the list of recipients of the captured email.

Mail Subject - For SMTP traffic, the subject of the captured email.

Scanned Data Fragment - The captured data itself: the email and attachment for SMTP, the file for FTP, or the HTTP traffic.

More

UserCheck - A Boolean field that shows whether the log was produced by UserCheck or by another DLP component.

Data Type Name - Name of the matched Data Type.

Data Type UID - Internal ID of the Data Type on which the incident was matched.

DLP Categories - Category of the Data Type on which the incident was matched.

DLP Template Score - A measurement, expressed as a percentage, that shows how closely a document matches the template file.

0% - The document and template are very different.

100% - The document and template are a close match.

Event Analysis Views Available in SmartConsole

As of R80, the Event Analysis views of the SmartEvent GUI have been incorporated into the SmartConsole Logs & Monitor view. They provide advanced analysis tools with filtering, charts, and statistics of all events that pass through enabled Security Gateways.