Auditing and Analysis of Incidents
In the process of Data Loss Prevention (DLP), analysis of incidents is essential. DLP is the Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization.
Before you begin, make sure that the severity of rules in the policy is accurate.
While auditing rules in the Logs & Monitor view, use the Follow Up flag. If you find an incident or a set of incidents that you want to fine-tune, or for which you doubt whether the action is best, you can set the Data Type (the classification of data in a Check Point Security Policy for the Content Awareness Software Blade) or the rule (the set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session) to Follow Up.

The DLP Gateway issues logs for various events.
To open the Logs & Monitor Logs view:
Go to Logs & Monitor > Logs > Queries > DLP.
The Data Loss Prevention logs are categorized for filtering.
To see more information:
- Click DLP Log.
  The DLP Log Details window opens. It shows more information about the incident in an easy-to-read format, with links back to the Data Loss Prevention tab in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) or to specific information on the Data Type.
- From the log of a specific incident, open the actual data that caused the incident.
Best Practice - Do not review most of the incidents manually. The original transmission (for example, the email or its attachment) stays, in case there is a question from the sender or the data owners.
Important - You must let users know that someone can capture, store, and show personal emails and web posts. If you do not do it, your organization can have issues with local privacy laws.
Note - To view DLP incidents in the Logs & Monitor view or SmartEvent SmartConsole application on a Windows 7 computer, Microsoft Office 2010 is necessary. DLP incidents may not show if the incidents (which are in EML file format) are associated with any other application.

As of R80, the Event Analysis views of the SmartEvent GUI have been incorporated into the SmartConsole Logs & Monitor view. They provide advanced analysis tools with filtering, charts, and statistics of all events that pass through enabled Security Gateways.