DLP Actions
Actions for DLP incidents include:
| DLP Action | Description |
|---|---|
| Ask User | DLP incident captured and put in Quarantine, user asked to decide what to do. |
| Do not Send | User decided to drop transmission that was captured by DLP. An administrator with full permissions or with the View, Release or Discard DLP messages permission can also drop these transmissions. Email notification is sent to the user. |
| Send | User decided to continue transmission after DLP capture. An administrator with full permissions or with the View/Release/Discard DLP messages permission can also decide to continue transmission. Email notification is sent to the user. |
| Quarantine Expired | DLP captured data transmission cannot be sent because the user did not make a decision in time. Expired incidents may still be viewed, until they are deleted (routine cleanup process). |
| Prevent | DLP transmission was blocked. |
| Allow | DLP transmission was allowed; usually by exception to rule. |
| Inform User | DLP transmission was detected and allowed, and user notified. |
| Deleted Due To Quota | DLP incidents are deleted from gateway for disk space. |

DLP incidents can show some or all of these columns and are available to all administrators.
| DLP Columns | Description |
|---|---|
| Incident UID | Unique ID of the incident. |
| DLP Action Reason | Reason for the action. Possible values: Rule Base |
| Related Incident | Internal incident ID related to the current log. |
| DLP Transport | Protocol of the traffic of the incident: HTTP, FTP, Email. |

Using the Incident UID as a key between multiple logs:
Each DLP incident has a unique ID included in the log and sent to the user as part of an email notification. User responses (Send, Do not Send) are assigned the same Incident UID that was assigned to the initial DLP incident log.
If a user/administrator sends an email with a DLP violation and then decides to discard it, two logs are generated. The first log is a DLP incident log with Ask User action and is assigned an Incident UID. On the user action, the second log is generated with the same UID, with the Do not Send action.
Each matched Data Type generates its own log. The gateway makes sure that all the Data Type logs of one incident show the same unique Incident UID and rule action (Prevent, Ask, Inform, or Detect). This also happens if the Data Types were matched on different rules. The action shown for an incident is the most restrictive one.
For example, a transmission matches two Data Types, and each Data Type is used in a different rule. The action of one rule is Prevent. The action of the second rule is Detect. The two generated logs show Prevent as the action, and the action implemented is Prevent. The log of the Detect rule shows Rule Base (Action set by different rule) in the DLP Action Reason column.
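
The correlation described above, as an added example that is not Check Point code: it groups log records by Incident UID, pairs the initial action with the later user response, and lists Data Types whose own rule was overridden. The record layout (dictionaries keyed by this page's column names), the UIDs and the Data Type names are constructed assumptions, not the product's export format.

```python
from collections import defaultdict

# Follow-up actions that close a quarantined (Ask User) incident.
RESOLUTIONS = {"Send", "Do not Send", "Quarantine Expired"}

# Constructed sample records: keys reuse this page's column names, values
# and UIDs are made up. This is not the product's log export format.
SAMPLE_LOGS = [
    {"Incident UID": "uid-0001", "DLP Action": "Ask User", "Data Type Name": "Type A"},
    {"Incident UID": "uid-0001", "DLP Action": "Do not Send"},
    {"Incident UID": "uid-0002", "DLP Action": "Prevent", "Data Type Name": "Type A"},
    {"Incident UID": "uid-0002", "DLP Action": "Prevent", "Data Type Name": "Type B",
     "DLP Action Reason": "Rule Base (Action set by different rule)"},
    {"Incident UID": "uid-0003", "DLP Action": "Ask User", "Data Type Name": "Type C"},
]


def correlate(logs):
    """Group log records by Incident UID and summarise each incident."""
    by_uid = defaultdict(list)
    for rec in logs:
        by_uid[rec["Incident UID"]].append(rec)

    incidents = {}
    for uid, recs in by_uid.items():
        initial = [r for r in recs if r["DLP Action"] not in RESOLUTIONS]
        outcome = [r["DLP Action"] for r in recs if r["DLP Action"] in RESOLUTIONS]
        shown = {r["DLP Action"] for r in initial}
        incidents[uid] = {
            "action": initial[0]["DLP Action"] if initial else None,
            "data_types": sorted(r["Data Type Name"] for r in initial
                                 if "Data Type Name" in r),
            # Data Types whose own rule was overridden by a stricter rule.
            "overridden": [r.get("Data Type Name") for r in initial
                           if "different rule" in r.get("DLP Action Reason", "")],
            "outcome": outcome[-1] if outcome else None,
            # All Data Type logs of one incident should show one action.
            "consistent": len(shown) <= 1,
            # Quarantined and still waiting for a user or administrator decision.
            "pending": shown == {"Ask User"} and not outcome,
        }
    return incidents


if __name__ == "__main__":
    for uid, summary in correlate(SAMPLE_LOGS).items():
        print(uid, summary)
```

An incident with `consistent` set to false, or one that stays `pending` with no later record, is worth checking against the gateway's own log view.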

These columns are restricted to administrators with permissions.
| Restricted Filters | Description |
|---|---|
| **UserCheck** | |
| User Response | Comment entered by the user in the text box shown in the UserCheck notification. |
| UserCheck Message to User | The message shown to the user. |
| Interaction Name | The interaction name as shown in SmartConsole. |
| **Fingerprint** | |
| Matched File | The file name and path in the scanned fingerprint repository that matches the inspected message. |
| Matched File Percentage | How similar the inspected file is to the Matched File. For an "exact match", this is always 100%. |
| Matched File Text Segments | In a partial match, the number of file parts/segments that are matched between the Matched File and the inspected file (parts/segments may overlap). |
| **DLP Type** | |
| DLP Rule Name | Name of the DLP rule on which the incident was matched. |
| Message to User | Message sent, as configured by administrator, for the rule on which the incident was matched. |
| DLP Words List | If the Data Type on which the incident was matched included a word list (keywords, dictionary, and so on), the list of matched words. |
| DLP Relevant Data Types | If the matched Data Type is a group Data Type, this field specifies which Data Types from that group were matched. |
| **User Information** | |
| DLP Recipients | For SMTP traffic, list of recipients of captured email. |
| Mail Subject | For SMTP traffic, the subject of captured email. |
| Scanned Data Fragment | Captured data itself: email and attachment of SMTP, file of FTP, or HTTP traffic. |
| **More** | |
| UserCheck | A Boolean field that shows if the log is produced by UserCheck or by another DLP. |
| Data Type Name | Name of the matched Data Type. |
| Data Type UID | Internal ID of the Data Type on which the incident was matched. |
| DLP Categories | Category of Data Type on which the incident was matched. |
| DLP Template Score | A measurement, expressed as a percentage, that shows how closely a document matches the template file. 0% - The document and template are very different. 100% - The document and template are a close match. |