Data Loss Prevention

  • 1.  Filter out company domain in Reports

    Posted Oct 16, 2012 10:47 PM

    The default reporting of Symantec DLP includes the actual domain our company is using, 'pg.com'. I've tried using the filters and summarization for the custom report, but what would happen is it filters out all incidents that contain the 'pg.com' domain even if the incident also has another external domain (i.e. incident is gmail.com, pg.com, the entire incident is filtered out including the domain gmail.com). I've tried filtering via 'Domain contains any of' and typing all existing domains, but from a maintenance standpoint, it doesn't seem sustainable, as I will need to add the new domains every time a new one comes in.

    Any ideas on how to do this? 

    Thanks, 
    Cristine 



  • 2.  RE: Filter out company domain in Reports

    Trusted Advisor
    Posted Oct 17, 2012 02:32 AM

    Hello Cristine,

     Reporting in Symantec DLP is not always as powerful as we expect for executive or business reports on data leakage. What we used to do for our customer is perform an export in CSV (for a simple report) or XML (for a more detailed and complex report) and then process them in Excel or another tool.

     Maybe it is a stupid point, but you can also remove these messages, which contain only your domain, in the DLP policy, so it won't raise any incident.

     

     Regards.



  • 3.  RE: Filter out company domain in Reports

    Posted Oct 17, 2012 02:45 AM

    Hi Steph, 

    Thanks for your input. I understand that exporting is always an option for more complex reports - was just wondering if there was any known way within the product.


    As for removing it from the policy, it's not an option because the messages/incidents contain recipients from both our own domain and external domains. Deleting it would also remove the count for the external domain.

    Thanks, 

    Cristine 



  • 4.  RE: Filter out company domain in Reports

    Trusted Advisor
    Posted Oct 17, 2012 11:10 AM

    Cristine,

     In the DLP policy you can reject messages which contain only your domain as recipient, and if a message contains your domain and some other domains it will still raise an incident in the DLP tool.

     The point is not to delete existing anomalies but to avoid raising anomalies if messages are sent only to your domain.

     Regards.



  • 5.  RE: Filter out company domain in Reports

    Posted Oct 22, 2012 05:12 AM

    Hi Calacson,

    You can get a domain-wise filter in All reports and in the domain-wise reports option in the DLP system predefined reports. Also, you can get the same by including or excluding and summarizing by domain.



  • 6.  RE: Filter out company domain in Reports

    Posted Dec 06, 2012 02:45 AM

    Log in to the DLP console and see below:

    Go to All reports > network reports > Top recipient (Domains)



  • 7.  RE: Filter out company domain in Reports

    Posted Dec 06, 2012 03:09 AM

    Stephanie/Kishorilla,  

    The policy has no issue with getting the right incidents. It does not capture an incident if it is only sent to our company domain.

    It's in the reporting that I need to filter out pg.com as a top recipient domain, but if I attempt to exclude pg.com as a domain, it removes any incident that contained pg.com even if it contained an external domain.

    I.e.

    1 incident has pg.com, gmail.com as domains

    1 incident has gmail.com

     

    The count would be 2 incidents under gmail.com, and 1 incident with pg.com as domain. If I try to filter out pg.com, only the incident with gmail.com will show up in the report.

    Did that make sense?
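
The export-and-process route suggested earlier in the thread, applied to the counting problem in the last post, as an added example that is not part of the original thread or of the product: it drops the company domain from the per-domain tally without dropping the incidents that also have external recipients. The CSV column names (`incident_id`, `recipients`), the sample rows, and the choice to treat subdomains of `pg.com` as internal are assumptions; adapt them to the actual export.

```python
import csv
import io
from collections import Counter

INTERNAL_DOMAINS = {"pg.com"}  # company domain named in the thread

# Constructed sample export; the column names are assumptions, not the product's format.
SAMPLE_CSV = """incident_id,recipients
1001,"alice@pg.com, bob@gmail.com"
1002,carol@gmail.com
1003,"dave@pg.com, erin@PG.com"
1004,"frank@sub.pg.com; gina@example.org; hal@example.org"
"""


def recipient_domains(field):
    """Return the set of lower-cased recipient domains in one incident row."""
    domains = set()
    for addr in field.replace(";", ",").split(","):
        addr = addr.strip().strip("<>")
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains


def is_internal(domain, internal=INTERNAL_DOMAINS):
    """Exact match or subdomain of an internal domain (subdomain rule is an assumption)."""
    return any(domain == d or domain.endswith("." + d) for d in internal)


def top_external_domains(csv_text, internal=INTERNAL_DOMAINS):
    """Count incidents per external domain; each incident counts once per domain."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Filter the domain out of the tally, not the incident out of the data set.
        external = {d for d in recipient_domains(row["recipients"])
                    if not is_internal(d, internal)}
        counts.update(external)
    return counts


if __name__ == "__main__":
    for domain, n in top_external_domains(SAMPLE_CSV).most_common():
        print(f"{domain}\t{n}")
```

Incidents sent only to internal recipients (row 1003 in the sample) contribute nothing to the tally, and new external domains appear without any filter list to maintain.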