
Archiving incidents

Created: 13 Feb 2014 • Updated: 05 Mar 2014
Lion Shaikh

1] Incident archiving:

Incident archiving lets you flag specified incidents as "archived." Because these archived incidents are excluded from normal incident reporting, you can improve the reporting performance of your Symantec Data Loss Prevention deployment by archiving any incidents that are no longer relevant. The archived incidents remain in the database; they are not moved to another table, database, or other type of offline storage.

You can set filters on incident reports in the Enforce Server administration console to display only archived incidents or to display both archived and non-archived incidents. Using these reports, you can flag one or more incidents as archived by using the Archive options that are available when you select one or more incidents and click the Incident Actions button. The Archive options are:

i] Archive Incidents - Flags the selected incidents as archived.

ii] Restore Incidents - Restores the selected incidents to the non-archived state.

iii] Do Not Archive - Prevents the selected incidents from being archived.

iv] Allow Archive - Allows the selected incidents to be archived.

The archive state of an incident is shown on the incident snapshot screen in the Enforce Server administration console. The History tab of the incident snapshot includes an entry for each time the Do Not Archive or Allow Archive flag is set for the incident.

Access to archiving functionality is controlled by roles. You can set the following user privileges on a role to control access:

i] Archive Incidents - Grants permission for a user to archive incidents.

ii] Restore Archive Incidents - Grants permission for a user to restore archived incidents.

iii] Remediate Incidents - Grants permission for a user to set the Do Not Archive or Allow Archive flags.
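The semantics described above (archiving is a flag rather than a move, Do Not Archive overrides Archive, each action is gated by a role privilege, flag changes appear in the History tab) as a small Python model. This is an added illustration, not Symantec code; the class, method and privilege-string names are assumptions.

```python
# Added model of the archive semantics described above; not Symantec code.
# Class, method and privilege-string names are assumptions for illustration.
from dataclasses import dataclass, field

# The three role privileges named on the page
ARCHIVE, RESTORE, REMEDIATE = ("Archive Incidents", "Restore Archive Incidents",
                               "Remediate Incidents")


@dataclass
class Incident:
    id: int
    archived: bool = False        # a flag only; the row stays in the table
    do_not_archive: bool = False
    history: list = field(default_factory=list)  # History tab entries


class ArchiveStore:
    """Archiving sets a flag; nothing moves to another table or offline store."""

    def __init__(self, incidents):
        self.incidents = {i.id: i for i in incidents}

    def _require(self, role, priv):
        if priv not in role:
            raise PermissionError(f"role lacks privilege '{priv}'")

    def archive(self, role, ids):
        """Archive > Archive Incidents; Do Not Archive wins. Returns ids archived."""
        self._require(role, ARCHIVE)
        done = [i for i in ids if not self.incidents[i].do_not_archive]
        for i in done:
            self.incidents[i].archived = True
        return done

    def restore(self, role, ids):  # Archive > Restore Incidents
        self._require(role, RESTORE)
        for i in ids:
            self.incidents[i].archived = False

    def set_do_not_archive(self, role, ids, value):
        """Archive > Do Not Archive / Allow Archive; every change is logged."""
        self._require(role, REMEDIATE)
        for i in ids:
            self.incidents[i].do_not_archive = value
            self.incidents[i].history.append("Do Not Archive" if value else "Allow Archive")

    def report(self, show="non-archived"):
        # Normal reports exclude archived incidents; filters widen the view
        if show == "all":
            return sorted(self.incidents)
        want = show == "archived"
        return [i.id for i in self.incidents.values() if i.archived == want]
```

Note that `report("all")` still returns every incident: archiving hides rows from normal reports but does not remove them, which is why deletion (section 5) is a separate action.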

2] To archive incidents:

A] Open the Enforce Server administration console and navigate to an incident report.
B] Select the incidents you want to archive, either by selecting the incidents manually or by setting filters or advanced filters to return the set of incidents that you want to archive.
C] Click the Incident Actions button and select Archive > Archive Incidents. The selected incidents are archived.

3] Restoring archived incidents:

To restore archived incidents:

A] Open the Enforce Server administration console and navigate to an incident report.
B] Select the Advanced Filters & Summarization link.
C] Click the Add filter button.
D] Select Is Archived in the first drop-down list.
E] Select Show Archived from the second drop-down list.
F] Select the incidents you want to restore, either by selecting incidents manually or by setting filters or advanced filters to return the set of incidents you want to restore.

The selected incidents are restored.

4] Preventing incidents from being archived:

You can prevent incidents from being archived using either an incident report or an incident snapshot.

To prevent incidents from being archived using an incident report:

A] Open the Enforce Server administration console and navigate to an incident report.
B] Select the incidents you want to prevent from being archived. You can select incidents manually or by setting filters or advanced filters to return the set of incidents you want to prevent from being archived.
C] Click the Incident Actions button and select Archive > Do Not Archive.
The selected incidents are prevented from being archived.

Note: You can allow incidents to be archived that you have prevented from being archived by selecting the incidents and then selecting Archive > Allow Archive from the Incident Actions button.

To prevent an incident from being archived using the incident snapshot:

A] Open the Enforce Server administration console and navigate to an incident report.
B] Click on an incident to open the incident snapshot.
C] On the Key Info tab, in the Incident Details section, click Do Not Archive.

Note: You can allow an incident to be archived that you have prevented from being archived by opening the incident snapshot and then clicking Allow Archive in the Incident Details section.

5] Deleting archived incidents:

To delete archived incidents:

A] Open the Enforce Server administration console and navigate to an incident report.
B] Click the Advanced Filters & Summarization link.
C] Click Add filter.
D] Select Is Archived in the first drop-down list.
E] Select Show Archived from the second drop-down list.
F] Select the incidents you want to delete. You can select the incidents manually or you can set filters or advanced filters that return the set of incidents you want to delete.
G] Click the Incident Actions button and select Delete incidents.
H] Select one of the following delete options:

i] Delete incident completely - Permanently deletes the incident(s) and all associated data (for example, any emails and attachments). Note that you cannot recover the incidents that have been deleted.

ii] Retain incident, but delete message data - Retains the actual incident(s) but discards the Symantec Data Loss Prevention copy of the data that triggered the incident(s). You have the option of deleting only certain parts of the associated data. The rest of the data is preserved.

iii] Delete Original Message - Deletes the message content (for example, the email message or HTML post). This option applies only to Network incidents.

iv] Delete Attachments/Files - This option refers to files (for Endpoint and Discover incidents) or email or posting attachments (for Network incidents). It has two settings:

All - Deletes all attachments. For example, choose this setting to delete files (for Endpoint and Discover incidents) or email attachments (for Network incidents).

Attachments with no violations - Deletes only those attachments in which Symantec Data Loss Prevention found no matches. For example, choose this setting when you have incidents with individual files taken from a compressed file (Endpoint and Discover incidents) or several email attachments (Network incidents).

I] Click the Delete button.