
Why certain fields are left blank when exporting endpoint incidents

Created: 28 Apr 2014
Lion Shaikh's picture
| Sr. No | Blank Field | Type | Reason |
|---|---|---|---|
| 1 | Destination | HTTPS/SSL, HTTP | In endpoint incidents, the Destination field is used for file transfer incidents (i.e. where files are transferred from source to destination). Since HTTPS/SSL and HTTP transactions do not have this information, Destination is only populated for CD/DVD and Removable Storage incidents. The destination URL for HTTP/S incidents is still available, in the Recipient field. |
| 2 | Destination Path | CD/DVD | For CD/DVD incidents the destination path would be the CD/DVD drive. While files are being written to a CD/DVD drive they become unreadable to internal applications, so DLP cannot monitor or keep track of the path where the files are being copied. Hence DLP monitors only the destination for CD/DVD incidents, not its path. |
| | | FTP, HTTP, HTTPS/SSL | Destination Path is used for file transfer incidents (i.e. where files are transferred from source to destination). Since HTTPS/SSL and HTTP transactions do not have this information, Destination Path is only populated for Removable Storage. The destination URL for HTTP/S incidents is still available, in the Recipient field. |
| 3 | Source File | FTP, HTTP, HTTPS/SSL | Source File is populated only for file transfer incidents (i.e. where files are transferred from source to destination). Since HTTPS/SSL and HTTP transactions do not have this information, Source File is only populated for Removable Storage. |
| | | Removable Storage | There are multiple reasons: (1) If the user transfers a file to removable storage directly from Lotus Notes, DLP might not get the source file or its path. (2) If the user downloads or copies the file directly from FTP or file-sharing services to removable storage. (3) If the user is working on an Excel sheet and, instead of saving it locally, saves it directly to the removable storage device, DLP would not understand the source file path because the application has copied the file directly. |
| 4 | Source File Path | FTP, HTTP, HTTPS/SSL | Source File Path is populated only for file transfer incidents (i.e. where files are transferred from source to destination). Since HTTPS/SSL and HTTP transactions do not have this information, Source File Path is only populated for Removable Storage. |
| | | Removable Storage | There are multiple reasons: (1) If the user transfers a file to removable storage directly from Lotus Notes, DLP might not get the source file or its path. (2) If the user downloads or copies the file directly from FTP or file-sharing services to removable storage. (3) If the user is working on an Excel sheet and tries to save the file directly to the removable storage device instead of the local drive, DLP would not understand the source file path because the application has copied the file directly. |
| 5 | Device Instance ID | FTP, HTTP, HTTPS/SSL | Device Instance ID is a unique ID assigned to all types of plug-and-play devices. Since FTP and HTTP/S do not have a Device Instance ID, it is kept blank. |
| | | Removable Storage | These specific incidents have to be investigated with the user to find out how the files were copied, since not all Removable Storage incidents show this field as blank. |
| 6 | Subject | All Types | This field is monitored only for Email/SMTP incidents, so it is left blank for all other types of incidents. |
| 7 | Recipient(s) | CD/DVD, Removable Storage | In endpoint incidents, the Recipient field is populated with the end URL(s) or email recipients to which the data has been uploaded or mailed, respectively. Hence for CD/DVD and Removable Storage incidents this field is left blank. |
| 8 | Data Owner Name | All Types | Only available if Data Insight is implemented. |
| 9 | Data Owner Email | All Types | Only available if Data Insight is implemented. |
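
When reviewing an exported incident list, the table can be applied mechanically to separate blanks that are by design from blanks that need a follow-up with the user. The sketch below is an added example, not part of the original post or of the Symantec product; it assumes a CSV export whose columns use the nine field names above, and the `Type` and `Incident ID` column names, the verdict labels and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

NET = ("FTP", "HTTP", "HTTPS/SSL")
MEDIA = ("CD/DVD", "Removable Storage")
# field -> {incident type: verdict}, transcribed from the Type column of the
# table above; "*" stands for the table's "All Types".
# "follow-up" marks blanks the table ties to how the user copied the file.
RULES = {
    "Destination": dict.fromkeys(("HTTP", "HTTPS/SSL"), "expected"),
    "Destination Path": dict.fromkeys(NET + ("CD/DVD",), "expected"),
    "Source File": {**dict.fromkeys(NET, "expected"), "Removable Storage": "follow-up"},
    "Source File Path": {**dict.fromkeys(NET, "expected"), "Removable Storage": "follow-up"},
    "Device Instance ID": {**dict.fromkeys(NET, "expected"), "Removable Storage": "follow-up"},
    "Subject": {"*": "expected"},
    "Recipient(s)": dict.fromkeys(MEDIA, "expected"),
    "Data Owner Name": {"*": "expected"},   # assumes Data Insight is not deployed
    "Data Owner Email": {"*": "expected"},  # assumes Data Insight is not deployed
}

def classify_blanks(csv_text, type_col="Type", id_col="Incident ID"):
    """Return (incident id, field, verdict) for every blank cell in the export.

    type_col and id_col are assumed column names for the export layout;
    only the nine field names come from the table.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        itype = (row.get(type_col) or "").strip()
        for field, by_type in RULES.items():
            if field not in row or (row[field] or "").strip():
                continue  # column not exported, or field is populated
            # Blanks the table does not list for this type get "not-in-table".
            verdict = by_type.get(itype, by_type.get("*", "not-in-table"))
            findings.append((row.get(id_col, ""), field, verdict))
    return findings

# Constructed sample export (not real incident data).
SAMPLE = """Incident ID,Type,Destination,Destination Path,Source File,Device Instance ID,Recipient(s)
101,HTTPS/SSL,,,,,https://upload.example.com/
102,Removable Storage,E:,E:\\out,report.xlsx,,
103,CD/DVD,D:,,notes.txt,,
"""

if __name__ == "__main__":
    for incident, field, verdict in classify_blanks(SAMPLE):
        print(f"{incident}: blank {field!r} -> {verdict}")
```

A `not-in-table` verdict only means the table above gives no reason for that field and type combination.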