Data Loss Prevention

  • 1.  Archive incidents

    Posted Oct 28, 2015 10:01 AM

    Hello all,

    What is the use of archiving incidents? And what is the gain of deleting versus archiving?



  • 2.  RE: Archive incidents
    Best Answer

    Posted Oct 28, 2015 10:58 AM

    Incident archiving lets you flag specified incidents as "archived." Because these archived incidents are excluded from normal incident reporting, you can improve the reporting performance of your Symantec Data Loss Prevention deployment by archiving any incidents that are no longer relevant. The archived incidents remain in the database; they are not moved to another table, database, or other type of offline storage.

    You can set filters on incident reports in the Enforce Server administration console to display only archived incidents or to display both archived and non-archived incidents. Using these reports, you can flag one or more incidents as archived by using the Archive options that are available when you select one or more incidents and click the Incident Actions button. The Archive options are:

    • Archive Incidents - Flags the selected incidents as archived.
    • Restore Incidents - Restores the selected incidents to the non-archived state.
    • Do Not Archive - Prevents the selected incidents from being archived.
    • Allow Archive - Allows the selected incidents to be archived.

    The archive state of an incident displays in the incident snapshot screen in the Enforce Server administration console. The History tab of the incident snapshot includes an entry for each time the Do Not Archive or Allow Archive flags are set for the incident.

    Access to archiving functionality can also be controlled by roles. You can set the following user privileges on a role to control access:

    • Archive Incidents - Grants permission for a user to archive incidents.
    • Restore Archive Incidents - Grants permission for a user to restore archived incidents.
    • Remediate Incidents - Grants permission for a user to set the Do Not Archive or Allow Archive flags.


  • 3.  RE: Archive incidents

    Posted Oct 28, 2015 11:23 AM

    OK for the Symantec documentation,

    but what is the process you usually follow? Only archiving incidents? Only deleting?

    And what is the difference in terms of performance between a deleted incident and an archived incident?



  • 4.  RE: Archive incidents

    Posted Oct 28, 2015 02:05 PM

    There are multiple approaches organizations take:

    • The ones that have the Status Codes set right would normally still keep the incidents as/if they are required to follow the enforced 'retention period policy'; however, they get the unwanted/low-SEV ones like 'log only' or 'monitor only' or 'test only' archived.
    • However, largely I've seen people asking for exceptions in the retention policy and, at times, simply deleting the attachments for the ones that are not important.
    • A small number known to me even delete the non-important ones altogether (mostly where the DB size is already high).

    Now, performance-wise:

    • 'Archiving', in my experience, gives 'Better Performance', whereas
    • 'Deleting' (of course, after the actual deletion task in the DB has finished completing the DB deletion, triggered at midnight by default) gives the 'Best' performance.