Filter out company domain in Reports
Created: 16 Oct 2012 | 6 comments
The default reporting of Symantec DLP includes the actual domain our company is using, 'pg.com'. I've tried using the filters and summarization for the custom report, but what would happen is it filters out all incidents that contain the 'pg.com' domain even if the incident also has another external domain (i.e. incident is gmail.com, pg.com, the entire incident is filtered out including the domain gmail.com). I've tried filtering via 'Domain contains any of' and typing all existing domains, but from a maintenance standpoint, it doesn't seem sustainable, as I will need to add the new domains every time a new one comes in.
Any ideas on how to do this?
Thanks,
Cristine
Hello Cristine,
Reporting in Symantec DLP is not always as powerful as we expect for executive or business reports on data leakage. What we used to do for our customer is perform an export in CSV (for simple reports) or XML (for more detailed and complex reports) and then process them in Excel or another tool.
Maybe it is a stupid point, but you can also remove these messages, which contain only your domain, in the DLP policy so they won't raise any incident.
Regards.
Hi Steph,
Thanks for your input. I understand that exporting is always an option for more complex reports - was just wondering if there was any known way within the product.
As for removing it from the policy, it's not an option because the messages/incidents contain recipients from both our own domain and external domains. Deleting it would also remove the count for the external domain.
Thanks,
Cristine
Cristine,
In the DLP policy you can reject messages which contain only your domain as recipient, and if a message contains your domain and some other domains it will still raise an incident in the DLP tool.
The point is not to delete existing anomalies but to avoid raising anomalies if a message is sent only to your domain.
Regards.
Hi Calacson,
You can get a domain-wise filter in All reports and in the domain-wise reports option in the DLP system predefined reports. Also you can get the same by including or excluding and summarizing by domain.
Log in to the DLP console and see below:
Go to All reports > network reports > Top recipient (Domains)
Stephanie/Kishorilla,
The policy has no issue with getting the right incidents. It does not capture an incident if it is only sent to our company domain.
It's in the reporting that I need to filter out pg.com as a top recipient domain, but if I attempt to exclude pg.com as a domain, it removes any incident that contained pg.com even if it contained an external domain.
I.e.
1 incident has pg.com, gmail.com as domains
1 incident has gmail.com
The count would be 2 incidents under gmail.com, and 1 incident with pg.com as domain. If I try to filter out pg.com, only the incident with gmail.com will show up in the report.
Did that make sense?
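The export-and-process approach suggested in the first reply, as an added example that is not part of any post in this thread: it counts incidents per external recipient domain and drops the internal domain from each incident's recipient list instead of dropping the whole incident. The column names (`incident_id`, `recipients`), the `;` separator, the sample rows and the choice to treat subdomains of pg.com as internal are all assumptions, not the product's documented export format.

```python
import csv
import io
from collections import Counter

# Constructed sample standing in for a DLP incident export. Column names and
# the ';' recipient separator are assumptions: match them to your real header.
SAMPLE_EXPORT = """incident_id,recipients
1001,alice@pg.com;bob@gmail.com
1002,carol@gmail.com
1003,dave@PG.com;erin@sub.pg.com;frank@example.org;gina@example.org
1004,henry@pg.com
"""


def is_internal(domain, internal):
    """True for an internal domain or any subdomain of one (assumed policy)."""
    return any(domain == d or domain.endswith("." + d) for d in internal)


def external_domain_counts(csv_file, internal_domains,
                           rcpt_col="recipients", sep=";"):
    """Return Counter {external_domain: number_of_incidents}.

    Internal domains are removed per recipient, not per incident, so an
    incident sent to both pg.com and gmail.com still counts for gmail.com.
    """
    internal = {d.lower().strip(".") for d in internal_domains}
    counts = Counter()
    for row in csv.DictReader(csv_file):
        domains = set()  # each domain counts once per incident
        for addr in (row.get(rcpt_col) or "").split(sep):
            addr = addr.strip().strip("<>")
            if "@" not in addr:
                continue  # skip blanks and malformed recipients
            domains.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
        counts.update(d for d in domains if not is_internal(d, internal))
    return counts


def top_external_domains(csv_text, internal_domains):
    """Top-recipient-domain list with internal domains left out."""
    counts = external_domain_counts(io.StringIO(csv_text), internal_domains)
    return counts.most_common()


if __name__ == "__main__":
    for domain, n in top_external_domains(SAMPLE_EXPORT, ["pg.com"]):
        print(f"{domain}\t{n}")
```

Because the internal list is the only thing maintained, new external domains appear in the output without any filter change.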