
Filter out company domain in Reports

Created: 16 Oct 2012 | 6 comments

The default reporting of Symantec DLP includes the actual domain our company is using, 'pg.com'. I've tried using the filters and summarization for the custom report, but what happens is that it filters out all incidents that contain the 'pg.com' domain even if the incident also has another external domain (i.e. incident is gmail.com, pg.com, the entire incident is filtered out including the domain gmail.com). I've tried filtering via 'Domain contains any of' and typing all existing domains, but from a maintenance standpoint, it doesn't seem sustainable, as I will need to add the new domains every time a new one comes in.

Any ideas on how to do this? 

Thanks, 
Cristine 


stephane.fichet's picture

Hello Cristine,

 Reporting in Symantec DLP is not always as powerful as we expect for executive or business reports on data leakage. What we used to do for our customer is perform an export in CSV (for simple reports) or XML (for more detailed and complex reports) and then process them in Excel or another tool.

 Maybe it is a stupid point, but you can also remove these messages, which contain only your domain, in the DLP policy so it won't raise any incident.

 

 Regards.

calacson's picture

Hi Steph, 

Thanks for your input. I understand that exporting is always an option for more complex reports - was just wondering if there was any known way within the product.

As for removing it from the policy, it's not an option because the messages/incidents contain recipients from both our own domain and external domains. Deleting it would also remove the count for the external domain.

Thanks, 

Cristine 

stephane.fichet's picture

Cristine,

 In the DLP policy you can reject messages which contain only your domain as recipient, and if a message contains your domain and some other domains it will still raise an incident in the DLP tool.

 The point is not to delete existing anomalies but to avoid raising anomalies if a message is sent only to your domain.

 Regards.

kishorilal1986's picture

Hi Calacson,

You can get a domain-wise filter in All reports and in the domain-wise reports option in the DLP system predefined reports. Also you can get the same by including or excluding and summarizing by domain.

kishorilal1986's picture

Log in to the DLP console and see below

Go to All reports > network reports > Top recipient (Domains)

calacson's picture

Stephanie/Kishorilla,  

The policy has no issue with getting the right incidents. It does not capture an incident if it is only sent to our company domain.

It's in the reporting that I need to filter out pg.com as a top recipient domain, but if I attempt to exclude pg.com as a domain, it removes any incident that contained pg.com even if it contained an external domain.

I.e.

1 incident has pg.com, gmail.com as domains

1 incident has gmail.com

 

The count would be 2 incidents under gmail.com, and 1 incident with pg.com as domain. If I try to filter out pg.com, only the incident with gmail.com will show up in the report.

Did that make sense?
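The export-and-process route suggested earlier in the thread, as an added example that is not from any of the posters or from Symantec: it counts incidents per external recipient domain and drops only the company domain from the tally, not the incidents that include it. The column names (`incident_id`, `recipients`), the `;` separator and the sample rows are constructed assumptions, not the actual DLP export layout.

```python
import csv
import io
from collections import Counter

INTERNAL_DOMAINS = {"pg.com"}  # company domain named in the thread

# Constructed sample export; the column names and the ';' separator are
# assumptions, not the real Symantec DLP export format.
SAMPLE_CSV = """incident_id,recipients
1001,alice@pg.com;bob@gmail.com
1002,carol@gmail.com
1003,dave@PG.com;erin@mail.pg.com.example.org
1004,frank@pg.com
"""

def recipient_domains(field):
    """Return the set of lower-cased recipient domains for one incident."""
    domains = set()
    for addr in field.split(";"):
        addr = addr.strip().strip("<>")
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains

def external_domain_counts(csv_text, internal=INTERNAL_DOMAINS):
    """Count incidents per external domain; also list internal-only incidents."""
    counts = Counter()
    internal_only = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        domains = recipient_domains(row["recipients"])
        # Exact-match exclusion, so look-alike domains that merely contain
        # the company name stay visible in the report.
        external = domains - internal
        if domains and not external:
            internal_only.append(row["incident_id"])
        counts.update(external)  # one count per incident per domain
    return counts, internal_only

if __name__ == "__main__":
    counts, internal_only = external_domain_counts(SAMPLE_CSV)
    for domain, n in counts.most_common():
        print(f"{domain}\t{n}")
    print("internal-only incidents:", internal_only)
```

Because the exclusion is applied per domain after each incident's recipients are split out, no list of external domains has to be maintained as new ones appear.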