Data Loss Prevention

  • 1.  How to find incidents by its content?

    Posted Feb 04, 2014 11:08 PM

    Hello everybody!

    Is it possible to find an incident in Symantec DLP (Endpoint/Network) according to its content?

    For example, I worked on an incident last month and then closed it. Now I need to investigate this already closed incident again, but I couldn't find it, because I don't remember the date, the incident's ID, the username, etc. The only thing I know is part of the text from this incident.

    I tried applying all the filters one by one, but I couldn't find any incident according to its content.

     

    Please, HELP me!

    Thanks a lot in advance!



  • 2.  RE: How to find incidents by its content?

    Trusted Advisor
    Posted Feb 05, 2014 02:00 AM

    Hello,

    You can't filter on message content. You will have to remember more than just the incident content: maybe the policy or the type of incident (network or endpoint), the attachment name or size, information available in your custom attributes (user department? ...), a note you put in this incident at the time, or who assessed it and changed its status... and then have a look at all the results to find the right one. I know this is not what you expect, but I am afraid there is no other way to do it.

    Regards.



  • 3.  RE: How to find incidents by its content?

    Posted Feb 05, 2014 03:32 AM

    Good afternoon, Stephan!

    Thanks a lot for your quick reply and helpful answer! I guess you are right about "there is no other way to do it", because after 3 days of research and experimenting with DLP I couldn't do it :(!

    Hope that Symantec will add such a feature in the next version of DLP :)!



  • 4.  RE: How to find incidents by its content?

    Posted Feb 06, 2014 02:50 PM

    What you can do is create a report that will contain the incident in question and then export the incidents in XML format. Then you can search the XML for the incident details. Clunky, but it does work.
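    The XML-export approach above, worked through as an added example that is not part of the original thread and not Symantec's own tooling: a small Python script that loads an exported incident report and searches every text node and attribute value for a remembered fragment, then reports which incident and which field matched. The sample export and its element names (`incidentList`, `incident`, `id`, `message`, `body`, and so on) are constructed assumptions for illustration only; the real export schema differs, which is why the search walks the whole tree instead of addressing specific fields, and the `incident_tag` parameter lets you name whatever element wraps a single incident in your export.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the general shape of an exported incident report.
# Element and attribute names are assumptions for illustration, NOT the real
# Symantec DLP export schema; point incident_tag at the real wrapper element.
SAMPLE_XML = """<incidentList>
  <incident id="10234">
    <status>Closed</status>
    <policy>Customer PII</policy>
    <detectionDate>2014-01-15T09:12:00</detectionDate>
    <sender>jdoe@example.com</sender>
    <message>
      <subject>Q4 customer list</subject>
      <body>Attached is the export of customer
            account numbers for the audit.</body>
    </message>
  </incident>
  <incident id="10301">
    <status>Closed</status>
    <policy>Source Code</policy>
    <detectionDate>2014-01-22T16:40:00</detectionDate>
    <sender>asmith@example.com</sender>
    <message>
      <subject>build script</subject>
      <body>See the attached build script, nothing sensitive here.</body>
    </message>
  </incident>
</incidentList>
"""


def _normalize(text):
    """Collapse whitespace runs so a fragment still matches across line wraps in the export."""
    return re.sub(r"\s+", " ", text or "").strip()


def _path(elem, parents):
    """Slash-separated tag path from the root down to elem, for reporting where a hit was."""
    parts = []
    node = elem
    while node is not None:
        parts.append(node.tag)
        node = parents.get(node)
    return "/".join(reversed(parts))


def _incident_id(elem, parents, incident_tag):
    """Walk up to the nearest enclosing incident element; return its id attribute
    or <id> child text (both assumed conventions), or None if no wrapper is found."""
    node = elem
    while node is not None:
        if node.tag == incident_tag:
            if "id" in node.attrib:
                return node.attrib["id"]
            child = node.find("id")
            return _normalize(child.text) if child is not None else None
        node = parents.get(node)
    return None


def find_incidents_by_text(xml_text, fragment, incident_tag="incident"):
    """Search every element text and attribute value for `fragment` (case-insensitive,
    whitespace-normalised). Returns a list of (incident_id, path, matched_value), one
    entry per matching field, in document order."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    parents = {child: parent for parent in root.iter() for child in parent}
    needle = _normalize(fragment).lower()
    if not needle:
        return []  # an empty fragment would match every node; refuse it
    hits = []
    for elem in root.iter():
        candidates = [("text", elem.text)] + [("@" + k, v) for k, v in elem.attrib.items()]
        for kind, value in candidates:
            haystack = _normalize(value)
            if needle in haystack.lower():
                where = _path(elem, parents) + ("" if kind == "text" else "/" + kind)
                hits.append((_incident_id(elem, parents, incident_tag), where, haystack))
    return hits


def matching_incident_ids(xml_text, fragment, incident_tag="incident"):
    """De-duplicated incident ids (document order) whose exported fields contain `fragment`."""
    seen = []
    for inc_id, _, _ in find_incidents_by_text(xml_text, fragment, incident_tag):
        if inc_id is not None and inc_id not in seen:
            seen.append(inc_id)
    return seen


if __name__ == "__main__":
    # Usage: python find_incident.py export.xml "part of the text you remember"
    # With no arguments it runs against the constructed sample above.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data, needle = fh.read(), sys.argv[2]
    else:
        data, needle = SAMPLE_XML, "customer account numbers"
    for inc_id, where, snippet in find_incidents_by_text(data, needle):
        print(f"incident {inc_id}: {where}: {snippet}")
```

    Matching is case-insensitive and ignores line wrapping inside the export, so a half-remembered phrase is enough. Keep in mind that the export holds the full matched content of every incident in the report, so treat the file as sensitive data in its own right and delete it once the incident has been located.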

     

     



  • 5.  RE: How to find incidents by its content?

    Posted Feb 10, 2014 09:28 AM

    If by "closed it" you mean you updated the status, you can search by Incident History Issuer and choose your ID from the list of choices.



  • 6.  RE: How to find incidents by its content?

    Posted Feb 12, 2014 04:44 AM

    You can't check by contents; you have to search by the predefined parameters in the filter, like attachment file name, size, history issuer contents if anything was added, etc. I hope Symantec will work on searching by contents.