Data Loss Prevention

  • 1.  How to monitor whether specific websites were visited or not?

    Posted Mar 11, 2014 05:26 AM

    Hello,

    I want to monitor which users open specific websites, for instance, competitors' or hackers' portals. I want to monitor the fact of a visit to specific websites even without any data being transmitted. But the Symantec DLP system controls GET or POST requests. Maybe the system has a mechanism to monitor whether specific websites were visited or not?
    I guess we can define a custom protocol for that. Is that right?

    ---
    Best regards, Artem.



  • 2.  RE: How to monitor whether specific websites were visited or not?

    Trusted Advisor
    Posted Mar 11, 2014 01:23 PM

    Artem,

    Unfortunately a user will have to perform SOME action (post, put or get) in order for DLP to create an incident.

    If you want metrics on visited sites, then you should look at proxy logs.

    Hope this makes sense.

    If this solves your question, please mark it as solved.

    Ronak
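
The proxy-log approach suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that reports which users requested watched hosts, assuming the proxy writes Squid's native access.log layout (an assumption; the thread names no proxy). The log lines, user names and IP addresses are constructed; the watched hostnames are the placeholders used in the thread.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Watchlist: the placeholder hostnames used in the thread.
WATCHLIST = {"website1.com", "website2.com", "website3.com"}

# Constructed sample lines, assumed Squid native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1394526360.123    120 10.0.0.15 TCP_MISS/200 5120 GET http://website1.com/index.html jsmith DIRECT/203.0.113.10 text/html
1394526371.456     95 10.0.0.22 TCP_MISS/200 812 CONNECT www.website2.com:443 akim DIRECT/203.0.113.20 -
1394526380.789     40 10.0.0.15 TCP_HIT/200 2048 GET http://example.org/news jsmith NONE/- text/html
1394526391.012     33 10.0.0.31 TCP_DENIED/403 0 GET http://notwebsite1.com/ - NONE/- text/html
1394526399.345     61 10.0.0.31 TCP_MISS/200 900 GET http://WEBSITE3.com:8080/login - DIRECT/203.0.113.30 text/html
truncated line
"""

def request_host(method, target):
    """Return the lowercase hostname of a logged request target, or None."""
    if method == "CONNECT":          # HTTPS tunnels are logged as host:port
        target = "//" + target
    host = urlsplit(target).hostname
    return host.lower().rstrip(".") if host else None

def on_watchlist(host, watchlist=WATCHLIST):
    """Match the domain itself or a subdomain, not a mere string suffix."""
    return any(host == d or host.endswith("." + d) for d in watchlist)

def find_visits(log_text, watchlist=WATCHLIST):
    """Map each user (client IP when unauthenticated) to watched hosts seen."""
    visits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:         # skip malformed or truncated lines
            continue
        client, method, target, user = fields[2], fields[5], fields[6], fields[7]
        host = request_host(method, target)
        if host and on_watchlist(host, watchlist):
            visits[user if user != "-" else client].add(host)
    return dict(visits)

if __name__ == "__main__":
    for who, hosts in sorted(find_visits(SAMPLE_LOG).items()):
        print(who, sorted(hosts))
```

For HTTPS the proxy only sees the CONNECT target, so the match is on hostname alone; the result of `find_visits` is what a log analysis system would turn into incidents.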



  • 3.  RE: How to monitor whether specific websites were visited or not?

    Posted Mar 12, 2014 01:29 AM

    Proxy logs are good, but for creating corresponding incidents a customer needs a log analysis system.
    And yet, can I use a custom protocol and set the website names as a condition?
    Will the system work correctly if I create a custom protocol and set the following content filter?

    I,Host:,website1.com,website2.com,website3.com

    I think the custom protocol will be able to catch what I need. Unfortunately, I can't try it right now.

    ---
    Best regards, Artem.



  • 4.  RE: How to monitor whether specific websites were visited or not?

    Trusted Advisor
    Posted Mar 12, 2014 12:20 PM

    Artem,

    A custom protocol will NOT work. It will still need to see the proper header for HTTP traffic, which you cannot do with a custom protocol.

    Hope this makes sense.

    If this solves your question, please mark it as solved.

    Ronak



  • 5.  RE: How to monitor whether specific websites were visited or not?

    Posted Apr 11, 2014 08:28 AM

    Dear Artem,

    To monitor (logs incidents for data transferred by temporary USB/CD users) which users open specific websites, you need to create a temporary user policy.

    Detection Rules: Data Transfer - endpoint (Protocol): Protocol is FTP, Copy to Network Share, HTTP, Email/SMTP, Removable Storage, ....

    AND
    • Data Transfer - endpoint (Sender): Match IP address(es)......

    Please make sure to mark this as a solution to your problem,