Data Loss Prevention

  • 1.  How to schedule a recurring report on found data?

    Posted Apr 01, 2013 02:30 AM

    I have just set up the endpoint server and the endpoint agent on a few test workstations.

    I put a test file on the endpoints that contained test social security number and credit card numbers and did a manual scan and was able to find the matches.

    Before I deploy the agent to more endpoints I would like to configure an automated report every morning on all the endpoints that had matches of ssns and credit cards from the policies I have already set up.

    Now, how should this be automated?  Do I need to schedule a scan on a schedule?  Does the agent do a full scan and index of the hard disk on a schedule or does it find the matching data instantly on access or both?

    I would think scans should be scheduled during the night so they don't impact performance when the users are using their computers, but if they are scheduled during the night, all laptops and some desktops that are powered off during the night will just keep missing the schedule and may never get scanned.  How is this handled?



  • 2.  RE: How to schedule a recurring report on found data?

    Posted Apr 01, 2013 06:28 AM

    Please check scheduled setting in reports.



  • 3.  RE: How to schedule a recurring report on found data?

    Posted Apr 01, 2013 03:08 PM

    I found it and tried sending a report, but the report summary page all shows "no data available," but when I go into  Incidents/Discover, I can see the incidents listed there.



  • 4.  RE: How to schedule a recurring report on found data?

    Trusted Advisor
    Posted Apr 02, 2013 01:31 AM

    Endpoint discover scan reports and all discover reports have a setting of "all scans" "last completed scan" etc..

    So make sure the scheduled report is configured for "all scans", this will then send a report for all of the incidents. If you want to get only the last scan, then configure the report that way, then set it for "last completed scan" or "currently running scans"

    Keep in mind that if you scheduled the scan and it has not finished it will have an empty report.

     

    If this answered your question please mark this as solved!!

    Ronak



  • 5.  RE: How to schedule a recurring report on found data?

    Posted Apr 02, 2013 02:09 AM

    Dear Netuser,

    Please refer below, this will surely help you.

    https://www-secure.symantec.com/connect/articles/schedule-csv-report-be-sent-email-dlp

    https://www-secure.symantec.com/connect/articles/dlp-create-dashboard-and-send-report-email

     



  • 6.  RE: How to schedule a recurring report on found data?

    Posted Apr 02, 2013 10:48 AM

    This is still not working the way I expected it to work.

    I ran a manual scan when I first deployed the agents and the results showing the ssn and credit card match from the test file is there, but it doesn't appear to have any reports showing the match past the day I first copied the test credit card and ssn file.

    Since I never deleted the file, shouldn't there be new reports showing detection of the file every day until it's deleted?

    Do I have to do repeated full scans on every system on a schedule or will it find and report on new data matches on the fly? 

    I'm trying to get a daily report that will show ssn and credit card matches every day until something is done with the file to create an exception or the file is deleted from the system.



  • 7.  RE: How to schedule a recurring report on found data?

    Posted Apr 02, 2013 02:52 PM

    We use incident statuses to create this effect.  When you do the scan the incident status was likely set to new.  Create a report that gathers all the new status events from ALL scans over ALL time and schedule it to be sent out. Then you can come into the incidents and change the status to remove it from the report.



  • 8.  RE: How to schedule a recurring report on found data?

    Posted Apr 02, 2013 04:43 PM

    In order to accomplish this you will need to run the scan daily and create your report so that it only sees the last scan. Otherwise the endpoint agent has no way to know that the file was removed. There are two types of discovery on the endpoint client.

    1. Endpoint discover - this scans the machine and appears to be what you are using. This is a static scanner and would have to be used daily to accomplish what you are trying to do. This finds data at rest on the machine.

    2. Endpoint prevent - this is the active scanning portion of the endpoint client. This can be used to prevent data from ever getting to the endpoint (copy to local drive), and to prevent it from leaving the endpoint. This finds data moving to the machine or getting moved from the machine.


  • 9.  RE: How to schedule a recurring report on found data?

    Posted Apr 02, 2013 04:43 PM

    I don't want to manually remove them from the report.  I would like the reports to run automated and show the detection in each day's reports for as long as the file exists.  Then, if the file is removed from the system, the new reports from that date forward should stop showing the incident on the endpoint.

    Can it be set that way so we can see the days the file was on the system and also the days the file containing SSNs and credit card numbers (or any other file with that type of data) was not on the system?

     

    Also, I don't think I understand how the detections are working.  Do I have to keep running repeated manual discover scans to detect the changes to whether there are files containing the type of data we are trying to match?