Incident detail information

Created: 27 Feb 2012
jjesse's picture

Ok drawing a blank this morning, maybe I need more coffee.

Here's the question from the customer... They want to have a response rule email them information about the incident including the incident details and I'm drawing a blank.

The use case: I'm offsite (maybe on vacation) and a specific incident type is generated. The incident snapshot attribute creates a link that allows me to log in to the DLP Console to view the incident. But I'm on my iPhone and don't have access to the console, so I would like to see the incident details, including some of the content.

Make sense?  Am I crazy?

xlloyd's picture

What about the "All: Send Email Notification" response rule. You can include this list of variables in the email but you'd have to construct the message yourself:

Data Owner
Data Owner Email
Device Instance ID
Endpoint Machine
File Full Path
File Name
File Parent Directory Path
Incident ID
Incident Snapshot
Match Count
Policy Name
Policy Rules
Protocol / Device Type / Target Type
Quarantine Parent Directory Path
Scan Date

jjesse's picture

I understand the different attributes/variables I can set. Perhaps I'm not making myself clear. The Incident Snapshot variable will give me a link to the Incident.

I want the content of the email or the website that was blocked if possible?

Jonathan Jesse Practice Principal ITS Partners

xlloyd's picture

Oooooh! I misunderstood! My bad ^_^

Mike S.'s picture

Ok I think I understand what you want. So basically you want to see in an email exactly what you would see if you opened up the incident in the management console.

I really wish I knew the answer to this because it does sound like a great idea. I currently have my system set up to email the offending employee's manager, and numerous times they ask me what exactly the employee did, and that is when I have to go into the incident and send the incident directly to them out of the management console.

jjesse's picture

Not only notify the manager w/ the clear text but my customer is looking for a certain type of incident to get the details w/o having to log in. Think of this incident as super high or the keys to the kingdom.

So if I'm on vacation (no VPN) and this incident occurs, it triggers a response rule that sends me the content of the email, web post, etc. Not just a link to the Incident Snapshot.

Jonathan Jesse Practice Principal ITS Partners

kishorilal1986's picture

Hi jjesse,

I clearly understood your problem and want to help you resolve it. As you also said, you are offsite and still want to see incident details on your iPhone. Symantec also has DLP for iPhone and iPad. You may not see the exact incident details, but you can see the required details that you configured.

Symantec DLP has one feature which can do this; I am providing the reference details of the same.

I am also attaching some snapshots for your understanding.

Executing response rules

When you execute a response rule that sends an email, you can manually compose the contents of the email notification.

Note: Sending an email notification to the sender applies to SMTP incidents only. Also, the notification addressees that are based on custom attributes (such as "manager email") work correctly only if populated by the attribute lookup plug-in.

To compose an email notification response

  1. Enter optional emails for copies in the CC field.
  2. Select the language.
  3. Compose or edit the subject and body of the email.

Insert variables for the fields in the incident. The supported variables appear as links to the right of the editable fields.

For example, if you want to include the policy and rules violated, you might enter:

A message has violated the following rules in $POLICY$:


  4. Click OK to send the notification.

kishorilal1986's picture

Hi jjesse,

You can see the exact DLP incident details if your iPhone has XML web-viewable support, since a web archive of the incident can be sent and seen through the web. Else, the other option is the configured mail, where the data that is included in the DLP mail can be seen.



DLP Solutions2's picture

You can configure the system to allow you to send incident detail in an EMAIL and NOT just the link. (System > General settings)

This would allow you to send the incident information directly to you, but this would then send the incident information outside of the DLP system, which would mean you are proliferating the loss of information.

