
Searching Entire Incidents

Created: 13 May 2014 | 3 comments

Hello, I think I already know the answer to this question but wanted to post it out here to verify I am not missing a possible solution or workaround.  I have created a bunch of policies inside DLP with keywords and terms.  I was curious if there is any way to search or filter the incidents view based upon one of those keywords/terms.  For instance, say one of the words I have a policy for is "apple".  Is there any way to do a search for all incidents that violated the word apple?  I did some looking at all the filters and can do a search for all attachments that contain a specific word but that leaves out the incidents that caught the violation in the email body.  Thanks in advance for any help on this issue.

Also if this is not possible it would be a huge benefit on future releases of DLP.


RonCaplinger

No, it is not possible to search within the incidents for a specific word.  That is something many people have requested in other posts here, but I don't see anything in the "Ideas" section here on Connect that mentions that feature.  I agree, it should be a basic feature to search the incidents in the database. 

Edit: I added an Idea, please be sure to up-vote it!

https://www-secure.symantec.com/connect/ideas/allow-searching-through-incidents-any-text

jasonhopp

Thanks for the response.  I figured that was going to be the answer of no way to do that type of search within the incidents currently.  I went ahead and added a comment to your idea post and voted it up.  Hopefully we will see this feature get added.

stephane.fichet

Hi Jason,

Not in the DLP UI. The best you can do is perform a search per policy rule, which will allow you to search all incidents which violate a specific rule in your policy.

But in the XML export you have access to "violationText" (the one overlined in yellow in the incident UI page), which will give you all matching keywords, so you will be able to filter on them.

Regards.
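
As an added illustration of the XML-export approach from the last reply (not code from the thread or from Symantec), the script below filters exported incidents by a whole-word match on `violationText`, so body and attachment matches are both found. Only the `violationText` name comes from the thread; the `incidents`/`incident` layout, the `id` attribute and the sample data are constructed assumptions to adjust to your real export.

```python
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample export. Only "violationText" is taken from the thread;
# the surrounding element names and the "id" attribute are assumptions.
SAMPLE_EXPORT = b"""<incidents>
  <incident id="1001"><component>body</component>
    <violationText>apple</violationText></incident>
  <incident id="1002"><component>body</component>
    <violationText>pineapple</violationText></incident>
  <incident id="1003"><component>attachment</component>
    <violationText>Apple pie recipe</violationText></incident>
  <incident id="1004"><component>body</component>
    <violationText>confidential</violationText></incident>
</incidents>"""


def local_name(tag):
    """Strip an XML namespace prefix such as '{urn:x}incident'."""
    return tag.rsplit("}", 1)[-1]


def incidents_matching(xml_source, keyword, record_tag="incident"):
    """Return [(incident id, [matching violationText values])].

    Matching is case-insensitive and whole-word, so "apple" does not hit
    "pineapple". The file is streamed, so large exports stay cheap.
    """
    pattern = re.compile(r"\b%s\b" % re.escape(keyword), re.IGNORECASE)
    hits = []
    for _event, elem in ET.iterparse(xml_source, events=("end",)):
        if local_name(elem.tag) != record_tag:
            continue
        texts = [v.text or "" for v in elem.iter()
                 if local_name(v.tag) == "violationText"]
        matched = [t for t in texts if pattern.search(t)]
        if matched:
            hits.append((elem.get("id"), matched))
        elem.clear()  # release the finished record's children
    return hits


if __name__ == "__main__":
    for incident_id, texts in incidents_matching(io.BytesIO(SAMPLE_EXPORT), "apple"):
        print(incident_id, texts)
```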