Data Loss Prevention

Hi,

We have been testing some options and functional aspects of Symantec DLP platform for our company.

When applying User Cancel as Response Rule, would it be possible that when user selects "Cancel", an incident is created but with status "Resolved"?

Because in reality there is an incident, but if the action is cancelled, that should set status as resolved (the issue ends there).

In a company with 35k users that makes a lot of difference when we have to analyse all the incidents...

The ideal solution (as we see it) was to have the hability to define X actions when a user selects "Allow" and to define Y actions if user selects "Cancel". Or, as usual procedure, when user selects cancel, to set status as resolved (as stated before) and send an email alert about it.

Regards.

An incident is genterated regardless of the user's selection.

I dont belive that there is an Automatic Response Rule condition based on user feedback for those types of events, so your incident status will be..whatever your policy/rule sets it to be.

However, you can filter Endpoint incident reports by Agent Response, so you can make a report of incidents where users did choose to cancel, and then collectively change their status values.

Hello,

 As steven said status of your incident will be the one defined by your policy. But you can use an external tool plugged to DLP web service to change status of these incidents automatically every day (or whatever frequency) (or do it by hand).

 Regards.

by "external" do you mean "self-made" or are there third-party tools available?

Hello,

both are possible. Some companies has develloped some tools to improve Symantec DLP capabilities, but you could also do it on your own (i used to do some for my customers) as it is not too complicated.

 regards.

Hello,

Thanks for your replies.

I will study those possibilities, but the one using "external" tool seems to be the best aproach.

Regards.

Its quite possible through some customized script or Symantec request