Data Loss Prevention

  • 1.  Archiving incidents

    Posted Dec 05, 2016 05:25 AM

    Dear Guyz.

    Help me how to archive the incidents in Symantec DLP

    I archive incidents in Symantec DLP by following these steps:

    1. selecting a custom date range (e.g., 1/1/2016 to 12/1/2016),
    2. then I save the report with the required name <test_Archive>,
    3. then go to System --> incidents data --> web archive.
    4. Name the archive <test_archive 1>
    5. In the <Report to Export> drop-down, I select my saved report <test_Archive>
    6. then hit the <Create> button.
    7. Archive finishes successfully.

     

    But when I again go to incidents --> Endpoint and select the custom range (1/1/2016 to 12/1/2016), I again see that the same incidents are still in place.

     

    Please help me urgently.

     

    Thanks

    Regards

    Zuhaib



  • 2.  RE: Archiving incidents
    Best Answer

    Trusted Advisor
    Posted Dec 05, 2016 07:33 AM

    Hello,

    What you did is correct, but unfortunately when you create a "web archive" it does not archive incidents stored in the DLP DB.

    You must:

    - delete them (this will definitely remove them and their content from your DLP system)

    - tag them as archived (in order to remove them from DLP user reports (if in their role definition you do not allow them to see archived incidents))

     

    But you have to do this apart from the web archive, with your DLP account, if you have enough privileges to do this.

     

     Regards.



  • 3.  RE: Archiving incidents
    Best Answer

    Broadcom Employee
    Posted Dec 05, 2016 08:37 AM

    As Stephane said, you would select all the incidents in the report that you want to archive and then go to incident actions and select archive. This will keep the incidents in the database but remove them from the default reports. You can always go back and see those incidents by filtering on "Is Archived" and selecting true.

    The web archive functionality is for external users to have a static copy of the DLP incidents outside of the console. This is usually for things such as legal evidence collection or for when you really want to delete an incident from the database but maintain a copy for potential use later. Since the database is a live working copy that allows for status to change when you may not want it to for these reasons. The other thing to keep in mind is that in order to collect the web archive you would need file system access to Enforce.



  • 4.  RE: Archiving incidents

    Posted Dec 05, 2016 11:40 PM

    Dear Guyz,

     

    When I go to the Incident window and select all the incidents in the report which I want to archive, there is no "Archive" option available in the 'incident Actions' menu.

    Also, when I go to filtering, there is no "Is Archive" option.

    Why are all these options not showing or displaying?

     

    Thanks

    regards

     

    Zuhaib



  • 5.  RE: Archiving incidents

    Posted Dec 05, 2016 11:49 PM

    I think I am missing one step in the whole process. Dear Guyz, I would appreciate it if you list all the steps here.



  • 6.  RE: Archiving incidents
    Best Answer

    Trusted Advisor
    Posted Dec 06, 2016 02:08 AM

    Hello,

     

    If you are using DLP 14.X (don't know from which version this was done), "archive" was renamed "Hide".

    So in "incident action" you should see "Hide / Unhide" and a list of actions:

    - Hide incident

    - unhide incident

    - do not hide

    - allow hiding

    As the first two actions are linked to a specific privilege in your role, if you don't see them it means you don't have enough privileges to hide incidents.

     

     Regards.



  • 7.  RE: Archiving incidents

    Posted Dec 06, 2016 02:37 AM

    Please find this article. I hope it may help you.

    https://www.symantec.com/connect/articles/archiving-incidents