Data Loss Prevention

  • 1.  DLP Incident report - Data Inconsistency

    Posted Jul 14, 2015 11:04 AM

    Hello,

    I am running a report via DLP that needs to show:

    -Created Date
    -File name shows up in 'Location'
    -Number of PII
    -Location
    -Last accessed Date

    I can pull the data easy enough, but I am running into what looks like data inconsistency issues.

    If you take a look at the Incidents_detail_redact_capture file, you'll see that the scan and detection date is 06/02/15.

    *File Created Date: 11/24/14

    *Last Modified: 11/24/14

    *Last accessed date: 03/25/15

    Now take a look at the Attibutes_snip_redact_capature file.

    *Data User Last Access: 06/08/2015 

    *File Access History Start Date: 04/16/2015

    *File Last Access Date: 06/08/2015

    I have a few questions:

    Can anyone tell me what the difference is between "Last Access Date" and "File Last Access Date"?

    File Last Access Date appears to be connected to Data User Last Access date... Who is the "Data User"? Is it the "Data Owner" or is it the DLP Scan (dlscan)?

    How can the "file access history start date" be before the actual scan happened and before the "last accessed date"?

    Also, can someone tell me where I can find a list of the LDAP attributes and the definitions for each?

    Any help you all can provide would be greatly appreciated.



  • 2.  RE: DLP Incident report - Data Inconsistency

    Trusted Advisor
    Posted Jul 29, 2015 10:42 AM

    Spharris,

    It looks like you are also using Data Insight, which is where all of that data is being populated from.

    You have DLP that is then pulling the Access info from Data Insight.

    The "Data Owner Name" is being populated based on the Data Insight Information. This is as well as the other Storage Information.

    So ultimately your answer is going to come from Data Insight. 

    Take a look at the Attributes Lookup Section of the DLP application (under System) and see how the Data Insight Lookup is configured. This will tell you what information is being pulled and then shown to you in the incident.

    When it comes to the access information, there is a way in Data Insight to eliminate certain users from the audits that Data Insight is collecting and then showing to you in the Attributes. This can help eliminate some 'noise' caused by the dlscan user.

    Good Luck

    Ronak

    IF THIS ANSWERS YOUR QUESTION PLEASE MARK THIS AS SOLVED