This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Peter_Bjeldbak
Contributor
‎2021-05-17 01:40 AM

DLP - how to determine user action upon "ask user"

Jump to solution

Hi

I have rule set up via DLP,  to prevent certain data to leave via mail. The rule indeed works as it should.

Since there are false positives possible - i have "ask user" enabled in order to let the user evaluate,
I need to monitor all the events, in which the user has decided to "send anyway",
I cant seem to find the relevant log "trigger" to display only dlp incidents where users found the warning to be irrelevant.

Any hints, ideas or down right solutions to my need?

regards

Peter

0 Kudos
1 Solution

Accepted Solutions
Peter_Bjeldbak
Contributor
‎2021-05-24 11:57 PM

Jump to solution

My desires have been met - i did find the solution and I am sorry to say - right in front of me.

Turns out there actually is a field - which can be Utilised - however i need to use SmartView rather than the log ind smartconsole.

The field "UserCheck response" fits like a glove (i feel stupid not finding this first time around)

Anyway - call of the dogs 🙂

View solution in original post

0 Kudos
5 Replies
_Val_
Admin
Admin
‎2021-05-17 02:45 AM

Jump to solution

Custom action for logs (alert) for this rule, and/or specific filters for DLP logs/events

0 Kudos
Peter_Bjeldbak
Contributor
‎2021-05-17 06:21 AM
In response to _Val_

Jump to solution

Hi - and thx for the reply.  The log option is the on i am most keen on - but my problem is, simply put, i cant find the field/value which indicates the user response "send anyway" to the "ask user"

I would like to have the log show ONLY those who have received the choise (those who have sent questionable materiel) AND have chosen to "send  anyway"

I have done tests and checked the log subsequently  - to no avail 😞


0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-23 08:45 PM

Jump to solution

The end user generally has to provide a reason, which I imagine would go in the logs.
If you open up a log card on an event, do you see this reason?
If so, that would be the log field to trigger on.

0 Kudos
Peter_Bjeldbak
Contributor
‎2021-05-24 11:12 PM
In response to PhoneBoy

Jump to solution

Thank you for the reply.

As to log entry to use for sorting out certain answers - Unfortunatly not - i can´t seem to find any indication in the log indicating the users choice.  

I have tried looking at the dlp log upon the time of the user reply to see what gives - to no avail 😞

What pussles me is that a premade log option would be logical at the get go  - after all - you would want to to able find all users who desides to override the warning.

0 Kudos
Peter_Bjeldbak
Contributor
‎2021-05-24 11:57 PM

Jump to solution

My desires have been met - i did find the solution and I am sorry to say - right in front of me.

Turns out there actually is a field - which can be Utilised - however i need to use SmartView rather than the log ind smartconsole.

The field "UserCheck response" fits like a glove (i feel stupid not finding this first time around)

Anyway - call of the dogs 🙂

0 Kudos