Hi
I have a rule set up via DLP to prevent certain data from leaving via mail. The rule indeed works as it should.
Since there are false positives possible - I have "ask user" enabled in order to let the user evaluate.
I need to monitor all the events in which the user has decided to "send anyway".
I can't seem to find the relevant log "trigger" to display only DLP incidents where users found the warning to be irrelevant.
Any hints, ideas or downright solutions to my need?
regards
Peter
Custom action for logs (alert) for this rule, and/or specific filters for DLP logs/events
Hi - and thx for the reply. The log option is the one I am most keen on - but my problem is, simply put, I can't find the field/value which indicates the user response "send anyway" to the "ask user".
I would like to have the log show ONLY those who have received the choice (those who have sent questionable material) AND have chosen to "send anyway".
I have done tests and checked the log subsequently - to no avail 😞
The end user generally has to provide a reason, which I imagine would go in the logs.
If you open up a log card on an event, do you see this reason?
If so, that would be the log field to trigger on.
Thank you for the reply.
As to log entry to use for sorting out certain answers - unfortunately not - I can't seem to find any indication in the log indicating the user's choice.
I have tried looking at the DLP log upon the time of the user reply to see what gives - to no avail 😞
What puzzles me is that a premade log option would be logical at the get-go - after all - you would want to be able to find all users who decide to override the warning.
My desires have been met - I did find the solution and I am sorry to say - right in front of me.
Turns out there actually is a field - which can be utilised - however I need to use SmartView rather than the log in SmartConsole.
The field "UserCheck response" fits like a glove (I feel stupid not finding this first time around)
Anyway - call off the dogs 🙂