Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Peter_Bjeldbak
Participant

DLP - how to determine user action upon "ask user"

Jump to solution

Hi

I have rule set up via DLP,  to prevent certain data to leave via mail. The rule indeed works as it should.

Since there are false positives possible - i have "ask user" enabled in order to let the user evaluate,
I need to monitor all the events, in which the user has decided to "send anyway",
I cant seem to find the relevant log "trigger" to display only dlp incidents where users found the warning to be irrelevant.

Any hints, ideas or down right solutions to my need?

regards

Peter

0 Kudos
1 Solution

Accepted Solutions
Peter_Bjeldbak
Participant

My desires have been met - i did find the solution and I am sorry to say - right in front of me.

Turns out there actually is a field - which can be Utilised - however i need to use SmartView rather than the log ind smartconsole.

The field "UserCheck response" fits like a glove (i feel stupid not finding this first time around)

Anyway - call of the dogs 🙂

View solution in original post

0 Kudos
5 Replies
_Val_
Admin
Admin

Custom action for logs (alert) for this rule, and/or specific filters for DLP logs/events

0 Kudos
Peter_Bjeldbak
Participant

Hi - and thx for the reply.  The log option is the on i am most keen on - but my problem is, simply put, i cant find the field/value which indicates the user response "send anyway" to the "ask user"

I would like to have the log show ONLY those who have received the choise (those who have sent questionable materiel) AND have chosen to "send  anyway"

I have done tests and checked the log subsequently  - to no avail 😞


0 Kudos
PhoneBoy
Admin
Admin

The end user generally has to provide a reason, which I imagine would go in the logs.
If you open up a log card on an event, do you see this reason?
If so, that would be the log field to trigger on.

0 Kudos
Peter_Bjeldbak
Participant

Thank you for the reply.

As to log entry to use for sorting out certain answers - Unfortunatly not - i can´t seem to find any indication in the log indicating the users choice.  

I have tried looking at the dlp log upon the time of the user reply to see what gives - to no avail 😞

What pussles me is that a premade log option would be logical at the get go  - after all - you would want to to able find all users who desides to override the warning.

0 Kudos
Peter_Bjeldbak
Participant

My desires have been met - i did find the solution and I am sorry to say - right in front of me.

Turns out there actually is a field - which can be Utilised - however i need to use SmartView rather than the log ind smartconsole.

The field "UserCheck response" fits like a glove (i feel stupid not finding this first time around)

Anyway - call of the dogs 🙂

View solution in original post

0 Kudos