Previewing incidents
Administrator Help | Forcepoint DLP | Version 8.7.x
Details of the selected incident appear at the bottom of the screen. In this preview, you can see:
*
*
*
*
To see more of the preview, select View > Incident Preview Only or View > Open Preview in New Window.
Violations
In this section, you can display violation triggers or violated rules.
* Violated rules displays which rules were violated by the incident. Click the information icon to view more details, such as the policy and action plan for the rule. Only the first 500 rules or 500 MB for the incident are displayed.
* Violation triggers displays the precise values that triggered the violation and how many of those triggers were found. Click the numeric link to view details about the trigger. Only the first 500 triggers or 500 MB for the incident are displayed.
 
Note 
Click Tune Policy to update your policy for this incident. You can select any of the following:
* Exclude Source from Rules - Select this option to exclude the incident source from one or more of the rules. You cannot exclude an incident source from an email or Web data loss prevention policy.
* Disable Policies - Select this option to disable a policy if it is not producing the desired effect. You cannot disable an email or Web data loss prevention policy; you can only disable attributes.
* Disable Rules - Select this option to disable a rule if it is not producing the desired effect. To disable attributes in an email or Web data loss prevention policy, highlight the policy, click Edit, then de-select Enabled for the desired attributes.
See Tuning policies for more information.
Forensics
The Forensics tab shows information about the original transaction.
For data loss prevention incidents that occurred on an email or a mobile channel, it displays the message subject, from, to, attachments, and message body. You can click links for details about the source or destination of the incident, such as email address, manager, and manager's manager. You can retrieve thumbnail photos, if configured. You can also open attachments. The bottom portion of the incident screen displays the message body.
For data loss prevention incidents that occurred on a Web channel, the forensics could include the URL category property.
For discovery incidents, forensics includes the hostname and file name.
Use the Show as field to select how you want the text displayed: Marked HTML, plain text, or HTML.
Marked HTML includes the HTML markup language. HTML does not.
Forensics are stored in the \forensics_repository\data directory on the management server.
Note that the extracted text may appear slightly different from channel to channel. This is due to the way the policy engine works in different environments.
Properties
The Properties tab displays incident details, such as:
*
*
*
*
*
It also shows information about the source and destination of the incident.
For discovery incidents, this tab also displays:
*
*
*
*
History
The History tab displays the incident history, such as when it was received, released, or assigned to someone. These are automatically generated when a workflow operation is performed.
This tab also displays comments that were added by administrators using the Workflow > Add Comments option.
Each event in the incident's history is shown in a separate row. You can expand or collapse events to view details.

Copyright 2020 Forcepoint. All rights reserved.