Configure advanced settings
Configure the advanced settings to customize the incident display and behavior. For example, enable displaying the sensitive data on an incident and its clone, or specifying fields on the incident to identify the end users. In addition, activate and customize the evidence files preview properties.
시작하기 전에
- sn_dlir.admin
- sn_dlir.analyst and sn_dlir.analyst_read
이 태스크 정보
Configure the advanced settings on the Data Loss Prevention Incident Response to customize the details to display for an incident or control the duration to identify a repeat offender.
프로시저
- Navigate to All > DLP Administration > Advanced Settings.
-
On the form, fill in the fields.
표 1. Advanced Settings form Field Description Should sensitive data which caused the violation be displayed on the incident Option to choose whether you want to display the sensitive data that caused the violation on the DLP incident. By default, this option is enabled.
Should sensitive data which caused the violation be displayed on the cloned incidents as well? Option to choose whether you want to display the sensitive data that caused the violation on the DLP cloned incident as well. By default, this option is turned off.
List of fields on the incident that are used to identify the end user The list of fields on the incident of the Assignment Rule module that are used to identify the end user. You can also specify your own custom attributes to identify the end user. Maximum number of incidents in a digest email The maximum number of incidents that can be sent in a digest email. By default, the value is 100.
Repeat offense maximum duration (in days) The maximum duration to identify a repeat offender. By default, the value is 90 days.
Quick mode to send emails Option to validate emails and identify issues. You can perform the validation by enabling the Yes option. By default, this option is enabled.
This property is for setting the log verbosity of the application The log verbosity level of the application, meaning the name of the type of information. You can also update the value to the following options: - error
- warn
- info
- debug
By default, the value is info.
Should downloading the violating file of the reported incident be allowed Option to download the violating file of the reported incident. By default, this option is Yes.
Exclude cloned and child incidents from reports Option to exclude the cloned and child incidents from the reports. By default, this option is Yes.
Day(s) to wait for deleting match content on cloud storage after incident gets closed Option to choose the number of wait days to clean up the match content of those incidents that are inactive for a specific time duration. By default, the value is 90. If the DLP incident is inactive after 90 days, the match content is cleaned up from the cloud storage.
Assign Incident to DLP Analyst group after last escalation level Select this check box to assign the incident to the analyst after the last escalation level. Allow users to access incidents post escalation Select this check box to enable the assigned users to access the incidents after the escalation. When you select this option, all the users that were added to the escalation chain list can access the incidents.
List of fields on the "sys_user" table that are used to uniquely identify the user in DLP workspaces Options to uniquely identify the user in the DLP workspaces. The options are email and user_name.
Allow analyst to edit completed assessment Select this check box to enable the analyst to edit the completed assessment. When you select this option, the analysts can edit the Assessments, when unselected you can view the assessments in the Read-Only mode.
List of valid file extensions. This property is a comma separated string. Each token indicates an extension. List of the valid file extensions. Keep the field empty to allow all file extensions. Enabling this system property will display the Playbook tab under DLP Incidents and provide the option to manually trigger a playbook via the Add Playbook action Option to display the Playbook tab and manually add the Playbook action. By default, this option is Yes.
Evidence Files Preview Properties Enabling this system property activates the evidence file preview feature in the DLP analyst workspace. sn_dlir.enable_evidence_file_preview
Option to choose whether you want to preview the evidence files directly in the workspace. By default, this option is Yes.
This will allow DLP users to download the previewed evidence files. Once this property is enabled, users will see a download button in the document viewer to download the evidence file. sn_dlir.enable_download in_preview
Option to display the download button in the document viewer. The download button enables you to download the previewed evidence files. By default, this option is Yes.
This property determines the duration for which files will be temporarily retained for evidence file preview purposes. (in minutes) sn_dlir.preview_temp_files_cleanup_interval
The maximum duration for which files are temporarily stored for evidence file preview. By default, the value is 10. If the DLP incident is inactive after 10 minutes, the evidence file is cleaned up from the analyst workspace.
Enabling this property will extend the cleanup interval if evidence files are in use. This will allow the system to extend the expiry time of evidence files based on the value set in the system property "sn_dlir.preview_temp_files_cleanup_interval". sn_dlir.extend_cleanup_interval_on_usage
Option to extend the time before evidence files are deleted if they’re being used. By default, this option is Yes.
The maximum duration to extend the cleanup interval of evidence files (in minutes). sn_dlir.max_extension_duration_for_cleanup
Option to select how long, in minutes, the system keeps your evidence files before cleaning them up. By default, the value is 60.
- Select Save.