Access the Data Loss Prevention Incident Response (DLP) User workspace, review the assigned DLP incidents, and report or respond to the incidents.
Before you begin
Role required:
Any valid user/employee
Procedure
Navigate to All > DLP Incident Management > DLP User Workspace.
The My DLP Incidents page opens in a new tab.
Click a list view to review the incidents that are assigned to you.
List view: Description
All: View all the assigned incidents.
Due in the next 7 days: View all the incidents that are due in the next 7 days.
Critical incidents: View all the incidents with the severity label critical.
New incidents this week: View all the incidents that are assigned this week.
Pending Assessments: View all the assessments that are still pending.
You can review the DLP incidents in two ways:
The first way is to locate and select one or more DLP incidents that you want to review, and click the check box next to the incidents.
Choose the option that is appropriate for you.
Table 1. DLP End User portal homepage
Option: Description
Refresh List: Option to refresh the list of DLP incidents if you made an update.
List Actions: List of actions that you can perform. Choices are as follows: Save as, Edit columns, Reset widths.
Note: When you have your own custom list, created under the My Lists section and configured for your workspace, you can also perform the following additional list actions: Rename, Save, Delete.
Copy URL for All: Option to copy the URLs of all the DLP incidents.
Report Incident: Action to report the incident as false positive or wrong owner. For example, you can report a wrong owner and suggest another owner or report the incident as a false positive.
Respond: Respond to an incident by selecting an incident response option. For example, if a user deletes a file that violates a DLP policy, the user can choose the option Deleted File to submit a manual acknowledgement that the file has been deleted and provide comments. From here you can also select advanced response options. For example, Request email release from quarantine.
Figure 1. DLP User Portal homepage
For an overview of the DLP incident actions, watch the following video.
The second way is to click a particular DLP incident to open it.
The Details tab displays the following sections:
Details: You can view the details of the DLP incident such as incident number, severity, file name.
Compose: To add comments about the DLP incident that are visible to everyone, enter the comments in the Comments tab. To add comments that are visible to certain people, enter the comments in the Work notes (Private) tab.
Activity: You can view the details of the different activities on the DLP incident.
Attachments: If you have any attachments related to the DLP incident, click Browse and select the attachment from your local drive.
The Additional Details tab displays all the additional information about the DLP incident including custom fields.
Important:
Custom fields for DLP incidents are supported only on the San Diego version or later.
If custom field data is available for a particular DLP incident, you can view it under the Additional Details tab. If there are no custom fields for the DLP incident, you see a blank page.
Detected Sensitive Information Type: Displays the sensitive information detected for the incident.
Note:
This related list is visible only for the DLP incidents created for Microsoft or Symantec integrations. Within the Microsoft or Symantec incident record, whenever the user accesses the detected sensitive information type record, the highlighted match content for that integration is displayed.
Choose the option that is appropriate for you.
Option: Description
Report False Positive: Action to report that the DLP incident has been wrongly triggered or created. You can mention the details of why you’ve marked the incident as false positive in the Comments field.
Report Wrong Owner: Action to report that the DLP incident has been assigned to the incorrect user. If you know the correct owner for the incident, you can select the owner's name in the Suggest Owner field. To add any additional details, use the Comments field.
Respond: Respond to an incident by selecting an incident response option. For example, if a user deletes a file that violates a DLP policy, the user can choose the option Deleted File to submit a manual acknowledgement that the file has been deleted and provide comments. From here you can also select advanced response options. For example, Request email release from quarantine.
Select the Respond button after answering the analyst query.
A pop-up to submit an incident response appears. Select the response from the drop-down menu and add comments.
Select Submit.
A banner appears confirming that your response has been submitted successfully.
Note:
The incident is assigned to the corresponding approver or analyst, and the end user loses access to the incident.
To take assessments, select the Pending Assessments list view.
Click a particular assessment number to open it.
Answer the assessment questions, and click Save or Submit based on your requirements.
Click the Instructions card section, which is displayed above all the fields in the DLP incident form view, to view additional information about a particular incident.
Note:
This section of the workspace guides users through the incident information, which helps in understanding the next steps of the incident resolution.
The user instructions card displays two different headers, which provide more information about a specific incident on the form view. Click any user instruction header to see the additional details.