Data Loss Prevention


Remediating Mobile incidents

Mar 25, 2014 05:20 AM

Use Mobile Prevent incident reports to monitor and respond to Mobile Prevent incidents. You can save, send, export, or schedule Symantec Data Loss Prevention reports.

In the Enforce Server administration console, on the Incidents menu, click Mobile. This incident report displays all incidents for any target that is a mobile device. You can select the standard reports for all incidents, new incidents, policy summary, status by policy, or high-risk senders.

Summary and filter options let you select which incidents to display.

About filters and summary options for reports :

You can set a number of filters and summaries for Symantec Data Loss Prevention incident reports.

These filters let you see the incidents and incident data in different ways.

The set of filters applies separately to Network, Endpoint, Mobile, and Storage events.

The filters and summary options are in the following sections:

General filters : The general filter options are the most commonly used. They are always visible in the incident list report.

Advanced filters : The advanced filters provide many additional filter options. You must click the Advanced Filters & Summarization bar, and then click Add Filter to view these filter options.

Summary options : The summary options provide ways to summarize the incidents in the list. You must click the Advanced Filters & Summarization bar to view these summary options.
 

Symantec Data Loss Prevention contains many standard reports. You can also create custom reports or save report summary and filter options for reuse.

Mobile Prevent incident list :

A Mobile Prevent incident list shows multiple mobile incident records with information about the incident such as: the severity, associated policy, number of matches, and status of the incident. Click a row of the incident list to view more details about a specific incident. Select specific incidents (or groups of incidents) to modify or remediate by clicking the check boxes at the left.

Note: Use caution when you click Select All. This action selects all incidents in the report (not only those on the current page). Any incident command you subsequently apply affects all incidents. To select only the incidents on the current page, select the checkbox at top left of the incident list.
 

Incident information is divided into several columns. Click any column header to sort alpha-numerically by that column's data. To sort in reverse order, click the column header a second time. By default, Symantec Data Loss Prevention sorts incidents by date.

Mobile Prevent incident snapshot :

An incident snapshot provides detailed information about a particular incident. It displays general incident information, matches detected in the intercepted text, and incident attributes. The snapshot also enables you to execute any Smart Response rules that you have configured.

The incident snapshot is divided into three panes, with navigation and Smart Response options.

Mobile Prevent incident list - Columns :

Incident information is divided into several columns. Click any column header to sort alpha-numerically by that column's data. To sort in reverse order, click the column header a second time. By default, Symantec Data Loss Prevention lists incidents by date.

The report includes the following columns:

Checkboxes that let you select incidents to remediate.

You can select one or more incidents to which to apply commands from the Incident drop-down menu at the top of the list. Click the checkbox at the top of the column to select all incidents on the current page. (Note that you can also click Select All at far right to select all incidents in the report.)

Type : The protocol over which the match was detected.

Subject/Sender/Recipient(s) : Message subject, sender email address or IP address, recipient email address(es), or URL(s).

Sent : Date and time the message was sent.

ID/Policy : Symantec Data Loss Prevention incident ID number and the policy against which the incident was logged.

Matches : Number of matches in the incident.

Severity : Incident severity as determined by the severity setting of the rule the incident matched.

The possible values are as follows:

High

Medium

Low

For Information Only

(The console shows each value as a severity icon in the Severity column.)

Status :

Current incident status.

The possible values are as follows:

New

In Process

Escalated

False Positive

Configuration Errors

Resolved

You or your administrator can add new status designations on the Attribute Setup page.

Mobile Prevent incident snapshot - Heading and navigation :

The following page navigation tools appear near the top of the incident snapshot:

Previous : Displays the previous incident in the source report.

Next : Displays the next incident in the source report.

Returns to the source report (where you clicked the link to get to this screen).

Updates the snapshot with any new data, such as a new comment in the History section or a modified status.
 

Mobile Prevent incident snapshot - General information :

The left section of the snapshot displays general incident information. You can click on many values to view an incident list that is filtered on that value. An icon may appear next to the Status drop-down list to indicate whether the request that generated the incident was blocked or altered.

The current status and severity of the incident appear to the right of the snapshot heading. To change one of the current values, click on it and choose another value from the drop-down list.

The remaining portion of the general information pane is divided into four tabs.

i] Key Info

ii] History

iii] Notes

iv] Correlations

Information in this section is divided into the following categories (not all of which appear for every incident type):

i] Key Info : The Key Info tab shows the policy that was violated in the incident. It also shows the total number of matches for the policy, as well as matches per policy rule. Click the policy name to view a list of all incidents that violated the policy. Click view policy to view a read-only version of the policy.

This section also lists other policies that the same file violated. To view the snapshot of an incident that is associated with a particular policy, click go to incident next to the policy name. To view a list of all incidents that the file created, click show all.

The Key Info tab also includes the following information:

The name of the detection server that recorded the incident.

The date and time the message was sent.

The sender email or IP address.

The recipient email or IP address(es).

The SMTP heading or the NNTP subject heading.

Attachment file name(s). Click to open or save the file.

If a response rule tells Symantec Data Loss Prevention to discard the original message, you cannot view the attachment.

The person responsible for remediating the incident (Data Owner Name). This field must be set manually. Reports can automatically be sent to the data owner for remediation.

If you click on a hyperlinked Data Owner Name, a filtered list of incidents by Data Owner Name is displayed.

The email address of the person responsible for remediating the incident (Data Owner Email Address). This field must be set manually.

If you click on the hyperlinked Data Owner Email Address, a filtered list of incidents by Data Owner Email Address is displayed.

ii] History : View the actions that were performed on the incident. For each action, Symantec Data Loss Prevention displays the action date and time, the actor (a user or server), and the action or the comment.

iii] Notes :  View any notes that you or others have added to the incident. Click Add Note to add a note.

iv] Correlation :  You can view a list of those incidents that share attributes of the current incident. For example, you can view a list of all incidents that a single account generated. Symantec Data Loss Prevention shows a list of correlations that match single attributes. Click on attribute values to view lists of those incidents that are related to those values.

To search for other incidents with the same attributes, click Find Similar. In the Find Similar Incidents dialog box that appears, select the desired search attributes. Then click Find Incidents.

Mobile Prevent incident snapshot - Matches :

Beneath the general information, Symantec Data Loss Prevention displays the message content (if applicable) and the matches that caused the incident. Symantec Data Loss Prevention displays the following types of message content, depending on protocol type:

Protocol - Message content

HTTP/S - Name-value pairs of the HTTP/S request

FTP - Nothing shown
 

Matches are highlighted in yellow and organized according to the message component (such as header, body, or attachment) in which they were detected. Symantec Data Loss Prevention displays the total relevant matches for each message component. It shows matches by the order in which they appear in the original text. To view the rule that triggered a match, click on the highlighted match.

Mobile Prevent incident snapshot - Attributes :

Note: This section appears only if a system administrator has configured custom attributes.

You can view a list of custom attributes and their values, if any have been specified. Click on attribute values to view an incident list that is filtered on that value. To add new values or edit existing ones, click Edit. In the Edit Attributes dialog box that appears, type the new values and click Save.

Mobile Prevent summary report :

The Mobile Prevent summary report provides summary information about the incidents that are generated on your mobile devices. You can organize the report by one or two summary criteria. A single-summary report is organized by a single summary criterion, such as the policy that is associated with each incident. A double-summary report is organized by two criteria, such as policy and incident status.

To view the primary criteria and the secondary summary criteria available for the current report, click the Advanced Filters and Summarization bar. The bar is near the top of the report. The Summarize By: listboxes show the primary criteria and the secondary summary criteria. In each listbox, Symantec Data Loss Prevention displays all detection criteria in alphabetical order, followed by any custom criteria that your system administrator has defined. Summary reports take their name from the primary summary criterion (the value of the first listbox). If you rerun a report with new criteria, the report name changes accordingly.

Summary entries are divided into several columns. Click any column header to sort alpha-numerically by that column's data. To sort in reverse order, click the column header a second time.

summary_criterion : This column is named for the primary summary criterion. It lists primary and (for double summaries) secondary summary items. In a Policy Summary, this column is named Policy and it lists policies. Click on a summary item to view a list of incidents that are associated with that item.

Total : The total number of incidents that are associated with the summary item. In a Policy Summary, this column gives the total number of incidents that are associated with each policy.

High : Number of high-severity incidents that are associated with the summary item. (The severity setting of the rule that was matched determines the incident severity.)

Med : Number of medium-severity incidents that are associated with the summary item.

Low : Number of low-severity incidents that are associated with the summary item.

Info :  The number of informational incidents that are associated with the summary item.

Bar Chart : A visual representation of the number of incidents (of all severities) associated with the summary item. The bar is broken into proportional, colored sections to represent the various severities.

Matches : Total number of matches associated with the summary item.

If any of the severity columns contain totals, you can click on them to view a list of incidents of the chosen severity.
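The summary report described above (one or two summary criteria, per-severity counts, Total and Matches columns, and the click-through from a severity total to the incidents behind it) can be reproduced over exported incident records. The following is an added example written for this article, not product code; the incident records and policy names are constructed, and the `summarize` and `drill_down` functions are hypothetical helpers, not an Enforce Server API.

```python
from collections import defaultdict

# Constructed sample records mirroring the Mobile Prevent incident list columns
# (ID/Policy, Severity, Status, Matches). Hypothetical data, not product output.
INCIDENTS = [
    {"id": 1001, "policy": "PCI Cardholder Data", "severity": "High", "status": "New", "matches": 4},
    {"id": 1002, "policy": "PCI Cardholder Data", "severity": "Med", "status": "In Process", "matches": 1},
    {"id": 1003, "policy": "Customer PII", "severity": "High", "status": "New", "matches": 7},
    {"id": 1004, "policy": "Customer PII", "severity": "Low", "status": "False Positive", "matches": 1},
    {"id": 1005, "policy": "Customer PII", "severity": "Info", "status": "Resolved", "matches": 2},
]

# Severity columns in the order the summary report shows them.
SEVERITIES = ("High", "Med", "Low", "Info")


def _empty_row():
    # One summary row: a count per severity plus the Total and Matches columns.
    row = {s: 0 for s in SEVERITIES}
    row.update(Total=0, Matches=0)
    return row


def summarize(incidents, primary, secondary=None):
    """Build a single-summary (one criterion) or double-summary (two criteria)
    report. Rows are keyed by the summary item (or item pair) and carry the
    per-severity counts, the Total incident count and the total Matches."""
    report = defaultdict(_empty_row)
    for inc in incidents:
        key = inc[primary] if secondary is None else (inc[primary], inc[secondary])
        row = report[key]
        row[inc["severity"]] += 1
        row["Total"] += 1
        row["Matches"] += inc["matches"]
    return dict(report)


def drill_down(incidents, primary, value, severity):
    """Incident IDs behind one severity cell of a summary row, i.e. the list
    you get by clicking a severity total in the report."""
    return sorted(i["id"] for i in incidents
                  if i[primary] == value and i["severity"] == severity)


if __name__ == "__main__":
    # Policy-by-status double summary, as the console would name it "Policy Summary".
    for key, row in sorted(summarize(INCIDENTS, "policy", "status").items()):
        print(key, row)
```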
