Table Properties tab

Use the Table Properties tab of the Report Catalog Edit Report page to configure which columns appear in the report, and assign a width to each.

  1. Use the check boxes to the left of the page to select the columns to display in the table for this report. The options vary depending on the type of table. See:
    • Data Loss Prevention properties
    • Mobile Device properties
    • Discovery properties
  2. Use the arrows to the right of the page to adjust the order of the columns.
  3. Use the fields in the Width column to adjust the width of each column as needed.
  4. At the bottom of the page, specify the Maximum number of incidents to display on any one page.
  5. Select a column name from the Sort by drop-down list to define which column is used to sort the table.
  6. Indicate if you want to sort in ascending or descending order.

Data Loss Prevention properties

Column Description
Action The action taken on the incident, as determined by the action plan.
Analyzed by Displays the name of the server component that analyzed the incident.
Assigned to Either Unassigned or the name of the administrator assigned to handle this incident. (See Assigning incidents.)
Channel

The channel where the incident occurred. Possible channels include:

  • Email
  • Web
  • FTP
  • Endpoint application
  • Endpoint printing
  • Network printing
Destination The intended destination or destinations of the content that violated policy.
Details Details about the incident. Shows the subject in an SMTP incident, the URL in a Web incident, etc.
Column Description
Detected by Displays the name of the Forcepoint DLP device or component that detected this incident.
Endpoint type The type of endpoint involved in the incident: PC, laptop, etc.
Email direction

This column displays the direction of the email message that triggers an incident:

  • Inbound
  • Outbound
  • Internal

If you are using the Forcepoint Email Security module, endpoint agent, or protector to monitor email, then all 3 directions are possible.

Event ID Unique number assigned to an event. An event is created for any transaction that traverses the Forcepoint DLP system.
Event time The date and time the policy engine first saw a transaction.
File name The name and size of the attachment for this incident.
ID Unique number assigned to an incident. An incident is an event that violates a policy.
Incident Tag Displays any incident tag set for the incident. (See Tagging incidents.)
Incident Time The time and date the incident was written to the database.
Policy The policies that were violated by the content.
Severity The severity of the incident: High, Medium, or Low. You define severity in the Severity & Action page of the Add rule wizard. For example: >0 matches = Low severity; >20 = Medium; >400 = High. You can also change an incidents severity (see Changing incident severity).
Source The source of the incident. Could be a person, computer, or other.
Status

The status of the incident. For example:

  • New
  • In process
  • Closed
  • False Positive
  • Escalated

You can also add and filter by up to 17 custom statuses. See Changing incident status.

Top Matches The maximum number of violations triggered by any given rule in the incident.
Total size The total size of the file or attachment involved, if any, in megabytes.
Violation Triggers The information that created the breach.

Mobile Device properties

Column Description
Action The action taken on the incident, as determined by the action plan.
Analyzed by Displays the name of the server component that analyzed the incident.
Assigned to Either Unassigned or the name of the administrator assigned to handle this incident. (See Assigning incidents.)
Destination The intended destination or destinations of the content that violated policy.
Details Details about the incident. Shows the subject in an SMTP incident, the URL in a web incident, etc.
Detected by Displays the name of the Forcepoint DLP device or component that detected this incident.
Email direction

This column displays the direction of the email message that triggers an incident:

  • Inbound
  • Outbound
  • Internal

If you are using the Forcepoint Email Security module, endpoint agent, or protector to monitor email, then all 3 directions are possible.

Event ID The ID number assigned to the event or transaction.
Event time The date and time the policy engine first saw a transaction.
File name The name and size of the attachment for this incident.
ID The incident’s unique ID number.
Incident Tag Displays any incident tag set for the incident. (See Tagging incidents.)
Incident Time The time and date the incident was written to the database.
Policy The policies that were violated by the content.
Severity The severity of the incident: High, Medium, or Low. You define severity in the Severity & Action page of the Add rule wizard. For example: >0 matches = Low severity; >20 = Medium; >400 = High. You can also change an incidents severity (see Changing incident severity.
Source The source of the incident. Could be a person, computer, or other.
Status

The status of the incident. For example:

  • New
  • In process
  • Closed

You can also add and filter by up to 17 custom statuses. See Changing incident status.

Column Description
Synced by

Use this filter to display incidents on messages that were synchronized by a certain number of mobile device users.

For example, you want to know when the same violating message was synchronized to more than 10 phones or iPads.

Top Matches The maximum number of violations triggered by any given rule in the incident.
Total size The total size of the file or attachment involved, if any, in megabytes.
Violation Triggers The information that created the breach.

Discovery properties

Column Description
Action The action taken on the incident, as determined by the action plan.
Additional action Additional executed actions, such as remediation scripts or notifications.
Analyzed by Displays the name of the server component that analyzed the incident.
Assigned to Either Unassigned or the name of the administrator assigned to handle this incident. (See Assigning incidents.)
Channel

The channel where the incident occurred. Possible channels include:

  • Email
  • Web
  • FTP
  • Endpoint application
  • Endpoint printing
  • Network printing
Current labels The labels on a file after a labeling action.
Details The details listed in the forensics Properties tab. Shows the subject in an SMTP incident, the URL in a Web incident, etc.
Detected by Displays the name of the Forcepoint DLP device or component that detected this incident
Discovery task The discovery task that identified the incident.
Discovery type The type of resource that was scanned: File System, Endpoint, SharePoint, SharePoint Online, Database, Exchange, Exchange Online, and/or Outlook PST.
Endpoint type The type of endpoint involved in the incident: PC, laptop, etc.
Event ID The ID number assigned to the event or transaction.
Event time The date and time the policy engine first saw a transaction.
File extension The file extension of the file that violated a policy. For example: docx or pptx.
Column Description
File full path The full directory path of the file that violated a policy.
File labeling status

The status of a labeling action, which can be one of the following:

  • Labeling succeeded - All labels were successfully applied to the file.
  • Labeling failed - No labels were successfully applied to the file.
  • Partially labeled - Some labels were successfully applied and some were not, because of an error or labeling system guidelines (for example, only a higher-priority label can be applied).
  • File was not labeled - Labels were not applied either because the label already exists on the file, or because of labeling system guidelines (for example, only a higher-priority label can be applied).

Relevant only for endpoint discovery.

File properties Additional file properties. For example, files protected by Microsoft Information Protection can have “Marking” or “Protection” properties.
Sharing status Indicates whether the file was shared internally or externally.
Shared with Indicates whether the file was shared with everyone or with a list of users.
File name The name of the file that violated a policy.
File owner The owner of the file that violated a policy.
File owner’s email address The email address of the owner of the file that violated a policy.
File type The type of the file that violated a policy.
File size The size of the file that violated a policy.
Folder The folder of the file that violated a policy.
Hostname The name of the host on which the violation was detected.
ID The incident’s unique ID number.
Ignored incident The incidents marked as ignored.
Incident Tag Displays any incident tag set for the incident. (See Tagging incidents)
Incident Time The time and date the incident was written to the database.
IP address The IP address of the host on which the violation was detected.
Labeled by DLP Labels applied to a file by Forcepoint DLP.
Locked Indicates whether the incident is locked or unlocked. Locking an incident prevents it from being overwritten with new data in subsequent scans. (To lock an incident, choose Workflow > Lock in the Discovery incident report.)
Policy The policies that were violated by the content.
Previous labels The labels that were on a file before a labeling action.
Column Description
Severity The severity of the incident: High, Medium, or Low. You define severity in the Severity & Action page of the Add rule wizard. For example: >0 matches = Low severity; >20 = Medium; >400 = High. You can also change an incidents severity (see Changing incident severity).
Status

The status of the incident. For example:

  • New
  • In process
  • Closed
  • False Positive
  • Escalated

You can also add and filter by up to 17 custom statuses. See Changing incident status.

Top Matches The maximum number of violations triggered by any given rule in the incident.
Violation Triggers The information that created the breach.