Table Properties tab
Use the Table Properties tab of the page to configure which columns appear in the report, and assign a width to each.
- Use the check boxes to the left of the page to select the columns to display in the table for this report. The options vary depending on the type of table. See:
- Data Loss Prevention properties
- Mobile Device properties
- Discovery properties
- Use the arrows to the right of the page to adjust the order of the columns.
- Use the fields in the Width column to adjust the width of each column as needed.
- At the bottom of the page, specify the Maximum number of incidents to display on any one page.
- Select a column name from the Sort by drop-down list to define which column is used to sort the table.
- Indicate if you want to sort in ascending or descending order.
Data Loss Prevention properties
Column | Description |
---|---|
Action | The action taken on the incident, as determined by the action plan. |
Analyzed by | Displays the name of the server component that analyzed the incident. |
Assigned to | Either Unassigned or the name of the administrator assigned to handle this incident. (See Assigning incidents.) |
Channel | The channel where the incident occurred. Possible channels include: |
Destination | The intended destination or destinations of the content that violated policy. |
Details | Details about the incident. Shows the subject in an SMTP incident, the URL in a Web incident, etc. |
Detected by | Displays the name of the Forcepoint DLP device or component that detected this incident. |
Endpoint type | The type of endpoint involved in the incident: PC, laptop, etc. |
Email direction | This column displays the direction of the email message that triggers an incident: If you are using the Forcepoint Email Security module, endpoint agent, or protector to monitor email, then all 3 directions are possible. |
Event ID | Unique number assigned to an event. An event is created for any transaction that traverses the Forcepoint DLP system. |
Event time | The date and time the policy engine first saw a transaction. |
File name | The name and size of the attachment for this incident. |
ID | Unique number assigned to an incident. An incident is an event that violates a policy. |
Incident Tag | Displays any incident tag set for the incident. (See Tagging incidents.) |
Incident Time | The time and date the incident was written to the database. |
Policy | The policies that were violated by the content. |
Severity | The severity of the incident: High, Medium, or Low. You define severity in the Severity & Action page of the Add rule wizard. For example: >0 matches = Low severity; >20 = Medium; >400 = High. You can also change an incident's severity (see Changing incident severity). |
Source | The source of the incident. Could be a person, computer, or other. |
Status | The status of the incident. For example: You can also add and filter by up to 17 custom statuses. See Changing incident status. |
Top Matches | The maximum number of violations triggered by any given rule in the incident. |
Total size | The total size of the file or attachment involved, if any, in megabytes. |
Violation Triggers | The information that created the breach. |
Mobile Device properties
Column | Description |
---|---|
Action | The action taken on the incident, as determined by the action plan. |
Analyzed by | Displays the name of the server component that analyzed the incident. |
Assigned to | Either Unassigned or the name of the administrator assigned to handle this incident. (See Assigning incidents.) |
Destination | The intended destination or destinations of the content that violated policy. |
Details | Details about the incident. Shows the subject in an SMTP incident, the URL in a web incident, etc. |
Detected by | Displays the name of the Forcepoint DLP device or component that detected this incident. |
Email direction | This column displays the direction of the email message that triggers an incident: If you are using the Forcepoint Email Security module, endpoint agent, or protector to monitor email, then all 3 directions are possible. |
Event ID | The ID number assigned to the event or transaction. |
Event time | The date and time the policy engine first saw a transaction. |
File name | The name and size of the attachment for this incident. |
ID | The incident’s unique ID number. |
Incident Tag | Displays any incident tag set for the incident. (See Tagging incidents.) |
Incident Time | The time and date the incident was written to the database. |
Policy | The policies that were violated by the content. |
Severity | The severity of the incident: High, Medium, or Low. You define severity in the Severity & Action page of the Add rule wizard. For example: >0 matches = Low severity; >20 = Medium; >400 = High. You can also change an incident's severity (see Changing incident severity). |
Source | The source of the incident. Could be a person, computer, or other. |
Status | The status of the incident. For example: You can also add and filter by up to 17 custom statuses. See Changing incident status. |
Synced by | Use this filter to display incidents on messages that were synchronized by a certain number of mobile device users. For example, you want to know when the same violating message was synchronized to more than 10 phones or iPads. |
Top Matches | The maximum number of violations triggered by any given rule in the incident. |
Total size | The total size of the file or attachment involved, if any, in megabytes. |
Violation Triggers | The information that created the breach. |
Discovery properties
Column | Description |
---|---|
Action | The action taken on the incident, as determined by the action plan. |
Additional action | Additional executed actions, such as remediation scripts or notifications. |
Analyzed by | Displays the name of the server component that analyzed the incident. |
Assigned to | Either Unassigned or the name of the administrator assigned to handle this incident. (See Assigning incidents.) |
Channel | The channel where the incident occurred. Possible channels include: |
Current labels | The labels on a file after a labeling action. |
Details | The details listed in the forensics Properties tab. Shows the subject in an SMTP incident, the URL in a Web incident, etc. |
Detected by | Displays the name of the Forcepoint DLP device or component that detected this incident. |
Discovery task | The discovery task that identified the incident. |
Discovery type | The type of resource that was scanned: File System, Endpoint, SharePoint, SharePoint Online, Database, Exchange, Exchange Online, and/or Outlook PST. |
Endpoint type | The type of endpoint involved in the incident: PC, laptop, etc. |
Event ID | The ID number assigned to the event or transaction. |
Event time | The date and time the policy engine first saw a transaction. |
File extension | The file extension of the file that violated a policy. For example: docx or pptx. |
File full path | The full directory path of the file that violated a policy. |
File labeling status | The status of a labeling action, which can be one of the following: Relevant only for endpoint discovery. |
File properties | Additional file properties. For example, files protected by Microsoft Information Protection can have “Marking” or “Protection” properties. |
Sharing status | Indicates whether the file was shared internally or externally. |
Shared with | Indicates whether the file was shared with everyone or with a list of users. |
File name | The name of the file that violated a policy. |
File owner | The owner of the file that violated a policy. |
File owner’s email address | The email address of the owner of the file that violated a policy. |
File type | The type of the file that violated a policy. |
File size | The size of the file that violated a policy. |
Folder | The folder of the file that violated a policy. |
Hostname | The name of the host on which the violation was detected. |
ID | The incident’s unique ID number. |
Ignored incident | The incidents marked as ignored. |
Incident Tag | Displays any incident tag set for the incident. (See Tagging incidents.) |
Incident Time | The time and date the incident was written to the database. |
IP address | The IP address of the host on which the violation was detected. |
Labeled by DLP | Labels applied to a file by Forcepoint DLP. |
Locked | Indicates whether the incident is locked or unlocked. Locking an incident prevents it from being overwritten with new data in subsequent scans. (To lock an incident, choose | in the Discovery incident report.)
Policy | The policies that were violated by the content. |
Previous labels | The labels that were on a file before a labeling action. |
Severity | The severity of the incident: High, Medium, or Low. You define severity in the Severity & Action page of the Add rule wizard. For example: >0 matches = Low severity; >20 = Medium; >400 = High. You can also change an incident's severity (see Changing incident severity). |
Status | The status of the incident. For example: You can also add and filter by up to 17 custom statuses. See Changing incident status. |
Top Matches | The maximum number of violations triggered by any given rule in the incident. |
Violation Triggers | The information that created the breach. |