Data Security reports

Data Security reports can contain the attributes shown in the table below.

Note that data is only displayed in your report if the relevant classifier, category, regulation, etc. is included in your web policy. This is configured on the Data Security tab of the policy and the data is specific to policies configured with DLP Lite.

Data for some attributes is not available for policies configured with Data Protection Service. Use Forcepoint DLP to view and report on incidents not included in these reports. See Viewing Incidents and Reports for more information.

Name Description Filter values
Data Security
Action

Select Blocked to view incidents where potential data loss or theft was prevented. Select Monitored to view those that were permitted.

Check boxes
Content Category

Select the types of content classifiers to include in the report:

  • Regulatory Compliance - detects data loss applicable to your industry and region.
  • Data Theft - detects when data is being leaked due to malware or malicious transactions.
  • Custom Classifier - detects when patterns, phrases, or dictionary terms that are specific to your business are being leaked.

Only incidents that breach these types are shown in the report.

Check boxes
Content Classifier

Enter the names of the content classifiers that you want to include in the incident report, one entry per line. For example:

PCI: Credit Card Magnetic Strips

US PII

UK PII

Pattern-1

KeyPhrase-X

MyDictionary

Only incidents that breach these classifiers are shown in the report.

Manual text
Event ID

Enter unique incident identifiers, one entry per line. Event IDs are 15-digit numerals. For example:

123-456-789-000-123

124-457-789-000-124

You can enter full or partial IDs. If you enter more than 3 digits, you must include hyphens. For example, “456-7”.

“Event ID contains 547” will show all events containing that number.

Manual text
Content Subcategory

Select the particular content subcategories to include in the report.

For example, PII and PHI are subcategories of the content category, Regulatory Compliance. Choose them if you want to show only PII and PHI incidents in the report.

You can choose from the following.

Regulatory Compliance

  • PII
  • PHI
  • PCI DSS

See Regulations for a description of the regulations.

Data Theft

  • Common password information
  • Encrypted files – known format
  • Encrypted files – unknown format
  • Password files
  • IT asset information
  • Malware communication

See Data Theft for a description of the data theft policies.

Custom Classifiers

  • RegEx
  • Dictionary
  • Key phrase

Create these under Policy Management > Content Classifiers, and then enable them on the Data Security tab of your policy.

Check boxes
Severity

Incidents can be classified as high, medium, or low severity. Select the severities to include in the report.

The severities of regulatory and data theft incidents are automatically decided by the system. This calculation takes both the prescribed severity of the incident and the number of matched violations into account.

Custom classifier severities are user-defined.

Check boxes
Top Matches

Top matches indicates the number of matches on the incident’s most violated rule.

For example, if rule A in MyPolicy has 2 matches, rule B has 5 matches, and rule C has 10 matches, top match equals 10.

Enter the threshold for top matches to include in the report (a numeric value), and then select the operator to use: equal to, greater than, etc.

If you enter Top Match > 10, then all incidents with a top match of 10 or more are included in the report.

Numeric
Transaction Size

Enter a numeric value to indicate the size of transactions to include in the report—namely, transactions that resulted in incidents.

Next, select the operator to use: equal to, greater than, etc. For example, you can show transactions greater than 200 KB.

Numeric (in KB)
Web Category

Category of the website that was used for the data transaction.

Auto-completed text
Web Policy

Name of the web policy that was violated.

Auto-completed text
Source & Destination
Connection IP

IP address of connection to the cloud service.

Manual text
Destination Country

Country in which the destination IP address is located.

Auto-completed text
Destination IP

Enter the IP address of the destination site you want included in the report.

Manual text
Domain

Enter the domain name of the destination site you want included in the report. For example:

cnn.co.uk

Manual text
Full URL

Enter the full URL of the destination site you want included in the report. For example:

http://entertainment.cnn.co.uk

Manual text
Source Country

Country in which the source IP address is located.

Auto-completed text
User

Enter the name or IP address of the users you want included in the report. For example:

jdoe

10.2.33.7

To show records where User is empty, select “Include results with no User”.

Manual text
Media
File Name(s)

If you want to see incidents that involved specific files, enter the name of the files, one entry per line. For example:

confidential.doc

myData.xls

Manual text
Time
Date

In the left box, click the dates to include in the report, and then click the right arrow to select them.

Selector
Hour

Select the time of interest. For example:

9:35

23:00

Selector