Configure advanced settings for Data Loss Prevention Incident Response

  • Release version: Washington DC
  • Updated August 1, 2024

  Configure the advanced settings so that you can determine the fields on the incident for identifying the end users, among other capabilities.

    Before you begin

    Role required:
    • sn_dlir.admin - Create, edit, and delete.
    • sn_dlir.analyst and sn_dlir.analyst_read - View (read-only).

    About this task

    Configuring advanced settings for Data Loss Prevention Incident Response is optional. Some of the advanced settings let you do the following:
    • Define the maximum number of incidents that can be sent in a digest email.
    • Enable quick mode to send emails faster.
    • Determine the log verbosity of the application.

    Procedure

    1. Navigate to All > DLP Administration > Advanced Settings.
    2. On the form, fill in the fields.
      Table 1. Advanced Settings form
      Field
      Description

      Should the sensitive data which caused the violation be displayed on the incident?
      Option to choose whether you want to display the sensitive data that caused the violation on the DLP incident.

      By default, this option is enabled.

      Should the sensitive data which caused the violation be displayed on the child incidents as well?
      Option to choose whether you want to display the sensitive data that caused the violation on the DLP child incident as well.

      By default, this option is turned off.

      List of fields on the incident that are used to identify the end user
      The list of fields on the incident of the Assignment Rule module that are used to identify the end user. You can also specify your own custom attributes to identify the end user.

      Maximum number of incidents in a digest email
      The maximum number of incidents that can be sent in a digest email.

      By default, the value is 100.

      Repeat offense maximum duration (in days)
      The maximum duration to identify a repeat offender.

      By default, the value is 90 days.

      Quick mode to send emails
      Option to validate emails and identify issues. You can perform the validation by enabling the Yes option.

      By default, this option is enabled.

      This property is used to set the log verbosity of the application
      The log verbosity level of the application, meaning the type of information that is logged. You can set the value to one of the following options:
      • error
      • warn
      • info
      • debug

      By default, the value is info.

      Exclude cloned and child incidents from reports
      Option to exclude the cloned and child incidents from the reports.

      By default, this option is Yes.

      Day(s) to wait for deleting match content on cloud storage after incident gets closed
      Option to choose the number of days to wait before cleaning up the match content of incidents that are inactive for a specific time duration.

      By default, the value is 90. After 90 days, if the DLP incident is inactive, the match content is cleaned up from the cloud storage.

      Assign Incident to DLP Analyst group after last escalation level
      Select this check box to assign the incident to the analyst after the last escalation level.

      Allow users to access incidents post escalation
      Select this check box to allow the assigned users to access the incident(s) after the escalation.

      When you select this option, all the users that were added to the escalation chain list will then be able to access the incident(s).

      Allow analyst to edit completed assessment
      Select this check box to allow the analyst to edit the completed assessment.

      When you select this option, analysts can edit the assessments. When it is unselected, you can view the assessments in read-only mode.

      Evidence Files Preview Properties
      Enabling this system property activates the evidence file preview feature in the DLP analyst workspace.

      sn_dlir.enable_evidence_file_preview

      Option to choose whether you want to preview the evidence files directly in the workspace.

      By default, this option is Yes.

      This will allow DLP users to download the previewed evidence files. Once this property is enabled, users will see a download button in the document viewer to download the evidence file.

      sn_dlir.enable_download in_preview

      Option to choose whether you want to display the download button in the document viewer, which will allow you to download the previewed evidence files.

      By default, this option is Yes.

      This property determines the duration for which files will be temporarily retained for evidence file preview purposes (in minutes).

      sn_dlir.preview_temp_files_cleanup_interval

      The maximum duration for which files are temporarily stored for evidence file preview.

      By default, the value is 10. After 10 minutes, if the DLP incident is inactive, the evidence file is cleaned up from the analyst workspace.

      Enabling this property will extend the cleanup interval if evidence files are in use. This will allow the system to extend the expiry time of evidence files based on the value set in the system property "sn_dlir.preview_temp_files_cleanup_interval".

      sn_dlir.extend_cleanup_interval_on_usage

      Option to extend the time before evidence files are deleted if they are being used.

      By default, this option is Yes.

      The maximum duration to extend the cleanup interval of evidence files (in minutes).

      sn_dlir.max_extension_duration_for_cleanup

      Option to select how long, in minutes, the system will keep your evidence files before cleaning them up.

      By default, the value is 60.

    3. Click Save.