Incidents

Data Loss Prevention (DLP) Incidents

Context Only

The incident Summary provides the following details:
Object Type—the type of document or file that triggered the incident.
Name—the name of the document.
Asset Size—the size of the file.
Platform—which platform the incident occurred in.
Owner—the user name of the owner of the file.
Reason—what caused the incident (e.g. matching criteria in a context policy) and the date and time stamp of the occurrence.
Policy—which policy the file triggered an incident for.
Status—the current status of the incident.
Severity—the severity of the incident as chosen in policy criteria.

Access Control allows you to see who has access to the file that triggered the incident. The Sharing Settings display the owner of the file and any exposures the file may have. A list of collaborators and their access level is also provided.

The Incident History provides a list of events that affected the incident, such as a response action workflow or revoking access to a file.

Incident Notes enables collaborating users to add any notes regarding the incident for auditing or review purposes.

Custom Regex and Predefined

Custom Regex and Predefined policy incidents have the same Summary details as context policies:
Object Type—the type of document or file that triggered the incident.
Name—the name of the document.
Asset Size—the size of the file.
Platform—which platform the incident occurred in.
Owner—the user name of the owner of the file.
Policy—which policy the file triggered an incident for.
Status—the current status of the incident.
Severity—the severity of the incident as chosen in policy criteria.

However, instead of a Reason field, this summary provides a list of matches where the regular expression was found in the document.

Access Control will provide any possible exposures and the file owner.

Incident History displays a list of events affecting the incident such as response action workflow or viewing the object.

User Events and Behavior Analysis

Summary

Object Type—this will always display as Activity for UEBA incidents.
Name—the name of the event that triggered the incident.
Platform—the platform in which the incident occurred.
Owner—the name of the user that caused the incident.
Location—the location where the event took place.
Policy—the policy which triggered the incident.
Status—the current status of the incident.
Severity—the severity of the incident as chosen in policy criteria.
Time—the date and time the event took place that triggered the incident.
IP Address—the IP address of the user's activity that triggered the incident.

Clicking trust this IP will open a panel to add the IP address to the Trusted IP Library.
Clicking mark as suspicious will open a panel to add the IP address to the Suspicious IP Library.

The bottom section of the screen displays the matches for the events that violated the policy. In this example, a velocity policy was violated when a user logged in from two locations with a significant distance between them in under an hour. The Matches section lists the detection date, the match type, and the match details. The match details can include:

  • Event name
  • Location
  • Time and date of the event
  • IP Address
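
The velocity match described above, as an added example that is not part of the original documentation or the product's own code: a small Python detector that walks constructed login events per user and emits a match record (event name, location, time and date, IP address) when two consecutive logins are far apart in too short a time. The `LoginEvent` record, the sample events and the distance and time thresholds are assumptions; the page says only "significant distance" and "under an hour".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class LoginEvent:
    user: str
    event: str        # event name, as in the Matches details
    location: str
    lat: float
    lon: float
    ip: str
    time: datetime

# Constructed sample events (not real data). alice's two logins are ~5,570 km
# apart within 40 minutes; bob's are ~300 km apart and should not match.
SAMPLE_EVENTS = [
    LoginEvent("alice", "Login", "New York, US", 40.7128, -74.0060, "203.0.113.10", datetime(2024, 1, 8, 9, 0)),
    LoginEvent("alice", "Login", "London, GB", 51.5074, -0.1278, "198.51.100.7", datetime(2024, 1, 8, 9, 40)),
    LoginEvent("bob", "Login", "New York, US", 40.7128, -74.0060, "203.0.113.22", datetime(2024, 1, 8, 10, 0)),
    LoginEvent("bob", "Login", "Boston, US", 42.3601, -71.0589, "203.0.113.23", datetime(2024, 1, 8, 10, 30)),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def velocity_matches(events, max_gap=timedelta(hours=1), min_distance_km=500.0):
    """One match record per pair of consecutive logins by the same user that are
    at least min_distance_km apart and no more than max_gap apart in time.
    Both thresholds are assumed values, not the product's."""
    matches, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.time):
        prev = last_seen.get(ev.user)
        if prev is not None:
            gap = ev.time - prev.time
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if gap <= max_gap and dist >= min_distance_km:
                matches.append({
                    "user": ev.user, "match_type": "velocity",
                    "distance_km": round(dist), "minutes_apart": int(gap.total_seconds() // 60),
                    # event name, location, time/date and IP: the match details the page lists
                    "events": [(p.event, p.location, p.time.isoformat(), p.ip) for p in (prev, ev)],
                })
        last_seen[ev.user] = ev
    return matches
```

Running `velocity_matches(SAMPLE_EVENTS)` yields a single record for alice; bob's New York to Boston logins fall below the distance threshold and produce none.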

On the top right of the Incident panel, you can click Show Activity which brings you to the Activities Page filtered by the user and the date of the events.

Incident History

Incident History displays a list of events affecting the incident such as response action workflow or viewing the object.

Incident Notes

Incident Notes enables collaborating users to add any notes regarding the incident for auditing or review purposes.
