About Data in Motion Searches

The Saved Searches section provides a list of publicly available searches and your private saved searches. The searches are listed in order of use, with the most recent at the top. You use the searches to locate data-in-motion incidents that meet your specific criteria. A search can be saved even if it does not return results. To clear the fields, click Clear Filters.

Creating a Data In Motion Search

The search options for policies, organizations, countries, and scenarios are set by the privileges you have, your action plans, and the queues that you are assigned to in Symantec ICA.
To create a Data In Motion search, do the following steps:
  1. Click New Search on the Data In Motion page.
  2. Select criteria from the following search parameters:
    Many of the parameters allow more than one option to be selected. The selections use an OR operator. For example, more than one user can be selected in the Assigned to User field, and Symantec ICA returns data for any of the users selected in the field.
    Data In Motion Search Fields
    Action By: User who performed the action. Options are Me, Others, People in my roles, People in other roles, and All.
    Action Plans: The action plans that have data-in-motion incidents.
    Actual Departure Date: Date range to search before or after an incident, based on the actual departure date.
    Assigned To Queue: Queue associated with the incident, such as HR or Corporate.
    Assigned to User: User assigned to the incident. Only one user can be specified for this field. You can enter Me to view incidents assigned to you.
    Channel: Channel used by the events, such as endpoint or network.
    Classification: Event classification, such as Acceptable or Investigate.
    Classification Method: Method of classification, such as manual or automatic.
    Cloud Service: Cloud service used in the events.
    Comment: Comments associated with the event, as set in the data loss prevention system.
    Country: Country in which the event occurred, as set in the data loss prevention system.
    Department Peer Group Rating: Behavioral risk rating for the user associated with the event, based on the behavior of the peers in the same peer group.
    DIM Response Action: Response action to the data-in-motion (DIM) event.
    End Date: Last date of the search range. Enter a date, or select a date with the calendar tool.
    File Name: Name of the file associated with the event.
    File Size: Size of the event file. Select a comparison operator, enter the file size, and then select the unit of measure.
    First Action By User: First user who performed an action on the event.
    Has Attachment: Indicator that an attachment was involved in the event.
    Incident #: Unique identifier for the incident in the data loss prevention system.
    Incident Group ID: Identifier of the incident group type.
    Included in Group Type: Type of the incident group, such as Large Files to USB or Planned Departure. The incident groups are set by the administrator.
    Included in Scenario: Scenarios associated with the DIM incident.
    Individual Rating: Behavioral risk rating for the user associated with the incident, based on their own behavior.
    Job Title: Job title of the person associated with the incident.
    Last Action By User: User who last performed an action on the incident.
    Last Actioned End Date: Date on which to end the search for data-in-motion incidents that have been acted on in the system.
    Last Actioned Start Date: Date on which to begin the search for data-in-motion incidents that have been acted on in the system.
    Linked Server: Server linked to the event.
    Manager Peer Group Rating: Behavioral risk rating for the user's peers who have the same manager.
    Manager User ID: Unique identifier or user name of the user's manager.
    Match Count: Number of items involved in the event, such as the number of Social Security numbers included in an email message event. Select a comparison operator, and enter the count.
    Minimum Residual Risk Amount: Minimum amount of residual risk for the events.
    Mitigated: Indicator of whether the event has been mitigated. The residual risk associated with an event is lessened when the event has been mitigated in the system.
    Mitigation Method: Method of mitigation, such as manual or automatic.
    Occurred Date End: End date for the search for a data-in-motion incident. The date is based on when the incident was last detected by the endpoint detection security database, not the Symantec ICA database.
    Occurred Date Range: Date range in which the incident occurred. The range is based on when the incident was detected by the endpoint detection security database, not the Symantec ICA database.
    Occurred Date Start: Date on which to begin the search for a data-in-motion incident. The date is based on when the incident was detected by the endpoint detection security database, not the Symantec ICA database.
    Occurred Time Range: Time the incident occurred, based on the date the incident was first detected by the endpoint detection security database, not the Symantec ICA database.
    Organization: Organization or department associated with the incident.
    Planned Departure Date: Date range to search before or after an incident, based on the planned departure date of employees.
    Policy: Data loss prevention policy that was violated by the incident.
    Protocol: Protocol of the incident, as set in the data loss prevention system.
    Public Domain: Indicator of whether the domain is public.
    Reason: Reason for escalation of the incident.
    Recipient: Person or computer that received the data related to the incident.
    Recipient Domain: Domain of the recipient. More than one domain can be entered; separate entries with commas.
    Relative Date: Range of dates for the search, such as last 24 hours, previous month, or month to date. Use a relative date when creating a search that will be saved as a scenario.
    Relative Occurred Date: Date range for the search, such as last 7 days or previous month.
    Resolution: Resolution value set for the incident in the data loss prevention system.
    Rule: Rule associated with the incident.
    Sender: Person or computer that sent the data related to the incident.
    Sender Account Likelihood: Likelihood that the sender and recipient of an email message are the same person. The search results do not include messages in which the sender included themselves in the CC (carbon copy) or BCC (blind carbon copy) field.
    Sender Identity: Identity of the sender associated with the incident.
    Severity: Severity of the incident, as set in the data loss prevention system.
    Source Incident ID: Identifier of the source incident.
    Start Date: Date on which to begin the search for a data-in-motion incident. Enter a date, or select a date with the calendar tool.
    Status: Status of the incident, as set in the data loss prevention system.
    Subject Line: Subject of the incident.
    Time Range: Time of the incident, in hour increments. More than one time can be selected for the search.
    Trusted Domain: Indicator of whether the domain is trusted.
    User ID: Unique identifier or user name.
    User Status: Status of the user, such as Active, Terminated, or All.
    User Type: Type of user, such as Contractor, Employee, Vendor, or All.
    Vendor: Name of the vendor.
    VIP: Indicator of whether the user is a high-privileged user.
  3. Click Search.
Data from the search can be exported to a Microsoft Excel spreadsheet by clicking Export.
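To make the search semantics above concrete, the following is an added Python illustration (not Symantec ICA code, which this page does not expose): it applies a set of criteria to constructed sample incidents, using OR within a multi-select field such as Channel or Assigned to User, a comparison operator plus unit for File Size, a comparison for Match Count, and a Relative Occurred Date window. Combining criteria from different fields with AND is an assumption, as are the incident records.

```python
from datetime import date, timedelta
import operator

# Constructed sample incidents (not real ICA records); keys mirror the search fields.
INCIDENTS = [
    {"incident": 101, "assigned_to": "alice", "channel": "network",
     "occurred": date(2024, 5, 10), "file_size_bytes": 3 * 1024**2, "match_count": 12},
    {"incident": 102, "assigned_to": "bob", "channel": "endpoint",
     "occurred": date(2024, 5, 12), "file_size_bytes": 40 * 1024**2, "match_count": 1},
    {"incident": 103, "assigned_to": "carol", "channel": "endpoint",
     "occurred": date(2024, 4, 1), "file_size_bytes": 900 * 1024, "match_count": 30},
]

UNITS = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq}

def matches(incident, criteria, today):
    """True when the incident satisfies every criterion in the set."""
    # Multi-select fields: the incident matches if ANY selected value applies (OR).
    for field in ("assigned_to", "channel"):
        if field in criteria and incident[field] not in criteria[field]:
            return False
    # File Size: (operator, amount, unit); the amount is converted to bytes first.
    if "file_size" in criteria:
        op, amount, unit = criteria["file_size"]
        if not OPS[op](incident["file_size_bytes"], amount * UNITS[unit]):
            return False
    # Match Count: (operator, count) compared against the item count of the event.
    if "match_count" in criteria:
        op, count = criteria["match_count"]
        if not OPS[op](incident["match_count"], count):
            return False
    # Relative Occurred Date: "last N days", measured from the day the search runs.
    if "last_days" in criteria:
        if incident["occurred"] < today - timedelta(days=criteria["last_days"]):
            return False
    return True  # different fields combine with AND (assumed, not stated on the page)

def search(criteria, today=None):
    """Return incident numbers matching the criteria; today is an ISO date string."""
    today = date.fromisoformat(today) if today else date.today()
    return [i["incident"] for i in INCIDENTS if matches(i, criteria, today)]
```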

Saving a Data in Motion Search

To save a search, do the following steps:
  1. Create and run a search as described in Creating a Data In Motion Search.
  2. After the results display, click My Selections, and then click Save This Search.
  3. Do one of the following, depending on the type of search:
    New search:
      1. Select Save As New.
      2. Enter a name in the Search name field.
      3. Set the search to Public, Private, Rollup, or Scenario. Scenarios are data sets used to build correlations between data-in-motion incidents. Saved scenarios do not appear in the Saved Searches section of the Data in Motion page; they are available in the saved search list after you click New Search.
      4. Click Save.
    Modify an existing search:
      1. Select Overwrite Existing.
      2. Select the existing search name in the Saved search list.
      3. Set the search to Public, Private, Rollup, or Event Scenario Set. Scenarios are data sets used to build correlations between data-in-motion incidents. Saved scenarios do not appear in the Saved Searches section of the Data in Motion page; they are available in the saved search list after you click New Search.
      4. Click Save.
A search can be saved even when the search returns no results.

Opening a Saved Data in Motion Search

Select a search from the Saved Searches list, or click New Search. Then click Saved Searches and select the search name from the list. Click My Selections to set up filters.
Saved searches that are created in the Analyzer cannot be edited with the My Selections option. If you create a saved search with the Analyzer, any edits to that saved search must be made in the Analyzer.

Exporting a Saved Data in Motion Search

The results from a saved Data in Motion search can be exported to a Microsoft Excel spreadsheet.
To export a saved Data in Motion search, do the following steps:
  1. From the Data In Motion page, select the search from the Search Events list, or click New Search and select the search from the list.
  2. Click Export on the toolbar to download the data as a Microsoft Excel spreadsheet.

Deleting a Saved Data In Motion Search

To delete a saved Data In Motion search, do the following steps:
  1. From the Data in Motion page, click New Search.
  2. Click Saved Searches.
  3. Click Delete next to the name of the saved search.
  4. Click Yes to confirm the deletion.
  5. Click X to close the window and return to the Search Results page.