About Data in Motion Searches
The Saved Searches section provides a list of publicly-available searches and your private saved searches. The searches are listed in order of use, with the most recent at the top. You use the searches to locate data-in-motion incidents that meet your specific criteria. A search can be saved even if it does not return results. To clear the fields, click Clear Filters.
Creating a Data In Motion Search
The search options for policies, organizations, countries, and scenarios are set by the privileges you have, your action plans, and the queues that you are assigned to in Symantec ICA. To create a Data In Motion search, do the following steps:
- Click New Search on the Data In Motion page.
- Select criteria from the following search parameters. Many of the parameters allow more than one option to be selected. The selections use an OR operator. For example, more than one user can be selected in the Assigned to User field; Symantec ICA returns data for any of the users selected in the field.

Data In Motion Search Fields

| Data In Motion Search Field | Description |
| --- | --- |
| Action By | User who performed the action. Options are Me, Others, People in my roles, People in other roles, and All. |
| Action Plans | The action plans that have data-in-motion incidents. |
| Actual Departure Date | Date range to search before or after an incident, based on the actual departure date. |
| Assigned To Queue | Queue associated with the incident, such as HR or Corporate. |
| Assigned to User | User assigned to the incident. Only one user can be specified for this field. You can enter Me to view incidents assigned to you. |
| Channel | Channel used by the events, such as endpoint or network. |
| Classification | Event classification, such as Acceptable or Investigate. |
| Classification Method | Method of classification, such as manual or automatic. |
| Cloud Service | Cloud service used in the events. |
| Comment | Comments associated with the event, as set in the data loss prevention system. |
| Country | Country in which the event occurred, as set in the data loss prevention system. |
| Department Peer Group Rating | Behavioral risk rating for the user associated with the event, based on the behavior of their peers in the same peer group associated with the event. |
| DIM Response Action | Response action to the data-in-motion (DIM) event. |
| End Date | Last date for the search range. Enter a date, or select a date on the calendar tool. |
| File Name | Name of the file associated with the event. |
| File Size | Size of the event file. Select a comparison operator, enter the file size, and then select the unit of measure. |
| First Action By User | First user who performed an action on the event. |
| Has Attachment | Indicator that an attachment was involved in the event. |
| Incident # | Unique identifier for the incident in the data loss prevention system. |
| Incident Group ID | Identifier of the incident group type. |
| Included in Group Type | Type of the incident group, such as Large Files to USB and Planned Departure. The incident groups are set by the administrator. |
| Included in Scenario | Scenarios associated with the DIM incident. |
| Individual Rating | Behavioral risk rating for the user associated with the incident, based on their own behavior. |
| Job Title | Job title of the person associated with the incident. |
| Last Action By User | User who last performed an action on the incident. |
| Last Actioned End Date | Date to end the search for data-in-motion incidents that have been acted on in the system. |
| Last Actioned Start Date | Date to begin the search for data-in-motion incidents that have been acted on in the system. |
| Linked Server | Server linked to the event. |
| Manager Peer Group Rating | Behavioral risk rating for the user's peers with the same manager. |
| Manager User ID | Unique identifier or user name of the user's manager. |
| Match Count | Number of items involved in the event, such as the number of Social Security numbers included in an email message event. Select a comparison operator, and enter the count. |
| Minimum Residual Risk Amount | Minimum amount of residual risk for the events. |
| Mitigated | Indicator of whether the event has been mitigated. The residual risk associated with an event is lessened when the event has been mitigated in the system. |
| Mitigation Method | Method of mitigation, such as manual or automatic. |
| Occurred Date End | End date to search for a data-in-motion incident. The date is based on when the incident was last detected by the endpoint detection security database, not the Symantec ICA database. |
| Occurred Date Range | Date range in which the incident occurred. The date range is based on when the incident was detected by the endpoint detection security database, not the Symantec ICA database. |
| Occurred Date Start | Date to begin the search for a data-in-motion incident. The date is based on when the incident was detected by the endpoint detection security database, not the Symantec ICA database. |
| Occurred Time Range | Time the incident occurred, based on the date the incident was first detected by the endpoint detection security database, not the Symantec ICA database. |
| Organization | Organization or department associated with the incident. |
| Planned Departure Date | Date range to search before or after an incident, based on the planned departure date of employees. |
| Policy | Data loss prevention policy that was violated by the incident. |
| Protocol | Protocol of the incident, as set in the data loss prevention system. |
| Public Domain | Indicator of whether the domain is public. |
| Reason | Reason for escalation of the incident. |
| Recipient | Person or computer that received the data related to the incident. |
| Recipient Domain | Domain of the recipient. More than one domain can be entered. Entries should be separated by commas. |
| Relative Date | Range of dates for the search, such as last 24 hours, previous month, and month to date. Use a relative date when creating a search that will be saved as a scenario. |
| Relative Occurred Date | Date range for the search, such as last 7 days and previous month. |
| Resolution | Resolution value set for the incident in the data loss prevention system. |
| Rule | Rule associated with the incident. |
| Sender | Person or computer that sent the data related to the incident. |
| Sender Account Likelihood | Likelihood that the sender and recipient of an email message are the same person. The search results do not include messages in which the sender included themselves in the CC (carbon copy) or BCC (blind carbon copy) fields. |
| Sender Identity | Identity of the sender associated with the incident. |
| Severity | Severity of the incident, as set in the data loss prevention system. |
| Source Incident ID | The identifier of the source incident. |
| Start Date | Date to begin the search for a data-in-motion incident. Enter a date, or select a date using the calendar tool. |
| Status | Status of the incident, as set in the data loss prevention system. |
| Subject Line | Subject of the incident. |
| Time Range | Time of the incident, in hour increments. More than one time can be selected for the search. |
| Trusted Domain | Indicator of whether the domain is trusted. |
| User ID | Unique identifier or user name. |
| User Status | Status of the user, such as Active, Terminated, and All. |
| User Type | Type of user, such as Contractor, Employee, Vendor, and All. |
| Vendor | Name of the vendor. |
| VIP | Indicator of whether the user is a high-privileged user. |
- Click Search.
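The way the criteria above combine, as an added example that is not part of this documentation and is not Symantec ICA's code: constructed Python that models the OR-within-field rule stated for multi-select fields, the File Size comparison with a unit of measure, the Match Count comparison, and the comma-separated Recipient Domain field. Combining different fields with AND is an assumption of this example, as are the sample incident records.

```python
"""Constructed model of Data In Motion search semantics (not the product's code):
a multi-select field matches when ANY selected option matches (OR); File Size and
Match Count take a comparison operator; Recipient Domain is a comma-separated list.
ANDing the separate fields together is an assumption of this example."""
import operator

# Constructed sample incidents; every value here is invented for illustration.
INCIDENTS = [
    {"incident": 1001, "assigned_user": "alice", "channel": "endpoint",
     "file_size_bytes": 3 * 1024 ** 2, "match_count": 12, "recipient_domain": "example.org"},
    {"incident": 1002, "assigned_user": "bob", "channel": "network",
     "file_size_bytes": 400 * 1024, "match_count": 2, "recipient_domain": "partner.example"},
    {"incident": 1003, "assigned_user": "carol", "channel": "network",
     "file_size_bytes": 25 * 1024 ** 2, "match_count": 150, "recipient_domain": "example.org"},
]

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def any_of(field, selections):
    """Multi-select field: the selected options are joined with OR."""
    chosen = {s.strip() for s in selections}
    return lambda inc: inc[field] in chosen


def file_size_criterion(op, size, unit):
    """File Size: comparison operator, a number, and the unit of measure."""
    threshold = size * UNITS[unit]
    return lambda inc: OPS[op](inc["file_size_bytes"], threshold)


def match_count_criterion(op, count):
    """Match Count: comparison operator and a count of matched items."""
    return lambda inc: OPS[op](inc["match_count"], count)


def recipient_domain_criterion(csv_domains):
    """Recipient Domain: comma-separated entries, any one of which may match."""
    return any_of("recipient_domain", csv_domains.split(","))


def run_search(criteria, incidents=INCIDENTS):
    """Return the incident numbers that satisfy every criterion (AND across fields)."""
    return [inc["incident"] for inc in incidents if all(c(inc) for c in criteria)]
```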
Data from the search can be exported to a Microsoft Excel spreadsheet by clicking Export.
Saving a Data in Motion Search
To save a search, do the following steps:
- Create and run a search as described in Creating a Data In Motion Search.
- After the results display, click My Selections, and then click Save This Search.
- Do one of the following, depending on the type of search:
  New search:
  - Select Save As New.
  - Enter a name in the Search name field.
  - Set the search to Public, Private, Rollup, or Scenario. Scenarios are data sets used to build correlations between data-in-motion incidents. Saved scenarios do not appear in the Saved Searches section of the Data in Motion page. The scenarios are available in the saved search list after clicking the New Search option.
  - Click Save.
  Modify an existing search:
  - Select Overwrite Existing.
  - Select the existing search name in the Saved search list.
  - Set the search to Public, Private, Rollup, or Event Scenario Set. Scenarios are data sets used to build correlations between data-in-motion incidents. Saved scenarios do not appear in the Saved Searches section of the Data in Motion page. The scenarios are available in the saved search list after clicking the New Search option.
  - Click Save.
A search can be saved even when the search returns no results.
Opening a Saved Data in Motion Search
Select a search from the Saved Searches list, or click New Search. Then click Saved Searches and select the search name from the list. Click My Selections to set up filters. Saved searches that are created in the Analyzer cannot be edited with the My Selections option. If you create a saved search with the Analyzer, any edits to that saved search must be made in the Analyzer.
Exporting a Saved Data in Motion Search
The results from a saved Data in Motion search can be exported to a Microsoft Excel spreadsheet.
To export a saved Data in Motion search, do the following steps:
- From the Data In Motion page, select the search from the Search Events list, or click New Search and select the search from the list.
- Click Export on the toolbar to download the data as a Microsoft Excel spreadsheet.
Deleting a Saved Data In Motion Search
To delete a saved Data In Motion search, do the following steps:
- From the Data in Motion page, click New Search.
- Click Saved Searches.
- Click Delete next to the name of the saved search.
- Click Yes to confirm the deletion.
- Click X to close the window and return to the Search Results page.