DLP Endpoint Incident Details Cube

Contains information about incidents generated by Symantec Endpoint Data Loss Prevention as well as the conditions that triggered those incidents. Information specific to this cube includes the total number of incidents, number of violations, the name of the policy that generated the incident, the conditions within those policies, the incident severity, and status.

Dimensions

  • Agent – AD User Name: User logged on to the endpoint computer at the time AD resolution is run
  • Agent – Investigating: Denotes whether or not the agent’s status is set to Under Investigation
  • Agent – IP Address: IP Address on the endpoint computer
  • Agent – Is Deleted: Denotes whether or not the agent has been deleted from the endpoint server
  • Agent – Name: Endpoint computer name
  • Agent – On or Off the Network: Indicates whether the agent is on or off the corporate network
  • Agent – Status: Endpoint agent’s status
  • Agent – Version: Endpoint agent’s full version number
  • Agent – Major Version: The first three components of the endpoint agent's version number (the full version with the build component dropped), so that builds of the same release can be grouped together
  • Condition – Detection or Group: Indicates whether the condition belongs to a detection rule or to a group rule, the two rule types a policy can contain
  • Condition – ID: Condition ID
  • Condition – Is Latest: Indicates whether or not this is the latest version of the condition
  • Condition – Minimum Matches: Specifies the minimum number of matches required to trigger the condition and generate an incident
  • Condition – Processing Order: Denotes the order in which conditions are processed
  • Condition – Rule or Exception: Indicates whether the condition was added as a rule or as an exception
  • Condition – Status: Status of the condition; historical changes to the status are retained, so one condition can appear under more than one status value
  • Condition – Type: Describes the type of matching used in the condition
  • Condition – Unique or Multiple Matches: Indicates the match counting type selected in the condition
  • Rule – Name: Name given to the detection or exception rule.
  • Custom Attribute – Name: Lists all user-defined custom attributes
  • Custom Attribute – Value: Lists values assigned to the custom attributes
  • Data Owner – Name: Name of the person responsible for remediating the incident
  • Data Owner – Email: Email address of the person responsible for remediating the incident.
  • Detection – Date: Incident detection date as reported by the detection server
  • Detection – Date Range: Incident detection date range as reported by the detection server
  • Detection – Day of Week: Incident detection day as reported by the detection server
  • Detection – Month: Incident detection month as reported by the detection server
  • Detection – Quarter: Incident detection quarter as reported by the detection server
  • Detection – Week Number: Incident detection week number as reported by the detection server
  • Detection – Year: Incident detection year as reported by the detection server
  • Detection – Hour: Incident detection hour as reported by the detection server
  • Detection – Minute: Incident detection minute as reported by the detection server
  • Detection – Second: Incident detection second as reported by the detection server
  • Detection – Time: Incident detection time as reported by the detection server
  • Endpoint Incident – Application Name: The name of the application employed by the end user
  • Endpoint Incident – Device Type: Lists the endpoint monitoring channel that triggered the incident
  • Endpoint Incident – File Name: Destination name of the file or item that triggered the incident
  • Endpoint Incident – File Owner: Creator of the file or item that triggered the incident
  • Endpoint Incident – File Path: Full destination path of the file that triggered the incident
  • Endpoint Incident – Instance ID: Endpoint device identifier on which the violation occurred
  • Endpoint Incident – IP Address: IP address of the endpoint at the time the violation occurred
  • Endpoint Incident – Machine Name: Name of the computer that triggered the incident
  • Endpoint Incident – On or Off the Network: Indicates the agent location at the time the violation occurred
  • Endpoint Incident – Source File Name: Name of the file or item that triggered the incident
  • Endpoint Incident – Source File Path: Full path of the file that triggered the incident
  • Endpoint Incident – User Name: Logged on user on the computer that triggered the incident
  • Endpoint Incident – Agent Response: Response or action taken by the endpoint agent
  • Endpoint Incident – User Justification Response: Justification response as defined in the Enforce console
  • Endpoint Incident – User Justification Type: Justification type as defined in the Enforce console
  • Endpoint Server – Name: Endpoint server name
  • Incident – ID: Incident ID
  • Incident – Severity: Incident severity
  • Incident – Status: Incident status as shown in the incident snapshot
  • Incident – Status Group: Incident status group as defined in the Enforce console
  • Message Component – Document Format: File format used in the message
  • Message Component – MIME Type: MIME type used in the message
  • Message Component – Name: Name used in the message
  • Message – Date: Date the message was received by the detection server or endpoint client
  • Message – Date Range: Date range the message was received by the detection server or endpoint client
  • Message – Day of Week: Day the message was received by the detection server or endpoint client
  • Message – Month: Month the message was received by the detection server or endpoint client
  • Message – Quarter: Quarter the message was received by the detection server or endpoint client
  • Message – Week Number: Week number the message was received by the detection server or endpoint client
  • Message – Year: Year the message was received by the detection server or endpoint client
  • Message – Hour: Hour the message was received by the detection server or endpoint client
  • Message – Minute: Minute the message was received by the detection server or endpoint client
  • Message – Second: Second the message was received by the detection server or endpoint client
  • Message – Time: Time the message was received by the detection server or endpoint client
  • Oracle Database – Host Name: Denotes the Oracle database name and instance name from which the data is obtained
  • Policy – Group Name: Policy Group names as defined in the Enforce console
  • Policy – Description: Policy description as displayed in the Enforce console
  • Policy – ID: Policy ID
  • Policy – Name: Policy name
  • Policy – Status: Indicates whether the policy is active or inactive
  • Policy – Version: Policy version number

Measures

  • Agents Count: Total number of agents that generated incidents.
  • Incident Count: Total number of Endpoint incidents.
  • Match Count: Total number of Endpoint matches.
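The query below is an added example of how the dimensions and measures listed above are typically combined in an MDX query against this cube; it is not taken from the original page or from Symantec's own documentation. It reports endpoint incidents, matches and distinct agents per policy and severity for agents that were off the corporate network when the violation occurred, restricted to a detection date range. The cube name and every bracketed dimension, hierarchy and member name are assumptions based on the labels on this page (for example the member names `Off the Network` and `Last 30 Days`); the deployed cube may spell its hierarchies and members differently, so verify them in the cube browser (SQL Server Management Studio or Excel) before relying on the query.

```mdx
-- Added example, not from the original page. Assumed cube and hierarchy names
-- mirror the dimension labels on this page; check them against the deployed cube.
SELECT
  {
    [Measures].[Incident Count],
    [Measures].[Match Count],
    [Measures].[Agents Count]
  } ON COLUMNS,
  NON EMPTY
  (
    -- One row per policy and severity; NON EMPTY drops combinations without incidents.
    [Policy].[Policy – Name].[Policy – Name].MEMBERS
    * [Incident].[Incident – Severity].[Incident – Severity].MEMBERS
  ) ON ROWS
FROM [DLP Endpoint Incident Details]
WHERE
(
  -- Slice on the agent location recorded at the time of the violation, not the
  -- agent's current location (that is the separate "Agent – On or Off the Network").
  [Endpoint Incident].[Endpoint Incident – On or Off the Network].[Off the Network],
  -- Use the detection date (reported by the detection server) rather than the
  -- message date; the two can differ when an offline agent reports late.
  [Detection].[Detection – Date Range].[Last 30 Days]
)
```

Two choices in the query matter for interpreting the numbers. "Endpoint Incident – On or Off the Network" is the location at the moment of the violation, whereas "Agent – On or Off the Network" reflects the agent record, so the incident-level attribute is the one to slice on when the question is where data left the machine. Likewise, "Detection – Date" is when the detection server recorded the incident and "Message – Date" is when the message was received by the endpoint client, so an agent that was offline for days can show a message date well before its detection date; pick the axis that matches the question being asked.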