Reviewing Incident Details

By clicking the Edit icon in the Action column of the Incident Information screen, the Incident Details screen appears displaying detailed information about the incident. DLP incident reviewers can use this screen to update the incident status and provide comments on the incident.

Table 1. Incident Details

Item

Description

ID

Unique incident ID

Status

Use this to update the review status of the incident.

Available options:

  • New

  • Under Investigation

  • Escalated

  • Closed

Severity

Severity level of the incident

Note:

Once Control Manager receives and processes a DLP incident, Control Manager does not update the severity level if changes occur in the managed product.

Policy

Name of the Control Manager policy that triggered the incident

Note:

For incidents triggering DLP policies created in managed products, this appears as N/A.

Rule

Names of the rules from that triggered the incident

Received

Date and time when Control Manager received incident data

Note:

After receiving DLP logs from managed products, Control Manager needs 30 minutes to process the logs before incident reviewers can view the data.

Generated

Date and time the incident occurred in the managed product

User

Name of the user who triggered the incident

Manager

Name of the user’s manager

Sender

Source email address

Recipient

Destination email address

Endpoint

Source host name

IP

Source IP address

Template

Names of the templates that triggered the incident

Matching content

Digital assets that triggered the incident

File

Name or link to the file that triggered the incident

Note:

The file is quarantined in the managed product.

SHA-1

Hash information of the file

Subject

Subject of the email message

Channel

Channel through which the transmission occurred

Action

Actions taken on the incident

User Justification Reason

The reasons provided by the agent users when administrators allow users to transfer sensitive data

Comments

User-defined notes about the incident