cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Former Member
Not applicable
Report Inappropriate Content
Message 1 of 4

Can you get incident reported from your exception list

Jump to solution

Hey Guys,

Right now I get incident reports on every rule that I have under condition but nothing under Exceptions. One of the rule I have in my exceptions is allow a group of user that belong to a certain AD group. Is there a way to see what they are doing? Do I have to set that rule in another place to be able to get the incidents reported?

Thank you

1 Solution

Accepted Solutions
Corey-DLP
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4

Re: Can you get incident reported from your exception list

Jump to solution

Hello and thank you for posting here!

When you have users/groups added as exceptions in rules, there will not be any incidents reported for those users even when their actions may have otherwise violated the rule. In order to generate incidents for those users to simply follow user actions, you could create a specific rule for those users and have it in monitoring mode. This would generate an incident once the rule has been violated, but not actually prevent the user from conducting the action. To place a rule in monitoring mode you would set the rule reaction to "No Action" and select the "report incident" option. Another option would be to use the "Request Justification" option (if available in the rule). This would present the end-user with a pop-up asking them to provide a justification (purpose) for what they are doing. Once provided, the action can proceed and an incident would be generated that would include their justification reasoning. 

View solution in original post

3 Replies
Corey-DLP
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4

Re: Can you get incident reported from your exception list

Jump to solution

Hello and thank you for posting here!

When you have users/groups added as exceptions in rules, there will not be any incidents reported for those users even when their actions may have otherwise violated the rule. In order to generate incidents for those users to simply follow user actions, you could create a specific rule for those users and have it in monitoring mode. This would generate an incident once the rule has been violated, but not actually prevent the user from conducting the action. To place a rule in monitoring mode you would set the rule reaction to "No Action" and select the "report incident" option. Another option would be to use the "Request Justification" option (if available in the rule). This would present the end-user with a pop-up asking them to provide a justification (purpose) for what they are doing. Once provided, the action can proceed and an incident would be generated that would include their justification reasoning. 

View solution in original post

Former Member
Not applicable
Report Inappropriate Content
Message 3 of 4

Re: Can you get incident reported from your exception list

Jump to solution

Thank you very much! That will do!

Quick question, Is this rule going to altered my previous rules? Don't want to create a mess.

 

Corey-DLP
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 4

Re: Can you get incident reported from your exception list

Jump to solution

Not seeing your policy it is a little difficult to say no 100%. However, what I can tell you is that there can be some overlap with rules depending on configuration and DLP will always take the most restrictive action. For example, if you remove the exceptions for those users in a block rule and have them in a monitoring rule, the user actions will get blocked since that is the most restrictive. If there's concern about rule overlap in your environment, a way to workaround that would be to create separate rule sets and even separate DLP policies. This can help compartmentalize your DLP rules so that they don't interfere or overlap each other.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community