admin2215
Level 9
Message 1 of 11

Create Automatic Response from DLP Event

I am trying to create an automatic response based upon a DLP event (USB being plugged in). So far I have not been successful. I have tried setting the Event group to "ePO Notification Events" with an event type of "Client." For filtering I am setting event description to "Device Plug." I have also tried a few other combos, but none have been successful in generating an automatic response. Can anyone advise me on how to go about this? Thank you.

[Attached screenshots: DLP Group.jpg, EPO Filter.jpg]

Accepted Solution
admin2215
Level 9
Message 11 of 11

Re: Create Automatic Response from DLP Event

Our root cause here ended up being the local SQL Express database. There was no plan to prune old data enabled in ePO, and the SQL Express database filled up to its 10 GB limit. After discovering this I created an automated server task set to purge everything older than 2 weeks, as well as a database index maintenance plan. This got us working again concerning the logs we were missing, and we are now able to trigger events off of those logs with no issues. Hope this helps someone else. Thanks for the replies from everyone.

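A quick health check for the failure mode described in the accepted solution (added here as an example; it is not part of the original thread or of ePO itself). It assumes the ePO database is named ePO_SERVER and that ePO stores threat events in dbo.EPOEvents with a ReceivedUTC column; verify both against your own schema before relying on the numbers.

```sql
-- Assumed ePO database name; substitute your own.
USE ePO_SERVER;

-- 1. How close the data file is to the SQL Server Express 10 GB per-database cap.
--    sys.database_files reports size in 8 KB pages; the cap applies to data (ROWS) files, not the log.
SELECT
    DB_NAME()                                                          AS database_name,
    SUM(CASE WHEN type_desc = 'ROWS' THEN size ELSE 0 END) * 8 / 1024  AS data_mb,
    SUM(CASE WHEN type_desc = 'LOG'  THEN size ELSE 0 END) * 8 / 1024  AS log_mb,
    CAST(SUM(CASE WHEN type_desc = 'ROWS' THEN size ELSE 0 END) * 8.0
         / 1024 / 1024 / 10 * 100 AS decimal(5, 1))                    AS pct_of_express_cap
FROM sys.database_files;

-- 2. How much event history a 2-week retention policy (as used in the solution) would remove.
--    Table and column names are assumptions; adjust if your ePO schema differs.
SELECT
    COUNT(*)        AS events_older_than_14d,
    MIN(ReceivedUTC) AS oldest_event_utc
FROM dbo.EPOEvents
WHERE ReceivedUTC < DATEADD(day, -14, GETUTCDATE());
```

If pct_of_express_cap is near 100, new threat events (including normalized DLP incidents) will stop being written, and Automatic Responses will have nothing to match on.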

10 Replies
cdinet
McAfee Employee
Message 2 of 11

Re: Create Automatic Response from DLP Event

Have you tried it as a threat event instead of client? I am not sure exactly what type of event that is, since I don't support DLP.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

admin2215
Level 9
Message 3 of 11

Re: Create Automatic Response from DLP Event

I have tried that (unsuccessfully), but I will try again with some different filters applied. Thanks for the suggestion. I will let you know if it works. 

cdinet
McAfee Employee
Message 4 of 11

Re: Create Automatic Response from DLP Event

You can try event ID too; otherwise you might also want to ask the DLP team.

admin2215
Level 9
Message 5 of 11

Re: Create Automatic Response from DLP Event

So I did think about that, but I don't know how to get the event ID. Would you be able to give any info on this? Thanks again. 

cdinet
McAfee Employee
Message 6 of 11

Re: Create Automatic Response from DLP Event

Is there an event in ePO for it when you look at DLP events? If so, that should have an event ID in the event. Otherwise, you will have to ask the DLP team.

admin2215
Level 9
Message 7 of 11

Re: Create Automatic Response from DLP Event

I do not see an event outside of the DLP incidents. I am starting to think it is not possible to trigger an automatic response based on DLP events.

SCtbe
Reliable Contributor
Message 8 of 11

Re: Create Automatic Response from DLP Event

Seems to work fine for me (ePO 5.10 U10, DLPe 11.6.400), but you have to be precise on Threat Event fields content.

Note that Automatic Responses work on normalized DLP events; you can point at these with ePO Notification Events > Threat in the automatic response builder.

Details of how DLP events are actually normalized into ePO Threat events can be found under Reporting > Threat Event Log.

I've tried with Event ID, where for the Web Protection rule it is 19114. Other fields probably can also be used, but you have to look them over, because they may change, for example depending on actual rule names and the action taken. Nevertheless, you will find examples in the Threat Event Log.

admin2215
Level 9
Message 9 of 11

Re: Create Automatic Response from DLP Event

Thanks for your reply. I have reviewed the log quite thoroughly and I see nothing related to DLP regarding USB mass storage events. I see a large number of events from Solidcore, and also some events regarding malware findings (part of our testing), but nothing else.

SCtbe
Reliable Contributor
Message 10 of 11

Re: Create Automatic Response from DLP Event

I'm not sure how you configured DLP Rules, but in my case all incidents visible in DLP Incident Manager are also present in the ePO Threat Event Log. That also includes Device Plug incidents:

[Attached screenshot: dlp_device_plug.png]
