I'm a QRadar guy and have some queries about McAfee DLP Endpoint.
What are all the events which are considered a violation in terms of DLP - Confirmed & Possible Data Loss? I went through the URL McAfee Corporate KB - Data Loss Prevention Endpoint 9.3/9.4 event codes for ePolicy Orchestrator 5.x... but it is still unclear.
What is the consequence of User Logged Into Safe Mode (19104)?
Also kindly let me know the events to choose to detect confirmed & possible Data Loss.