mcafeee
Level 7

DLP Reporting

Hi,

I'm struggling with the reporting on DLP Monitor.

I want to create a report on all USB activity that lists the file name(s) that are being copied etc.

Can anyone offer some advice please?

Thanks in advance.

6 Replies
McAfee Employee

Re: DLP Reporting

Here are instructions for EPO 4.5 (may differ slightly for EPO 4.0):

  1. Log on to the ePO console
  2. Navigate to Menu | Reporting | Queries
  3. Click New Query
  4. Select Others for Feature Group and DLP Events for Result Types | Next
  5. Select Table | Next
  6. Remove all of the selected columns and add the following*:
    • Computer Name
    • User Name
    • Destination
    • Evidence Type
    • Evidence value
  7. Click Next
  8. Add the filter Event Type | Equals | DLP: Removable Storage Protection
  9. Click Run and confirm you have the results you are looking for. If so click Save | Give the report a name and select a group to store it in | Click Save.

* You may want different columns; these are just the ones that made sense to me given what you wish to query. The actual file name will be stored in the Evidence value column.

mcafeee
Level 7

Re: DLP Reporting

Thanks for the reply!

In "query builder" I do not have an option for "others" though; would it be called something else?

Message was edited by: mcafeee on 08/01/10 03:13:40 CST
McAfee Employee

Re: DLP Reporting

That's because you are using EPO 4.0 and I wrote the instructions for EPO 4.5. Unfortunately, I don't have DLP 3.0 implemented on an ePO 4.0 server at this time, but I should be able to get the correct instructions for you. I'll repost as soon as I have them.

McAfee Employee

Re: DLP Reporting

I found a co-worker that had DLP 3.0 implemented on ePO 4.0. These instructions should be accurate for ePO 4.0:

  1. Log on to the EPO console
  2. Click Reporting | New Query
  3. Select DLP Events | Next
  4. Select Table | Next
  5. Remove all event columns and add the following:
    • Computer Name
    • User Name
    • Destination
    • Evidence Type
    • Evidence value
  6. Click Next
  7. Add the filter Event Type | Equals | DLP: Removable Storage Protection
  8. Click Run and confirm you have the results you are looking for. If so click Save | Give the report a name | Click Save.

As before, you may want to use different columns, and the actual file name will be stored in the Evidence value column.

mcafeee
Level 7

Re: DLP Reporting

Thanks again for the reply!

I've got as far as "select table"; however, I cannot see any of the columns! Do I need to configure something within ePolicy Orchestrator to see these extra columns?

McAfee Employee

Re: DLP Reporting

Either you did not select DLP Events for the report type in step 3 or you are using DLP 2.2 or lower. For questions like these, you should always post the version number of ePO/DLP you are using, as the instructions will differ from one version to the next. If you are using DLP 2.2, the report you are requesting cannot be done; you will need to upgrade to DLP 3.0 or higher.

Message was edited by: Jeremy Stanley on 1/8/10 9:32:20 AM CST