If we have evidence files on a file server and the related event in the DLP console in ePO has been purged, is there any way to retrieve any information on the leftover files? Basically, the question asked of me is whether or not we can attribute a file to a specific user, machine or incident ID once the DLP event we alert on ages out and is purged. Thanks.
Have all of the associated incidents also been purged out of the Incidents History table? If all associated incidents have been purged out of both incident tables, then unfortunately all identifiable information belonging to those incidents has also been deleted. There is a process in which the evidence file can be manually decrypted. This may provide you some insight. If you are interested in this process, please contact McAfee Support to obtain the steps.