Since DLP endpoint is based on ePO and ePO is installed on a Windows machine, you cannot work with syslog, you probably will have to install an agent/connector of that SIEM solution.
Start by creating an ePO DLP Incident query based on the data you are looking to build a SQL query on.
There is an option in ePO to view the details of a saved query. Under “Actions” you can “View SQL” to get a database query of the selected ePO query.
The “View SQL” action give you the SQL query that was used by ePO to generate the ePO query.
From there, you can look into the database structure to include additional information from other tables that are not available from a normal ePO DLP query. Unfourtunately, this is neccesary if you want more specific information from certain types of DLP events.
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center