Based on the attached files in that KB, the DLP events do not seem to forward everything when a DLP incident is generated.
We're trying to get out of the DB query/connect approach, as this is custom; joining tables can be daunting when you're not a DBA. Unfortunately, the support team won't touch an SR when we need assistance with custom DB queries.
So, I'm leveraging this forward feature from ePO to syslog. Disappointing to initially see that the forwarded DLP events are limited. It's looking like we have to go back to modifying our DB queries to get this information to Splunk.