2 Replies Latest reply on Aug 1, 2017 5:31 AM by apopisteru

    Endpoint DLP 10.x: how to include Evidence File Name as a column in queries

    apopisteru

      Hello,

       

      Is there a way to include the Evidence File Name field in DLP query table columns? I've tried every DLP Incident and operational template, but there is no evidence-related column to include.

       

      Is there a way to trace back, without directly accessing SQL server, the Evidence File Name to the query template?

       

      Thank you for your time and support,

       

      andreip

        • 1. Re: Endpoint DLP 10.x: how to include Evidence File Name as a column in queries
          chrisnlc

          You'll need to use the Query Builder option in ePO Queries and Reports as I don't think this query type is used in the canned examples:

           

          Hit the [New Query] button at the top

           

          Choose 'Other' on the left then 'DLP Data In-use/motion Incidents History'

           

          [Next] - choose whatever chart type you like but start with Table as it's the most simple

           

          [Next] - choose your columns but include 'Evidence File Path'

           

          [Next] - choose your filters or leave empty

           

          Save and Run and you'll have all the evidence listed with their file paths.

           

          Now you can go back and choose different filters, columns, chart types until you're happy with the output!

           

          rgds

           

          _Chris.

          1 of 1 people found this helpful
          • 2. Re: Endpoint DLP 10.x: how to include Evidence File Name as a column in queries
            apopisteru

            Hello,

             

            Thank you for the promptitude of your answer.

             

            The Result Type in Query Builder is conditioning the columns which could be used. To have the names of the files (Evidence File Name) written on USB removable storage (Removable Storage Protection), I found the DLP Data In-use/motion Incidents result type.

             

            BR,

             

            andreip