6 Replies Latest reply on Jan 8, 2010 9:32 AM by jstanley

    DLP Reporting

      Hi,

      I'm struggling with the reporting on DLP Monitor.

      I want to create a report on all USB activity that lists the file name(s) that are being copied etc.

      Can anyone offer some advice please?

      Thanks in advance.

        • 1. Re: DLP Reporting
          jstanley

          Here are instructions for EPO 4.5 (may differ slightly for EPO 4.0):

          1. Log on to the ePO console
          2. Navigate to Menu | Reporting | Queries
          3. Click New Query
          4. Select Others for Feature Group and DLP Events for Result Types | Next
          5. Select Table | Next
          6. Remove all of the selected columns and add the following*:
            • Computer Name
            • User Name
            • Destination
            • Evidence Type
            • Evidence value
          7. Click Next
          8. Add the filter Event Type | Equals | DLP: Removable Storage Protection
          9. Click Run and confirm you have the results you are looking for. If so click Save | Give the report a name and select a group to store it in | Click Save.

           

          * You may want different columns; these are just the ones that made sense to me given what you wish to query. The actual file name will be stored in the Evidence value column.

          • 2. Re: DLP Reporting

            Thanks for the reply!

            In "query builder" I do not have an option for "others" though, would it be called something else?

            Message was edited by: mcafeee on 08/01/10 03:13:40 CST
            • 3. Re: DLP Reporting
              jstanley

              That's because you are using EPO 4.0 and I wrote the instructions for EPO 4.5. Unfortunately I don't have DLP 3.0 implemented on an ePO 4.0 server at this time but I should be able to get the correct instructions for you. I'll repost as soon as I have them.

              • 4. Re: DLP Reporting
                jstanley

                I found a co-worker that had DLP 3.0 implemented on ePO 4.0. These instructions should be accurate for ePO 4.0:

                1. Log on to the EPO console
                2. Click Reporting | New Query
                3. Select DLP Events | Next
                4. Select Table | Next
                5. Remove all event columns and add the following:
                  • Computer Name
                  • User Name
                  • Destination
                  • Evidence Type
                  • Evidence value
                6. Click Next
                7. Add the filter Event Type | Equals | DLP: Removable Storage Protection
                8. Click Run and confirm you have the results you are looking for. If so click Save | Give the report a name | Click Save.

                 

                As before, you may want to use different columns, and the actual file name will be stored in the Evidence value column.

                • 5. Re: DLP Reporting

                  Thanks again for the reply!

                  I've got as far as "select table", however I cannot see any of the columns! Do I need to configure something within ePolicy Orchestrator to see these extra columns?

                  • 6. Re: DLP Reporting
                    jstanley

                    Either you did not select DLP Events for the report type in step 3 or you are using DLP 2.2 or lower. For questions like these you should always post the version number of ePO/DLP you are using, as the instructions will differ from one version to the next. If you are using DLP 2.2, the report you are requesting cannot be done; you will need to upgrade to DLP 3.0 or higher.

                    Message was edited by: Jeremy Stanley on 1/8/10 9:32:20 AM CST