Let me make sure I understand the question. You want to know the exact path and file name of the file that triggered a DLP protection rule? For example if someone attempted to copy a file called "test.txt" from their desktop to a removable storage device you would like to know the path to the file they attempted to copy that DLP blocked?
If that is correct this information is gathered assuming you have configured the protection rule to "store evidence". The path and file name can be found in the DLP Monitor or you can author a report and select the "evidence value" column which also displays this path.
Here is the scenario:
I have DLP protecting copying .bat files to my usb stick and that works fine. The policy is set to block and store evidence. If I take a file say c:\loc.bat and try to copy it to my usb stick, which is drive e: it blocks the files and shows the message as it should. However, when I look at the DLP monitor(evidence) or the Evidence value in the reports, the value is always e:\loc.bat which is the destination. There seems to be no value that tells me that the file comes from the C: drive. This is important as we would like to track where files are coming from, not where they are going.
As well, I cannot get the store evidence folder to work. I have to set the quarentine folder to what I want as an evidence folder to get the files copies to the evidence folder.
I do apologize I was not explicit enough in my response. To answer your original question yes in DLP 9.0 both the DLP monitor and the DLP evidence value in reports will show the source (where the file was copied from) rather than the destination (where the file was copied to). This is definitely a change from the way DLP 3.0 reports the same information (where the destination is reported but not the source). I have both versions setup in a test environment and I was able to confirm this first-hand.
As for the evidence replication I'd suggest upgrading to DLP 9.0 and see if the problem persists. If so I'd temporarily grant everyone full access to the evidence share just to confirm we are not having a permissions issue. This is only a test and I would not recommend leaving everyone full access to the evidence share for more than a few minutes.
I hope that helps!
hi there jeremy, i have a question, it is possible to export on a report the evidence on DLP, becouse on the monitor i only can export the events but without evidence and it is critical for me.
If you are asking if it is possible to export a report which contains the actual evidence collected the answer is no. The report only contains data it cannot contain file attachments.