How to configure Symantec DLP to retain the Endpoint incident file
Article ID: 160367
Products
Data Loss Prevention Endpoint Prevent
Data Loss Prevention Endpoint Discover
Issue/Introduction
The endpoint incident detail only shows the match in the file. How can I get the original file?
Resolution
RELEVANT VERSIONS: ALL
Endpoint file retention is accomplished by creating an automated response rule as follows:
Add a new Automated response rule:
Click Response Rule
Click the Add a New Response Rule tab
Select Automated Response and click Next
Name the Response Rule and provide a description
In the Action drop-down, choose All: Limit Incident Data Retention, then click Add Action
Tick the "Retain Original File" box for the Endpoint and save the rule
NOTE: Enabling retention of the original files on the Endpoint increases network bandwidth consumption. This is the main reason the feature is turned off by default.