How to configure Symantec DLP to retain the Endpoint incident file

book

Article ID: 160367

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention Endpoint Discover

Issue/Introduction

The endpoint incident detail only shows the match in the file.  How can I get the original file?

Resolution

RELEVANT VERSIONS:  ALL

Endpoint file retention is accomplished by creating an automated response rule as follows:

  • Add a new Automated response rule:
    • Click Response Rule
    • Click the Add a New Response Rule tab
    • Select Automated Response and click Next
    • Name the Response Rule and provide a description
  • In the action drop down, choose All: Limit Incident Data Retention, then click Add Action
  • Tick the box "Retain Original File" for the Endpoint and Save the rule

NOTE:  Enabling retention of the original files on the Endpoint will increase the network bandwidth consumption. This is the main reason this feature is turned off by default.


Powered by Wolken Software