I want to know if it's possible to get the 'User Justification' field data from Endpoint Prevent incidents included in the Incident export-to-csv report that we can download from the Enforce console Incident List page.
This field will allow us to examine what explanation users wrote in the justification field of the DLP Response Rule - User Cancel/Notify/Block pop-up window that appears during detection of sensitive data transfer.
Release : 15.7,15.8
Component : Default-Sym
At this time the incident export to CSV file does not include the User Justification field.
We have an open feature request as follows for this:
Ref: ISFR-925 / PM-3533 - DLP Enforce - DLP export User Justification in Report
Description: Ability to include User Justification from Endpoint Incident in CSV / HTML report. This would be used to add additional context to incident review.
If you would like to endorse this request please contact Broadcom support who can add you.
A workaround is available as follows:
Instead of using Export to CSV in the Enforce console on the Incident list page, use the Export to XML
Then open Excel and navigate to Data tab and select the menu -> From Other Sources -> From XML Import and browser to the exported XML file to import the entire incident list into Excel.
Click OK if you receive the following pop up message:
Click OK to the pop up Import Data - Where do you want to put the data?
Then you'll find in column AG the ns1:userJustification column containing all the written answers from the users. You can use the Filter option to select populated rows then.
For example: