| Field | Display Name | Description |
|---|---|---|
| IncidentID | Incident ID | Unique ID of the incident. |
| IncidentType | Incident Type | Class name of the Incident object retrieved by calling the DLP reporting APIs. Required to simplify the definition logic of asset reconciliation rules. |
| IncidentBaseType | Incident Base Type | Base class name of the Incident object retrieved by calling the DLP reporting APIs. Required to simplify the definition logic of asset reconciliation rules. Possible values: EndpointIncidentDetailType (Endpoint incidents), DiscoverIncidentDetailType (Discover incidents), NetworkIncidentDetailType (Network incidents). |
| IncidentCreationDate | Incident Creation Date | Date and time when the incident was added to the Enforce database. |
| DetectionDate | Detection Date | Date and time at which Symantec Data Loss Prevention detected the incident. |
| Severity | Severity | Severity of the incident. |
| SeverityID | Severity ID | ID that corresponds to the severity of the incident. |
| Status | Status | Status of the incident. |
| StatusID | Status ID | ID that corresponds to the status of the incident. |
| StatusID | CCS Status ID | ID obtained by applying the configured mapping from the DLP Status ID to the CCS Status ID. |
| MessageSource | Source Type | Symantec Data Loss Prevention product that generated the incident. One of: NETWORK (Network Monitor, Network Prevent (Email), or Network Prevent (Web)); DISCOVER (Network Discover or Network Protect); ENDPOINT (Endpoint Discover or Endpoint Prevent). |
| MessageType | Message Type | Symantec Data Loss Prevention product component that generated the incident. |
| MessageTypeID | Message Type ID | ID that corresponds to the Symantec Data Loss Prevention product component that generated the incident. |
| Policy | Policy Name | Policy whose violation generated the incident. |
| PolicyID | Policy ID | ID that corresponds to the policy whose violation generated the incident. |
| PolicyVersion | Policy Version | Version of the policy whose violation generated the incident. |
| ViolatedPolicyRules | Violated Policy Rules | Rules within the policy whose violation generated the incident. |
| BlockedStatus | Blocked Status | String value that indicates whether the message was blocked. |
| BlockedStatusID | Blocked Status ID | ID that corresponds to the blocked status. |
| DetectionServer | Detection Server | Name of the detection server that created the incident. |
| IncidentHistory | Last Modification Date | Contains changes to the incident, such as a change in status or severity. The most recent date in the history is recorded as the Last Modification Date. |
| MessageDate | Message Date | Date and time at which the network message (for example, an email message, HTTP request, instant message, or other protocol request) was created. |
| OriginatorIP | Originator IP | IP address of the sender of the network message. |
| OriginatorID | Originator ID | Identifying string of the sender of the network message. |
| RecipientIP | Recipient IP | IP address of the intended recipient of the network message. |
| RecipientID | Recipient ID | Identifying string of the intended recipient of the network message. |
| TargetServer | Target Server | Name of the Network Discover Server that performed the scan. |
| Scan | Scan Date | Date and time when the scan started. |
| Target | Target | Name of the configured Network Discover target. |
| URL | URL | URL associated with a scan target (the database connection URL for a DiscoverSQLDatabaseIncidentDetail incident). |
| EventDate | Event Date | Date and time at which the violation occurred. |
| ApplicationName | Application Name | Name of the application that caused the incident. |
| ApplicationPath | Application Path | Path of the application that caused the incident. |
| UserName | User Name | Endpoint user name (for example, MYDOMAIN\bsmith). |
| MachineName | Machine Name | Computer on which the incident occurred. |
| FileName | File Name | Name of the file that caused the incident. |
| FilePath | File Path | Path of the file that caused the incident. |
| FileOwner | File Owner | Owner of the file at the time the incident was created. |
| FileCreateDate | File Creation Date | Date and time when the file was created. |
| AssessmentEvidence | Assessment Evidence | A string of the format: Incident [Incident ID] did not comply with the following rules: <list of violated rules> |
| AssessmentMessage | Assessment Message | A string of the format: Incident [Incident ID] did not comply with the rules. |
| MachineID | Machine ID | Contains the value of Target Server (for Discover incidents), originatorIPAddress (for Network incidents), or machineName (for Endpoint incidents). |
| IPAddress | IP Address | Populated with the Machine ID field value if that value is an IP address. Helps in defining asset reconciliation rules. |
| FQDN | FQDN | Populated with the Machine ID field value if that value is an FQDN. Helps in defining asset reconciliation rules. |
| HostName | Host Name | Populated with the Machine ID field value if that value is a host name. Helps in defining asset reconciliation rules. |
| DatabaseServerName | Database Server Name | Database server name, obtained by parsing the URL field of a DiscoverSQLDatabaseIncidentDetail incident. |
| DatabaseServerType | Database Server Type | Database server type, obtained by parsing the URL field of a DiscoverSQLDatabaseIncidentDetail incident. Possible values: sqlserver, oracle, db2. |
| DatabaseName | Database Name | Database name, obtained by parsing the URL field of a DiscoverSQLDatabaseIncidentDetail incident. |
| DatabasePort | Database Port | Database port, obtained by parsing the URL field of a DiscoverSQLDatabaseIncidentDetail incident. |
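The derived fields at the end of the table (Machine ID, IP Address, FQDN, Host Name, and the four Database fields parsed from the URL) are the ones an asset reconciliation rule keys on, so it helps to see the derivation written out. The following Python is an added example, not code from Symantec or the CCS integration: it picks the Machine ID source by incident base type exactly as the table states, classifies it into IP address / FQDN / host name, and parses the URL field for DiscoverSQLDatabaseIncidentDetail incidents. The incident records and the JDBC-style URL layouts (`jdbc:sqlserver://host:port;databaseName=db`, `jdbc:oracle:thin:@host:port:SID`, `jdbc:db2://host:port/db`) are constructed assumptions for the example; the page does not specify the URL syntax DLP reports.

```python
"""Derive the asset-reconciliation fields from a DLP incident record.

Added example; field names follow the table above, URL formats and the
sample records are constructed assumptions, not taken from the product.
"""
import ipaddress
import re

# Which source field feeds Machine ID, keyed by IncidentBaseType (per the table).
_MACHINE_ID_SOURCE = {
    "DiscoverIncidentDetailType": "TargetServer",
    "NetworkIncidentDetailType": "OriginatorIP",
    "EndpointIncidentDetailType": "MachineName",
}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Assumed JDBC-style URL layouts for the three server types the table lists.
_DB_URL_PATTERNS = [
    ("sqlserver", re.compile(
        r"^jdbc:sqlserver://(?P<host>[^:;/]+)(?::(?P<port>\d+))?"
        r"(?:;.*?databaseName=(?P<db>[^;]+))?", re.I)),
    ("oracle", re.compile(
        r"^jdbc:oracle:thin:@(?://)?(?P<host>[^:/]+):(?P<port>\d+)[:/](?P<db>[^:/?]+)", re.I)),
    ("db2", re.compile(
        r"^jdbc:db2://(?P<host>[^:/]+)(?::(?P<port>\d+))?/(?P<db>[^;/?]+)", re.I)),
]


def derive_machine_id(incident: dict) -> str:
    """Return the Machine ID value for an incident, chosen by its base type."""
    base = incident["IncidentBaseType"]
    if base not in _MACHINE_ID_SOURCE:
        raise ValueError(f"unknown IncidentBaseType: {base}")
    return incident[_MACHINE_ID_SOURCE[base]]


def classify_machine_id(machine_id: str) -> dict:
    """Populate exactly one of IPAddress / FQDN / HostName from the Machine ID.

    An unparseable value leaves all three empty (assumed behaviour), so a
    reconciliation rule never matches on garbage.
    """
    fields = {"MachineID": machine_id, "IPAddress": None, "FQDN": None, "HostName": None}
    try:
        ipaddress.ip_address(machine_id)      # accepts IPv4 and IPv6
        fields["IPAddress"] = machine_id
        return fields
    except ValueError:
        pass
    labels = machine_id.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        key = "FQDN" if len(labels) > 1 else "HostName"
        fields[key] = machine_id
    return fields


def parse_database_url(url: str) -> dict:
    """Split a database connection URL into the four Database* fields."""
    for server_type, pattern in _DB_URL_PATTERNS:
        m = pattern.match(url)
        if m:
            return {
                "DatabaseServerType": server_type,
                "DatabaseServerName": m.group("host"),
                "DatabasePort": int(m.group("port")) if m.group("port") else None,
                "DatabaseName": m.group("db"),
            }
    raise ValueError(f"unrecognised database URL: {url}")


def enrich_incident(incident: dict) -> dict:
    """Return a copy of the incident with the derived reconciliation fields added."""
    out = dict(incident)
    out.update(classify_machine_id(derive_machine_id(incident)))
    if incident.get("IncidentType") == "DiscoverSQLDatabaseIncidentDetail" and incident.get("URL"):
        out.update(parse_database_url(incident["URL"]))
    return out


# Constructed sample incidents (not real DLP output).
SAMPLE_INCIDENTS = [
    {"IncidentID": 101, "IncidentType": "NetworkIncidentDetail",
     "IncidentBaseType": "NetworkIncidentDetailType", "OriginatorIP": "10.20.30.40"},
    {"IncidentID": 102, "IncidentType": "EndpointIncidentDetail",
     "IncidentBaseType": "EndpointIncidentDetailType", "MachineName": "WS-FINANCE-07"},
    {"IncidentID": 103, "IncidentType": "DiscoverSQLDatabaseIncidentDetail",
     "IncidentBaseType": "DiscoverIncidentDetailType",
     "TargetServer": "discover01.corp.example",
     "URL": "jdbc:sqlserver://dbhost.corp.example:1433;databaseName=Payroll"},
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        enriched = enrich_incident(inc)
        print({k: v for k, v in enriched.items()
               if k.startswith(("MachineID", "IPAddress", "FQDN", "HostName", "Database"))})
```

A reconciliation rule can then match the asset on whichever of IPAddress, FQDN, or HostName is populated, and a Discover SQL incident can be tied to the database asset through DatabaseServerName and DatabasePort rather than the raw URL string.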