McAfee Data Loss Prevention 9.2.2 Product Guide
2 Using McAfee DLP Monitor
Typical scenarios

Task
1 Select one of these options:
  • In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Reporting | Basic Search.
  • On your McAfee DLP appliance, select Capture | Basic Search.
2 Select Input Type | GeoIP Location and click ?.
3 Select one or more country names from the pop‐up menu.
4 Click Apply, then Search and examine the incidents on your dashboard.
If you do not see locations in your results, click Columns and add Source, Destination, Sender or Recipient columns to the dashboard.

Search for social networking activity
Employees who are accustomed to using social networking sites might not realize how much time they are spending on activities that reduce their productivity, or how much sensitive information might be leaked when they use such sites in the workplace.
This case helps you to find out how much social networking activity is occurring on your network by identifying all traffic to and from specific web sites.

Task
1 Select one of these options:
  • In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Reporting.
  • On your McAfee DLP appliance, select Capture.
2 On the Basic Search page, select an Input Type and click ?.
  • Select Protocols, then HTTP_Post from an Internet Protocols menu. Click Apply, then Search.
  • Select Keywords, type keywords (for example, facebook or deadspin), then Search.

Find postings to message boards
Employees sometimes spend company time posting to Internet sites that are not work‐related.
This case helps you to identify that activity by targeting the protocol that is used to transmit such postings.
This filter identifies all posting traffic. If you know what web site it is being posted to, add a Content | equals parameter and type its name (for example, webrats.com).

Task
1 Select one of these options:
  • In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Reporting | Incidents.
  • On your McAfee DLP appliance, select Incidents.
2 From the Filter by menu, select a time from the Timestamp sub‐menu.
3 Click the plus icon to add a filter and select Protocol | equals.
4 Click ?, select a protocol from the pop‐up list, then click Apply.
5 Click Apply.

Find frequently visited web sites
Find web sites that are frequently visited by users who might routinely use the Internet to complete their job duties, but might enter URLs that can compromise network security.
This case creates a content capture filter to store all traffic to and from inappropriate web sites to find out if your company policy is being violated.

Task
1 Select one of these options:
  • In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
  • On your McAfee DLP appliance, select Capture | Advanced Search.
2 Open the Source/Destination category.
3 Select URL | is any of and type the URL of the website into the value field.
  For example, type in www.deadspin.com.
4 Click Search.
If no results are retrieved, check to see if the default ignore_http_header content capture filter is still active.

Search basics
You can use the following tasks to help you to build successful queries.

Tasks
• Add or delete parameters
  Add or subtract McAfee DLP parameters that correspond to database object attributes by clicking +, ‐, or X buttons on the search, rule, template, case, or capture filter pages.
• Retrieve data from directory servers
  If a directory server is registered to McAfee DLP Manager, you can retrieve data from it by user name, group, city, country, or organization.
• Get search details
  The stages of each search are recorded and displayed in the Search Details window.
• Get search results
  Search results are displayed on the Data‐in‐Motion dashboard.
• Stop searching
  You can stop searches that are running by using the Abort function.
• Set up notification for backgrounded queries
  Searches that take over 60 seconds automatically run in background mode, but when results are available, an email notification is sent to the address you provide.
• Clone searches
  If you want to use the same search repetitively, you can clone it so that you can repeat the process without re‐selecting all of your parameters.

Add or delete parameters
Add or subtract McAfee DLP parameters that correspond to database object attributes by clicking +, ‐, or X buttons on the search, rule, template, case, or capture filter pages.
The following procedure uses the Advanced Search page as an example.