Configuring User Risk Reporting in Symantec DLP

The User Risk Summary report breaks down incidents by user and covers email and endpoint incidents. From the help file: “The user risk summary gives you insight into the behavior of specific individuals in your organization by associating users with email and endpoint incidents. This information helps you focus your data loss prevention efforts on those users posing the highest risk to the security of your data.”

There are 3 steps to take in order for the user risk summary report to be displayed:

  1. Create custom user attributes
  2. Import user data
  3. View the reports

Create Custom User Attributes

One item to keep clear is that the attributes defined here are different than the custom attributes populated by Active Directory as a part of an Incident. These attributes need to be created outside. This has led to a lot of confusion on my part but needs to be set up.

To set up the custom attributes for User Risk Reporting, navigate to System -> Users -> Attributes. By default there are no attributes in the system.

To add a new attribute, select “Add” and then type in the Attribute Name (example: First Name or Department). These attributes will be populated by the data source (either Active Directory or a CSV file).

The screenshot shows the attributes that are populated in my demo system.

Image

Import User Data

Once again, this is different from populating the data for incidents and needs to be configured separately. We can leverage the existing directory connection that is already being used, or create a new data source.

This is found under System -> Users -> Data Sources.

Selecting Add presents you with this screenshot.

Image

As you can see, I’m using the existing Directory Connection already created, but after I provide a name the data source is ready.

Check the box next to the data source and select “Import” to run the import. After the import is complete, information will be presented on the User Risk Summary report (if you have incidents).

View the reports

User risk reports will group the Network Incidents and the Endpoint Discover incidents together. These reports will break the incidents down based on severity.

Image

If the user is selected, it will present further detail about the types of incidents generated.

Image
