Data loss

The Data loss page displays a summarized list of the sessions in which a data loss event was detected.

Click Analysis > Data loss. The right pane displays the basic session details in tabular form, with a threat score assigned to each session. The left pane provides both Quick Search and Advanced Search.

Columns available in the Advanced Search menu for the Data loss page are:

  • Source IP
  • Destination IP
  • Source Port
  • Destination Port
  • Threat score
  • Events count
  • Events count (Unique)
  • VLAN ID
  • Workflow
  • Collector
  • Workflow Owner
  • Protocol
  • File: MD5
  • File: SHA1
  • File: SHA256
  • File: SHA512
  • File: Entropy
  • File: Signature Name

Data loss sessions are displayed in tabular form on the right pane. The basic details shown for each session are:

  • Time – Time at which the data was captured from the network session.
  • Source – Source IP address from which the data originated.
  • Destination – Destination IP address.
  • Protocol – HTTP or SMTP protocol involved in the file transmission.
  • VLAN – Virtual local area network ID of the collector.
  • Collector – Collector host name.
  • Exposure Score – Exposure score assigned to the file content.
  • Data Loss Events – Total number of events, followed in parentheses by the number of unique events. For example, 4(1) indicates 1 unique event out of 4 events.
  • Workflow Status – Current workflow status of the data loss session; it can be changed using the drop-down menu options.

Viewing Session Details

To view the details of a data loss session, click View in the Actions column for that session. The details page displays the TCP session ID, the time at which the PCAPs were captured from the session, the threat score, the source and destination IP addresses, the protocol involved, the VLAN, and the files transferred. It also shows the protocol header and the details of the transferred files, with the option to view the file content and download the file(s) in raw or encrypted form, together with the data loss events that were triggered.
