"User action" property available in "Data Control Log" of Sophos EndPoint Protection (AV client) and not available on Sophos Enterprise Console

Hello,

As we want to use a combination of Sophos Enterprise Console and our SIEM for DLP, I noticed a huge amount of false positives.

If, for instance, a user opens a file using a web browser, it triggers DLP rules to send an alert.

I noticed that in the "Data Control Log" of the Sophos antivirus client, each of the Data Control events has a "user action" field with assigned values like:

"File copy", "file open" etc.

Unfortunately, this is something that is not sent to the Sophos Enterprise Console (or I don't know how to find it in the SQL database for the Console).

If we knew which table/view contains "user action", we could easily alter the SQL view we use for our SIEM (the SIEM queries a specific SQL view periodically and collects logs this way).

Thanks in advance for any suggestions.



Hello Dominik Uliasz,

could you show some examples of this user action field and how you intend to utilize or interpret them w.r.t. false positives?
There's an Action column in the Events table but in the context of DLP it contains codes for e.g. Blocked, Allowed by user, or Alert only.

Christian
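As an added example (not code from Sophos or from either poster), this is the kind of SIEM-side triage the question is aiming at: keep the console's Action codes Christian lists, and use the client-side "user action" value to suppress alert-only events that were plain file opens. The field names, the record layout and the sample events are constructed assumptions, not the real Sophos schema or export format.

```python
# Constructed sample records: what a Data Control Log entry might carry once
# the "user action" field is available beside the console's "Action" code.
# Field names and values are assumptions for illustration, not Sophos' schema.
SAMPLE_EVENTS = [
    {"user": "alice", "file": "report.xlsx", "user_action": "File copy",
     "destination": "removable storage", "action": "Alert only"},
    {"user": "bob", "file": "invoice.pdf", "user_action": "file open",
     "destination": "web browser", "action": "Alert only"},
    {"user": "carol", "file": "customers.csv", "user_action": "File copy",
     "destination": "web browser", "action": "Blocked"},
    {"user": "dave", "file": "notes.txt", "user_action": "file open",
     "destination": "web browser", "action": "Allowed by user"},
]

# User actions that only read a file; low risk when the rule merely alerted.
READ_ONLY_ACTIONS = {"file open"}

# Console Action codes that always deserve an alert, regardless of user action.
ALWAYS_ALERT = {"blocked", "allowed by user"}


def should_alert(event: dict) -> bool:
    """Return True when the event should be forwarded to the SIEM as an alert.

    Blocked and user-overridden events are always kept; "Alert only" events
    are suppressed when the user action was a plain file open.
    """
    user_action = event.get("user_action", "").strip().lower()
    action = event.get("action", "").strip().lower()
    if action in ALWAYS_ALERT:
        return True
    return user_action not in READ_ONLY_ACTIONS


def triage(events):
    """Split events into (alerts, suppressed) lists using should_alert()."""
    alerts = [e for e in events if should_alert(e)]
    suppressed = [e for e in events if not should_alert(e)]
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for e in alerts:
        print("ALERT     ", e["user"], e["user_action"], e["file"], e["action"])
    for e in suppressed:
        print("suppressed", e["user"], e["user_action"], e["file"], e["action"])
```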
