Using Protection Workspace to manage McAfee DLP Endpoint incidents

The incident management workspace provides a visual representation of the McAfee DLP Endpoint incidents in your network. You can quickly identify incidents, investigate any impacted device, and take appropriate action to manage them.

Protection Workspace helps you answer these questions:

  • What incidents are discovered by McAfee® Data Loss Prevention Endpoint (McAfee DLP Endpoint)?
  • Why is an incident escalated?
  • Where did the incident come from?
  • When was the incident discovered?
  • Who logged on to the endpoint when the incident was generated?

The incident management workspace displays information about the computer and logged-on user generating the incident, client version, operating system, and other information. You can select the severity, status, and resolution definitions for an incident.

When you enter the workspace, the Filter By and Incidents panes are displayed by default. New panes open on the right side of the screen, as shown in this image.



  1. View the Protection Workspace header.
  2. Filter the incidents based on severity, status, resolution, the incident type, the classification, the user, or by the rule set.
  3. Click the row of the incident in the Incidents pane to select it, or select the checkbox to open the Incident Details pane on the right of the screen.
  4. The Incident Details pane shows more details about the incident, such as additional information including details about the endpoint, device or email, evidence, the rule triggered, and classification criteria.

    You can update the incident status, severity, resolution, and assign a reviewer to the selected incident.

    You can expand and collapse the sections in the Incident Details pane by clicking the section header. Select any of the active sections to expand it and view more information about the incident.

    Note: An active section contains further information, and the number displayed is not zero, or grayed out.

  5. Expand the active sections in the Incident Details pane to view further details. For example, if there is evidence associated with an incident, expanding the Evidence section allows you to select the evidence file and view further details about it in the Evidence Details panel.

Identifying incident severity

The incidents of different severities are represented using these colors.

  • Dark Red — Critical.
  • Pink — Major.
  • Orange — Minor.
  • Yellow — Warning.
  • Light blue — Informational.