View DLP Classification Events in the Audit Log

You can use the Audit Log to gain insights into various events, such as the creation, modification, and deletion of DLP classifications by users within your organization. This enables you to identify the users that triggered these classification events. For details on classifications, see About Classifications.

For example, a Security Operations Center (SOC) may want to view the events for DLP classifications created by users on the Classifications page. To achieve this use case, the SOC can select DLP Classifications as the event category and select Classification created as the event type on the Audit Log page. This allows admins to investigate any unauthorized or malicious activity related to classification management.

To view events for DLP Classifications in the Audit Log:

1. Log in to Skyhigh CASB.
2. Go to Settings > Audit Log.
3. On the Audit Log page, configure the following: 
   1. All Event Categories. Select DLP Classifications as the event category.
   2. All Events. Select any one of the following event type for DLP Classifications:
      1. Classification created. Displays events for newly created classifications. For example, if an existing classification is cloned or synced from Trellix ePolicy Orchestrator (ePO) to Skyhigh.
      2. Classification deleted. Displays events for deleted classifications. For example, if a classification is deleted.
      3. Classification updated. Displays events for modified classifications. For example, if a rule is edited or a rule group is added for an existing classification.
         

You can now view the events for DLP classifications triggered by users within your organization.