View DLP Classification Events in the Audit Log
NOTE: Users with the Administrator role can view the events for Data Loss Prevention (DLP) classifications on the Audit Log page. For details, see About User Roles and Access Levels.
You can use the Audit Log to gain insights into various events related to the creation, modification, and deletion of DLP classifications by admins within your organization. It also provides detailed information about key updates linked to advanced patterns and dictionaries. The Audit Log enables you to identify and track changes in classifications that impact your SSE DLP policies (Sanctioned DLP, Shadow/Web DLP, Private Access DLP, and more). For details on classifications, see About Classifications.
Security Operations Center (SOC) analysts can use the audit log for DLP classifications to monitor risky classification updates, gain actionable insights, and maintain regulatory compliance. These capabilities empower SOC analysts to improve their organization's data protection strategy and reduce the risk of data exfiltration.
Use Case: Suppose a Security Operations Center (SOC) administrator wants to view the classification events for dictionaries updated by admins on the Classifications page. To achieve this use case, the SOC admin can select DLP Classifications as the event category and the associated event type (Classification Dictionary updated) on the Audit Log page. The SOC admin can also refer to the corresponding Additional Information column of a dictionary update event for detailed insights into the specific changes associated with the dictionary. This helps admins identify and investigate any unauthorized or malicious activity related to classification management.
NOTE: You can also view events for sanctioned DLP policies in the Audit Log. For details, see View Sanctioned DLP Policy Events in the Audit Log.
To view events for DLP Classifications in the Audit Log:
- Log in to Skyhigh CASB.
- Go to Settings > Audit Log.
- On the Audit Log page, configure the following:
  - All Event Categories. Select DLP Classifications as the event category.
  - All Events. Select any one of the following event types for DLP Classifications:
    - Classification created. Displays events for newly created classifications. For example, if an existing classification is cloned or synced from Trellix ePolicy Orchestrator (ePO) to Skyhigh.
    - Classification deleted. Displays events for deleted classifications. For example, if a classification is deleted.
    - Classification updated. Displays events for modified classifications. For example, if a rule is edited or a rule group is added for an existing classification.
    - Classification Advanced Pattern created. Displays events for newly created advanced patterns. For example, if an advanced pattern is created.
    - Classification Advanced Pattern deleted. Displays events for deleted advanced patterns. For example, if an advanced pattern is deleted.
    - Classification Advanced Pattern updated. Displays events for modified advanced patterns. For example, if regular expressions are added to an existing advanced pattern or a classification containing an advanced pattern is deleted.
    - Classification Dictionary created. Displays events for newly created dictionaries. For example, if a dictionary is created.
    - Classification Dictionary deleted. Displays events for deleted dictionaries. For example, if a dictionary is deleted.
    - Classification Dictionary updated. Displays events for modified dictionaries. For example, if keywords are added to an existing dictionary or a classification containing a dictionary is deleted.
You can now view the events for DLP classification updates made by admins within your organization.
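The SOC use case above (filter by the DLP Classifications category and event type, then read the Additional Information column for the specific change) can be applied to exported audit records as well. The following is an added example, not part of the Skyhigh documentation or product: the record field names (time, user, category, type, info) and the sample events are constructed, since this page does not describe an export format, and the event type names are the ones listed in the procedure.

```python
# Added example, not from the Skyhigh documentation: triage exported Audit Log
# records for DLP Classifications. Field names and sample events are constructed;
# the page does not describe the export format.
import re
from collections import Counter

EVENT_CATEGORY = "DLP Classifications"
# Event types from the page that remove detection coverage outright.
DESTRUCTIVE_TYPES = {"Classification deleted",
                     "Classification Advanced Pattern deleted",
                     "Classification Dictionary deleted"}
UPDATE_TYPES = {"Classification updated",
                "Classification Advanced Pattern updated",
                "Classification Dictionary updated"}

# Constructed sample export (assumed keys: time, user, category, type, info).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:12Z", "user": "alice@example.com", "category": "DLP Classifications",
     "type": "Classification Dictionary updated",
     "info": "Dictionary 'Project Codenames': added keywords: falcon, osprey"},
    {"time": "2024-05-01T22:47Z", "user": "bob@example.com", "category": "DLP Classifications",
     "type": "Classification Dictionary updated",
     "info": "Dictionary 'Project Codenames': removed keywords: falcon, osprey, kestrel"},
    {"time": "2024-05-02T01:03Z", "user": "bob@example.com", "category": "DLP Classifications",
     "type": "Classification deleted", "info": "Classification 'PCI Card Data' deleted"},
    {"time": "2024-05-02T10:00Z", "user": "carol@example.com", "category": "Policies",
     "type": "Sanctioned DLP Policy updated", "info": "Policy 'Block PCI' updated"},
]

def classification_events(events, event_type=None):
    """Mirror the Audit Log filter: DLP Classifications category, optionally one event type."""
    return [e for e in events if e["category"] == EVENT_CATEGORY
            and (event_type is None or e["type"] == event_type)]

def is_risky(event):
    """Deletions, and updates whose Additional Information records removals, weaken coverage."""
    if event["type"] in DESTRUCTIVE_TYPES:
        return True
    return event["type"] in UPDATE_TYPES and re.search(r"\bremoved\b", event["info"]) is not None

def triage(events):
    """Return the risky DLP classification events and how many each admin produced."""
    risky = [e for e in classification_events(events) if is_risky(e)]
    return risky, Counter(e["user"] for e in risky)

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS)[0]:
        print(e["time"], e["user"], e["type"], "-", e["info"])
```

On the constructed sample, only the two events that remove dictionary keywords or delete a classification are flagged, both attributed to the same admin, which is the kind of pattern the use case suggests investigating.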