
Skyhigh Security

View Sanctioned DLP Policy Events in the Audit Log

NOTE: Users with the Administrator role can view the events for sanctioned Data Loss Prevention (DLP) policies on the Audit Log page. For details, see About User Roles and Access Levels.

 

You can use the Audit Log to gain insights into various events, such as the creation, modification, and deletion of sanctioned DLP policies by admins within your organization. It also provides detailed information about key updates linked to sanctioned DLP policies. The Audit Log enables you to identify and track changes made by admins to DLP policies and their configurations that impact your sanctioned DLP policies. For details on sanctioned DLP policies, see About Sanctioned DLP Policies.

Security Operations Center (SOC) analysts can use the audit log for sanctioned DLP policies to monitor risky policy updates, gain actionable insights, and maintain regulatory compliance. These capabilities empower SOC analysts to improve their organization's data protection strategy and reduce the risk of data exfiltration. 

Use Case: Suppose a SOC administrator wants to view the events for changes to rule or exception groups under the Rules & Exceptions section in sanctioned DLP policies. To do this, the SOC admin selects CASB DLP Policy as the event category and CASB DLP Policy Rule or Exception Group updated as the event type on the Audit Log page. The Additional Information column of each sanctioned DLP policy update event gives detailed insights into the specific changes made to that policy. This helps admins identify and investigate any unauthorized or malicious activity related to policy management.

NOTE: You can also view events for DLP classifications in the Audit Log. For details, see View DLP Classification Events in the Audit Log.

 

To view events for Sanctioned DLP Policies in the Audit Log:

  1. Log in to Skyhigh CASB.
  2. Go to Settings > Audit Log.
  3. On the Audit Log page, configure the following: 
    1. All Event Categories. Select CASB DLP Policy as the event category.
    2. All Events. Select any one of the following event types for Sanctioned DLP Policies:
      1. Assigned jurisdiction to CASB DLP Policy. Displays events for sanctioned service data jurisdictions assigned to sanctioned DLP policies. For example, if a sanctioned jurisdiction is assigned to a sanctioned DLP policy on the DLP Policies page.
      2. CASB DLP Policy Rule or Exception Group updated. Displays events for changes to rule or exception groups in sanctioned DLP policies. For example, if a classification rule is added, modified, or deleted in a rule or exception group under the Rules & Exceptions section.
      3. CASB DLP Policy activated. Displays events for enabled sanctioned DLP policies. For example, if a disabled sanctioned DLP policy is enabled on the DLP Policies page.
      4. CASB DLP Policy created. Displays events for newly created sanctioned DLP policies. For example, if a sanctioned DLP policy is created on the DLP Policies page.
      5. CASB DLP Policy de-activated. Displays events for disabled sanctioned DLP policies. For example, if an enabled sanctioned DLP policy is disabled on the DLP Policies page.
      6. CASB DLP Policy deleted. Displays events for deleted sanctioned DLP policies. For example, if an existing sanctioned DLP policy is deleted on the DLP Policies page.
      7. CASB DLP Policy exported. Displays events for exported sanctioned DLP policies. For example, if an existing sanctioned DLP policy is exported to a template on the DLP Policies page.
      8. CASB DLP Policy updated. Displays events for changes to sanctioned DLP policies. For example, if the name of an existing sanctioned DLP policy is modified under the Description section.
      9. DLP Dictionary created. Displays events for newly created policy dictionaries. For example, if a dictionary is created on the Policy Dictionaries page.
      10. DLP Dictionary deleted. Displays events for deleted policy dictionaries. For example, if a dictionary is deleted on the Policy Dictionaries page.
      11. DLP Dictionary updated. Displays events for changes to policy dictionaries. For example, if keywords are added to an existing dictionary on the Policy Dictionaries page.

         

You can now view the events for sanctioned DLP policy updates made by admins within your organization.
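For SOC triage of the event types listed above, the following is an added example and not Skyhigh code. It assumes the events have been copied into CSV text with hypothetical columns timestamp, user, event_type and policy; treating the event types in WEAKENING as coverage-reducing is this example's own choice, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

DEACTIVATED = "CASB DLP Policy de-activated"
REACTIVATED = "CASB DLP Policy activated"
# Event type names are taken from the list on this page; the grouping is an assumption.
WEAKENING = {
    DEACTIVATED,
    "CASB DLP Policy deleted",
    "CASB DLP Policy Rule or Exception Group updated",
    "DLP Dictionary deleted",
}

# Constructed sample rows; column names are hypothetical, not the product's export format.
SAMPLE = """timestamp,user,event_type,policy
2024-05-01T09:00:00,alice@example.com,CASB DLP Policy created,PCI Upload Block
2024-05-01T22:10:00,bob@example.com,CASB DLP Policy de-activated,PCI Upload Block
2024-05-01T22:40:00,bob@example.com,CASB DLP Policy activated,PCI Upload Block
2024-05-02T03:15:00,carol@example.com,CASB DLP Policy de-activated,PII Share Audit
2024-05-02T03:20:00,carol@example.com,CASB DLP Policy Rule or Exception Group updated,PCI Upload Block
2024-05-02T10:00:00,alice@example.com,CASB DLP Policy exported,PII Share Audit
"""

def load_events(text):
    """Parse the CSV text and return rows sorted by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda row: row["timestamp"])

def triage(events):
    """Return coverage-reducing events; de-activations carry the unprotected window."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event_type"] not in WEAKENING:
            continue
        note = ""
        if ev["event_type"] == DEACTIVATED:
            # Look for the next re-activation of the same policy.
            back = next((later for later in events[i + 1:]
                         if later["event_type"] == REACTIVATED
                         and later["policy"] == ev["policy"]), None)
            note = (f"re-enabled after {back['timestamp'] - ev['timestamp']}"
                    if back else "still disabled")
        findings.append((ev["timestamp"].isoformat(), ev["user"],
                         ev["event_type"], ev["policy"], note))
    return findings

if __name__ == "__main__":
    for finding in triage(load_events(SAMPLE)):
        print(" | ".join(finding))
```

Each finding should still be checked against the Additional Information column of the corresponding event in the Audit Log to see exactly what changed.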
