Available Search Terms for DLP Incidents
The following Omnibar facets are used exclusively on the DLP Incidents page.
Search Term | Description | Available Options |
---|---|---|
File Name | The name of the file matching the DLP policy rule. You can use this Omnibar facet to locate policy violations centering on a specific file. | All detected files can be used in this search filter. |
File Size | The detected size of the file matching the DLP policy rule. You can use this Omnibar facet to filter results around the size of the file. Transfers of unusually large files may indicate potential data exfiltration events. Excessive transfers of unusually small files may indicate attempts to test security measures in preparation for a data theft incident. | Filter on file size based on KB, MB or GB. The filter can compare files against the user-entered value based on the following criteria: |
File Type | The format of the file matching the DLP policy rule. You can use this Omnibar facet to filter results around a specific file format in order to better tune policies that control which formats can be shared. For example, if you have a policy that only allows PDFs to be shared, you could use the File Type filter to confirm that .DOC or .XLS files are triggering policy violations. | One or more formats can be selected from any of the Skyhigh CASB supported formats. |
Incident ID | This Omnibar facet is reserved for internal functionality. | N/A |
Match Count | The number of policy rule matches found in the document that triggered the policy violation. You can use this Omnibar facet to investigate files that violate a policy in many places (as those indicate the highest risk violations) or to review files that have a small number of matches, as those may indicate false positives or accidental violations. | Enter any integer to filter to the number of policy matches. |
Policy | The name of the violated policy. You can use this Omnibar facet to review all policy violations from a specific policy. | Select from any of your existing DLP policies. |
Remediator | The remediator is the CASB user who has been assigned to investigate the policy violation. You can use this Omnibar facet to view the workflow of your remediators. | Select from any CASB user with the Policy Manager role to view any policy violations where that user is assigned as a remediator. |
Response | The response action taken as a result of the policy violation. You can use this Omnibar facet to review policy responses and see how many policy violations are responded to in a certain way. | Select from Skyhigh CASB's DLP response actions. |
Scan Name | The name of the On-Demand Scan that detected the policy violation. You can use this Omnibar facet to review your On-Demand Scans; if an On-Demand Scan consistently runs without triggering any policy violations it may not be configured correctly. Conversely, if an On-Demand Scan produces excessive false positives you may need to adjust the scan criteria. | Select from your active On-Demand Scans. |
Severity | The recorded severity level of the policy violation. Severity level is defined by the user during DLP policy creation. You can use this Omnibar facet to manage your remediation workflow; filtering based on severity level allows your remediators to focus on the highest priority violations first. | |
Sharing | Whether the content is included in a shared folder or external link within the CSP. Some companies view policy violations for files shared outside of the company more harshly than files that remain internal. You can use this Omnibar facet to provide better insight on how your users are interacting with the cloud and better determine the significance of the policy violation. | |
Status | The current state of the policy violation. Status is set by the user in the policy violation platform. You can use this Omnibar facet to manage your remediation workflow; remediators can filter to only New policies to tackle the incoming violations or filter out any violations that have been marked as False Positive. | |
User | The user who triggered the policy violation. You can use this Omnibar facet to investigate specific users. If a single user is generating excessive policy violations, they may need to be investigated. | Select from all users who have triggered a DLP policy violation. |