Skyhigh Security

DLP Policy Incident Statuses

DLP Policy incidents are given one of the following workflow statuses:

  • Archived: The violation has been archived and removed from the table. (Archived policy violations do not appear in table results unless you explicitly filter for them in the Omnibar.)
  • False Positive: The violation has been investigated and determined to not be a legitimate violation.
  • New: The violation has not yet been acted on.
  • Opened: The violation is currently under investigation.
  • Resolved: The violation has been investigated and dealt with per your internal policy.
  • Suppressed: The violation has been found to be a duplicate of a previously generated violation. For details, see Policy Incident De-Duplication.

What happens if more than one policy is violated by a document?

If a document violates more than one policy, an incident is created for each violation. However, the response to the document reflects the more restrictive policy. 

For example, let's say a file violates two policies: a Credit Card Number policy and a Metadata policy. Because the Credit Card Numbers policy is more restrictive, leading to a Quarantined action, the file is quarantined for both policies. Two separate incidents are created, but one action is taken.

For details, see Response Action Precedence. 

