Download Sanctioned DLP Evidence
Download Sanctioned DLP Evidence: Download Sanctioned DLP Evidence is an advanced DLP feature. To enable the Download Sanctioned DLP Evidence feature, contact Skyhigh Support. |
DLP Evidence is a copy of the compromised content that violates a Sanctioned Data Loss Prevention (DLP) policy detected during the policy evaluation. You can download saved evidence files that are linked to Sanctioned DLP incidents individually on the Policy Incidents page or the Sanctioned DLP Policy Incident Cloud Card. Once evidence files are saved in sanctioned cloud services, you can download the evidence files to view the details of the violated DLP incidents and perform additional forensics on the generated incidents.
Download Paths
You can download evidence files for Sanctioned DLP incidents via the following paths:
- Policy Incidents Page: Go to Incidents > Policy Incidents > Policy Incidents page.
- Sanctioned DLP Policy Incident Cloud Card: Go to Incidents > Policy Incidents > Policy Incidents page.
NOTE: You can also download evidence files for Shadow/Web DLP incidents from the Shadow/Web DLP Incident Cloud Card.
Role-Based Access Control for Evidence Files
The process of downloading evidence files from individual DLP incidents is made more secure and controllable by applying Role-Based Access Control (RBAC). RBAC ensures that only authorized users within a tenancy are granted access to download evidence files for DLP incidents, thereby providing an additional layer of security to the overall process. For details, see About User Roles and Access Levels.
You can control the download of evidence files for Sanctioned DLP incidents by assigning users with the Incident Management role and the Download Evidence permission via the following pages:
Page Name | Navigation Details |
---|---|
Create User | Settings > User Management > Users > Actions > Create New User > Create User > Roles > Incident Management > Download Evidence |
Edit User | Settings > User Management > Users > Actions > Edit > Edit User > Roles > Incident Management > Download Evidence |
Bulk Edit – Roles | Settings > User Management > Users > select one or more users > Actions > Edit Roles > Bulk Edit – Roles > Add Roles or Overwrite Roles > Incident Management > Download Evidence |
NOTE: The access level (Manage or Read Only) configured for the Download Evidence permission does not impact the user's ability to download evidence files for DLP incidents.
For example, a Security Operations Center (SOC) may want to limit the download of evidence files for DLP incidents on the Policy Incidents page to designated users only. To achieve this use case, the SOC can assign the Incident Management role and Download Evidence permission to specific users, granting them the ability to download evidence files for DLP incidents. This way, only authorized users can access sensitive information related to DLP incidents, minimizing the risk of data breaches.
Download Evidence Files for Sanctioned DLP Incidents
You can download evidence files for incidents triggered by Sanctioned DLP policies.
IMPORTANT: Users with an Incident Management role and the Download Evidence permission can download evidence files for Sanctioned DLP incidents. For details, see About User Roles and Access Levels.
To download evidence files for Sanctioned DLP incidents:
- Go to Incidents > Policy Incidents.
- On the Policy Incidents page, select the Incident Type filter as Sanctioned DLP.
- Click the link in the Item Name column corresponding to an incident.
- Alternatively, click any incident on the table to see the Cloud Card for that incident. For details, see Sanctioned DLP Policy Incident Cloud Card.
- On the Sanctioned DLP Policy Incident Cloud Card, under Content, click the link next to the Item Name.
The evidence file is downloaded and saved in your system. You can now view the details of the violated DLP incident.