Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

About Policy Incidents

  1. Last updated
  2. Save as PDF

Limited Availability: User UID and ML-driven Potential False Positives are Limited Availability features. ML-driven Potential False Positives (an advanced DLP capability) require additional entitlement. Contact Skyhigh Support or your account manager for assistance. 

The Incidents > Policy Incidents page is a central repository of all incidents that have violated Policies. All Services are consolidated on this page, or you can choose to view the violations occurring in just one Service. You can display Policy Incidents data in a Table view, or create a Chart view. It also provides easy access to filters, Saved Views, and allows you to schedule a report, and display policy details with a single click. 

To learn more about an incident, click to view Policy Incident Cloud Cards.

Table View

The Policy Incidents page Table view is the default view. 

clipboard_e741ddcc2f6dba242db51389bfee7f7d2.png

The Policy Incidents page provides the following information and actions:

  • Search. Search via the Omnibar. You can search for multiple incident IDs by entering a comma-separated query in the Omnibar.
  • Filters. Select options on the Filters tab to scope down your search. 
  • Views. Select the Views tab to use Saved Views created by you or shared with you by another user to reuse specified search parameters from a previous search on current data. 
  • Date Picker. Use the Date Picker to select a preset or custom date range to display data from only this date range.

NOTE: The data is retained for 100 days and displayed accordingly, but the date picker allows you to select only a 30-day range. You can change the range to view data for another 30-day period or any custom range (within 30 days).

 

  • Save View. Click to create a Saved View from your search query. 
  • Policy Incident Summary. The Policy Incident Summary displays an at-a-glance view of the current count of incidents, false positive incidents, and ML-driven potential false positive incidents, along with their trend. 
    • Total Incidents. The count of various types of DLP incidents (Shadow/Web, Sanctioned, and Private Access) in the last 30 days and highlights the increase or decrease in incidents compared to the previous 30-day period.
    • False Positives. The count of various types of DLP incidents (Shadow/Web, Sanctioned, and Private Access) that are manually marked as false positives in the last 30 days. It highlights the increase or decrease in false positive incidents compared to the previous 30-day period.
    • Potential False Positives. The count of sanctioned and Shadow/Web DLP incidents automatically classified as potential false positives in the last 30 days. It highlights the increase or decrease in potential false positive incidents compared to the previous 30-day period. For more information on Potential False Positives, see About ML-driven Potential False Positives. To filter potential false positives for sanctioned incidents, see Sanctioned DLP Incidents. To filter potential false positives for Shadow/Web DLP incidents, see Shadow/Web DLP incidents.

NOTE: To view the count of ML-driven potential false positives on the Policy Incidents page, you must toggle Enable Potential False Positives to On on the Incident Management page. A count of 0 indicates that the toggle is currently off, which is common for new users. Existing users who have disabled the toggle can still see past counts of potential false positives from the last 30 days. However, new counts will only appear once the toggle is re-enabled.

 

  • Actions. Click Actions to:
    • Change Owner
    • Change Status
    • Delete Incidents. Select the checkboxes for incidents you want to delete. Then click Delete in the confirmation dialog. This action can't be undone. Large requests might take a few moments to process.
    • Select Response
    • Create Report
      • Business Report (PDF). Create a PDF report and run it immediately, which then appears in the Report Manager
      • CSV. Create a CSV report and run it immediately, which then appears in the Report Manager
      • XLS.  Create an XLS report and run it immediately, which then appears in the Report Manager
      • Schedule. Schedule a report to run later, which then appears in the Report Manager
      • Vulnerability Report. Generate a report for Container Incidents and Vulnerabilities. For details, see Report - Vulnerabilities
      • User Risk Report. Generate and download a User Risk Report to identify high, medium, and low-risk users for sanctioned services in your organization. You can generate or schedule a report, and access the generated reports via email or in the Report Manager.

NOTES: 

  • User Risk Report includes data from the last 100 days.
  • You cannot view the Filters configured for the User Risk Report on the Schedule Report page.

                 Generate User Risk Report includes the following options:

  • Generate Report. Click to generate a report. By default, the report is generated in the CSV file format. The report's title includes the report's name, current date, and time. For example, User Risk Report 10_09_23 1_56_50 PM UTC.
  • Select your report format. Select CSV or XLSX file formats to generate a report.
  • Schedule. (Optional) Schedule a report to run later, which then appears in the Report Manager.

An email is sent to the recipients with a link to download the report from Report Manager, and the report is attached if the size is less than 25 MB. The report includes user details such as username, user email, user risk score, number of incidents, threats, anomalies, activities, Active Directory (AD) attributes, and more.

  • Settings 
    • Edit Table Columns. You can edit table columns and save your changes as a Saved View
  • Severity. Severity level of the incident: Critical, Major, Minor, Information, or Warning. 
  • Policy Name. The name of the policy was given when it was created. 
  • Item Name. Item or file that violated the policy. If a link is available, you can click to download it. For more information, see Large File Download
  • User Name. The name of the user that caused the violation. 
  • Incident Created On. Date and time the incident was created. 
  • Incident Response. For Sanctioned applications, the Incident Response column displays the configured DLP response to the incident. 

NOTE: For Shadow/Web applications, the Incident Response column displays the response actions configured in SWG for web traffic.

  • Incident StatusStatus of the incident. 
  • Service Name. The name of the Cloud Service Provider the incident pertains to. 
  • Instance Name. The name of the instance that the incident pertains to. 
  • User UIDUnique identification number of a user in your organization.

Other available table columns include:

  • Account ID
  • Account Name
  • Activity
  • CIS Level
  • Comments
  • Device ID
  • Device IP
  • Device Managed
  • Device Type
  • Event ID. When an event triggers multiple policies, and incidents are generated, the Event ID links all these incidents. If no Event ID is available, that means the incident was generated before Skyhigh CASB 4.4.0, when this feature was introduced. 
  • External Collaborators. Modified external collaborators are not shown in the column after a policy action is performed on the Cloud Card. 
  • External Collaborators Count
  • File Size
  • File Type
  • Incident ID
  • Incident Type
  • Incident Updated On
  • Internal Collaborators
  • Item Created On
  • Item Id
  • Item Modified On
  • Item Type
  • Malware Category Name
  • OS
  • Owner
  • Path
  • Quarantine Status
  • Recipient Domains. Displays the domain names of the recipient addresses. For example, if an outbound email is sent to Xyz@skyhigh.com and Cba@hpe.com then only the domain names such as hpe.com, skyhigh.com are listed in this column.
  • Remediation Response
  • Remediation Status
  • Resolution Action
  • Scan Name
  • Scan Run Date
  • Shared Link
  • Source
  • Total Match Count
  • User Agent
  • Vulnerabilities
  • Unique Match Count. The total number of unique matches for the incident.

Sanctioned Attributes. The Policy Incidents table columns might also reflect up to 10 mapped Sanctioned Attributes from Active Directory uploaded by Enterprise Connector. When mapped, you can also search for these Attributes using the Omnibar. But note, if the mapping changes, that affects what you can see and do with these Attributes. For help mapping AD attributes, contact Skyhigh CASB Support

When Multi-Instance Support is enabled, in the main table, the Service Name column is replaced with the Instance Name column, so that you can identify one instance from another. 

NOTE: In the Response column, Archived policy violations do not appear in table results unless you explicitly filter for them in the Omnibar. 

Policy Violation to Sanctioned DLP

On the Policy Incidents Summary and Policy Incidents page, the Incident Type filter label and Omnibar value Policy Violation is changed to Sanctioned DLP. For reports, the CSV and XLXS reports are not affected, but, PDF reports reflect the new string name as PDF reports capture the screen as displayed.

Filter for Unsuccessful Deleted Remediation Status

This filter allows you to search for the Unsuccessful Deleted remediation status, to more easily find and remediate failed items in the Remediation Column.

Historical User Risk Type Filter for Sanctioned DLP Incidents

You can now filter and categorize your search by Historical User Risk Type for Low, Medium, and High-risk users in the Sanctioned DLP Policy Incidents.

Historical User Risk Score is a risk score assigned to the user whenever the incident is created and it is rated on a scale of 1–9. This score is measured based on various factors such as the severity of the violation, the user’s security posture, and metadata about the user's overall compliance history. The score identifies the deviations as High, Medium, and Low-risk types:

  • High (7-9). This score indicates a great potential for cloud services and data to become vulnerable to threats. This level is the least trustworthy. 
  • Medium (4-6). This score indicates a moderate potential for cloud services and data to become vulnerable to threats.
  • Low (1-3). This score indicates little potential for cloud services and data to become vulnerable to threats. This level is the most trustworthy.

The Historical User risk score allows you to track and manage user’s typical usage patterns related to data security, and take necessary actions to strengthen the defense against potential threats in your organization. 

To filter your Historical User Risk Type for Sanctioned DLP Incidents:

  1. On the Policy Incidents page, select the Incident Type filter as Sanctioned DLP and Historical User Risk Type as Low (1-3).

    High Risk Historical User Risk Score.png
    ​​​​
  2. Click any incident on the table to open the cloud card and view the Historical User Risk score of the user and activities details. To view the Historical User Risk Score, see the Policy Incidents cloud card.

Download Evidence Files for Sanctioned DLP Incidents

You can download evidence files that are linked to Sanctioned DLP incidents individually on the Policy Incidents page. 

DLP Evidence is a copy of the compromised content that violates a Sanctioned Data Loss Prevention (DLP) policy detected during the policy evaluation. The downloaded evidence files enables you to view the details of the violated DLP incidents and perform additional forensics on the generated incidents. 

You can apply Role-Based Access Control (RBAC) to control the download of evidence files for Sanctioned DLP incidents. For details, see Download Sanctioned DLP Evidence.

To download evidence files for Sanctioned DLP Incidents:

  1. On the Policy Incidents page, select the Incident Type filter as Sanctioned DLP.

    clipboard_e380448f9bcd6e2d9f4b1e18cee4a753c.png
     
  2. Click the link in the Item Name column corresponding to an incident to download the evidence file. 

NOTE: You can also apply RBAC to control the download of evidence files for Shadow/Web DLP incidents. For details, see Download Shadow/Web DLP Evidence.



 

Filter for ML-driven Potential False Positive Sanctioned DLP Incidents  

You can search for sanctioned DLP incidents that are potential false positives easily and quickly on the Policy Incidents page. This enables you to identify and review incidents that may not be actual policy violations, allowing you to take necessary actions such as marking them as false positives or tuning your policy configurations to reduce false positives in the future. To filter potential false positives for Shadow/Web DLP incidents, see Shadow/Web DLP incidents.

NOTE: To view the count of ML-driven potential false positives on the Policy Incidents page, you must toggle Enable Potential False Positives to On on the Incident Management page. A count of 0 indicates that the toggle is currently off, which is common for new users. Existing users who have disabled the toggle can still see past counts of potential false positives from the last 30 days. However, new counts will only appear once the toggle is re-enabled.

 

To filter for ML-driven Potential False Positives for Sanctioned DLP Incidents:

  1. On the Policy Incidents page, select the Incident Type filter as Sanctioned DLP and the Machine Learning Status filter as Potential False Positive.
  2. You can view all the DLP incidents that are classified as potential false positives in the Incidents table. For details on potential false positives, see About ML-driven Potential False Positives.

    clipboard_edea22dcdcc419f2ddcd22a66d48533d3.png
     
  3. Click any sanctioned DLP incident on the Incidents table to see the Cloud Card for that incident.
  4. On the Sanctioned DLP Incident Cloud Card, review the incident details and update the incident status as required. For example, select the Incident Status as False positive. For details, see Sanctioned DLP Incident Cloud Card.

Display and Filter for Classifications on Sanctioned DLP Incidents

The Classification filter displays a list of various classification names along with the number of incidents linked to each classification. You can select different classifications to filter the Sanctioned DLP incidents accordingly. This capability allows for the quick identification of classifications that have the highest incident counts. It offers valuable insights into the data that is causing the most classifications, helping the administrator in identifying potential risk areas within the organization.

You can also filter the classification for the Shadow/Web DLP incidents. For details, see Shadow/Web DLP Incidents.

To filter Classification data for Sanctioned DLP Incidents:

  1. On the Policy Incidents page, select the Incident Type filter as Sanctioned DLP.
  2. Select the Classification filter and choose the required classification from the list to view the associated incidents.

    policy class.png
     
  3. Click any sanctioned DLP incident on the Incidents table to see the Cloud Card for that incident.
  4. On the Sanctioned DLP Incident Cloud Card, review the classification details and update the necessary remediation action for your incident. For details, see Sanctioned DLP Incident Cloud Card.

View Classification Insights on the Dashboard Card for Sanctioned DLP Incidents

You can create dashboard cards for Classifications directly from the Policy Incidents page by filtering for the specific classification you want to display on the Dashboards page. These cards provide a high-level overview of classification insights and trends, allowing you to visualize data more effectively and make informed decisions.

There are two ways to add a Dashboard Card:

  1. When creating a Saved View on the Policy Incidents page, select the Add Dashboard Card checkbox and add the Classification attribute. To add a Dashboard Card from Saved View, see Create a Saved View.
  2. On your Dashboard, click + Add New Card, then select the Card Type as Incidents to locate the Classification. To add a new card from the Dashboard, see Add a New Card.

    clipboard_e842f09d45e32a5eed7ea90f58461ea01.png

Chart View

To display your Policy Incidents data in a chart, click the Chart icon, under the Omnibar. 

policy_incident_chart_3_6_2.png

To display Policy Incidents data in a chart:

  1. Select an item from the Show list to determine the X-axis of your chart. 
  2. Select an item from the By list to determine the Y-axis of your chart. 
  3. In the Dimension By dialog, select All Data, select Top 10, or select up to 10 items from the list. Then click Done

    policy_incidents_summary_dimensions_3.7.1.png
     
  4. From the In a list, select the type of chart available: 
    • Trend. Line or vertical bar chart.
    • Breakdown. Donut or horizontal bar chart. 
      Your data is displayed in the chart. 
      To edit your chart's Dimension By data, click Edit.
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    1. incident history
    2. incident notes
    3. Incidents
    4. policy incidents
    5. TOPIC ID 361