View Match Highlights for Sanctioned DLP Incidents
IMPORTANT: Make sure that you enable Match Highlighting to save match highlights in sanctioned cloud services. For details, see Enable Match Highlighting.
Match highlights are excerpts from a document that include the highlighted keywords that violate a DLP policy, along with surrounding text that can be used to identify false positives. You can view saved match highlights linked to Sanctioned DLP incidents individually on the Sanctioned Incident Cloud Card (found under Incidents > Policy Incidents > Policy Incidents page). Once match highlights are saved in sanctioned cloud services, you can view the match highlights for incidents that violated a DLP policy and perform additional forensics on the generated incidents.
NOTE: You can also view match highlights for Shadow/Web DLP incidents on the Shadow/Web DLP Incident Cloud Card. For details, see View Match Highlights for Sanctioned DLP Incidents.
Role-Based Access Control for Match Highlights
Role-Based Access Control (RBAC) makes viewing match highlights from individual DLP incidents more secure and controllable. RBAC ensures that only authorized users within a tenancy can view match highlights for DLP incidents, which adds a layer of security to the overall process. For details, see About User Roles and Access Levels.
You can control the visibility of match highlights for Sanctioned DLP incidents by assigning users the Incident Management role and the Display Match Highlights permission on the following pages:
Page Name | Navigation Details |
---|---|
Create User | Settings > User Management > Users > Actions > Create New User > Create User > Roles > Incident Management > Display Match Highlights |
Edit User | Settings > User Management > Users > Actions > Edit > Edit User > Roles > Incident Management > Display Match Highlights |
Bulk Edit – Roles | Settings > User Management > Users > select one or more users > Actions > Edit Roles > Bulk Edit – Roles > Add Roles or Overwrite Roles > Incident Management > Display Match Highlights |
NOTE: The access level (Manage or Read Only) configured for the Display Match Highlights permission does not impact the user's ability to view match highlights for DLP incidents.
For example, a Security Operations Center (SOC) can restrict the viewing of match highlights for DLP incidents on the Policy Incidents page to designated users only. To achieve this, the SOC must first create a Saved View Data Jurisdiction for the Policy Incidents page. For details, see Create Data Jurisdictions for Saved Views. The SOC can then assign the Incident Management role and the Display Match Highlights permission to specific users, granting them the ability to view match highlights for DLP incidents. This ensures that only authorized users can access sensitive information related to DLP incidents, minimizing the risk of data exfiltration.
View Match Highlights
You can view match highlights for incidents triggered by Sanctioned DLP policies.
IMPORTANT: Users with an Incident Management role and the Display Match Highlights permission can view match highlights for Sanctioned DLP incidents. For details, see About User Roles and Access Levels.
To view match highlights for Sanctioned DLP incidents:
- Go to Incidents > Policy Incidents.
- On the Policy Incidents page, set the Incident Type filter to Sanctioned DLP.
- Click any incident in the table to see the Cloud Card for that incident. For details, see Sanctioned DLP Policy Incident Cloud Card.
- On the Sanctioned DLP Policy Incident Cloud Card, go to Content > Content Matches Found.
You can now view the match highlights for the incident that violated the DLP policy.