Download Shadow/Web DLP Evidence
|
Save Shadow/Web DLP Evidence: Save Shadow/Web DLP Evidence is an advanced DLP feature that requires entitlement to a separate add-on SKU. Contact Skyhigh Support or your account manager for assistance. |
You can download saved evidence files that are linked to Shadow/Web DLP incidents individually from the Shadow/Web DLP Incident Cloud Card (found under Incidents > Policy Incidents > Policy Incidents page). For details on saving the evidence files, see Save Shadow/Web DLP Evidence and Match Highlights. Additionally, you can also use the API to download evidence files for DLP incidents. Once evidence files are downloaded to your system, you can view the details of the violated DLP incidents and perform additional forensics on the generated incidents.
NOTE: You can also download evidence files for Sanctioned DLP incidents on the Policy Incidents Page or Sanctioned DLP Policy Incident Cloud Card. For details, see Download Sanctioned DLP Evidence.
Role-Based Access Control for Evidence Files
The process of downloading evidence files from individual DLP incidents is made more secure and controllable by applying Role-Based Access Control (RBAC). RBAC ensures that only authorized users within a tenancy are granted access to download evidence files for DLP incidents, thereby providing an additional layer of security to the overall process. For details, see About User Roles and Access Levels.
You can control the download of evidence files for Shadow/Web DLP incidents by assigning users with the Incident Management role and the Download Evidence permission via the following pages:
| Page Name | Navigation Details |
|---|---|
| Create User | Settings > User Management > Users > Actions > Create New User > Create User > Roles > Incident Management > Download Evidence |
| Edit User | Settings > User Management > Users > Actions > Edit > Edit User > Roles > Incident Management > Download Evidence |
| Bulk Edit – Roles | Settings > User Management > Users > select one or more users > Actions > Edit Roles > Bulk Edit – Roles > Add Roles or Overwrite Roles > Incident Management > Download Evidence |
NOTE: The access level (Manage or Read Only) configured for the Download Evidence permission does not impact the user's ability to download evidence files for DLP incidents.
For example, a Security Operations Center (SOC) may want to limit the download of evidence files for DLP incidents on the Policy Incidents page to designated users only. To achieve this, the SOC can assign the Incident Management role and Download Evidence permission to specific users, granting them the ability to download evidence files for DLP incidents. This way, only authorized users can access sensitive information related to DLP incidents, minimizing the risk of data breaches.
Download Evidence Files for Shadow/Web DLP Incidents
IMPORTANT: Users with an Incident Management role and the Download Evidence permission can download evidence files for Shadow/Web DLP incidents.
To download evidence files for Shadow/Web DLP incidents:
- Go to Incidents > Policy Incidents.
- On the Policy Incidents page, select the Incident Type as Shadow/Web DLP.
- Click any incident on the table to see the Cloud Card for that incident. For details, see Shadow/Web DLP Incident Cloud Card.
- On the Shadow/Web DLP Incident Cloud Card, under Evidence and Content match, click the link next to the Item name.
The evidence file is downloaded and saved in your system. You can now view the details of the violated DLP incident.