Download Shadow/Web DLP Evidence
Advanced DLP: Save Shadow/Web DLP Evidence (an advanced DLP capability) requires additional entitlement. Contact Skyhigh Support or your account manager for assistance.
DLP Evidence is a copy of the compromised content that was found to violate a Shadow/Web Data Loss Prevention (DLP) policy during policy evaluation. Once evidence files are saved in your cloud storage, you can download them to view the details of the DLP incidents and perform additional forensics on the generated incidents. For details on saving the evidence files, see Save Shadow/Web DLP Evidence and Match Highlights.
You can download saved evidence files that are linked to Shadow/Web DLP incidents individually from the Policy Incidents page > Shadow/Web DLP Incident Cloud Card. For details, see Shadow/Web DLP Incidents. You can also use the API to download evidence files for DLP incidents.
NOTE: You can also download evidence files for Sanctioned DLP/CASB incidents via Policy Incidents Page > Sanctioned DLP Policy Incident Cloud Card. For details, see Download Sanctioned DLP Evidence.
Role-Based Access Control for Evidence Files
Role-Based Access Control (RBAC) makes downloading evidence files from individual DLP incidents more secure and controllable. RBAC ensures that only authorized users within a tenancy are granted access to download evidence files for DLP incidents, which adds a layer of security to the download process. For details, see About User Roles and Access Levels.
You can control the download of evidence files for Shadow/Web DLP incidents by assigning users the Incident Management role and the Download Evidence permission via the following pages:
| Page Name | Navigation Details |
|---|---|
| Create User | Settings > User Management > Users > Actions > Create New User > Create User > Roles > Incident Management > Download Evidence |
| Edit User | Settings > User Management > Users > Actions > Edit > Edit User > Roles > Incident Management > Download Evidence |
| Bulk Edit – Roles | Settings > User Management > Users > select one or more users > Actions > Edit Roles > Bulk Edit – Roles > Add Roles or Overwrite Roles > Incident Management > Download Evidence |

NOTE: The access level (Manage or Read Only) configured for the Download Evidence permission does not impact the user's ability to download evidence files for DLP incidents.
For example, a Security Operations Center (SOC) may want to limit the download of evidence files for DLP incidents on the Policy Incidents page to designated users only. To achieve this, the SOC can assign the Incident Management role and Download Evidence permission to specific users, granting them the ability to download evidence files for DLP incidents. This way, only authorized users can access sensitive information related to DLP incidents, minimizing the risk of data breaches.
