NOTE: Save Evidence is an advanced DLP feature that requires entitlement to a separate add-on SKU. Contact Skyhigh Support or your account manager for assistance.
You can download saved evidence files that are linked to Shadow/Web DLP incidents individually from the Shadow/Web DLP Incident Cloud Card (found under Incidents > Policy Incidents > Policy Incidents page). For details on saving the evidence files, see Save DLP Evidence. Additionally, you can also use the API to download evidence files for DLP incidents. Once evidence files are downloaded to your device/system, you can view the details of the violated DLP incidents and perform additional forensics on the generated incidents.
The process of downloading web evidence files from individual DLP incidents is made more secure and controllable by applying Role-Based Access Control (RBAC). RBAC ensures that only authorized users within a tenancy are granted access to download evidence files for DLP incidents, thereby providing an additional layer of security to the overall process. For details, see About User Roles and Access Levels.
For example, a Security Operations Center (SOC) may want to limit the download of evidence files for DLP incidents on the Policy Incidents page to designated users only. To achieve this, the SOC can assign the Incident Management role and Download Evidence permission to specific users, granting them the ability to download evidence files for DLP incidents. This way, only authorized users can access sensitive information related to DLP incidents, minimizing the risk of data breaches.
Download Evidence Files for Shadow/Web DLP Incidents
IMPORTANT: Users with an Incident Management role and the Download Evidence permission can download evidence files for Shadow/Web DLP incidents.
To download evidence files for Shadow/Web DLP incidents:
- Go to Incidents > Policy Incidents.
- On the Policy Incidents page, select the Incident Type as Shadow/Web DLP.
- Click any incident on the table to see the Cloud Card for that incident. For details, see Shadow/Web DLP Incident Cloud Card.
- On the Shadow/Web DLP Incident Cloud Card, under Evidence and Content match, click the link next to the Item name.
The evidence file is downloaded and saved on your device/system.
Shadow/Web DLP Incident Cloud Card
To learn more about the Policy Incidents page, see Policy Incidents Page.
On the Policy Incidents page > Incident Type filter, select the Shadow/Web DLP policy incident and click any incident on the table to view the Shadow/Web DLP Policy Incident Cloud Card.
Shadow/Web DLP Policy Incident Cloud Card Components
The Shadow/Web DLP Policy Incident Cloud Card provides the following information:
- Incident Created On
- Last Response
- Last Updated
- Service Name
- Owner. Select to assign an owner.
- Incident Status. Select to assign an Incident Status.
- Resolution Action. Select to assign a Resolution Action. Custom Resolution Actions can be assigned on the Policy > Policy Settings > Incident Management tab.
- URL Details
- Destination URL
- Device Information
- Device IP
- Evidence and Content match. Click the box arrows to open the details dialog. Item details such as Properties, Content Matches, and Metadata Matches are displayed on separate tabs. The content and content metadata matches that violate any policy are listed in the Content and Metadata Matches along with the evidence files in the Properties.
- Item Name. Item or file that violated the policy. If a link is available, you can click to download it. For details, see Download DLP Evidence.
- Item Type
- Content Matches Found. Allows you to find matches on content and content metadata such as author name, subject, and comments. For details see Enable Match Highlighting. Contact Support for more information.
- Notes. Enter a note for the incident and click Add. Each note added is visible separately below the Notes field. For notes that you have added, you can Edit or Delete them. For notes written by other users, you might only view them. The default limitation is 10 notes per incident and 300 characters per note. To use the Incident Notes feature, you must use your own Data Storage. You can't use Skyhigh CASB Data Storage. For details about configuration, see Data Storage.