Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Download Shadow/Web DLP Evidence

Save Shadow/Web DLP EvidenceSave Shadow/Web DLP Evidence is an advanced DLP feature that requires entitlement to a separate add-on SKU. Contact Skyhigh Support or your account manager for assistance.

You can download saved evidence files that are linked to Shadow/Web DLP incidents individually from the Shadow/Web DLP Incident Cloud Card (found under Incidents > Policy Incidents > Policy Incidents page). For details on saving the evidence files, see Save Shadow/Web DLP Evidence and Match Highlights. Additionally, you can also use the API to download evidence files for DLP incidents. Once evidence files are downloaded to your system, you can view the details of the violated DLP incidents and perform additional forensics on the generated incidents.

NOTE: You can also download evidence files for Sanctioned DLP incidents on the Policy Incidents Page or Sanctioned DLP Policy Incident Cloud Card. For details, see Download Sanctioned DLP Evidence.


Role-Based Access Control for Evidence Files

The process of downloading evidence files from individual DLP incidents is made more secure and controllable by applying Role-Based Access Control (RBAC). RBAC ensures that only authorized users within a tenancy are granted access to download evidence files for DLP incidents, thereby providing an additional layer of security to the overall process. For details, see About User Roles and Access Levels.

You can control the download of evidence files for Shadow/Web DLP incidents by assigning users with the Incident Management role and the Download Evidence permission via the following pages: 

Page Name Navigation Details
Create User Settings > User Management > Users > Actions > Create New User > Create User > Roles > Incident Management > Download Evidence
Edit User Settings > User Management > Users > Actions > Edit > Edit User > Roles > Incident Management > Download Evidence
Bulk Edit – Roles Settings > User Management > Users > select one or more users > Actions > Edit Roles > Bulk Edit – Roles > Add Roles or Overwrite Roles > Incident Management > Download Evidence



NOTE: The access level (Manage or Read Only) configured for the Download Evidence permission does not impact the user's ability to download evidence files for DLP incidents.


For example, a Security Operations Center (SOC) may want to limit the download of evidence files for DLP incidents on the Policy Incidents page to designated users only. To achieve this, the SOC can assign the Incident Management role and Download Evidence permission to specific users, granting them the ability to download evidence files for DLP incidents. This way, only authorized users can access sensitive information related to DLP incidents, minimizing the risk of data breaches.

Download Evidence Files for Shadow/Web DLP Incidents

IMPORTANT: Users with an Incident Management role and the Download Evidence permission can download evidence files for Shadow/Web DLP incidents.


To download evidence files for Shadow/Web DLP incidents:

  1. Go to Incidents > Policy Incidents.
  2. On the Policy Incidents page, select the Incident Type as Shadow/Web DLP.
  3. Click any incident on the table to see the Cloud Card for that incident. For details, see Shadow/Web DLP Incident Cloud Card.
  4. On the Shadow/Web DLP Incident Cloud Card, under Evidence and Content match, click the link next to the Item name.

The evidence file is downloaded and saved in your system. You can now view the details of the violated DLP incident.

Shadow/Web DLP Incident Cloud Card

To learn more about the Policy Incidents page, see Policy Incidents Page.

On the Policy Incidents page > Incident Type filter, select the Shadow/Web DLP policy incident and click any incident on the table to view the Shadow/Web DLP Policy Incident Cloud Card. 


Shadow/Web DLP Policy Incident Cloud Card Components

The Shadow/Web DLP Policy Incident Cloud Card provides the following information:

  • ID
  • Severity
  • Incident Created On
  • Last Response
  • Last Updated
  • Service Name
  • User
  • Owner. Select to assign an owner. 
  • Incident Status. Select to assign an Incident Status. 
  • Resolution Action. Select to assign a Resolution Action. Custom Resolution Actions can be assigned on the Policy > Policy Settings > Incident Management tab. 
  • URL Details 
    • Destination URL
  • Device Information 
    • Device IP
  • Evidence and Content match. Click the box arrows to open the details dialog. Item details such as Properties, Content Matches, and Metadata Matches are displayed on separate tabs. The content and content metadata matches that violate any policy are listed in the Content and Metadata Matches tabs along with the evidence file in the Properties tab. 
    • Item Name. Evidence file that violated the policy. If a link is available, you can click to download it. For details, see Download DLP Evidence.
    • Size
    • Item Type
    • Content Matches Found. Allows you to find matches on content and content metadata such as author name, subject, and comments. Click the box arrows to open the details dialog. For details see Enable Match Highlighting. Contact Support for more information.
      Shadow&Web DLP Incident Cloud Card 2.png
  • Notes. Enter a note for the incident and click Add. Each note added is visible separately below the Notes field. For notes that you have added, you can Edit or Delete them. For notes written by other users, you might only view them. The default limitation is 10 notes per incident and 300 characters per note. To use the Incident Notes feature, you must use your own Data Storage. You can't use Skyhigh CASB Data Storage. For details about configuration, see Data Storage
  • Was this article helpful?