Skip to main content
Skyhigh Security

Save DLP Evidence and Match Highlights

Save EvidenceSave Evidence is an advanced DLP feature that requires entitlement to a separate add-on SKU. Contact Skyhigh Support or your account manager for assistance.

DLP Evidence is a copy of the compromised content that violates a Web Data Loss Prevention (DLP) policy detected during the policy evaluation. Match highlights are excerpts from a document that include highlighted keywords violating a DLP policy, along with surrounding text. The copy of the compromised content and document excerpt is associated with the appropriate incident and is saved in your data storage to allow you to perform additional forensics on generated incidents. You can download saved evidence files or match highlight files that are linked to Shadow/Web DLP incidents using:

  • Shadow/Web DLP Policy Incident Cloud Card: Download evidence files or match highlight files linked to DLP incidents individually from the Shadow/Web DLP Policy Incident Cloud Card on the Policy Incidents page. 
  • API: Use the API to download evidence files or match highlight files associated with DLP incidents. You can also download all the evidence files or match highlight files for DLP incidents in bulk via API.

Follow these steps to get started with the Save Evidence feature:

  1. Enable Match Highlighting to store match highlights for Shadow/Web DLP incidents.
  2. Configure your own data storage provider to store your evidence files or match highlight files. Currently, you can store your web evidence files or match highlight files only on Amazon Web Services. For details on how to set up storage, see Data Storage.
  3. Create a Web DLP Policy Rule and select the response as Save Evidence. For details, see Create a Shadow/ Web DLP Policy.

How it works?

On creating a new rule in Web DLP Policy, you can set an additional response named Save Evidence. When a Web DLP Policy is violated, the Save Evidence response is triggered, and evidence files or match highlight files are saved on the generated incidents. Match Highlighting should be enabled, and your own data storage provider must be configured to store the evidence files or match highlight files. If a DLP policy is deleted, the web evidence file or match highlight file stored in the policy is unaffected. A backup of the evidence file or match highlight file is retained and stored in the data storage provider (AWS). You can use the Shadow/Web DLP Incident Cloud Card or the API to download those evidence files or match highlight files from the data storage provider. The data stored in the provider are encrypted and to decrypt the data user should:

  • View match highlights linked to DLP incidents individually from the Shadow/Web DLP Policy Incident Cloud Card on the Policy Incidents page. For details, see View Match Highlights for Shadow/Web DLP Incidents.
  • Download evidence files or match highlight files linked to DLP incidents individually from the Shadow/Web DLP Policy Incident Cloud Card on the Policy Incidents page. For details, see Download DLP Evidence.
  • Download evidence files or match highlight files associated with DLP incidents via API. You can also download all the evidence files or match highlight files for DLP incidents in bulk via API. For details, see Retrieve Evidence API.
  • Was this article helpful?