Shadow/Web DLP Incident Cloud Card

Shadow/Web DLP Policy Incident Cloud Card Components

• ID
• Severity
• Incident Created On
• Last Response
• Last Updated
• Service Name
• User
• Owner. Select to assign an owner. You can assign the incident to yourself or other users. The Owner assignment list is dynamically rearranged for each user, with your name (me) appearing at the top for easy self-assignment. To change the owner of multiple incidents, see Change the Owner of Multiple Incidents.
• Incident Status. Select to assign an Incident Status. 
• Resolution Action. Select to assign a Resolution Action. Custom Resolution Actions can be assigned on the Policy > Policy Settings > Incident Management tab.
• Machine Learning Status. Provides details on the status of the incident, analyzed and classified using AI and ML models.
  • Potential False Positive. Indicates that the Shadow/Web DLP incident is a potential false positive.

To address potential false positive incidents, review the details and update the required incident status as necessary. For instance, select the incident status as False Positive.

• URL Details 
  • Destination URL
• Device Information 
  • Device IP
• Classifications. Number and names of the classifications that triggered the incident. 
• ML Auto Classifiers. Provides details on the matches triggered for various ML Auto Classifiers. For details, see ML Auto Classifiers.
  • ML Classifier. Displays the predefined category of the matched file, which was defined earlier during the creation of the classification (ML Auto Classifiers).
  • Confidence. Displays the confidence percentage triggered for various ML Auto Classifiers based on Skyhigh predefined ML Auto Classifiers. The confidence percentage indicates the likelihood that the file belongs to a specific file category. The minimum threshold for triggering a ML Auto Classifier match is 50%, except for source code files, which have a higher threshold.

► Click to view ML Auto Classifier details in the cloud card

• Evidence and Content match. Click the box arrows to open the details dialog. Item details such as Properties, Content Matches, and Metadata Matches are displayed on separate tabs. The content and content metadata matches that violate any policy are listed in the Content and Metadata Matches tabs, along with the evidence file in the Properties tab. 
  • Item Name. Evidence file that violated the policy. If a link is available, you can click to download it. For details, see Download DLP Evidence.
  • Size
  • Item Type
  • Content Matches Found. Allows you to find matches on content and content metadata such as author name, subject, and comments. Click the box arrows to open the details dialog. For details see Enable Match Highlighting. Contact Support for more information.
    
• Notes. Enter a note for the incident and click Add. Each note added is visible separately below the Notes field. For notes that you have added, you can Edit or Delete them. For notes written by other users, you might only view them. The default limitation is 10 notes per incident and 300 characters per note. To use the Incident Notes feature, you must use your own Data Storage. You can't use Skyhigh CASB Data Storage. For details about configuration, see Data Storage. 
• Incident History. Lists any changes made (such as changed owner, status, response, or notes), the name of the user who made the change, and the time and date that change occurred.