View Match Highlights for Shadow/Web DLP Incidents
Save Shadow/Web DLP Evidence: Save Shadow/Web DLP Evidence is an advanced DLP feature that requires entitlement to a separate add-on SKU. Contact Skyhigh Support or your account manager for assistance.
You can view saved match highlights that are linked to Shadow/Web DLP incidents on the Shadow/Web DLP Incident Cloud Card (found under Incidents > Policy Incidents > Policy Incidents page). For details on saving match highlights, see Save Shadow/Web DLP Evidence and Match Highlights. Once match highlights are saved in your data storage provider, you can view the match highlights of violated DLP incidents and perform additional forensics on the generated incidents.
NOTE: You can also view match highlights for Sanctioned DLP incidents on the Sanctioned DLP Policy Incident Cloud Card. For details, see View Match Highlights for Sanctioned DLP Incidents.
Role-Based Access Control for Match Highlights
The process of viewing match highlights from individual DLP incidents is made more secure and controllable by applying Role-Based Access Control (RBAC). RBAC ensures that only authorized users within a tenancy are granted access to view match highlights for DLP incidents, thereby providing an additional layer of security to the overall process. For details, see About User Roles and Access Levels.
You can control the visibility of match highlights for Shadow/Web DLP incidents by assigning users the Incident Management role and the Display Match Highlights permission on the following pages:
Page Name | Navigation Details |
---|---|
Create User | Settings > User Management > Users > Actions > Create New User > Create User > Roles > Incident Management > Display Match Highlights |
Edit User | Settings > User Management > Users > Actions > Edit > Edit User > Roles > Incident Management > Display Match Highlights |
Bulk Edit – Roles | Settings > User Management > Users > select one or more users > Actions > Edit Roles > Bulk Edit – Roles > Add Roles or Overwrite Roles > Incident Management > Display Match Highlights |
NOTE: The access level (Manage or Read Only) configured for the Display Match Highlights permission does not impact the user's ability to view match highlights for DLP incidents.
For example, a Security Operations Center (SOC) can restrict access to view match highlights for DLP incidents on the Policy Incidents page to designated users only. To achieve this, the SOC must first create a Saved View Data Jurisdiction for the Policy Incidents page. For details, see Create Data Jurisdictions for Saved Views. Subsequently, the SOC can assign the Incident Management role and Display Match Highlights permission to specific users, granting them the ability to view match highlights for DLP incidents. This ensures that only authorized users can access sensitive information related to DLP incidents, minimizing the risk of data exfiltration.
View Match Highlights
You can view match highlights for incidents triggered by Shadow/Web DLP policies.
IMPORTANT: Users with an Incident Management role and the Display Match Highlights permission can view match highlights for Shadow/Web DLP incidents. For details, see About User Roles and Access Levels.
To view match highlights for Shadow/Web DLP incidents:
- Go to Incidents > Policy Incidents.
- On the Policy Incidents page, select the Incident Type as Shadow/Web DLP.
- Click any incident in the table to see the Cloud Card for that incident. For details, see Shadow/Web DLP Incident Cloud Card.
- On the Shadow/Web DLP Incident Cloud Card, go to Evidence and Content match > Content Matches Found.
You can now view match highlights of the violated DLP incident.