Data Loss Prevention Report
Data violations detected through the Real Time and SaaS API rules are logged as part of the unified Events view of the Data Loss Prevention Report.
The Data Loss Prevention reports window has two tabs: Events and Discovery.
Users with De-identification Enabled
Full administrators with De-identification enabled will continue to see identifiable information in the Data Loss Prevention Report.
View Events
- Navigate to Reporting > Additional Reports > Data Loss Prevention.
- On the Events tab, select a time frame to view reports generated in a specific date range. You can also choose a custom date range.
- Use the available Filters for better search results; choose from those listed below:
Event Type: Whether the event is Real Time or SaaS API.
Action: The action the system has applied to the content: blocked, deleted, monitored, quarantined, restored from quarantine, revoked access.
Severity: The severity of the rule that triggered the event.
Application: Application for which a SaaS API rule is applied.
Exposure: Exposure of the content scanned.
Identity Type: The type of identity involved in the event.
Application Categories: The category of the application involved in the event. This filter displays only events that occurred after this filter was added to Umbrella, in January of 2024.
- Click the gear icon to customize and sort the columns of your report.
Event Type: Whether the event is Real Time or SaaS API.
Severity: The severity of the rule that triggered the event.
Identity: The identity that made the request.
File Owner: The owner of the file that created the violation in the vendor.
Event Actor: The user who performs an action that triggers a rule violation.
File Name: The name of the file or attachment where a classification match was found. (This includes attachments to Outlook email messages.) When content is found in a message, a post, or form data, the File name displays Message, Content, or Form.
Destination: The destination where the content was scanned.
Rule: The rule that triggered the event.
Resource Name: For AWS S3 this displays the S3 bucket associated with the content that triggered the violation. For Azure Storage this displays the storage account or container associated with the content that triggered the violation. For other applications, this displays "N/A."
Action: The action triggered by the rule on detecting a violation.
Detected: The date and time of detection.
- Click the action menu icon (three dots) to view further details of an event. See View Details.
View Details
- Click the action menu icon (three dots) for any event to view a menu of options. Click View details.

- The Event Details window displays some of the same content as the report table, with additional information which varies depending upon the Event Type:
Real Time Events
Detected: The date and time the content was detected.
Action: The action triggered by the rule on detecting a violation.
File Name: The name of the file where a classification match was found. When content is found in a message or a post, the File name displays Content.
Identity: The identity that made the request.
Application: The application where the file was uploaded or posted.
Application Category: The category for the application where the file was uploaded or posted.
Destination URL: The URL of the destination for the event.
Rule: The rule that triggered the event.
Severity: The severity of the rule that triggered the event.
File Label: File label names in the value of the file's document properties. This includes Microsoft Office Document Properties, Microsoft Office Sensitivity Labels, and Adobe PDF Document Properties.
Direction: Direction of traffic.
Classification: The classification that matched the content found in the event. Clicking the caret will display the excerpts where the matches were found.
Content Type: The type of data that triggered the event.
Total Size in Bytes: The size of the file that triggered the event.
SHA256 Hash: The unique SHA256 hash for the file. (You may copy this using the Copy icon.)
Event ID: A unique identifier for the event. (You may copy this using the Copy icon.)
SaaS API Events
A timeline of events associated with the file.
Application: The application where the file was uploaded or posted.
Tenant: The Umbrella tenant associated with the event.
Resource ID: The URL for the resource associated with the content that triggered the violation. For AWS S3 the resource is an S3 bucket. For Azure Storage the resource is a storage account or container. For other applications, this does not apply.
Resource Name: For AWS S3 this displays the S3 bucket associated with the content that triggered the violation. For Azure Storage this displays the storage account or container associated with the content that triggered the violation. For other applications, this does not apply.
Destination URL: The URL of the destination for the event. (Note: For some platforms, a single file or message can trigger multiple events that show the same Destination URL for each event.)
File/Message Direction: The direction of the message or file that triggered the event: Incoming or Outgoing. Note: For Outlook, this will always be Outgoing.
Rule: The rule that triggered the event.
Severity: The severity of the rule that triggered the event.
Exposure: An indication of who can see the file: internal or external users.
Classification: The classification that matched the content found in the event. Clicking the caret will display the excerpts where the matches were found.
Content Type: The type of data that triggered the event.
Total Size in Bytes: The size of the file that triggered the event.
SHA256 Hash: The unique SHA256 hash for the file.
Event ID: A unique identifier for the event.
Delete File
For SaaS API events on Webex Teams and Slack, when a message is monitored and a rule violation is detected, you can manually delete the message or file.
- Click the action menu (three dots) for any Webex Teams event that is not marked Deleted to view a menu of options. Click Delete Message and Files.

- Click Delete to confirm.
Quarantine File
For SaaS API events on Microsoft OneDrive, SharePoint Online, Box, Dropbox, ServiceNow, or Google Drive, when a file is monitored and a rule violation is detected, you can manually quarantine the file.
- Click the action menu icon (three dots) for any event to view a menu of options. Click Quarantine file.

- Click Quarantine.

Note:
- For Microsoft OneDrive, SharePoint Online, Box, Dropbox, or Google Drive:
- The file identified as exposing sensitive data is moved to the Cisco_Quarantine/DLP folder that Umbrella created in the root path of the Global Admin who authorized the tenant.
- The user who authorizes access to Umbrella will have access to the quarantine folder. All other accesses and collaborators are removed. Thus, we recommend that the admin add the relevant DLP Admins as additional collaborators to the folder.
- For ServiceNow:
- The file identified as exposing sensitive data is moved to a table named Cisco_Quarantine_Malware, which can be accessed only by the admin user who authorized the ServiceNow tenant.
- A footprint is attached to the notes\activities area of the table the file is attached to. This footprint will notify users that the file has been identified as malware, and for more information they should contact their administrator.
- The file is now quarantined. Under Event Details, click Quarantine Folder to navigate to the quarantined folder.

Restore File from Quarantine
When a quarantined file is restored, the original location of the file, ownership and permissions are also restored.
- Click the action menu icon (three dots) for any event to view a menu of options. Click Restore file from quarantine.

- Click Restore to proceed.

- The file is now restored. You can access the file in its original location under Event Details.

Note: If your DLP rules process files from Microsoft OneDrive, SharePoint Online, Box, Dropbox, ServiceNow, or Google Drive and you restore a quarantined file that still violates rule criteria, the system will quarantine that file again. To prevent the system from quarantining the file again, remove the file's violation, or update the rule's criteria.
Use Advanced Search
- You can search the Data Loss Prevention Reports by keywords to find specific events.

- Alternatively, click Advanced in the search bar to bring up the advanced search. You can apply filters to the report by choosing any of the following event criteria: Identity, File Owner, Event Actor, Event ID, Destination URL, Application, Direction (applies only to some applications, such as OpenAI API and OpenAI ChatGPT), Tenant, Rule, Data Classification, File Label, Data Identifier, File Name, Resource Name (for AWS S3 or Azure Storage only), or SHA256 Hash. Click Apply to apply the filters to the report.
Discovery
Prerequisite
- You must initiate a discovery scan as described in Discovery Scan.
View a Discovery Scan
- Navigate to Reporting > Additional Reports > Data Loss Prevention. Click the Discovery tab.
- Use Filters to filter the data by Application, Last Modified, and Exposure.
- Choose a Scan from the drop-down. Click Apply to view the details.
Note: Up to 10 recent scans are displayed. The next triggered Discovery Scan removes the oldest scan results in the list.

- If there is an ongoing scan, the results are displayed. Click Cancel Scan to stop the ongoing scan. (You can only run one scan at a time.)

- Click the action menu icon (three dots) to view further details of a file.
