Guides
ProductDeveloperPartnerPersonal
ProductDeveloperPartnerPersonal

Data Loss Prevention Report

Suggest Edits

Data violations detected through the Real Time and SaaS API rules are logged as part of the unified Events view of the Data Loss Prevention Report.

The Data Loss Prevention reports window has two tabs:

👍

Users with De-identification Enabled

Full administrators with De-identification enabled will continue to see identifiable information in the Data Loss Prevention Report.

View Events

  1. Navigate to Reporting > Additional Reports > Data Loss Prevention.
  2. On the Events tab, select a time frame to view reports generated in a specific date range. You can also choose a custom date range.
1386
  1. Use the available Filters for better search results; choose from those listed below:

Event Type—Whether the event is Real Time or SaaS API.
Action—The action the system has applied to the content: blocked, deleted, monitored, quarantined, restored from quarantine, revoked access.
Severity—The severity of the rule that triggered the event.
Application—Application for which an SaaS API rule is applied.
Exposure—Exposure of the content scanned.
Identity Type—The type of identity involved in the event.
Application Categories—The category of the application involved in the event. This filter displays only events that occurred after this filter was added to Umbrella, in January of 2024.

  1. Click the gear icon to customize and sort the columns of your report.

Event Type— Whether the event is Real Time or SaaS API.
Severity—The severity of the rule that triggered the event.
Identity —The identity that made the request.
File Owner—The owner of the file that created the violation in the vendor.
Event Actor— The user who performs an action that triggers a rule violation.
File Name—The name of the file where a classification match was found. When content is found in a message, a post, or form data, the File name displays Message, Content, or Form.
Destination—The destination where the content was scanned.
Rule—The rule that triggered the event.
Action—The action triggered by the rule on detecting a violation.
Detected—The date and time of detection.

  1. Click the action menu icon (three dots) to view further details of an event. See View Details

View Details

  1. Click the action menu icon (three dots) for any event to view a menu of options. Click View details.
  1. The Event Details window displays some of the same content as the report table, with additional information which varies depending upon the Event Type:

Real Time Events

Detected—The date and time the content was detected.
Action—The action triggered by the rule on detecting a violation.
File Name—The name of the file where a classification match was found. When content is found in a message or a post, the File name displays Content.
Identity—The identity that made the request.
Application—The application where the file was uploaded or posted.
Destination URL—The URL of the destination for the event.
Rule—The rule that triggered the event.
Severity—The severity of the rule that triggered the event.
Direction—Direction of traffic. (Applies only to some applications, such as OpenAI API and OpenAI ChatGPT.)
Classification—The classification that matched the content found in the event. Clicking the caret will display the excerpts where the matches were found.
Content Type—The type of data that triggered the event.
Total Size in Bytes—The size of the file that triggered the event.
SHA256 Hash—The unique SHA256 hash for the file. (You may copy this using the Copy icon.)
Event ID—A unique identifier for the event. (You may copy this using the Copy icon.)

SaaS API Events

A timeline of events associated with the file.
Application—The application where the file was uploaded or posted.
Tenant—The Umbrella tenant associated with the event.
Destination URL—The URL of the destination for the event.
Rule—The rule that triggered the event.
Severity—The severity of the rule that triggered the event.
Exposure—An indication of who can see the file—internal or external users.
Classification—The classification that matched the content found in the event. Clicking the caret will display the excerpts where the matches were found.
Content Type—The type of data that triggered the event.
Total Size in Bytes—The size of the file that triggered the event.
SHA256 Hash—The unique SHA256 hash for the file.
Unique Event ID—A unique identifier for the event.

Delete File

For SaaS API events on Webex Teams, when a message is monitored and a rule violation is detected, you can manually delete the message or file.

  1. Click the action menu (three dots) for any Webex Teams event that is not marked Deleted to view a menu of options. Click Delete Message and Files.
  1. Click Delete to confirm.

Quarantine File

For SaaS API events on Microsoft OneDrive, SharePoint Online, Box, Dropbox, or Google Drive, when a file is monitored and a rule violation is detected, you can manually quarantine the file.

  1. Click the action menu icon (three dots) for any event to view a menu of options. Click Quarantine file.
  1. Click Quarantine.

🚧

  • The file identified as exposing sensitive data is moved to the Cisco_Quarantine/DLP folder Umbrella created in the root path of the Global Admin who authorised the tenant.
  • The user who authorises access to Umbrella will have access to the quarantine folder. All other accesses and collaborators are removed. Thus, we recommend that the admin add the relevant DLP Admins as additional collaborators to the folder.
  1. The file is now quarantined. Under Events Details, click Quarantine Folder to navigate to the quarantined folder.

Restore File from Quarantine

When a quarantined file is restored, the original location of the file, ownership and permissions are also restored.

  1. Click the action menu icon (three dots) for any event to view a menu of options. Click Restore file from quarantine.
  1. Click Restore to proceed.
1238
  1. The file is now restored. You can access the file in its original location under Event Details.

Use Advanced Search

  1. You can search the Data Loss Prevention Reports by keywords to find specific events.
1092
  1. Alternatively, click Advanced in the search bar to bring up the advanced search. You can apply filters to the report choosing any of the following event criteria: Identity, File Owner, Event Actor, Event ID, Destination URL, Application, Direction (Applies only to some applications, such as OpenAI API and OpenAI ChatGPT.), Tenant, Rule, Data Classification, File Label, Data Identifier, File Name, or SHA256 Hash. Click Apply to apply the filters to the report.

Discovery

Prerequisite

View a Discovery Scan

  1. Navigate to Reporting > Additional Reports > Data Loss Prevention. Click the Discovery tab.
  2. Use Filters to filter the data by Application , Last Modified, and Exposure.
  1. Choose a Scan from the drop-down. Click Apply to view the details.
    Note: Up to 10 recent scans are displayed. The next triggered Discovery Scan removes the oldest scan results in the list.
  1. If there is an ongoing scan, the results are displayed. Click Cancel Scan to stop the ongoing scan. (You can only run one scan at a time.)
  1. Click the action menu icon (three dots) to view further details of a file.

Cloud Malware Report < Data Loss Prevention Report

Updated 6 days ago