Data violations detected through the Real Time and SaaS API rules are logged as part of the unified Events view of the Data Loss Prevention Report.
The Data Loss Prevention reports window has two tabs:
Users with De-identification Enabled
Full administrators with De-identification enabled will continue to see identifiable information in the Data Loss Prevention Report.
Events
- Navigate to Reporting > Additional Reports > Data Loss Prevention.
- Select a time frame to view reports generated in a specific date range. You can also choose a custom date range.
- Use the available filters to narrow the results, such as Event Type, Action, Severity, Application, Exposure, and Identity Type.
Event Type: Whether the event is Real Time or SaaS API.
Action: Whether the content was monitored, quarantined, or blocked.
Severity: The severity of the rule that triggered the event.
Application: The application for which the DLP rule is applied.
Exposure: The exposure of the content scanned.
- Click the gear icon to customize and sort the columns of your report.
Event Type: Whether the event is Real Time or SaaS API.
Severity: The severity of the rule that triggered the event.
Identity or File Owner: The identity that made the request or that owns the file.
Name: The name of the file in which a classification match was found. When the match is in a message or a post rather than a file, the Name column displays Content.
Destination: The destination for which the content was scanned.
Rule: The rule that triggered the event.
Action: The action the rule took on detecting the violation.
Detected: The date and time of detection.
- Click the action menu icon (three dots) to view further details of an event.
View Details
- Click View details.
- The Event Details window displays some of the same content as the report table, with additional information:
Application—The application where the file was uploaded or posted.
Destination URL—The URL of the destination for the event.
Rule Triggered—The rule that triggered the event.
Classification—The classification that matched the content found in the event. Clicking the caret will display the excerpts where the matches were found.
SHA256 Hash—The unique SHA256 hash for the file.
Quarantine File
When a rule's action is to monitor and a violation is detected, the file is left in place; you can quarantine it manually from the event.
- Click Quarantine file.
- Click Quarantine to proceed.
Note:
- The file identified as exposing sensitive data is moved to the Cisco_Quarantine/DLP folder that Umbrella creates in the root path of the Global Admin who authorized the tenant.
- Only the user who authorized Umbrella's access retains access to the quarantine folder; all other permissions and collaborators on the file are removed. It is therefore recommended that this admin add the relevant DLP admins as collaborators on the folder.
- The file is now quarantined. Under Event Details, click Quarantine Folder to open the quarantine folder.
Restore File from Quarantine
When a quarantined file is restored, the original location of the file, ownership and permissions are also restored.
- Click Restore file from quarantine.
- Click Restore to proceed.
- The file is now restored. Under Event Details, you can open the file in its original location.
- Use Advanced Search.
a. You can search the Data Loss Prevention Reports by keywords to find specific events.
b. Alternatively, click Advanced in the search bar to bring up the advanced search. You can search for events by identity, destination (including applications), rule, data identifier, or file hash. Click Apply to apply the filters to the report.
- Choose a Discovery Scan from the drop-down. Click Apply to view its details.
Note: Up to 10 recent scans are displayed. The next triggered Discovery Scan removes the oldest scan results from the list.
- If a scan is in progress, its results are displayed. Click Cancel Scan to stop the ongoing scan.
- Click the action menu icon (three dots) to view further details of a file.
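Analysts often pull these events out of the report to triage them in bulk: which monitored events still need a manual quarantine decision, whether a file found elsewhere is the same file as in an event (by its SHA256 rather than its name), and which identities generate the most violations. The script below is an added, constructed example and is not Umbrella's code; it does not use any Umbrella API or export format described on this page. The `DlpEvent` field names, the severity ordering in `SEVERITY_RANK`, the action labels (`Monitored`, `Blocked`, `Quarantined`) and the sample events and file contents are all assumptions made for the example, chosen to mirror the report columns and filters listed above.

```python
"""Offline triage of DLP report events (constructed example, not Umbrella code)."""
import hashlib
from collections import Counter
from dataclasses import dataclass, fields
from datetime import datetime
from typing import Optional

# Assumed severity ordering; the report only says severity comes from the rule.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class DlpEvent:
    """One row of the Events tab; field names are assumptions for this example."""
    event_type: str            # "Real Time" or "SaaS API"
    severity: str
    identity: str              # Identity or File Owner column
    name: str                  # file name, or "Content" for a message/post match
    destination: str           # application or URL the content was scanned for
    rule: str
    action: str                # "Monitored", "Blocked" or "Quarantined" (assumed labels)
    detected: datetime
    sha256: Optional[str]      # None when the match was in a message or post


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents; the sha256 column of the sample events is derived from them.
CONSTRUCTED_FILES = {
    "payroll_q3.xlsx": b"employee,ssn\nJ. Doe,123-45-6789\n",
    "design-notes.txt": b"internal project notes, nothing sensitive\n",
}

# Constructed sample events.
SAMPLE_EVENTS = [
    DlpEvent("SaaS API", "High", "alice@example.com", "payroll_q3.xlsx", "Google Drive",
             "PII - SSN", "Monitored", datetime(2024, 5, 2, 9, 15),
             sha256_hex(CONSTRUCTED_FILES["payroll_q3.xlsx"])),
    DlpEvent("Real Time", "Critical", "bob@example.com", "payroll_q3.xlsx",
             "https://files.example.net/upload", "PII - SSN", "Blocked",
             datetime(2024, 5, 2, 11, 40), sha256_hex(CONSTRUCTED_FILES["payroll_q3.xlsx"])),
    DlpEvent("Real Time", "Low", "carol@example.com", "design-notes.txt",
             "https://paste.example.org", "Internal Keyword", "Monitored",
             datetime(2024, 5, 3, 8, 5), sha256_hex(CONSTRUCTED_FILES["design-notes.txt"])),
    DlpEvent("SaaS API", "Medium", "alice@example.com", "Content", "Slack",
             "Credit Card", "Monitored", datetime(2024, 5, 3, 14, 20), None),
]

_FIELDS = {f.name for f in fields(DlpEvent)}


def filter_events(events, **criteria):
    """Mirror the report filters / advanced search: every given field must match exactly."""
    unknown = set(criteria) - _FIELDS
    if unknown:
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    return [ev for ev in events
            if all(getattr(ev, k) == v for k, v in criteria.items())]


def quarantine_candidates(events, min_severity="High"):
    """Monitored events (rule did not block or quarantine) at or above the severity
    cut-off that involve an actual file, i.e. the ones a manual quarantine applies to.
    Message/post matches carry no file and are skipped."""
    floor = SEVERITY_RANK[min_severity]
    return [ev for ev in events
            if ev.action == "Monitored" and ev.sha256 is not None
            and SEVERITY_RANK[ev.severity] >= floor]


def events_for_file(events, data: bytes):
    """Match a local copy of a file to report events by SHA256, regardless of file name."""
    digest = sha256_hex(data)
    return [ev for ev in events if ev.sha256 == digest]


def identities_by_event_count(events):
    """Identities ordered by number of events, most first."""
    return Counter(ev.identity for ev in events).most_common()


if __name__ == "__main__":
    for ev in quarantine_candidates(SAMPLE_EVENTS):
        print(f"manual quarantine candidate: {ev.identity} {ev.name} ({ev.severity}, {ev.rule})")
    for ev in events_for_file(SAMPLE_EVENTS, CONSTRUCTED_FILES["payroll_q3.xlsx"]):
        print(f"same file seen: {ev.event_type} -> {ev.destination} [{ev.action}]")
    print(identities_by_event_count(SAMPLE_EVENTS))
```

The hash match is the useful part in practice: a file renamed before upload still produces the same SHA256, so matching on the hash column links a quarantined file, a blocked upload and a local copy even when the names differ.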