Guides
ProductDeveloperPartnerPersonal

Data Loss Prevention Report

Data violations detected through the Real Time and SaaS API rules are logged as part of the unified Events view of the Data Loss Prevention Report.

The Data Loss Prevention reports window has two tabs:

👍

Users with De-identification Enabled

Full administrators with De-identification enabled will continue to see identifiable information in the Data Loss Prevention Report.

Events

  1. Navigate to Reporting > Additional Reports > Data Loss Prevention.
  2. On the Events tab, select a time frame to view reports generated in a specific date range. You can also choose a custom date range.
1386
  1. Use the available Filters for better search results; choose from those listed below:

Event Type—Whether the event is Real Time or SaaS API.
Action—Whether the content is monitored, quarantined, or blocked.
Severity—The severity of the rule that triggered the event.
Application—Application for which an SaaS API rule is applied.
Exposure—Exposure of the content scanned.
Identity Type—The type of identity involved in the event.

  1. Click the gear icon to customize and sort the columns of your report.

Event Type— Whether the event is Real Time or SaaS API.
Severity—The severity of the rule that triggered the event.
Identity or File Owner—The identity that made the request or the file owner that created the violation in the vendor.
Name—The name of the file where a classification match was found. When content is found in a message, a post, or form data, the File name displays Message, Content, or Form.
Destination—The destination where the content was scanned.
Rule—The rule that triggered the event.
Action—The action triggered by the rule on detecting a violation.
Detected—The date and time of detection.

  1. Click the action menu icon (three dots) to view further details of an event. See View Details

View Details

  1. Click the action menu icon (three dots) for any event to view a menu of options. Click View details.
  1. The Event Details window displays some of the same content as the report table, with additional information which varies depending upon the Event Type:

Real Time Events

Detected—The date and time the content was detected.
Action—The action triggered by the rule on detecting a violation.
Name—The name of the file where a classification match was found. When content is found in a message or a post, the File name displays Content.
Identity—The identity that made the request.
Application—The application where the file was uploaded or posted.
Destination URL—The URL of the destination for the event.
Rule—The rule that triggered the event.
Severity—The severity of the rule that triggered the event.
Classification—The classification that matched the content found in the event. Clicking the caret will display the excerpts where the matches were found.
Content Type—The type of data that triggered the event.
Total Size in Bytes—The size of the file that triggered the event.
SHA256 Hash—The unique SHA256 hash for the file.
Unique Event ID—A unique identifier for the event.

SaaS API Events

A timeline of events associated with the file.
Application—The application where the file was uploaded or posted.
Tenant—The Umbrella tenant associated with the event.
Destination URL—The URL of the destination for the event.
Rule—The rule that triggered the event.
Severity—The severity of the rule that triggered the event.
Exposure—An indication of who can see the file—internal or external users.
Classification—The classification that matched the content found in the event. Clicking the caret will display the excerpts where the matches were found.
Content Type—The type of data that triggered the event.
Total Size in Bytes—The size of the file that triggered the event.
SHA256 Hash—The unique SHA256 hash for the file.
Unique Event ID—A unique identifier for the event.
Destination URL—The URL of the destination for the event.

Quarantine File

For SaaS API events on Microsoft OneDrive, SharePoint Online, Box, or Dropbox, When a file is monitored and a rule violation is detected, you can manually quarantine the file.

  1. Click the action menu icon (three dots) for any event to view a menu of options. Click Quarantine file.
  1. Click Quarantine.

🚧

  • The file identified as exposing sensitive data is moved to the Cisco_Quarantine/DLP folder Umbrella created in the root path of the Global Admin who authorised the tenant.
  • The user who authorises access to Umbrella will have access to the quarantine folder. All other accesses and collaborators are removed. Thus, we recommend that the admin add the relevant DLP Admins as additional collaborators to the folder.
  1. The file is now quarantined. Under Events Details, click Quarantine Folder to navigate to the quarantined folder.

Restore File from Quarantine

When a quarantined file is restored, the original location of the file, ownership and permissions are also restored.

  1. Click the action menu icon (three dots) for any event to view a menu of options. Click Restore file from quarantine.
  1. Click Restore to proceed.
1238
  1. The file is now restored. You can access the file in its original location under Event Details.

Use Advanced Search

  1. You can search the Data Loss Prevention Reports by keywords to find specific events.
1092
  1. Alternatively, click Advanced in the search bar to bring up the advanced search. You can search for events by identity, destination (including applications), rule, data identifier, or file hash. Click Apply to apply the filters to the report.
552

Discovery

Prerequisite

View a Discovery Scan

  1. Navigate to Reporting > Additional Reports > Data Loss Prevention. Click the Discovery tab.
  2. Use Filters to filter the data by Application , Last Modified, and Exposure.
  1. Choose a Scan from the drop-down. Click Apply to view the details.
    Note: Up to 10 recent scans are displayed. The next triggered Discovery Scan removes the oldest scan results in the list.
  1. If there is an ongoing scan, the results are displayed. Click Cancel Scan to stop the ongoing scan. (You can only run one scan at a time.)
  1. Click the action menu icon (three dots) to view further details of a file.

Cloud Malware Report < Data Loss Prevention Report