Manage the Data Loss Prevention Policy


Umbrella Packages and Feature Availability

Not all of the features described here are available to all Umbrella packages. Information about your current package is listed on the Admin > Licensing page. For more information, see Determine Current Package. If you encounter a feature here that you do not have access to, contact your sales representative for more information about your current package. For more information, click Cisco Umbrella Packages.

The Data Loss Prevention (DLP) policy helps to protect sensitive data uploaded to the web. It discovers and protects sensitive data stored and shared in your cloud-sanctioned applications.

The DLP policy can be configured with multiple DLP rules; Real Time DLP rules inspect the web traffic traversing the proxy and SaaS API-based rules ensure data protection of data in the cloud. Furthermore, DLP Administrators can initiate on-demand Discovery Scans to learn about all the files in the applicable cloud applications that contain matches with the selected Data Classifications.

  1. Real Time Rules: are added to the policy to define what web proxy traffic to monitor (identities and destinations), the content or document properties to search for, and whether content should be monitored or blocked. For example, an office may want to monitor its network for file uploads that include credit card numbers, as the uploads are a breach of the company's privacy and security policies. A Real Time DLP rule designed to monitor the network and uploads to domains can block these files.
  2. SaaS API Rules: operate by leveraging the APIs of the applicable cloud tenants to scan and look for data violations in the cloud-stored files. As files in the selected tenant change in content or context (with whom we share), Umbrella near-time assesses the changed file against this rule’s criteria. If a match is made, this rule’s action is immediately enforced.

Data violations detected through the Real Time and SaaS API rules are logged as part of the unified Events view of the Data Loss Prevention Report.

Discovery Scans operate similarly to the SaaS API rules; they exercise the necessary cloud APIs to determine the files in the applicable cloud tenant that contain data matching any of the configured Data Classifications at the time the scan runs. Files containing matching data are considered to be in violation of the Discovery Scan.

The Discovery tab in the Data Loss Prevention Report lists the files in violation of the most recently initiated Discovery Scan. Additionally, DLP Administrators can quickly retrieve the reported offending files from any of the last 10 generated Discovery Scans.

Realtime DLP rules support scanning traffic isolated by the RBI (Remote Browser Isolation) in the outbound direction, in addition to scanning non-isolated HTTPs traffic. When the system detects a DLP violation in RBI traffic, a pop-up dialog will appear in the user's browser to warn of a potential data security violation.

Real Time rules, SaaS API rules, and Discovery Scans all support scanning embedded files.


  1. The rate limit is dependent on vendor SLA, which is usually up to 10 RPS for Microsoft 365 and up to 20 RPS for Google Drive.
    • The Discovery Scan can scan up to 36,000 files per hour and 864,000 files per day with an average file size of 1MB.
    • The incremental scan and Discovery Scan share the same rate limits, therefore, file changes (i.e. incremental) during the Discovery Scan are counted and have an effect on the Discovery Scan throughput.
    • An org that triggers more than 864k events per day will be at risk of not having all their events scanned.
  2. Triggering a Discovery Scan should take place around 24 hours after the tenant authorization, as the system needs time to evaluate and enumerate the users in the organization. Any triggering beforehand might not include all users and hence, the system is unable to scan all files.
  3. The DLP scans the plain text of files up to 50 MB.
  4. DLP scans archives as well as files containing embedded files. For these, DLP can extract and scan content for up to 100 files nested up to 10 levels deep.
  5. Revoke share for internal or external works only for orgs with one domain in Google Drive due to Google API limitation.

Monitor Bandwidth Usage in the App Discovery Report < Manage the Data Loss Prevention Policy > Add a Real Time Rule to the Data Loss Prevention Policy