Enterprise DLP
Review Email DLP Incidents
Table of Contents
Review Email DLP Incidents
Review your
Enterprise Data Loss Prevention (E-DLP)
Email DLP incidents for outbound
emails.Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Review your
Enterprise Data Loss Prevention (E-DLP)
Email DLP incidents to understand which outbound
emails were inspected, review which were blocked, quarantined, or sent for approval,
and to download files inspected by Enterprise DLP
.- Log in toStrata Cloud Manager.
- Select .
- Review your Email DLP incidents.
- Severity—Severity of the DLP incident specified in the Email DLP policy.
- Updated On—Date the Email DLP incident status or assignee was updated.
- Created On—Date the Email DLP incident occurred.
- Sender—Email of the sender who generated the Email DLP incident.
- Subject—Subject line for the email that generated the Email DLP incident.
- Policy—Email DLP policy rule that the email matched against.
- Action—Action taken byEnterprise DLPbased on the Email DLP policy rule the outbound email matched against.
- Assigned to—Incident assignee responsible to review and address the Email DLP incident.
- Status—Resolution status of the Email DLP incident.
- Click the Email DLPPolicyto view a summary of the Email DLP policy rule the email matched against.
- Basic Information—Email DLP policy rule priority, whether the rule isEnabledorDisabled, the incident severity, and the email service provider.
- Conditions—Data profile associated with the Email DLP policy rule, the sender and recipient information, and the email components the Email DLP policy rule is configured to evaluate.
- Response— Action configured in the Email DLP policy rule, the primary Incident Assignee specified in the Email DLP policy rule, and the email address that notifications are sent to when an Email DLP incident is generated against this Email DLP policy rule.
- Click the Email DLP incidentSubjectto view theIncident Details.
- TheFromandTofields display the email sender and recipient for the email that generated the DLP incident.
- TheEmail contentfield allows you to download the email in.emlformat.To successfully download an email, you must have configured evidence storage before the outbound email was inspected byEnterprise DLP. Emails of existing Email DLP incidents cannot be downloaded if you configure evidence storage after the Email DLP incident occurred.
- TheMessage IDcan be used to create a message trace on Microsoft Exchange Online or a custom Email Log Search on Gmail.
- Review theMatching Data Patterns.TheMatching Data Patternsshows snippets of the sensitive dataEnterprise DLPdetected and the data pattern that it matched against. All data patterns added to the data profile are listed in the left-hand side. All traffic matches are grouped by match confidence (High,Medium, andLow) and list the total number of patterns against which traffic matches were detected.Additionally,Enterprise DLPprovides the location each snippet was detected in.Enterprise DLPonly inspects the parts of the email configured in the Email DLP policy rule evaluation criteria. Possible values arefound in body,found in attachment, orfound in subject.
- (Quarantine only) If an outbound email was quarantined, an email administrator must review and approve these emails before they can continue to their intended recipient.
- Due to a Gmail limitation,SaaS Securitygenerates two Email DLP logs () when a quarantined email is allowed. The first Email DLP log describes the initial outbound email blocked by Email DLP. The second Email DLP log describes the allowed outbound email that is sent back toEnterprise DLPto addx-panw-inspected: trueandx-panw-action: monitorto the email header before it continues on its path to the intended recipient.