Skyhigh Security

Policy Incidents Page Cloud Card

To learn more about the Policy Incidents page, see Policy Incidents Page.

NOTE: Some remediation steps require you to execute Microsoft Windows PowerShell commands. For details, see Execute Microsoft Windows PowerShell Commands.

On the Policy Incidents page, click any incident on the table to see the Cloud Card for that incident. 

Policy Incident Cloud Card Components

The Policy Incidents Cloud Card provides the following information:

  • ID
  • Severity
  • Service Name
  • Instance Name
  • Activity
  • Incident Created On
  • Last Updated
  • Last Response
  • User
  • CIS Level
  • Account ID
  • Account Name
  • What You Can Do
  • Owner. Select to assign an owner. 
  • Incident Response. Select to assign an Incident Response. 
    • User Email Notification. Select to send a User Email Notification to the user who caused the incident, select an Incident Status, and click Submit.
    • Send Notification to... Select to send a notification to one or more comma-separated Email Addresses. Select the Email Template to use, then click Send Notification.
  • Incident Status. Select to assign an Incident Status. 
  • Resolution Action. Select to assign a Resolution Action. Custom Resolution Actions can be assigned on the Policy > Policy Settings > Incident Management tab. 
  • Policy. This option appears only when you select any Sanctioned DLP Incidents on the Policy Incidents page. For details, see Sanctioned DLP Policy Incident Cloud Card.
  • Primary/Secondary Rule Group Match. This option appears only when you select any Sanctioned DLP Policy Incidents on the Policy Incidents page. For details, see Sanctioned DLP Policy Incident Cloud Card.
  • MITRE. Click the Full View link to view the detected tactics and techniques associated with this incident on the MITRE Dashboard.
  • Content. Click the box arrows to open the details dialog. 
    • Item Name. Item or file that violated the policy. If a link is available, you can click to download it. For more information, see Large File Download.
    • Item Type
    • Path
    • Size
    • Folder ID. Supported for Box DLP incidents. If the violation is a file, it shows the immediate parent folder's ID. If the violation is a folder, it shows the immediate parent folder ID that contains the folder.
    • Item Created On
    • Content Matches Found. Allows you to find matches on content and content metadata such as author name, subject, and comments. For details, see Enable Match Highlighting. Contact Support for more information.
    • Shared Link
  • Collaborators. Click the box arrows to open the details dialog. External and Internal Collaborators are displayed on separate tabs. Collaborators who are not affected by any policy are listed on the External and Internal Collaborators tabs. To view the affected collaborators, see Modified Collaborators.
  • Scan.
    • Scan Name
    • Scan Run Date
    • Scan Run History. This option might be enabled to display details about the last five scans. Contact Support for more information. 
      • NOTE: This option is available for AWS only. 
  • Device Information
    • Device IP
  • User Details
    • User Group
      • NOTE: You can map a maximum of 10 custom attributes, and a maximum of 10 values are displayed per custom attribute.
  • Notes. Enter a note for the incident and click Add. Each note added is visible separately below the Notes field. For notes that you have added, you can Edit or Delete them. For notes written by other users, you might only view them. The default limit is 10 notes per incident, and 300 characters per note. To use the Incident Notes feature, you must use your own Data Storage. You can't use Skyhigh CASB Data Storage. For details about configuration, see Data Storage.
  • Incident History. Lists any changes made (such as changed owner, status, response, or notes), the name of the user who made the change, and the time and date that change occurred. 

Large File Download

In the Item Name table row, or in the Cloud Card, under Content, you can click to download the file that generated the incident. 

For a large file over 60 MB, a call is made to the Cloud Service Provider, and the file is generated. When the file is ready, the file name changes to Download. Click and wait for the file to download locally. If you navigate away from the Cloud Card, the download is canceled. 

Incident Activity Definitions

On the Policy Incident Cloud Card, the possible Activities are defined in the following table. 

| Activity | Definition |
|---|---|
| Created | A new file or item was created. |
| Email | An email was sent. |
| Enabled Shared Link | A file or item was shared by creating a shared link on the item. |
| Invited Collaborator | Other collaborators were added to the file or item. |
| Message | A message was sent on a collaboration application. |
| Modified | A file or item was modified in the service. |
| Object | An object in the structured app (such as Salesforce or ServiceNow) was modified. |
| On-Demand Scan | An On-Demand Scan was performed. |
| Post | A post in an application such as Chatter in Salesforce was made. |
| Role Change of Collaborators | The permissions for the collaborators on the file or item were changed. |
| Unlocked | A service's lock on the file or item was removed. |
| Updated Shared Link | The shared link on the file or item was updated. |
| Uploaded | A file or item was uploaded to the service. |

Modified Collaborators

Modified Collaborators lists the collaborators whose permissions were modified by the response action when a policy was applied to that collaboration. For example, Revoked Collaborator.

For more information about different collaborators, see DLP Policy Rules and Rule Groups.

Sanctioned DLP Policy Incident Cloud Card 

On the Policy Incidents page, use the Incident Type filter to select the Sanctioned DLP policy incident, then open the Cloud Card to view the additional components along with the existing Cloud Card components. For details of the existing Cloud Card components, see Policy Incident Cloud Card Components.

The additional components displayed are:

  • Policy. The name of the matched DLP Policy. Click the link to view the details of the matched DLP policy.
  • Primary Rule Group Match. The name of the Rule Group that matches the policy. Click the link to view the details of the Rule Group.
  • Secondary Rule Group Match. Expand to view the names of the multiple Rule Groups that match the policy.

The Policy Incidents page now includes the Primary Rule Group as a column in the table, and it can also be generated as part of a report. Go to Actions on the Policy Incidents page to create Reports. For details, see Policy Incidents Page.