Save DLP Evidence
Limited Availability: This is a Limited Availability feature. To enable Save Web Evidence, contact Skyhigh Support.
DLP Evidence is a copy of the compromised content that violated a Web Data Loss Prevention (DLP) policy, captured during policy evaluation. The copy is associated with the corresponding incident and saved in your own data storage so that you can perform additional forensics on the generated incidents. You can also download all evidence files in bulk using the API.
To get started with Save Evidence, perform the following steps in order:
- Configure your own data storage provider to store your evidence files. Currently, you can store your web evidence files only on Amazon Web Services. For details on how to set up storage, see Data Storage.
- Create a Web DLP Policy Rule and select the response as Save Evidence. For details, see Create a Shadow/Web DLP Policy.
How it works
When creating a new rule in a Web DLP Policy, you can set an additional response named Save Evidence. When the Web DLP Policy is violated, the Save Evidence response is triggered and the evidence files are saved on the generated incidents. Your own data storage provider must be configured to store the evidence files. If a DLP policy is deleted, the web evidence files stored for that policy are unaffected: a backup of each evidence file is retained in the data storage provider (AWS), and you can download those evidence files from the data storage provider using the API. The data stored in the provider is encrypted; to decrypt the data, the user should:
- Download all the evidence files in bulk using the API. For details, see Retrieve Evidence API.