The Data Loss Prevention (DLP) feature of SASE monitors files that employees send through workplace channels — such as instant messaging, email, and cloud drives — detecting sensitive content in real time and blocking transfers when a policy requires it. This topic explains how to create a detection policy, review sensitive file records, and manage storage settings.
Prerequisites
Before you begin, make sure you have:
The Office Data Protection edition of SASE Internet Access Security. For pricing, see Billing overview.
Employee and department information added to SASE. See Connect an LDAP IdP to SASE and Configure a user group.
How it works
SASE identifies sensitive files based on the characteristics of sensitive data elements. Data templates are built from data elements, data types, and sensitivity levels. Detection policies then apply those templates — along with response actions and scope settings — to flag or block outbound transfers.
SASE includes built-in data templates covering common company data, customer data, and personal data. If those templates don't meet your needs, create custom data elements and build templates from them.
Create a detection policy
Log on to the Secure Access Service Edge console.
In the left navigation pane, choose Data Protection > Policy Center.
On the Outbound Transfer Management tab, click Create Policy.
In the Create Policy panel, configure the following parameters, then click OK.
Policy information
| Parameter | Description |
|---|---|
| Policy name | The name of the policy. |
| Policy description | A description of the policy. |
| Risk level | The severity level of outbound activity this policy targets. Choose one of four levels: Extremely High (resigning-employee groups, extremely high-risk groups, or L4 files), High (high-risk groups or L3 files), Medium (medium-risk groups or L2 files), or Low (all outbound transfers, for audit purposes). |
| Action | What SASE does when the policy is triggered: Audit Only, Audit and Prompt, Block and Notify, or Block Only. If you select Block and Notify or Block Only, also select a block type (see the block types table below). |
| Source file retention | Whether to retain the source file information. |
| Retain screenshot file | Whether to retain screenshot evidence. |
| Status | Enabled puts the policy into effect immediately. Disabled saves the policy without activating it. |
Data identification rule settings
| Parameter | Description |
|---|---|
| Data identification rule | Select a configured identification rule. To create one, see Configure detection rules for outbound file classification and categorization. |
| Transmission channel | The channels to monitor. A transfer through any selected channel triggers detection. See Supported transmission channels below. |
Effective scope
| Parameter | Description |
|---|---|
| User group | The user group to which the policy applies. |
Block types (applies only when Action is Block and Notify or Block Only)
| Block type | Behavior |
|---|---|
| Block all | The SASE app blocks and audits all outbound file transfers in real time. |
| Intelligently block | The SASE app scans and labels files on endpoints in advance, then blocks only transfers of files identified as sensitive. Before the endpoint scan completes, all outbound transfers are blocked by default. Scan and labeling results are not reported to the cloud. |
Supported transmission channels
The Transmission channel parameter supports the following channel types. Select one or more based on your monitoring requirements.
| Category | Channels |
|---|---|
| Instant messaging | Instant Messaging (Software), Instant Messaging (Web) |
| Email | Email (Software), Email (Web) |
| Cloud storage | Cloud Drive (Software), Cloud Drive (Web) |
| Cloud notes | Cloud Notes (Software), Cloud Notes (Web) |
| Code hosting | Code Hosting (Software), Code Hosting (Web) |
| AI / LLM | Large Language Model (Software), Large Language Model (Web) |
| File transfer | FTP Channel, Network Share |
| Devices | Mobile Storage, Print, Remote Desktop |
| Web | Cloud Blog, Social Media |
| Other | Others |
View sensitive file detection statistics
After you create a policy, SASE automatically detects outbound files and generates statistics. On the Sensitive Behavior Detection page, the Sensitive Behavior Identification area shows outbound transfer data for the last 30 days, last 7 days, or last 24 hours — including the top five types of sensitive files and their proportions.
Sensitive file detection covers files up to 60 MB. Files larger than 60 MB are not scanned for content, but may trigger anomalous activity records (see View anomalous activity records).
In the left navigation pane, go to Data Protection > Sensitive Behavior Detection.
In the Sensitive Behavior Identification area, view sensitive behavior statistics for the selected time period.

View sensitive file outbound records
SASE records the content of outbound sensitive files up to 30 MB in size. Use these records to verify what data was sent.
On the Sensitive Behavior Detection page, view the list of sensitive files sent by employees.

In the Details column, click Actions. On the Outbound Transfers of Sensitive Files tab, review the employee's data.

The tab includes the following sections:
| Section | Content |
|---|---|
| Time period ① | Set a custom time range for the query. |
| Data statistics ② | Aggregate counts by file count, transfer channel, and file size. |
| Sensitive file list ③ | Per-file details: sensitivity level, data type, matched data template, and number of hits. Filter or sort the list as needed. Click Download to save a file locally. Click Details to open the Details panel, which includes Data Flow, Key Information, Sensitive Message, Screenshot Evidence, Hit Policy, Office Terminal, Outbound Transfer Channel, and Account Information. |
View anomalous activity records
SASE creates anomalous activity records for transfers it cannot fully scan. Pay close attention to employees who trigger these events — the files may contain sensitive data that requires manual review.
| Anomalous activity type | Trigger condition |
|---|---|
| Large outbound file | An employee sends a file larger than 30 MB outbound, online or offline. |
| File copied to peripheral | An employee copies a file smaller than 30 MB to a peripheral device, online or offline. |
| Outbound threshold exceeded | A single user sends files totaling more than 1 GB in an offline session. |
On the Sensitive Behavior Detection page, review the anomalous activities triggered by employees.

Click the value in the Abnormal event column. On the Abnormal events tab, view the anomalous activity records for that user. Alternatively, click Actions in the Details column to open the same Abnormal events tab.
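The size limits on this page overlap: detection covers files up to 60 MB, content is recorded only up to 30 MB, and anything larger than 30 MB also raises a Large outbound file event. The following added example (not SASE code or a SASE API) applies those limits to constructed transfer records to show which files need manual review. The record fields, the binary reading of MB, and treating Mobile Storage as the peripheral channel are assumptions.

```python
from collections import defaultdict

MB = 1024 * 1024            # assumption: the page's "MB" read as binary megabytes
SCAN_LIMIT = 60 * MB        # page: detection covers files up to 60 MB
RECORD_LIMIT = 30 * MB      # page: content recorded for sensitive files up to 30 MB
ANOMALY_SIZE = 30 * MB      # page: "Large outbound file" is larger than 30 MB
OFFLINE_TOTAL = 1024 * MB   # page: more than 1 GB per user in an offline session
PERIPHERAL = {"Mobile Storage"}  # assumption: channel treated as a peripheral device

def triage(transfers):
    """Return (per-file findings, [(user, session)] over the offline total)."""
    findings, offline = [], defaultdict(int)
    for t in transfers:
        size, events = t["bytes"], []
        if size > ANOMALY_SIZE:
            events.append("large_outbound_file")
        elif size < ANOMALY_SIZE and t["channel"] in PERIPHERAL:
            events.append("file_copied_to_peripheral")
        if not t["online"]:
            offline[(t["user"], t["session"])] += size
        findings.append({
            "file": t["file"],
            "content_scanned": size <= SCAN_LIMIT,
            "content_recorded": size <= RECORD_LIMIT,  # applies only if flagged sensitive
            "anomalous": events,
            "manual_review": size > SCAN_LIMIT or bool(events),
        })
    over = sorted(k for k, total in offline.items() if total > OFFLINE_TOTAL)
    return findings, over

# Constructed sample records; field names are hypothetical, not a SASE export format.
FIELDS = ("user", "session", "file", "bytes", "channel", "online")
SAMPLE = [dict(zip(FIELDS, r)) for r in [
    ("alice", "s0", "report.xlsx", 5 * MB, "Email (Web)", True),
    ("bob", "s0", "design.zip", 45 * MB, "Cloud Drive (Software)", True),
    ("bob", "s0", "backup.tar", 80 * MB, "FTP Channel", True),
    ("carol", "s1", "notes.docx", 2 * MB, "Mobile Storage", False),
    ("dave", "s2", "part1.bin", 600 * MB, "Network Share", False),
    ("dave", "s2", "part2.bin", 600 * MB, "Network Share", False),
]]

if __name__ == "__main__":
    findings, over = triage(SAMPLE)
    for f in findings:
        print(f)
    print("offline threshold exceeded:", over)
```

In this model, design.zip (45 MB) is scanned but falls outside the content record, and backup.tar (80 MB) is not scanned at all, so only its anomalous activity record points a reviewer to it.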

Configure storage duration
By default, SASE retains detection results for 7 days. To extend retention to 30 days, activate the log storage service. For pricing, see Billing overview.
Manage sensitive file storage space
SASE provides 1 GB of free sensitive file storage by default.
To purchase additional storage, click Activate in the upper-right corner. For pricing, see Billing overview.
To stop storing new sensitive files, turn off the storage switch in the upper-right corner. Existing files are not deleted.
To delete stored files, click Clear in the upper-right corner and choose Clear by time range or Clear all.
For custom storage space (available in the DLP edition), see Configure custom storage settings.
What's next
To trace the full log of outbound sensitive file events, see Sensitive file detection logs.
To control employee access to peripheral devices, see Ensure data security by managing peripheral devices.
To add screen and print watermarks, see Ensure data security by managing watermarks.