Asset mapping scans files on employee terminals, classifies them by sensitivity level, and reports the results to the SASE console. Run an asset mapping task before configuring Data Loss Prevention (DLP) policies—the scan results let you understand what sensitive data exists across your fleet and generate identification rules automatically using foundation model-based intelligent learning.
Prerequisites
Before you begin, ensure that you have:
Internet Access DLP purchased. For details, see Billing overview and Get started with SASE
Employee and department information added to SASE. For details, see Connect an LDAP IdP to SASE and Configure a user group
SASE client V4.3.1 or later installed on the terminals you want to scan
How it works
When you start an asset mapping task, the SASE client on each targeted terminal scans files according to the scan mode and performance settings you configure. Files that match the specified sensitivity level are reported to the console, where you can preview their content and use them to generate identification rules.
SASE supports two task types:
Immediate task — starts scanning right away. The task is valid for 72 hours. If a user doesn't log on to the SASE client during that window, their terminal isn't scanned.
Scheduled task — runs on a recurring schedule you define, scanning terminals on a regular basis.
Step 1: Create an asset mapping task
Create an immediate task
Log on to the SASE console.
In the left-side navigation pane, choose Data Loss Prevention > Asset Map.
On the Asset Map page, click Start Asset Mapping.
In the Start Asset Mapping panel, configure the parameters described in the following table, and then click OK.
| Parameter | Description |
|---|---|
| Task Name | A name for the task. |
| Report by Sensitivity Level | The sensitivity level of files to report. The system classifies files using identification rules and reports only files at the level you select. |
| Scan Mode | The scope of files to scan. See Choose a scan mode for guidance. |
| Performance Preference | How the task balances resource consumption against scanning thoroughness. See Choose a performance preference for guidance. |
| Applicable User | The terminals to scan: All Users (all terminals with the SASE client installed) or Some Users (specific user groups you select). |
| Exception User | Users to exclude from the task. Enter multiple usernames separated by commas (,). |
Create a scheduled task
Log on to the SASE console.
In the left-side navigation pane, choose Data Loss Prevention > Asset Map.
On the Asset Map page, click Asset Mapping Tasks.
On the Asset Mapping Tasks page, click Create Asset Mapping Task.
In the Create Scheduled Asset Mapping Task panel, configure the parameters described in the following table, and then click OK.
| Parameter | Description |
|---|---|
| Task Name | A name for the task. |
| Priority | The task priority. Valid values: 1–100. A lower value means higher priority. |
| Report by Sensitivity Level | The sensitivity level of files to report. For details about identification rules, see Configure identification rules for files transferred outbound. |
| Status | Whether to enable the task immediately after creation. |
| Scan Mode | The scope of files to scan. See Choose a scan mode for guidance. |
| Frequency | How often the task runs. |
| Performance Preference | How the task balances resource consumption against scanning thoroughness. See Choose a performance preference for guidance. |
| Applicable User | The terminals to scan: All Users or Some Users (specific user groups). |
| Exception User | Users to exclude from the task. Separate multiple usernames with commas (,). |
Choose a scan mode
| Scan mode | What it scans | When to use |
|---|---|---|
| Quick Scan | Key system paths: services, drivers, startup items, running processes, downloads, desktop, and documents directories | First scan of a new deployment, or when you want minimal impact on terminal performance |
| Custom Scan | Paths you specify (files, folders, drive letters, or Windows environment variables) | When sensitive data is concentrated in known directories |
| Full Disk Scan | All files on the terminal | When you need complete coverage and can tolerate longer scan times |
Custom Scan path formats:
| Path type | Example |
|---|---|
| File path | C:\scan_dir\scan_file.exe |
| Folder (all files in directory) | C:\scan_dir |
| Drive (all files on disk) | C:\ |
| Windows environment variable | %APPDATA% |
For Custom Scan, use Excluded Scan Path to specify paths to skip.
Choose a performance preference
| Mode | Resource usage | Scan behavior | When to use |
|---|---|---|---|
| Experience First | Minimal | Scan may be paused or canceled if system resources are needed | Terminals actively used during work hours |
| Balanced Mode | Moderate | Scan completes without noticeably affecting the user experience | Most deployments |
| Security First | High | Scan runs at highest priority | Terminals under investigation or with suspected data leaks |
Step 2: View asset mapping tasks
Log on to the SASE console.
In the left-side navigation pane, choose Data Loss Prevention > Asset Map.
On the Asset Map page, click Task Management.
On the Task Management page, view all immediate and scheduled tasks.
Filter tasks by Scan Mode, Performance Preference Mode, or Task Status.
Click Cancel Task in the Actions column to cancel a running task.
Step 3: View reported files
After a task completes, the system reports files that match the sensitivity level you configured.
Log on to the SASE console.
In the left-side navigation pane, choose Data Loss Prevention > Asset Map.
On the Asset Map page, review the file list.
Filter files by time range, sensitivity level, file name, username, department, device name, device IP address, or device Media Access Control (MAC) address.
Click Preview in the Actions column to view file content.
Run an intelligent learning task to generate rules
After an asset mapping task completes, select the files with the most reliable data and run an intelligent learning task. SASE uses a foundation model to analyze the selected files and generate identification rules, which are added to the intelligent recommendation library for use in DLP policy configuration. For details on configuring the library, see Configure identification rules for files transferred outbound.
SASE gives first-time users of intelligent learning 3 free sessions. After those are used, you receive 1 additional free session per month.
Log on to the SASE console.
In the left-side navigation pane, choose Data Loss Prevention > Asset Map.
On the Asset Map page, click Intelligently Generate Rule.
In the Intelligently Generate Rule panel, click Start New Learning Task. Configure the parameters described in the following table, and then click Start.
| Parameter | Description |
|---|---|
| Files for Learning | The number of files to use for learning. For effective and precise rules, include at least 5,000 files. |
| Detected At | The detection time range. The system uses files reported within this period. |
| File Size | Filter by file size. Only files 10 KB or larger can be included. |
| File Format | The file formats to include. Supported formats: .ppt, .pptx, .pptm, .keynote, .key, .pages, .page, .dps, .xls, .xlsx, .xlsm, .xlam, .xlsb, .csv, .numbers, .lbx, .et, .doc, .docx, .docm, .dotm, .wps, .pdf, .ofd |
What's next
Configure identification rules for files transferred outbound — use the identification rules generated from the intelligent learning task to detect and block outbound transfers of sensitive files.