To prevent data breaches that are caused by sensitive files being transferred through workplace channels, such as instant messaging and email, we recommend that you use the Data Loss Prevention (DLP) feature of SASE to monitor and manage outbound files. This feature provides real-time visibility into outbound transfers of sensitive data, helps you monitor data breach risks, and protects your business from significant losses. This topic describes how to configure a policy to monitor outbound file transfers and how to collect statistics on outbound transfers.
Prerequisites
You have purchased the Office Data Protection edition of SASE Internet Access Security. For more information, see Billing overview.
Employee and department information has been added. For more information, see Connect an LDAP IdP to SASE and Configure a user group.
Configure a policy to detect outbound files
The sensitive file detection feature of SASE automatically identifies sensitive files based on the characteristics of sensitive data elements. Data templates are created based on data elements, data types, and sensitivity levels. Then, detection policies are created based on conditions, such as data templates and response actions, to help you identify sensitive files that are sent by employees.
SASE provides various built-in data templates that include common company data, customer data, and personal data. If these data templates do not meet your business requirements, you can create new sensitive data elements to build custom data templates.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Outbound Transfer Management tab, click Create Policy.
In the Create Policy panel, configure the parameters and click OK.
Parameter
Description
Policy Information
Policy Name
The name of the policy.
Policy Description
The description of the policy.
Risk Level
You can set a policy to one of the following four risk levels:
Extremely High: events such as outbound transfers from a user group of resigning employees, outbound transfers from an extremely high-risk user group, and outbound transfers of L4 files.
High: events such as outbound transfers from a high-risk user group and outbound transfers of L3 files.
Medium: events such as outbound transfers from a medium-risk user group and outbound transfers of L2 files.
Low: all outbound transfers for auditing purposes.
Action
The action of the policy. Valid values:
Audit Only
Audit and Prompt
Block and Notify
Block Only
If you set the action to Block and Notify or Block Only, you must also select a block type.
Block All: The SASE app blocks and audits all outbound file transfers in real-time.
Intelligently Block: The SASE app blocks outbound transfers of sensitive files in real-time based on the characteristics defined in the data template. To ensure effective real-time blocking, the SASE app scans files on endpoints and assigns sensitivity levels in advance. Before the scan task is complete, all outbound transfers are blocked by default and the blocking policy does not take effect. The scanning and labeling are performed on the endpoint and are not reported.
Source File Retention
Specifies whether to retain source file information.
Retain Screenshot File
Specifies whether to retain screenshot evidence.
Status
The status of the policy. Valid values:
Enabled: The policy is in effect. SASE detects files based on the policy.
Disabled: The policy is not in effect.
Data Identification Rule Settings
Data Identification Rule
Select a configured identification rule. For more information about how to configure an identification rule, see Configure detection rules for outbound file classification and categorization.
Transmission Channel
Select the data transmission channels. When an employee transfers a file through a selected channel, sensitive file detection is triggered. You can select some or all of the following supported channel types.
Instant Messaging (Software), Email (Software), FTP Channel, Network Share, Print, Mobile Storage, Cloud Drive (Software), Cloud Notes (Software), Remote Desktop, Code Hosting (Software), Large Language Model (Software), Cloud Drive (Web), Email (Web), Code Hosting (Web), Cloud Notes (Web), Cloud Blog, Large Language Model (Web), Social Media, Instant Messaging (Web), and Others.
Effective Scope
User Group
Select the user group to which the policy applies.
View sensitive file detection statistics
After you configure the policy, the data protection feature automatically detects files that are transferred by employees. It analyzes outbound transfers of sensitive files and anomalous activities that were triggered in the last 30 days, 7 days, or 24 hours.
The sensitive file detection feature can detect sensitive files that are 60 MB or smaller and are being transferred outbound. It also provides statistics on the top five types of sensitive files and their proportions.
Anomalous activity records are created for the following events: a file larger than 60 MB is transferred outbound, a file is copied using a peripheral device, or the total size of outbound files from a single user exceeds 1 GB. The content of these files is not detected. You must pay close attention to anomalous activities and manually check whether the files contain sensitive information. The following table describes the types of anomalous activities.
Anomalous Activity Type
Description
Large Outbound File
This event is triggered when an employee sends a file larger than 30 MB, either online or offline.
If a large file is sent offline, pay close attention to the employee's behavior to prevent major business losses.
File Copied to Peripheral
This event is triggered when an employee copies a file smaller than 30 MB to a peripheral device, either online or offline.
If a file is copied to a peripheral device offline, pay close attention to the employee's behavior to prevent major business losses.
Outbound Threshold Exceeded
This event is triggered when a user sends multiple files offline and the total size exceeds 1 GB.
If this occurs, pay close attention to the employee's behavior to prevent major business losses.
In the navigation pane on the left, go to .
In the Sensitive Behavior Identification area, view the sensitive behaviors of employees within the specified period.
View sensitive file outbound records
SASE can detect sensitive information in outbound files that are 30 MB or smaller and record information about them. You can use these records to verify the content of the outbound sensitive files.
On the Sensitive Behavior Detection page, view the list of sensitive files sent by employees.
Click Actions in the Details column. On the Outbound Transfers of Sensitive Files tab, you can view data statistics and a list of outbound sensitive files for the specified employee.
Feature
Description
Time Period (① in the figure)
You can specify a custom time range for the query.
Data Statistics (② in the figure)
Displays statistics about outbound sensitive files within the specified period, such as the number of files, transfer channels, and file sizes.
Sensitive File List (③ in the figure)
Displays a list of outbound sensitive files and provides information such as the sensitivity level, data type, matched data template, and number of hits. You can also filter the data as required.
Click Download to download the sensitive file to your computer.
Click Details. In the Details panel, you can view information about Data Flow, Key Information, and the Sensitive Message. The sensitive file information includes a Download option. You can also view information about Screenshot Evidence, the Hit Policy, the Office Terminal, the Outbound Transfer Channel, and Account Information.
View anomalous activity records
SASE can record events where an employee sends a file larger than 30 MB outbound, copies a file using a peripheral device, or sends a total of more than 1 GB of files outbound. You must pay close attention to employees who trigger anomalous activities to prevent major business losses. If a file larger than 30 MB is sent outbound, you must manually check its content for sensitive information.
On the Sensitive Behavior Detection page, view the anomalous activities triggered by employees.
Click the value in the Abnormal Event column. On the Abnormal Events tab, view the anomalous activity records for the specified user.
You can also click Actions in the Details column to view the relevant records on the Abnormal Events tab.
Configure the storage duration of detection results
By default, SASE saves your detection results for 7 days. If you activate the log storage service, you can save your detection results for 30 days. For more information, see Billing overview.
Configure sensitive file storage space
SASE provides a free storage space of 1 GB by default.
If you need more storage space, you can click Activate in the upper-right corner to purchase more file storage capacity. For pricing details, see Billing overview.
If you do not need to store sensitive files, you can turn off the storage switch in the upper-right corner. After you turn off the switch, existing sensitive files are not deleted, but new sensitive files are no longer stored.
To delete stored sensitive files, click Clear in the upper-right corner. You can choose to Clear by Time Range or Clear All.
Customize sensitive file storage space
The DLP edition of SASE for Internet access supports custom storage space for sensitive files. For more information, see Configure custom storage settings.
References
To view and trace the log details of outbound sensitive files, see Sensitive file detection logs.
To ensure data security by managing employee peripheral devices, see Ensure data security by managing peripheral devices.
To ensure data security by managing screen and print watermarks for employees, see Ensure data security by managing watermarks.