To prevent data leaks caused by sensitive files transferred outbound through multiple channels in the workplace, such as instant messaging and emails, we recommend that you use the data loss prevention (DLP) feature provided by Secure Access Service Edge (SASE) to monitor and manage files transferred outbound. This allows you to view the outbound transfer status of sensitive data, monitor data leak risks, and protect your business from major losses. This topic describes how to configure a policy to monitor outbound file transfers and how to collect statistics on outbound transfers.
Prerequisites
Internet Access DLP of SASE is purchased. For more information, see Billing overview.
Information about your employees and departments is added. For more information, see Connect an LDAP IdP to SASE and Configure a user group.
Configure a policy to monitor outbound file transfers
SASE supports the sensitive file monitoring feature. After you enable this feature, the system automatically identifies sensitive data elements in sensitive files and creates data templates based on the data elements, data type, and sensitivity level. Then, you can create monitoring policies based on conditions such as the data template and handling action to determine whether sensitive files are being transferred outbound.
SASE provides various built-in data templates that include common company data, customer data, and personal data. If built-in templates cannot meet your business requirements, you can create custom data templates based on new sensitive data elements.
Log on to the SASE console.
In the left-side navigation pane, navigate to the page that contains the Outbound Transfer Management tab. On the Outbound Transfer Management tab, click Create Policy.
In the Create Policy panel, configure the parameters and click OK. The following list describes the parameters.
Policy Information
Policy Name: The name of the policy.
Policy Description: The supplementary description of the policy.
Risk Level: The risk level of events that the policy monitors. Valid values:
Extremely High: outbound transfer by a resigning user group, outbound transfer by an extremely high-risk user group, and outbound transfer of L4 files.
High: outbound transfer by a high-risk user group and outbound transfer of L3 files.
Medium: outbound transfer by a medium-risk user group and outbound transfer of L2 files.
Low: outbound transfer of all files for auditing purposes.
Action: The action of the policy. Valid values: Audit Only, Block and Notify, and Block Only.
If you specify Block and Notify or Block Only, you must also select Block All or Intelligently Block.
Block All: The SASE client blocks all outbound file transfers in real time and audits the transfers.
Intelligently Block: The SASE client blocks, in real time, outbound transfers of sensitive files that meet the conditions specified in data templates. To ensure real-time blocking, the SASE client scans files on terminals and marks the sensitivity levels of the files in advance. Until the scan is complete, the SASE client automatically blocks all outbound transfers, and the blocking policy does not take effect. The scan and marking operations are performed only on terminals and are not reported.
Source File Retention: Specifies whether to retain the source file information.
Retain Screenshot File: Specifies whether to retain the screenshot file information.
Status: The status of the policy. If you turn on this switch, SASE monitors files based on the policy that you created. If you turn off this switch, the policy does not take effect.
Data Identification Rule Settings
Data Identification Rule: Select an identification rule that you have configured. For more information about how to configure an identification rule, see Configure identification rules for files transferred outbound.
Transmission Channel: Select a data transmission channel. After you select a channel, the system automatically monitors sensitive files that are transmitted through it. You can select a specific channel or all channels. The supported channels are:
Instant Messaging (Software), Email (Software), FTP Channel, Network Sharing, Print, Mobile Storage, Netdisk (Software), Cloud Note (Software), Remote Desktop, Code Hosting (Software), Foundation Model (Software), Netdisk (Web), Email (Web), Code Hosting (Web), Cloud Note (Web), Cloud Blog, Foundation Model (Web), Social Media, Instant Messaging (Web), and Others.
Effective Scope
User Group: Select the user group to which the policy applies.
Approval Process Configuration: If a file that an employee wants to send outbound is at risk, you can configure an approval workflow that allows the employee to submit an application. If you select Users can submit an application for approval, you must also select an appropriate approval workflow. For more information, see Create an approval workflow.
Prompt Display Configuration: Specify the message that appears when an outbound file transfer is blocked. You can specify the message in Chinese or English.
View sensitive file monitoring statistics
After you enable the DLP feature and configure a detection policy, the system automatically monitors file transfers of users and analyzes outbound sensitive file transfers and exceptions within the last 30 days, 7 days, or 24 hours based on detection results.
You can use this feature to monitor sensitive files transferred outbound that are smaller than or equal to 60 MB, and to view the top 5 types of sensitive files and their percentages.
The system considers the following events as exceptions: a file larger than 60 MB is transferred outbound, a file is copied to a peripheral, and more than 1 GB of files in total are transferred outbound by the same user. The system does not check these files for sensitive information; you can check the files after an exception is reported. The following list describes the types of exceptions.
Outbound Transfer of Large File: A file larger than 30 MB is transferred outbound, online or offline, by an employee. Pay close attention to employees who transfer such files outbound offline to protect your business from major losses.
Copy File with Peripheral: A file smaller than or equal to 30 MB is copied to a peripheral, online or offline. Pay close attention to employees who copy such files to a peripheral offline to protect your business from major losses.
Threshold for Outbound Transfer Exceeded: More than 1 GB of files in total are transferred outbound offline by an employee. Pay close attention to the employee to protect your business from major losses.
In the left-side navigation pane, navigate to the Sensitive Behavior Detection page. In the Sensitive Behavior Identification section, view the sensitive behavior of employees in the specified time range.
View the records of sensitive files transferred outbound
You can use SASE to check for sensitive information in files transferred outbound that are smaller than or equal to 30 MB and record the sensitive information. You can view the content of sensitive files transferred outbound based on these records.
On the Sensitive Behavior Detection page, view the list of sensitive files transferred outbound by employees.
Find the employee whose record you want to view and click Details in the Actions column. On the Outbound Transfers of Sensitive Files tab, you can view the statistics and the list of sensitive files transferred by the specified employee. The following list describes the sections of the tab.
Time Period (marked 1 in the preceding figure): The query time range. You can specify a custom time range.
Statistics (marked 2 in the preceding figure): Statistics such as the number of sensitive files transferred within the specified time range, the transfer channel, and the file size are displayed in this section.
Sensitive File List (marked 3 in the preceding figure): Information about sensitive files, such as the sensitivity level, data type, data template, and number of hits, is displayed in this section. You can also specify query conditions to search for specific data.
Click Download in the Actions column to download the sensitive file to your PC.
Click Details in the Actions column to view details of the sensitive file in the Details panel. You can view information such as key information, sensitive file preview, screenshot evidence, hit policy, terminal, and outbound transfer channel.
View exception records
SASE considers the following events as exceptions: a file larger than 30 MB is transferred outbound by a user, a file is copied to a peripheral, and more than 1 GB of files in total are transferred outbound by the same user. Pay close attention to these users to protect your business from major losses. If a file is larger than 30 MB, the system does not check it for sensitive information. You can check the monitored files after an exception is reported.
On the Sensitive Behavior Detection page, view the exception records.
Find the employee whose record you want to view and click the value in the Abnormal Event column. On the Abnormal Events tab, view the exception records of the specified employee.
You can also click Details in the Actions column to view the records on the Abnormal Events tab.
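The exception rules described under View exception records and in the exception table above, as an added example that is not SASE code or part of this page: a Python function that applies the large-file, peripheral-copy and per-user volume rules to constructed transfer records. It uses the 30 MB threshold stated in the table and assumes, as a labelled assumption, that a copy to a peripheral is logged under the Mobile Storage channel.

```python
from collections import defaultdict
from dataclasses import dataclass

MB = 1024 * 1024
LARGE_FILE_BYTES = 30 * MB        # "Outbound Transfer of Large File" threshold from the page
PER_USER_TOTAL_BYTES = 1024 * MB  # "Threshold for Outbound Transfer Exceeded" (1 GB)
PERIPHERAL_CHANNELS = {"Mobile Storage"}  # assumption: peripheral copies log under this channel


@dataclass
class Transfer:
    user: str
    channel: str   # one of the transmission channels listed on this page
    size: int      # file size in bytes
    offline: bool  # True if the terminal was offline at transfer time


def detect_exceptions(records):
    """Return one finding per exception, in the order the transfers were seen.

    Files above LARGE_FILE_BYTES are reported on size alone (the page says they
    are not content-scanned); files at or below it that go to a peripheral are
    reported; a user whose cumulative outbound volume passes PER_USER_TOTAL_BYTES
    is reported once, at the transfer that crosses the threshold.
    """
    findings, totals, over_total = [], defaultdict(int), set()
    for r in records:
        if r.size > LARGE_FILE_BYTES:
            findings.append({"type": "Outbound Transfer of Large File",
                             "user": r.user, "offline": r.offline})
        elif r.channel in PERIPHERAL_CHANNELS:
            findings.append({"type": "Copy File with Peripheral",
                             "user": r.user, "offline": r.offline})
        totals[r.user] += r.size
        if totals[r.user] > PER_USER_TOTAL_BYTES and r.user not in over_total:
            over_total.add(r.user)
            findings.append({"type": "Threshold for Outbound Transfer Exceeded",
                             "user": r.user, "offline": r.offline})
    return findings


# Constructed sample transfers (not real data): one large file, one peripheral
# copy, and one user whose three transfers add up to more than 1 GB.
SAMPLE = [
    Transfer("alice", "Email (Software)", 40 * MB, offline=False),
    Transfer("bob", "Mobile Storage", 10 * MB, offline=True),
    Transfer("carol", "Network Sharing", 400 * MB, offline=True),
    Transfer("carol", "Network Sharing", 400 * MB, offline=True),
    Transfer("carol", "Network Sharing", 400 * MB, offline=True),
]
```

Running detect_exceptions(SAMPLE) yields six findings: one large file for alice, one peripheral copy for bob, three large files for carol, and a volume-threshold finding for carol raised on her third transfer.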
Configure the retention period of monitoring results
By default, SASE stores monitoring results for 7 days. If you have activated Simple Log Service, you can save your monitoring results for 30 days. For more information, see Billing overview.
Configure sensitive file storage
By default, SASE provides 1 GB of free storage for sensitive files.
If you require larger storage space, click Scale Up in the upper-right corner of the Sensitive Behavior Detection page. For more information, see Billing overview.
If you do not want to store sensitive files, turn off Storage Status in the upper-right corner of the Sensitive Behavior Detection page. After you turn off the switch, the system stops storing new sensitive files but does not delete existing ones.
If you want to clear existing sensitive files, click Clear in the upper-right corner of the Sensitive Behavior Detection page. In the dialog box that appears, specify Clear by Time Range or Clear All.
Configure custom storage settings for sensitive files
Internet Access DLP of SASE allows you to configure custom storage settings for sensitive files. For more information, see Configure custom storage settings.
References
For information about how to view and trace the logs of sensitive files transferred outbound, see Sensitive file detection.
For information about how to manage peripherals of employees to ensure data security, see Manage peripherals to ensure data security.
For more information about how to manage screen watermarks and print watermarks to ensure data security, see Manage watermarks to ensure data security.