Endpoint DLP Data Types and Filters
There are two ways you can use Endpoint Data Loss Prevention (DLP) data types and filters to define the Endpoint DLP activity information that you want to view: in a dashboard or report widget, or when analyzing charts on an Insights page. To learn more about how to analyze your Insights traffic, see Analyzing Traffic Using Insights.
When you add or edit a widget in a dashboard or report and select Endpoint DLP in the Widget Settings dialog, you select a data type to view from the Data Type menu and apply filters that you choose from the Add Filter menu.
On the Logs > Insights > Internet & SaaS > Endpoint DLP Insights page, you select a data type to view from the menu above the chart and apply filters that you choose from the Add Filter menu on the left pane.
The user and department filters list 200 results at a time. Each provides a search field: type a few characters, and the results narrow to match your input until you find what you want.
Data Types and Filters
Certain filters, like Users, Departments, and others, support the selection of multiple values. For these, you can select up to 200 values in a single filter. You can also choose to include or exclude the selected values.
Certain data types only appear on the Endpoint DLP Insights page and not on the Analytics > Internet & SaaS > Dashboard > New Widget window. The following are the Endpoint DLP data types and their associated filters that appear on both pages:
- Action Taken
  Displays Endpoint DLP data associated with the actions taken. You can apply the following filters:
  - Action Taken: Use this filter to limit the data to activities associated with a specific action taken.
    - Allow
    - Block
    - Confirm Allow
    - Confirm Block
    - Exempted
  - Department: Use this filter to limit the data to the activities of a specific department.
  - User: Use this filter to limit the data to the Endpoint DLP data of specific users. It lists 200 results at a time. This filter cannot be used in a trend chart.
- Confirm Justification
  Displays Endpoint DLP data associated with the confirmed justifications. You can apply the following filters:
  - Confirm Justification: Use this filter to limit the data to activities associated with a specific justification provided by the user for the activity. The following actions appear under this filter:
    - Other
    - The data contains only my personal information.
    - The data does not contain sensitive information.
    - This activity is part of a necessary business workflow.
    - This activity was accidental.
    - User didn't provide justification in time.
  - Department: Use this filter to limit the data to the activities of a specific department.
  - User: Use this filter to limit the data to the Endpoint DLP data of specific users. It lists 200 results at a time. This filter cannot be used in a trend chart.
- Department
  Displays Endpoint DLP data associated with departments. You can apply the following filters:
  - Action Taken: Use this filter to limit the data to activities associated with a specific action taken.
    - Allow
    - Block
    - Confirm Allow
    - Confirm Block
    - Exempted
  - Confirm Justification: Use this filter to limit the data to activities associated with a specific justification provided by the user for the activity. The following actions appear under this filter:
    - Other
    - The data contains only my personal information.
    - The data does not contain sensitive information.
    - This activity is part of a necessary business workflow.
    - This activity was accidental.
    - User didn't provide justification in time.
  - Department: Use this filter to limit the data to the activities of a specific department.
  - DLP Engine: Use this filter to view the activities in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
  - Document Type: Use this filter to limit the data to traffic associated with a specific uploaded or downloaded document type. The following types appear under this filter:
    - Corporate Finance
    - Corporate Legal
    - Court Form
    - DMV
    - Immigration
    - Insurance
    - Invoice
    - Legal
    - Medical Information
    - None
    - Real Estate
    - Resume
    - Tax
    - Technical
    - Unknown
  - Rule Name: Use this filter to limit the data to activities associated with specific rules in the Endpoint DLP policy. Choose the rules from the list.
  - Severity: Use this filter to limit the data to activities associated with a specific rule severity.
    - High
    - Information
    - Low
    - Medium
  - User: Use this filter to limit the data to the Endpoint DLP data of specific users. It lists 200 results at a time. This filter cannot be used in a trend chart.
- DLP Engine
  Displays Endpoint DLP data associated with DLP engines. You can apply the following filters:
  - Department: Use this filter to limit the data to the activities of a specific department.
  - DLP Engine: Use this filter to view activities in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
  - User: Use this filter to limit the data to the Endpoint DLP data of specific users. It lists 200 results at a time. This filter cannot be used in a trend chart.
- Document Type
  Displays Endpoint DLP data associated with document type. This data type cannot be used with a trend chart. You can apply the following filters:
  - Department: Use this filter to limit the data to the activities of a specific department.
  - Document Type: Use this filter to limit the data to traffic associated with a specific uploaded or downloaded document type. The following types appear under this filter:
    - Corporate Finance
    - Corporate Legal
    - Court Form
    - Immigration
    - Insurance
    - Invoice
    - Legal
    - Medical Information
    - Real Estate
    - Resume
    - Tax
    - Technical
    - Transportation and Motor Department
    - Unknown
  - User: Use this filter to limit the data to the Endpoint DLP data of specific users. It lists 200 results at a time. This filter cannot be used in a trend chart.
- Overall Traffic
  Displays Endpoint DLP data associated with overall traffic. You can apply the following filters:
  - Department: Use this filter to limit the data to the activities of a specific department.
  - DLP Engine: Use this filter to view activities in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
  - Document Type: Use this filter to limit the data to traffic associated with a specific uploaded or downloaded document type. The following types appear under this filter:
    - Corporate Finance
    - Corporate Legal
    - Court Form
    - Immigration
    - Insurance
    - Invoice
    - Legal
    - Medical Information
    - Real Estate
    - Resume
    - Tax
    - Technical
    - Transportation and Motor Department
    - Unknown
  - Rule Name: Use this filter to limit the data to activities associated with specific rules in the Endpoint DLP policy. Choose the rules from the list.
  - Severity: Use this filter to limit the data to activities associated with a specific rule severity.
    - High
    - Information
    - Low
    - Medium
  - User: Use this filter to limit the data to the Endpoint DLP data of specific users. It lists 200 results at a time. This filter cannot be used in a trend chart.
- Rule Name
  Displays Endpoint DLP data associated with rule names. You can apply the following filters:
  - Department: Use this filter to limit the data to the activities of a specific department.
  - Rule Name: Use this filter to limit the data to activities associated with specific rules in the Endpoint DLP policy. Choose the rules from the list.
  - User: Use this filter to limit the data to the Endpoint DLP data of specific users. It lists 200 results at a time. This filter cannot be used in a trend chart.
- Severity
  Displays Endpoint DLP data associated with the severity. You can apply the following filters:
  - Action Taken: Use this filter to limit the data to activities associated with a specific action taken.
    - Allow
    - Block
    - Confirm Allow
    - Confirm Block
    - Exempted
  - Department: Use this filter to limit the data to the activities of a specific department.
  - Severity: Use this filter to limit the data to activities associated with a specific rule severity.
    - High
    - Information
    - Low
    - Medium
  - User: Use this filter to limit the data to the Endpoint DLP data of specific users. It lists 200 results at a time. This filter cannot be used in a trend chart.
- User
  Displays Endpoint DLP data associated with users. The trend chart does not support this data type. You can apply the following filters:
  - Action Taken: Use this filter to limit the data to activities associated with a specific action taken.
    - Allow
    - Block
    - Confirm Allow
    - Confirm Block
    - Exempted
  - Confirm Justification: Use this filter to limit the data to activities associated with a specific justification provided by the user for the activity. The following actions appear under this filter:
    - Other
    - The data contains only my personal information.
    - The data does not contain sensitive information.
    - This activity is part of a necessary business workflow.
    - This activity was accidental.
    - User didn't provide justification in time.
  - Department: Use this filter to limit the data to the activities of a specific department.
  - DLP Engine: Use this filter to view activities in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
  - Document Type: Use this filter to limit the data to traffic associated with a specific uploaded or downloaded document type. The following types appear under this filter:
    - Corporate Finance
    - Corporate Legal
    - Court Form
    - Immigration
    - Insurance
    - Invoice
    - Legal
    - Medical Information
    - Real Estate
    - Resume
    - Tax
    - Technical
    - Transportation and Motor Department
    - Unknown
  - Rule Name: Use this filter to limit the data to activities associated with specific rules in the Endpoint DLP policy. Choose the rules from the list.
  - Severity: Use this filter to limit the data to activities associated with a specific rule severity.
    - High
    - Information
    - Low
    - Medium
  - User: Use this filter to limit the data to the Endpoint DLP data of specific users. It lists 200 results at a time. This filter cannot be used in a trend chart.
The following Endpoint DLP data type only appears on the Endpoint DLP Insights page:
- Destination Name
  - Action Taken: Use this filter to limit the data to activities associated with a specific action taken.
    - Allow
    - Block
    - Confirm Allow
    - Confirm Block
    - Exempted
  - Activity Type: Use this filter to limit the data to activities associated with a specific activity type. The following activity types appear under this filter:
    - Download
    - Email Sent
    - File Copy
    - File Read
    - File Write
    - Upload
  - Channel: Use this filter to limit the data to activities associated with a specific channel. The following channels appear under this filter:
    - Network Share
    - Personal Cloud Storage
    - Printing
    - Removable Storage
  - Confirm Action: Use this filter to limit the data to activities associated with a specific action by the user in the confirmation dialog box. The following confirmed actions appear under this filter:
    - Cancel
    - Confirm
    - Timeout (activities that were timed out before user confirmation)
  - Confirm Justification: Use this filter to limit the data to activities associated with a specific justification provided by the user for the activity. The following actions appear under this filter:
    - Other
    - The data contains only my personal information.
    - The data does not contain sensitive information.
    - This activity is part of a necessary business workflow.
    - This activity was accidental.
    - User didn't provide justification in time.
  - Data Center: Use this filter to limit the data to activities associated with a specific data center.
  - Department: Use this filter to limit the data to the activities of a specific department. Use the Search function to find a specific department.
  - Destination Name: Use this filter to enter all or part of the item's destination name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Does Not Start With, Not Null, or Is Null.
  - Destination Type: Use this filter to limit the data to traffic associated with a specific destination type. The following destination types appear under this filter:
    - Application
    - Local Drive
    - Network Share
    - Personal Cloud Storage
    - Printer
    - Removable Storage Device
    - Web
  - DLP Dictionaries: Use this filter to see which activities contain a particular dictionary as a trigger. If a dictionary was triggered, its name is displayed along with a value indicating the search score or match count for that dictionary. The default option for this filter is All. You can search for specific DLP dictionaries.
  - DLP Engine: Use this filter to view activities in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
  - DLP Identifier: Use this filter to search for the activities using this DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors. Use it as a filter to locate the exact activity. You can search for specific DLP identifiers.
  - Document Type: Use this filter to limit the data to traffic associated with a specific uploaded or downloaded document type. The following document types appear under this filter:
    - Corporate Finance
    - Corporate Legal
    - Court Form
    - Immigration
    - Insurance
    - Invoice
    - Legal
    - Medical Information
    - Real Estate
    - Resume
    - Tax
    - Technical
    - Transportation and Motor Department
    - Unknown
  - File Destination Location: Use this filter to enter all or part of the file destination location in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Does Not Start With, Not Null, or Is Null.
  - File MD5: Use this filter to enter the 32-character file MD5 in the text field.
  - File SHA256: Use this filter to display the hash of identical files. Enter all or part of the SHA256 in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Does Not Start With, Not Null, or Is Null.
  - File Size: Use this filter to limit the data to activities associated with a specific file size. When you select this filter, enter the From and To field values in bytes to view the logs within that range.
  - File Source Location: Use this filter to enter all or part of the file source location in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Does Not Start With, Not Null, or Is Null.
  - Item Name: Use this filter to enter all or part of the item's name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Does Not Start With, Not Null, or Is Null.
  - Item Type: Use this filter to limit the data to traffic associated with a specific item type. The following item types appear under this filter:
    - Clipboard Text
    - Email Attachment
    - Embedded File
    - File
    - HTTP Request
    - Printed Text
  - Other Rules: Use this filter to limit the data to activities associated with other rules.
  - Record Type: Use this filter to limit the data to activities associated with a specific record type. The following record types appear under this filter:
    - DLP Incident
    - Sensitive Activity
  - Rule Name: Use this filter to limit the data to activities associated with specific rules in the Endpoint DLP policy. Choose the rules from the list.
  - Scan Time: Use this filter to limit the data to activities associated with a specific range of time. The following scan times appear under this filter:
    - All
    - 0–10 Sec
    - 10 Sec–30 Sec
    - 30 Sec–1 Min
    - 1 Min–5 Min
    - 5 Min–10 Min
    - 10 Min–30 Min
    - 30 Min–1 Hour
    - Above 1 Hour
    - Custom
  - Severity: Use this filter to limit the data to activities associated with a specific rule severity. The following severities appear under this filter:
    - High
    - Information
    - Low
    - Medium
  - Source Name: Use this filter to enter all or part of the item's source name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Does Not Start With, Not Null, or Is Null.
  - Source Type: Use this filter to limit the data to activities associated with a specific source type. The following source types appear under this filter:
    - Application
    - Local Drive
    - Network Share
    - Personal Cloud Storage
    - Removable Storage Device
    - Web
  - User: Use this filter to view the activities of a specific user. The default option for this filter is Any. You can search or choose users from the list.
  - ZDP Mode: Use this filter to view the activities for a specific Endpoint DLP mode. The following ZDP modes appear under this filter:
    - Block Mode
    - Exemption Mode