Monitor outbound file transfers to ensure data security

Last Updated: Dec 26, 2024

To prevent data leaks caused by sensitive files transferred outbound through multiple channels in the workplace, such as instant messaging and emails, we recommend that you use the data loss prevention (DLP) feature provided by Secure Access Service Edge (SASE) to monitor and manage files transferred outbound. This allows you to view the outbound transfer status of sensitive data, monitor data leak risks, and protect your business from major losses. This topic describes how to configure a policy to monitor outbound file transfers and how to collect statistics on outbound transfers.

Prerequisites

Configure a policy to monitor outbound file transfers

SASE supports the sensitive file detection feature. After you enable this feature, the system automatically identifies sensitive data elements in sensitive files and creates data templates based on the data elements, data type, and sensitivity level. Then, you can create detection policies based on conditions such as the data template and handling action to determine whether sensitive files are being transferred outbound.

SASE provides various built-in data templates that are intended for common company data, customer data, and personal data. If built-in templates cannot meet your business requirements, you can create custom data templates based on new sensitive data elements.

Step 1: (Optional) Create a sensitive data element

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Data Loss Prevention > Policy Center.

  3. On the Outbound Transfer Management > Sensitive Data Definition > Data Element tab, click Create Data Element.

  4. In the Create Data Element panel, configure the parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    Element Name

    The name must be 2 to 32 characters in length and can contain letters, digits, hyphens (-), and underscores (_).

    Element Type

    • File Name or File Content

      If you specify File Name or File Content for the Element Type parameter, you must specify the Element Composition parameter. The following content describes the valid values of Element Composition:

      • Keyword: If you specify Keyword for the Element Composition parameter, the Custom Keyword parameter is required. You can specify that the element must meet all or one of your custom conditions.

        You can add up to 100 custom conditions.

      • Regular Expression: Specify a valid regular expression.

        For example, the regular expression ([A-Za-z0-9]+) matches any string of one or more letters and digits.

      You must also specify the Applicable File Type parameter. Valid values:

      • All Types

        All built-in file types supported by SASE.

      • Specified Type

        One or more built-in file types supported by SASE such as office PDF files, images in the BPG format, and emails in the EML format.

      • Data Suffix

        One or more built-in file types supported by SASE based on the file suffix such as .tsv, .wpd, and .xps.

        If the built-in file types cannot meet your business requirements, you can click Add Custom Suffix to add a new file suffix.

    • File Attribute

      If you specify File Attribute for the Element Type parameter, you must specify the Element Composition parameter. The following content describes the valid values of Element Composition:

      • File Type

        Valid values include All Types, Specified Type, and Data Suffix. The values are described in the preceding content.

      • File Encryption

        If you specify File Encryption for the Element Composition parameter, you must configure Retain Encrypted File.

        File encryption is a built-in feature of document applications. Because the content of an encrypted file cannot be inspected, encryption can be used to keep sensitive enterprise data from being detected. SASE can retain encrypted files for enterprise audit.

      Specify the File Size parameter. Valid values: 0 KB to 30 MB.

Step 2: (Optional) Create a data template based on sensitive data elements

  1. On the Sensitive Data Definition > Data Template tab, click Create Template.

  2. In the Create Template panel, configure the parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    Template Name

    The name of the template. The name must be 2 to 32 characters in length and can contain letters, digits, hyphens (-), and underscores (_).

    Sensitivity Level

    The sensitivity level of the file. Valid values:

    • L4: Highly Confidential Data

      The following types of information:

      1. Sensitive information of customers who are involved in the enterprise business.

      2. Macro characteristic data, forecast data, and credit data that are generated by a single department or multiple departments after aggregation and processing.

      3. Information that is strictly prohibited from being discussed and disseminated by irrelevant parties within the enterprise. If such information is leaked without authorization, it directly causes serious negative impacts on the enterprise business, or even systemic risks to the business and major legal liabilities.

      4. Communication record information that is related to management decisions and investment and financing processes that involve specified personnel.

    • L3: Confidential Data

      Customer information that is generated during business operations and business data that is generated by departments after aggregation and processing. If such data or information is leaked without authorization, it may directly or indirectly cause adverse effects or risks to the enterprise, customers, and employees. It may also cause economic loss, business loss, and reputation loss to customers or enterprises and result in potential legal liabilities.

    • L2: Internal Data

      Enterprise data and customer information that can be accessed and used only by employees or third parties who signed a confidentiality agreement, or information that the owners allow specific groups to access. If such data or information is leaked without authorization, it may cause slight or insignificant negative impacts on enterprise customers or business and employees of the enterprise.

    • L1: Public Data

      Data that is available to the public or data that is configured as public by enterprises. Public dissemination of the data does not cause security or legal issues.

    Data Type

    The type of data that you want to monitor. Valid values:

    • Enterprise Data

    • Business Data

    • Personal Data

    Data Elements

    The conditions for sensitive data elements.

    For example, if you specify "Phone number > 5", sensitive file detection is triggered when a phone number appears more than five times.

    We recommend that you configure multiple conditions based on your business requirements to facilitate accurate and comprehensive file detection. You can use the AND or OR logical operator among multiple conditions.
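The following added example (not SASE code, and not how the SASE client is implemented) shows how a template condition such as "Phone number > 5" behaves when combined with a second condition through AND or OR. The element names, the phone number pattern, and the sample content are assumptions constructed for illustration; the `alnum_run` element uses the sample expression from the data element table to show how broadly it matches.

```python
import re

# Data elements: the names and patterns below are constructed for this example.
ELEMENTS = {
    # Assumed format: 11-digit mobile number, not embedded in a longer digit run.
    "phone_number": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    "contract_keyword": re.compile(r"confidential", re.IGNORECASE),
    # The sample expression from the data element table: matches every alphanumeric run.
    "alnum_run": re.compile(r"([A-Za-z0-9]+)"),
}

def count_hits(text):
    """Count the matches of each data element in the extracted file content."""
    return {name: len(rx.findall(text)) for name, rx in ELEMENTS.items()}

def template_matches(template, hits):
    """Each condition is (element, n) and means 'element appears more than n times'."""
    results = [hits.get(element, 0) > n for element, n in template["conditions"]]
    if template["operator"] == "AND":
        return all(results)
    return any(results)

# Constructed templates mirroring the "Phone number > 5" condition.
STRICT = {"operator": "AND", "conditions": [("phone_number", 5), ("contract_keyword", 0)]}
LOOSE = {"operator": "OR", "conditions": [("phone_number", 5), ("contract_keyword", 0)]}

def make_sample(phone_count, with_keyword):
    """Build constructed file content with a given number of phone numbers."""
    lines = [f"customer {i}: 138001380{i:02d}" for i in range(phone_count)]
    if with_keyword:
        lines.append("Classification: CONFIDENTIAL")
    return "\n".join(lines)

if __name__ == "__main__":
    for n in (5, 6):
        hits = count_hits(make_sample(n, with_keyword=True))
        print(n, hits, template_matches(STRICT, hits), template_matches(LOOSE, hits))
```

A file with exactly five phone numbers does not satisfy "Phone number > 5", so the AND template stays silent while the OR template still fires on the keyword alone.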

Step 3: Create a detection policy and associate it with a data template

  1. On the Detection Policies tab, click Create Policy.

  2. In the Create Policy panel, configure parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    Policy Information

    Policy Name

    The name of the policy.

    Policy Description

    The supplementary description of the policy.

    Risk Level

    The risk level of events that the policy monitors. Valid values:

    • Extremely High: events such as outbound transfer by a resigning user group, outbound transfer by an extremely high-risk user group, and outbound transfer of L4 files.

    • High: events such as outbound transfer by a high-risk user group and outbound transfer of L3 files.

    • Medium: events such as outbound transfer by a medium-risk user group and outbound transfer of L2 files.

    • Low: outbound transfer of all files. This option is intended for auditing purposes.

    Action

    The action of the policy. Valid values:

    • Audit Only

    • Block and Notify

    • Block Only

    If you specify Block and Notify or Block Only, you must also select Block All or Intelligently Block.

    • Block All: The SASE client blocks all outbound file transfers in real time and audits the transfers.

    • Intelligently Block: The SASE client blocks outbound transfers of sensitive files that meet the conditions specified in data templates in real time. To ensure real-time blocking, the SASE client scans files on terminals and marks the sensitivity levels for the files in advance. Before the scan is complete, the SASE client automatically blocks all outbound transfers, and the blocking policy does not take effect. The scan and marking operations are performed only on terminals and are not reported.

    Source File Retention

    Specifies whether to retain the source file information.

    Status

    The status of the policy.

    • If you turn on this switch, SASE monitors files based on the policy that you created.

    • If you turn off this switch, the policy does not take effect.

    Data Template Configuration

    Data Template

    The data template that you want to use.

    Transmission Channel

    The data transmission channel that you want to use. After you select a data transmission channel, the system automatically monitors sensitive files that are transmitted over the channel. The following content describes the supported transmission channels. You can select a specific channel or all channels.

    • Instant Messaging

    • Email Channel

    • HTTP Channel

    • FTP Channel

    • Sharing Channel

    • Printer Channel

    • Burning Channel

    • Mobile Storage

    • Other Channels

    Effective Scope

    User Group

    The user group on which the policy takes effect.

    Approval Process Configuration

    If a file that an employee wants to send outbound is at risk, you can configure an approval workflow to allow the employee to submit an application.

    If you select Users can submit an application for approval, you must select an appropriate approval workflow. For more information, see Configure an approval workflow.

    Prompt Display Configuration

    The message that appears when an outbound file transfer is blocked. You can specify a message in Chinese or English.

View sensitive file detection statistics

After you enable the DLP feature and configure a detection policy, the system automatically monitors file transfers of users and analyzes outbound sensitive file transfers and exceptions within the last 30 days, 7 days, or 24 hours based on detection results.

  • You can use this feature to monitor sensitive files transferred outbound that are smaller than or equal to 30 MB in size, and view the top 5 types of sensitive files and their percentages.

  • The system considers the following events as exceptions: A file larger than 30 MB is transferred outbound, a file is copied to a peripheral, and more than 1 GB of files in total are transferred outbound by the same user. The system does not check the files for sensitive information. You can check the files after an exception is reported. The following table describes the types of exceptions.

    Type

    Description

    Outbound Transfer of Large File

    A file larger than 30 MB is transferred outbound online or offline by an employee.

    In this case, pay close attention to the user who transfers such a file outbound offline to protect your business from major losses.

    Copy File with Peripheral

    A file smaller than or equal to 30 MB is copied to a peripheral online or offline.

    In this case, pay close attention to the user who copies such a file to a peripheral offline to protect your business from major losses.

    Threshold for Outbound Transfer Exceeded

    More than 1 GB of files in total are transferred outbound offline by the same user.

    In this case, pay close attention to the user to protect your business from major losses.
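The three exception rules above can be reproduced over your own transfer logs for triage. The following is an added example, not SASE code: the record fields, the `peripheral` channel value, the binary size units, and the sample records are assumptions constructed for illustration, and the 1 GB total is computed over whatever records are passed in because the page does not state a time window.

```python
from collections import defaultdict

MB = 1024 * 1024            # assumption: binary units; the page does not say
LARGE_FILE = 30 * MB        # files above this size are not checked for sensitive content
USER_TOTAL = 1024 * MB      # 1 GB cumulative outbound volume per user

def classify(records):
    """Return (user, exception_type, detail) tuples for transfer records.

    Each record is a dict with user, file, size (bytes) and channel.
    The field names and the 'peripheral' channel value are hypothetical.
    """
    findings = []
    totals = defaultdict(int)
    flagged_total = set()
    for r in records:
        if r["size"] > LARGE_FILE:
            findings.append((r["user"], "Outbound Transfer of Large File", r["file"]))
        elif r["channel"] == "peripheral":
            # Files of 30 MB or less copied to a peripheral.
            findings.append((r["user"], "Copy File with Peripheral", r["file"]))
        totals[r["user"]] += r["size"]
        if totals[r["user"]] > USER_TOTAL and r["user"] not in flagged_total:
            flagged_total.add(r["user"])  # report the threshold once per user
            findings.append((r["user"], "Threshold for Outbound Transfer Exceeded",
                             f"{totals[r['user']] // MB} MB"))
    return findings

# Constructed sample records.
SAMPLE = [
    {"user": "alice", "file": "notes.txt", "size": 2 * MB, "channel": "email"},
    {"user": "alice", "file": "db.bak", "size": 400 * MB, "channel": "http"},
    {"user": "bob", "file": "plan.docx", "size": 30 * MB, "channel": "peripheral"},
    {"user": "alice", "file": "vm.img", "size": 700 * MB, "channel": "ftp"},
]

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

Every finding produced here refers to a file or volume that was never inspected for sensitive content, so each one needs manual review.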

  1. In the left-side navigation pane, choose Data Loss Prevention > Sensitive Behavior Detection.

  2. In the Sensitive Behavior Identification section, view the sensitive behavior of employees in the specified time range.

View the records of sensitive files transferred outbound

You can use SASE to check for sensitive information in files transferred outbound that are smaller than or equal to 30 MB in size and record the sensitive information. You can view the content of sensitive files transferred outbound based on these records.

  1. On the Sensitive Behavior Detection page, view the list of sensitive files transferred outbound.

  2. Find the user whose record you want to view and click Details in the Actions column. On the Outbound Transfers of Sensitive Files tab, you can view the statistics and list of sensitive files transferred by the specified employee.

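    [Figure: the Outbound Transfers of Sensitive Files tab, with the Time Period, Statistics, and Sensitive File List sections marked 1, 2, and 3]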

    Section

    Description

    Time Period (marked 1 in the preceding figure)

    The query time range. You can specify a custom time range.

    Statistics (marked 2 in the preceding figure)

    Statistics such as the number of sensitive files transferred within the specified time range, transfer channel, and file size are displayed in this section.

    Sensitive File List (marked 3 in the preceding figure)

    Information about sensitive files such as the sensitivity level, data type, data template, and number of hits is displayed in this section. You can also specify query conditions to search for specific data.

    • Click Download in the Actions column to download the sensitive file to your PC.

    • Click Details in the Actions column to view details of the sensitive file in the Details panel. You can view information such as key information, sensitive file preview, screenshot evidence, hit policy, terminal, and outbound transfer channel.

View exception records

SASE considers the following events as exceptions: A file larger than 30 MB in size is transferred outbound by a user, a file is copied to a peripheral, and more than 1 GB of files in total are transferred outbound by the same user. Pay close attention to the users to protect your business from major losses. If a file is larger than 30 MB, the system does not check the files for sensitive information. You can check the monitored files after an exception is reported.

  1. On the Sensitive Behavior Detection page, view the exception records.

  2. Find the employee whose record you want to view and click the value in the Abnormal Event column. On the Abnormal Events tab, view the exception records of the specified employee.

    You can also click Details in the Actions column to view the records on the Abnormal Events tab.

Configure the retention period of detection results

By default, SASE stores detection results for 7 days. If you have activated Simple Log Service, you can save your detection results for 30 days. For more information, see Billing overview.

Configure sensitive file storage

By default, SASE provides 1 GB of free storage for sensitive files.

  • If you require larger storage, click Scale Up in the upper-right corner of the Sensitive Behavior Detection page. For more information, see Billing overview.

  • If you do not want to store sensitive files, turn off Storage Status in the upper-right corner of the Sensitive Behavior Detection page. If you turn off the switch, the system does not delete existing sensitive files or store new sensitive files.

  • If you want to clear existing sensitive files, click Clear in the upper-right corner of the Sensitive Behavior Detection page. In the dialog box that appears, specify Clear by Time Range or Clear All.
