Protect data by detecting outbound files


To prevent business losses caused by employees exfiltrating sensitive files through channels such as instant messaging and email, you can use the Data Loss Prevention (DLP) feature of SASE to detect and control outbound files as they leave the organization. This lets you monitor sensitive data exfiltration in real time and manage data leakage risks. This topic describes how to configure an outbound file detection policy and how to view statistics about outbound sensitive data.

Prerequisites

Configure an outbound file detection policy

The SASE sensitive file detection feature identifies sensitive files by matching the sensitive data elements that characterize them. A data template combines data elements, data types, and sensitivity levels. Combining a template with an action produces a detection policy that determines whether a file an employee sends out is sensitive and what happens when it is.

SASE provides several built-in data templates (for common company data, customer data, and personal data, among others). If these templates do not meet your business requirements, you can define custom sensitive data elements and build new data templates from them.

  1. Log on to the Secure Access Service Edge console.

  2. In the left navigation bar, select Data Protection > Policy Center.

  3. On the Outbound Transfer Management tab, click Create Policy.

  4. In the Create Policy panel, configure the following information. Then, click OK.

    Parameter

    Description

    Policy Information

    Policy Name

    The name of the policy.

    Policy Description

    A description of the policy.

    Risk Level

    The risk level of the policy. Four levels are available:

    • Extremely High: for example, outbound events from pre-departure user groups or extremely-high-risk user groups, and outbound events involving files tagged with sensitivity level L4.

    • High: for example, outbound events from high-risk user groups and outbound events involving L3 files.

    • Medium: for example, outbound events from medium-risk user groups and outbound events involving L2 files.

    • Low: a catch-all level for all other outbound events.

    Action

    The action to take when the policy is triggered. Four actions are available:

    • Audit Only

    • Audit and Prompt

    • Block and Notify

    • Block Only

    If you select Block and Notify or Block Only, you must also select a block type: Block All or Intelligently Block.

    • Block All: The SASE App intercepts and audits every outbound file transfer in real time, regardless of the file content.

    • Intelligently Block: The SASE App blocks files in real time according to the sensitive file characteristics defined in the data template. To make this effective, the SASE App first scans the files on the endpoint and tags each one with a sensitivity level. Until that scan finishes, the sensitivity-based blocking policy is not yet in effect and all outbound files are blocked by default (fail-closed). Scanning and tagging are performed locally on the endpoint and are not reported.

    Source File Retention

    Specifies whether to save the original outbound file.

    Retain Screenshot File

    Specifies whether to save screenshot evidence.

    Status

    The status of the policy. Valid values:

    • Enabled: The policy takes effect, and SASE scans files based on the policy.

    • Disabled: The policy is inactive.

    Data Identification Rule Settings

    Data Identification Rule

    Select an existing identification rule. To learn how to create one, see Configure detection rules for outbound file classification and categorization.

    Transmission Channel

    Select the transmission channels to monitor. The policy applies to files transferred through any selected channel. You can select all or some of the following supported channel types:

    Instant messaging (software), email (software), FTP, network share, printing, mobile storage, cloud drive (software), cloud notes (software), remote desktop, code hosting (software), large language model (software), cloud drive (web), email (web), code hosting (web), cloud notes (web), cloud blogs, large language model (web), social media, instant messaging (web), and others.

    Effective Scope

    User Group

    Select the user group to which the policy applies.

    Approval Process Configuration

    Specifies whether employees can request approval to release a file transfer that the policy blocked.

    If this option is enabled, you must select an approval workflow. For information about how to create an approval workflow, see Configure an approval workflow.

    Prompt Display Configuration

    Configure the notification message displayed to users when a file transfer is blocked. You can set messages in both Chinese and English.
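To make the policy model concrete, the following Python sketch, added here as an illustration and not code from SASE or Alibaba Cloud, models the chain the table describes: data elements (regular expressions) feed data templates that carry a sensitivity level, and a policy combines a minimum level with transmission channels, a user group, an action and a block type. The element patterns, the level numbering, the field and channel names, the sample file text and the decision order are assumptions; the one behaviour taken from the page is that Intelligently Block fails closed until the endpoint pre-scan has finished.

```python
"""Toy model of the outbound file policy described above.
Data elements -> data template (with sensitivity level) -> policy
(channels, user group, action, block type). Illustrative only: the
patterns, level numbers and decision order are assumptions, not SASE internals."""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed data elements (name -> pattern). Real elements are built in the console.
DATA_ELEMENTS = {
    "cn_mobile": re.compile(r"\b1[3-9]\d{9}\b"),               # assumed phone format
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "salary_keyword": re.compile(r"\bsalary\b", re.IGNORECASE),
}

@dataclass
class DataTemplate:
    name: str
    elements: Tuple[str, ...]   # data elements that characterise the template
    level: int                  # sensitivity level, 1 (L1) to 4 (L4)
    min_hits: int = 1           # total element hits needed to tag a file

@dataclass
class Policy:
    name: str
    action: str                 # audit_only | audit_prompt | block_notify | block_only
    block_type: Optional[str]   # block_all | intelligent (block actions only)
    channels: Set[str]          # transmission channels the policy monitors
    user_group: Set[str]        # effective scope
    min_level: int = 1          # lowest sensitivity level the policy applies to

TEMPLATES = (
    DataTemplate("customer_data", ("cn_mobile", "email"), level=3, min_hits=2),
    DataTemplate("hr_payroll", ("salary_keyword",), level=4),
)
BLOCK_POLICY = Policy("exfil-high", "block_notify", "intelligent",
                      {"im_software", "email_web"}, {"alice"}, min_level=3)
AUDIT_POLICY = Policy("exfil-audit", "audit_only", None,
                      {"im_software", "email_web"}, {"alice"}, min_level=3)
SAMPLE_TEXT = "Contact: 13812345678, alice@example.com"   # constructed file content

def classify(text, templates=TEMPLATES):
    """Return (template, hits) for the highest-level matching template, else (None, 0)."""
    best, best_hits = None, 0
    for t in templates:
        hits = sum(len(DATA_ELEMENTS[e].findall(text)) for e in t.elements)
        if hits >= t.min_hits and (best is None or t.level > best.level):
            best, best_hits = t, hits
    return best, best_hits

def decide(policy, user, channel, text, scan_complete=True):
    """Outcome of one outbound transfer under one policy: allow, audit or block."""
    if user not in policy.user_group or channel not in policy.channels:
        return "allow"          # outside the policy's effective scope
    blocking = policy.action in ("block_notify", "block_only")
    if blocking and policy.block_type == "block_all":
        return "block"          # content is irrelevant under Block All
    if blocking and not scan_complete:
        return "block"          # Intelligently Block fails closed until tagging is done
    tmpl, _ = classify(text)
    sensitive = tmpl is not None and tmpl.level >= policy.min_level
    if not sensitive:
        return "allow"
    return "block" if blocking else "audit"

if __name__ == "__main__":
    print(classify(SAMPLE_TEXT))
    print(decide(BLOCK_POLICY, "alice", "im_software", SAMPLE_TEXT))
    print(decide(BLOCK_POLICY, "alice", "im_software", "meeting notes", scan_complete=False))
```

The last call shows the operational caveat worth testing in a pilot: a harmless file is blocked while the endpoint pre-scan is still running, so roll out Intelligently Block to a small user group first and check that scans have completed before widening the scope.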

View sensitive file detection statistics

After you configure a policy, the DLP feature automatically detects files transferred by employees. Based on the detection results, it analyzes outbound transfers of sensitive files and anomalous activities over the last 24 hours, 7 days, or 30 days.

  • Sensitive file detection identifies outbound sensitive files of 30 MB or smaller and reports the top five sensitive file types and their proportions.

  • Anomalous activity records are generated for specific high-risk events. Unlike sensitive file detection, the content of these files is not scanned, so you must review anomalous activities closely and manually check whether the files contain sensitive information. The anomalous activity types are described in the following table:

    Anomalous activity type

    Description

    Large outbound file

    An employee transfers a single file larger than 30 MB, either online or offline. Files above this size are not content-scanned, so offline transfers of large files in particular warrant close monitoring.

    File copied to peripheral device

    An employee copies a file of 30 MB or smaller to a peripheral device, either online or offline. Offline copies to peripheral devices warrant close monitoring.

    Outbound threshold exceeded

    An employee transfers multiple files while offline and their total size exceeds 1 GB. Exceeding this threshold warrants close monitoring.
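The three rules in the table can be reproduced over exported transfer records, which is useful when you want to re-check the console's anomalous-activity list against your own log export or tune your triage. The following Python example is added here and is not SASE code: the 30 MB and 1 GB thresholds and the three event types come from the table, while the record layout, the channel names, the sample records and the choice of 1 GB = 1024 MB are assumptions made for the example.

```python
"""Re-implementation of the three anomalous-activity rules from the table,
run over constructed transfer records. Thresholds come from the page; the
record schema, channel names and 1 GB = 1024 MB are assumptions."""
from collections import defaultdict

MB = 1024 * 1024
LARGE_FILE_BYTES = 30 * MB          # above this size files are not content-scanned
OFFLINE_TOTAL_BYTES = 1024 * MB     # per-user offline total that trips the threshold
PERIPHERAL_CHANNEL = "mobile_storage"

# Constructed records: (user, size_bytes, channel, online)
SAMPLE_RECORDS = [
    ("alice", 45 * MB, "im_software", True),       # one large file, sent online
    ("bob", 5 * MB, "mobile_storage", False),      # small copy to USB while offline
    ("carol", 600 * MB, "ftp", False),
    ("carol", 500 * MB, "network_share", False),   # carol's offline total: 1100 MB
    ("dave", 2 * MB, "email_web", True),           # nothing anomalous
]

def detect_anomalies(records):
    """Return (user, event_type, mode) tuples for every rule that fires."""
    events = []
    offline_total = defaultdict(int)
    for user, size, channel, online in records:
        mode = "online" if online else "offline"
        if size > LARGE_FILE_BYTES:
            events.append((user, "large_outbound_file", mode))
        elif channel == PERIPHERAL_CHANNEL:
            events.append((user, "copied_to_peripheral", mode))
        if not online:
            offline_total[user] += size      # aggregate for the 1 GB rule
    for user, total in sorted(offline_total.items()):
        if total > OFFLINE_TOTAL_BYTES:
            events.append((user, "outbound_threshold_exceeded", "offline"))
    return events

def triage_order(events):
    """Every anomalous event needs a manual content check (the files were not
    scanned); offline events are listed first because the page singles them out."""
    return sorted(events, key=lambda e: e[2] != "offline")

if __name__ == "__main__":
    for event in triage_order(detect_anomalies(SAMPLE_RECORDS)):
        print(event)
```

Note that the large-file rule is evaluated before the peripheral-device rule, so a 45 MB copy to a USB drive is reported once, as a large outbound file, rather than twice; the console table draws the same line at 30 MB.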

  1. In the left navigation bar, select Sensitive Behavior Detection.

  2. In the Sensitive Behavior Identification section, view the sensitive behaviors of your employees that are detected in the specified time range.


View outbound records of sensitive files

SASE scans outbound files that are 30 MB or smaller to detect sensitive information and logs the details of any outbound sensitive files. You can use these logs to review the content of the sensitive files.

  1. On the Sensitive Behavior Detection page, view the list of outbound sensitive files from employees.

    At the top of the list, use the drop-down list and search box to filter by Time range (defaults to the last 24 hours) and Username. The table includes columns such as Username, Department, Anomalous activity, First outbound time, Number of outbound sensitive files, and Total size of sensitive files. The Actions column opens the detailed transfer records for a user.

  2. Click Details in the Actions column. On the Outbound Transfers of Sensitive Files tab, view the data statistics and file list of sensitive files exfiltrated by the specified employee.

    Feature

    Description

    Time period

    Allows you to set a custom time range for your query.

    Data statistics

    Displays statistics for outbound sensitive files within the specified time period, including the number, channel, and size of the files.

    Sensitive file list

    Displays a list of outbound sensitive files, along with their sensitivity level, data type, matched data template, and the number of hits. You can also use the filter to find the data you need.

    • Click Download to download the sensitive file to your local computer for viewing.

    • Click Details. In the Details panel, you can view information about the current sensitive file, including Data Flow, Key Information, Sensitive File information (including file Download), Screenshot Evidence, Hit Policy, and details about the exfiltration, such as the Office Terminal, Outbound Transfer Channel, and Account Information.

View anomalous activity records

SASE records events such as outbound files larger than 30 MB, files copied to peripheral devices, and a single user's offline outbound files exceeding 1 GB in total. Closely monitor the employees associated with these anomalous events to prevent business losses. Because outbound files larger than 30 MB are not content-scanned, you must manually check them for sensitive information.

  1. On the Sensitive Behavior Detection page, you can view anomalous events triggered by employees.

  2. Click the value in the Abnormal Event column and view the anomalous event logs for the specified user on the Abnormal Events tab.

    You can also click Details in the Actions column to view the related records on the Abnormal Events tab.

    This tab allows you to filter records by date range, Event type, Outbound Transfer Channel, and File name. The table displays fields such as event type, time, device type, outbound information, file information, and endpoint name.

Configure the retention period for detection results

SASE saves your detection results for 7 days by default. If you enable the log storage service, you can save them for 30 days. For more information, see Office Security Platform Billing Overview.

Configure storage for sensitive files

SASE enables a free 1 GB storage feature for you by default.

  • If you need more storage space, click Scale Up in the top-right corner to purchase file storage capacity. For pricing details, see Office Security Platform Billing Overview.

  • To stop storing new sensitive files, turn off the storage switch in the upper-right corner. This action does not delete previously stored files but prevents new ones from being saved.

  • If you need to clear stored sensitive files, click Clear in the upper-right corner and select Clear by Time Range or Clear All.

Configure custom storage for sensitive files

The Office Data Protection edition of SASE Internet Access Security supports custom storage for sensitive files. For more information, see Configure custom storage.

Related documents