View incident information in Forcepoint CASB

When a DLP policy is triggered, additional transaction details are captured and shown in the corresponding Forcepoint CASB Audit Log and Incidents screens.

To view the Audit Log for a DLP Cloud Proxy activity:

  1. In Forcepoint CASB, go to Audit & Protect > Activity Audit > Realtime Monitoring > Audit Log.
  2. Select the cloud application (asset) from the list above the Dashboard.
  3. In the Rules column, look for a rule that matches the policy you created or enabled.
  4. To show only the activities that match the DLP rules:
    1. Click the Add filters plus (+) sign.
    2. Select Rules from the list. A new Rules filter is added to the top of the audit log.
    3. Open the Rules drop-down menu and select the rule (or rules) you want to show.

To view the Audit Log for a DLP Cloud API activity:

  1. In Forcepoint CASB, go to Audit & Protect > Activity Audit > Service Provider Log > Audit Log.
  2. Select the cloud application (asset) from the list above the Dashboard.
  3. In the Rules column, look for a rule that matches the policy you created or enabled.
  4. To show only the activities that match the DLP rules:
    1. Click the Add filters plus (+) sign.
    2. Select Rules from the list. A new Rules filter is added to the top of the audit log.
    3. Open the Rules drop-down menu and select the rule (or rules) you want to show.

For more information about Forcepoint CASB audit logs, see the “Investigating activity logs” section in the Forcepoint CASB Administration Guide.