View incident information in Forcepoint CASB

When a DLP policy is triggered, additional transaction details are captured and shown in the corresponding Forcepoint CASB Audit Log and Incidents screens.

To view the Audit Log for a DLP Cloud Proxy activity:

  1. In Forcepoint CASB, go to Audit & Protect > Activity Audit > Realtime Monitoring > Audit Log.
  2. Select the cloud application (asset) from the list above the Dashboard.
  3. In the Rules column, look for a rule that matches the policy you created or enabled.
  4. If you want to only show the activities that match the DLP rules:
    1. Click the Add filters plus (+) sign.
    2. Select Rules from the list. A new Rules filter is added to the top of the audit log.
    3. Open the Rules drop-down menu and select the rule (or rules) you want to show.

To view the Audit Log for a DLP Cloud API activity:

  1. In Forcepoint CASB, go to Audit & Protect > Activity Audit > Service Provider Log > Audit Log.
  2. Select the cloud application (asset) from the list above the Dashboard.
  3. In the Rules column, look for a rule that matches the policy you created or enabled.
  4. If you want to only show the activities that match the DLP rules:
    1. Click the Add filters plus (+) sign.
    2. Select Rules from the list. A new Rules filter is added to the top of the audit log.
    3. Open the Rules drop-down menu and select the rule (or rules) you want to show.

For more information about Forcepoint CASB audit logs, see the “Investigating activity logs” section in the ForcepointCASBAdministrationGuide.