Live events

Live events page can be used view and filter user actions on files as they happen on data sources where event streaming is configured.

Remediation

Mitigate risk after a user action, for example: if user shared a file publicly, but it was found to be a highly confidential document - public share can be removed using the DSPM.

Navigate to Administration > Live events > Remediation.

Streaming

Filter user actions on files as they happen on data sources where event streaming is configured.

Navigate to Administration > Live events > Streaming.

File Audit Log

Events that occurred during a scan or during endpoint discovery (e.g. file was discovered by endpoint agent, or file was ingested/classified by scanner).

Navigate to Administration > Live events > File Audit Log.

Extended Streaming

Extended Streaming is the expanded data-collection and event-ingestion layer in the DSPM platform that goes beyond Trustee Streaming’s core “file access + permissions + data usage” telemetry. It is designed to pull, normalize, and continuously stream additional contextual signals from multiple enterprise systems, allowing DSPM to build richer risk models, deeper identity context, and enhanced data governance insights.

Extended Streaming ingests multiple event types that complement Trustee Streaming:

  • Identity & Directory Changes
  • Tracks permission drift in near real time
  • Extended Streaming monitors: Folder renaming, repository structure changes, moves, copies, and migrations, updates to storage metadata etc. These changes are reflected instantly in dashboards (without waiting for a re-scan).
  • Device and Endpoint Context
  • Behavioral Telemetry: File read/write frequency baselines, Unusual access patterns, Off-hours behavior, Large data movement baselines, High-risk user patterns

Benefits

  • Real-time Access Governance
  • Dynamic Data Exposure Dashboards
  • Identity-Aware Risk Modeling
  • Anomaly Detection
  • Faster Governance Cycles

Navigate to Administration > Live events > Extended Streaming.

Trustee Streaming

Trustee Streaming is a continuous, real-time visibility and monitoring pipeline inside DSPM that tracks file access, user behavior, permissions, and data-movement activity across an organization’s unstructured data stores (SharePoint, OneDrive etc.).

Navigate to Administration > Live Events > Trustee Streaming

How Trustee Streaming Works (High-Level Architecture)?

  • Connectors collect access events such as: File R/W operations, permission changes, etc. These events are sent to the Trustee Streaming pipeline.
  • Raw events are enriched in real time with identity (user → department, file metadata, sensitivity, context information (source location, device, access method), risk level (user risk, file risk, exposure risk).
  • Events are streamed into the Trustee Engine which normalizes events into the data models.
Benefits
  • Real-time access monitoring
  • Effective permissions computation
  • Behavioral analytics
  • Stale access detection
  • Access governance
  • Exposure and link tracking

Scan Errors

Scan Errors page display elaborate information on failed scans.

Following table provides the full description of each field:

Table 1. Field Descriptions
Column Name Description
Display Path The user-friendly or formatted representation of the resource path being accessed.
Path The actual system path or identifier of the resource targeted by the remote API. (Often matches Display Path)
Status The result of the retrieval attempt. Possible values are FAILED, SUCCESS, IN_PROGRESS.
Error Code The HTTP status code or internal error code indicating the failure type (e.g., 429 for too many requests).
Error Message Detailed message describing the error, typically including HTTP method, endpoint, and server response (often JSON format).
Occurred At Timestamp when the error occurred.
Retry Attempt The number of times the system has retried the failed request.
Next Retry At The scheduled timestamps for the next retry attempt.
Id A unique identifier for the failed retrieval attempt, often combining multiple related IDs (like configuration, scan, container, etc.).
Configuration Id Identifier for the specific configuration used during the retrieval attempt.
Connector Type The type of connector or integration used for access (e.g., GMAIL).
Container Id Identifier for the container (container is a common name for file, directory, user, group, email, etc).
Page Token Token used for pagination if the retrieval is part of a multi-page operation. May be empty if not applicable.
Last Updated At Timestamp of the last update to this failure record. For example, after a retry or error status change.
Parent Id Identifier for the parent container
Scan Id Identifier for the scanning operation this failure was part of.