Risk Level Definitions
DSPM classifies files into three risk levels:
- Low
- Medium
- High
Low
The default risk level assigned when none of the medium‑ or high‑risk conditions are met.
Medium
A file is considered Medium Risk if:
- It has sensitive content
- More than one user has write access to it
High Risk
A file is considered High Risk when any of the basic or extended conditions apply.
Basic High‑Risk Conditions
- The file is critical and is shared via an external link.
- The file contains PII and is shared via an external link.
- The file is sensitive or critical, and anyone with the link can access it.
Extended High‑Risk Conditions by Data Source
SharePoint Online and SharePoint On-Prem
Additional high‑risk conditions include:
- AIP Classification + External Link: If the file has an AIP marker based on classification tags (e.g., highly confidential, confidential, general) and is shared via an external link, it is considered high risk.
- Critical or Sensitive + Org‑Wide Sharing: If the file is critical or sensitive and is shared organization‑wide, it is considered high risk.
ChatGPT
Extended high‑risk conditions:
- External Link + Sensitivity/Criticality: Any file that is sensitive or critical and shared via an external link is considered high risk.
LDAP and SMB
Extended high‑risk conditions:
- Sensitive or Critical + Authenticated/Domain Users: If the file is sensitive or critical and accessible to authenticated users or domain users, it is considered high risk.
GOOGLE_DRIVE and ONEDRIVE
Extended high‑risk conditions:
- Sensitive or Critical + Org‑Wide Sharing: If the file is sensitive or critical and shared organization‑wide, it is considered high risk.
All other Data Sources
Additional high‑risk condition:
- If the file is sensitive, critical, and anyone with the link can access it, it is considered high risk.
Additional Notes
The sensitivity and criticality parameters depend on file content and metadata classification, and they follow the default rules unless overridden via GQL.
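The rules above, encoded as an added Python example (not DSPM's own code) so the expected level for one set of file facts can be compared across data sources. Field names and source identifiers other than GOOGLE_DRIVE and ONEDRIVE are hypothetical; the example assumes Medium requires both listed conditions, reads the "all other data sources" rule literally, and does not model GQL overrides.

```python
from dataclasses import dataclass

@dataclass
class FileFacts:
    # Hypothetical record: field names are assumptions, not DSPM's schema.
    source: str
    sensitive: bool = False
    critical: bool = False
    pii: bool = False
    aip_label: bool = False
    external_link: bool = False
    anyone_with_link: bool = False
    org_wide: bool = False
    authenticated_or_domain_users: bool = False
    writers: int = 1

# Assumption: the page does not say whether Medium needs both conditions or either.
MEDIUM_REQUIRES_BOTH = True

def basic_high(f):
    # Basic conditions apply to every data source.
    return ((f.critical or f.pii) and f.external_link) or \
           ((f.sensitive or f.critical) and f.anyone_with_link)

def extended_high(f):
    s_or_c = f.sensitive or f.critical
    if f.source in ("SHAREPOINT_ONLINE", "SHAREPOINT_ONPREM"):  # hypothetical ids
        return (f.aip_label and f.external_link) or (s_or_c and f.org_wide)
    if f.source == "CHATGPT":  # hypothetical id
        return s_or_c and f.external_link
    if f.source in ("LDAP", "SMB"):  # hypothetical ids
        return s_or_c and f.authenticated_or_domain_users
    if f.source in ("GOOGLE_DRIVE", "ONEDRIVE"):
        return s_or_c and f.org_wide
    # All other sources, read literally: sensitive AND critical AND anyone-with-link.
    return f.sensitive and f.critical and f.anyone_with_link

def risk_level(f):
    if basic_high(f) or extended_high(f):
        return "High"
    conds = (f.sensitive, f.writers > 1)
    if (all(conds) if MEDIUM_REQUIRES_BOTH else any(conds)):
        return "Medium"
    return "Low"

def compare_sources(sources, **facts):
    # Same constructed file facts, evaluated under each data source's rules.
    return {s: risk_level(FileFacts(source=s, **facts)) for s in sources}

if __name__ == "__main__":
    print(compare_sources(["CHATGPT", "GOOGLE_DRIVE", "SMB"],
                          sensitive=True, external_link=True, writers=2))
```

A sensitive file behind an external link with two writers is High only under the ChatGPT rules here; the other two sources need org-wide or authenticated-user exposure before the same file leaves Medium.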