Reviewing context matching in logs

Forcepoint ONE SSE enables you to capture 20 characters that immediately precede and follow the sensitive content match in a file.

Customers sometimes want Forcepoint ONE SSE to log the characters surrounding the content that triggered a DLP pattern policy, so that they can identify where in the file the violation occurs. When configuring a Simple Pattern, or when using any of the simple patterns that Forcepoint ONE SSE provides out of the box, admins can enable a checkbox in the data patterns object that captures the 20 characters that immediately precede and follow the sensitive content match in a file.

  • On the patterns configuration page, under the general tab, you will see a checkbox labeled Capture context around DLP matches. Check this box so that whenever this pattern is identified by any of your policies, the logs include the context around the match, making it easier for admins to find the violation and correct it in the file if necessary.


  • When reviewing logs, click into the details of the log line. Under the FileName row, you will see the characters that were logged before and after the sensitive content match.
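
The sketch below is an added example, not Forcepoint ONE SSE code. It shows what a 20-character context window around each pattern match looks like, including matches near the start or end of a file. The regular expression, the sample text, the record fields and the line/column fields are assumptions made for illustration.

```python
import re

CONTEXT_CHARS = 20  # window size stated on this page

# Constructed sample file content; the numbers are not real identifiers.
SAMPLE = (
    "SSN 000-12-3456 is the first line of this constructed file.\n"
    "Payroll note: employee record 000-98-7654\n"
)

# Hypothetical simple pattern: three digits, two digits, four digits.
SAMPLE_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"


def capture_context(text, pattern, width=CONTEXT_CHARS):
    """Return one record per match with the characters before and after it.

    The windows are clamped at the edges of the text, so a match close to
    the start or end yields fewer than `width` characters on that side.
    The matched value itself is left out of the record (a choice made in
    this example), so only the surrounding characters are kept.
    """
    records = []
    for m in re.finditer(pattern, text):
        start, end = m.span()
        line_start = text.rfind("\n", 0, start) + 1  # 0 when on line 1
        records.append({
            "before": text[max(0, start - width):start],
            "after": text[end:end + width],
            "line": text.count("\n", 0, start) + 1,
            "column": start - line_start + 1,
        })
    return records


if __name__ == "__main__":
    for rec in capture_context(SAMPLE, SAMPLE_PATTERN):
        # repr() keeps newlines and other control characters visible.
        print(f"line {rec['line']}, col {rec['column']}: "
              f"{rec['before']!r} [match] {rec['after']!r}")
```

Because the window is taken from the raw file content, it can span line breaks and can itself contain other sensitive values that sit next to the match.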