Detailed visibility into DLP alerts
I would like to see what Sophos saw that caused it to trigger a DLP alert. It would be nice to have detailed visibility on what was detected. A SS#? A PAN? A Date of Birth? That way we have concrete evidence of what was detected so we may approach the end user with solid data rather than a general name of the policy.
Same issue here - it reports a web temporary file that has gone by the time we investigate. It would be useful to see the contents of the file.
FYI - this information is included in the SMTP Proxy log in the "extra" field.
You can get these details by:
* Go to 'Logging & Reporting', 'View Log Files', 'Search Log Files'
* Select SMTP Proxy
* Search for [reason="dlp"] (without the brackets)
The log will contain info like this:
...reason="dlp" extra="CCLdateofbirth, CCLphi, CCLCombinationofpersonallyidentifiableinformationUSA, CCLCombinationofpersonallyidentifiableinformationUK"
...reason="dlp" extra="CCLSocialsecuritynumberswithqualifyingtermsUSA, CCLphi"
...reason="dlp" extra="CCLSocialsecuritynumberswithqualifyingtermsUSA, CCLphi, CCLNationalidentificationnumberswithqualifyingtermsGlobal"
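To turn those log lines into the per-rule evidence the original poster asked for, the following added example (not part of this thread or Sophos's own tooling) parses exported SMTP Proxy log text, keeps only reason="dlp" lines and tallies the rule names in the extra field. The from/to fields in the constructed sample are assumed placeholders; only reason and extra follow the format quoted above.

```python
import re
from collections import Counter

# Constructed sample in the key="value" shape quoted in the answer above.
# reason="dlp" and extra="..." match the page; from/to are assumed
# placeholder fields, not documented Sophos field names.
SAMPLE_LOG = """\
from="alice@example.com" to="bob@example.com" reason="dlp" extra="CCLdateofbirth, CCLphi, CCLCombinationofpersonallyidentifiableinformationUSA, CCLCombinationofpersonallyidentifiableinformationUK"
from="carol@example.com" to="dave@example.com" reason="spam" extra=""
from="erin@example.com" to="frank@example.com" reason="dlp" extra="CCLSocialsecuritynumberswithqualifyingtermsUSA, CCLphi"
from="grace@example.com" to="heidi@example.com" reason="dlp" extra="CCLSocialsecuritynumberswithqualifyingtermsUSA, CCLphi, CCLNationalidentificationnumberswithqualifyingtermsGlobal"
"""

# One key="value" pair; values may be empty, as in extra="".
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(KV_RE.findall(line))

def dlp_hits(log_text):
    """Yield (fields, [rule names]) for every line with reason="dlp".
    The extra field is a comma-separated list of the rules that matched."""
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if fields.get("reason") != "dlp":
            continue
        rules = [r.strip() for r in fields.get("extra", "").split(",") if r.strip()]
        yield fields, rules

def rule_counts(log_text):
    """Count how often each rule name triggered across all DLP lines."""
    counts = Counter()
    for _, rules in dlp_hits(log_text):
        counts.update(rules)
    return counts

def senders_for_rule(log_text, rule_name):
    """Senders whose messages triggered the named rule, for follow-up with the user."""
    return [f.get("from") for f, rules in dlp_hits(log_text) if rule_name in rules]

if __name__ == "__main__":
    for name, n in rule_counts(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {name}")
    print(senders_for_rule(SAMPLE_LOG, "CCLphi"))
```

Paste the lines returned by the log search into SAMPLE_LOG (or read them from a file) to get the same breakdown for real alerts.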