File Retention

File retention lets you optionally retain copies of files where potential file exfiltration activity is detected. When file retention is enabled, if a file meets the conditions set by a prevention rule, it is retained on external cloud storage so it can be downloaded and reviewed. Files that are retained may be evidence when exfiltration of sensitive data is suspected. These files may also be useful for legal and compliance reviews.

What is supported?

Currently, Microsoft Azure Blob is supported as the external storage option.

File retention is applied on files using prevention rules. Prevention rules support conditions for:

  • Exfiltrating files to a USB.

  • Exfiltrating files to a cloud sync folder, such as Google Drive.

  • Uploading files to the Web.

  • Printing files to a local computer.

Prevention rule options for both blocking and justification can be used with file retention. For example, a prevention rule is set up that prevents an end user from exfiltrating files with employee ID numbers to any cloud sync folder that is not used by the organization. If an end user tries to upload a file with the sensitive data, one of the following could occur:

  • Blocking: the upload is blocked and the file is copied and retained.

  • Justification: the user is prompted to provide a justification for the action; the file is not blocked, but it is copied and retained.

Requirements for File Retention

To use the file retention feature, make sure the following are completed:

  • Onboard external storage: From the Integration Settings screen, onboard the cloud-based storage service where you will store information.

  • Assign Signal and Source: After onboarding external storage, you can use this storage for data export for specific/licensed sources, such as Endpoint, CASB or Email. (See Data Export.)

  • You also define:

    • Max File Size for Retention: Maximum size for a file that is retained.

    • Max Temporary Storage Size on Endpoint: Maximum amount of storage used on the endpoint to hold files before they are uploaded for retention.

    • File Retention Storage: Alias of the external storage you defined in the External Storage screen.

    • Path on External Storage for this Realm (optional): Path you specify so you can structure how files are stored. For each Agent Realm, you might have a separate path area.

  • Add a Prevention Rule and turn on the Retain the files option. When this option is selected, files that meet the criteria defined in the prevention rule are blocked and retained in external cloud storage. (See Prevention/Endpoint Rules.)

Analytics

To filter, review and analyze activities with retained files, from the Analytics applications such as the Exploration view, select Processing > Enforcement Action / Response > Retain.

An indication is displayed next to the action.


Related Topics:

Justifications

Explorations