In ITM / Endpoint DLP, a tracked file is a file that is received on the endpoint from a supported entry point. Since currently, File Download is the only supported entry point, a tracked file is a file that is downloaded to the endpoint.
Once a file is downloaded to the endpoint, file activities, such as File Copy, File Move, File Rename, File Delete, File Soft Delete and Document Open are tracked. The file is tracked until it is exfiltrated from a supported exit point.
Once a file is downloaded, the agent will monitor the below file activities:
- File Copy
- File Move
- File Rename
- File Delete
- File Soft-Delete
- Document Open
- Any file exfiltration to an exit point (e.g., Web File Upload, Web File Sync, Print, Copy to USB, Copy to Network Drive, Send File using Airdrop)
Activities including File Copy, File Move, Document Open, and all file exfiltration to exit points are reported for non-tracked files as well, whereas File Rename, File Delete, and File Soft Delete are only reported for tracked files.
In addition, Prevention Rules can be defined based on the file’s origin—for example, the URL from which the file was downloaded.
Related Topic:
ITM / Endpoint DLP Exit Points
Last Updated: 05/14 2025