Verifying a Rule or Condition Against Past Activity

This topic is for ITM / Endpoint DLP rules only.

When creating a rule or condition, you can verify it against past activity. This gives you another way to filter activities when you are managing your rules and conditions. You can then review them in Data Security Workbench - Explorations. You can also use this to test a rule or condition to help you determine if it will be useful.

For example, suppose you create a rule that alerts when a non-tracked file is exfiltrated to a USB device.

From Proofpoint Data Security & Posture, select the Administration app. Select Policies > Rules and select the rule you want to edit. (See ITM / Endpoint DLP Rules.)

Click the rule and review the details. You see that this behavior has been detected in 150 activities in the past 7 days.

You can change the time to 30 days to see how long this type of exfiltration has been happening. You see there were only 4 additional activities, so you might conclude that most of the activity occurred in the past 7 days and set up your rule for that time period.

Now you can click the activities link and review the activity in Data Security Workbench - Explorations.


Related Topic:

ITM / Endpoint DLP Rules