Data loss prevention data
Data loss prevention (DLP) data refers to the information generated, analyzed, or recorded by DLP solutions to monitor, detect, and prevent the unauthorized transmission, exposure, or leakage of data. Specifically, it focuses on data classified as confidential, regulated, or proprietary. DLP data captures events, alerts, and policy enforcement actions related to attempts to access, transfer, or use data in ways that violate organizational policies or regulatory requirements. It covers data in motion (network), at rest (storage), and in use (endpoint/applications).
Examples of DLP data include:
- DLP policy violation alerts: These might include the alert name, user, action, timestamp, and applicable policy
- Incident records: These might include the incident ID, type, file name, destination, user, and action
- Data discovery scan results: These might include the scan name, device name, number of files, and location
- User activity logs related to DLP events: These might include the user, action taken, document access, applicable policy, and status
- Data transfer attempt records: These might include the action attempt, user type, file name, action taken, and device ID
- DLP policy configuration and enforcement logs: These might include the applicable policy name, rule name, last updated date, and who modified the configuration
- Summary and compliance reports: These might include the report name, number of incidents, number of blocked transfers, number of users involved, and compliance status
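The record types above share a small set of fields (user, action, policy, file name, destination). As an added illustration that is not part of this page or any DLP product, the script below parses constructed key=value policy-violation alerts into those fields and derives the counts a summary/compliance report carries (incidents, blocked transfers, users involved) plus a per-policy breakdown; the key=value layout and field names are assumptions, since each DLP product exports its own schema.

```python
import re
from collections import Counter

# Constructed sample DLP policy violation alerts (key=value layout is assumed).
SAMPLE_EVENTS = [
    'time=2024-05-01T08:12:03Z alert="PCI data to USB" user=alice action=blocked policy="Cardholder data" file="cards.xlsx" dest=USB',
    'time=2024-05-01T08:15:44Z alert="PII in email" user=bob action=allowed policy="Customer PII" file="customers.csv" dest=smtp',
    'time=2024-05-01T09:02:10Z alert="PCI data to USB" user=alice action=blocked policy="Cardholder data" file="cards2.xlsx" dest=USB',
    'time=2024-05-01T09:30:00Z alert="Source code upload" user=carol action=blocked policy="Proprietary code" file="core.zip" dest=https',
]

# key=value pairs; quoted values may contain spaces (group 3), bare values may not (group 2).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one alert line into a dict of the fields a DLP alert record carries
    (timestamp, alert name, user, action, policy, file, destination)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def summarize(lines, repeat_threshold=2):
    """Derive summary-report counts from parsed alerts and flag users whose
    blocked transfers reach repeat_threshold (a constructed review rule)."""
    events = [parse_event(line) for line in lines]
    blocked = [e for e in events if e.get("action") == "blocked"]
    blocked_by_user = Counter(e.get("user") for e in blocked)
    return {
        "incidents": len(events),
        "blocked_transfers": len(blocked),
        "users_involved": len({e.get("user") for e in events}),
        "by_policy": dict(Counter(e.get("policy") for e in events)),
        "repeat_users": sorted(u for u, n in blocked_by_user.items() if n >= repeat_threshold),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(parse_event(event))
    print(summarize(SAMPLE_EVENTS))
```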
The Splunk Common Information Model (CIM) add-on contains a Data access data model with fields for monitoring shared data access user activity. It helps you detect a user's unauthorized data access, misuse, exfiltration, and more. It applies to events about users accessing data on servers that are shared by many other users. You might also be interested in data access control data.