File operations
File Operations trigger in DLP policies
The File operations trigger in DLP policies allows monitoring of user actions on files and directories in selected locations. It enables precise specification of the conditions that must be met for the system to execute the appropriate rule. This feature supports effective protection of organizational data against unauthorized access, modification, or deletion.
When monitoring operations on a file containing specific content or marked with an invisible tag, it is possible to track activity related to the file regardless of its location, extension, etc. This enables monitoring to function even when the file is moved, copied, or edited.

To configure monitoring, first go to Document tagging.
Types of file operations
The system enables monitoring and control of the following operations:
Creation: Detecting creation of new files.
Deletion: Monitoring attempts to delete files.
Open: Monitoring and logging of file open events, also within a defined process.
Rename/move: Monitoring changes to file names or locations.
Write: Tracking changes saved within files.
Configuration fields

Path mask / Excluded path mask
Path mask: Defines the locations in which operations will be monitored.
Examples:
H:\desktop\test or H:\*.
Excluded path mask: Excludes specified locations from monitoring.
Example: for the mask H:\*, the exclusion may be H:\desktop\test.
File mask / Excluded file mask
File mask: Specifies the files to be included in monitoring.
Examples:
invoice.pdf, invoice*.pdf, *.txt, *.jpg.
Excluded file mask: Excludes specific files from monitoring.
Example: for the mask *.jpg, the exclusion test.jpg will cause all JPG files except test.jpg to be considered.
Applies to media
The multi-select field allows specification of media on which operations are to be monitored:
Local drive
External drive
USB flash drive
Network share
Additional option for USB flash drives:
Selecting USB flash drives unlocks configuration of USB device groups:
USB device groups: A dropdown list initially containing the value “All”. Groups are created from the list of previously detected USB devices.
Process mask / Excluded process mask
Works analogously to file and path masks:
Process mask: Specifies processes to be included, e.g. chrome.exe, *.exe.
Excluded process mask: Excludes specified processes, e.g. for the mask *.exe, the exclusion chrome.exe.
A multi-select field available after tags have been created in the system.
Allows restricting the DLP rule to files that have a specific tag (e.g., classification).
Example: It is possible to set the mask * (all locations and files), making the only condition for the policy to apply the assignment of a tag to the file.

Practical application
Example:
The rule applies to:
Operations: Open.
Locations: User desktop.
File types: Text files (.txt).
Media: Local drive.
Process: Word.exe.
Result: The DLP policy will be applied to .txt files located on the local drive in the “Desktop” directory, opened exclusively with Word.
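The following is an added example, not the product's own code. It is a small model for checking, before a rule is deployed, which file events a combination of masks and exclusions would cover. The matching semantics are assumptions: masks are case-insensitive, * matches any characters, a path mask covers the directory and everything below it, and an exclusion always wins. The Rule class, the desktop path C:\Users\*\Desktop and the media assigned to H: are constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ntpath import split as split_windows_path


def _any(value, masks):
    """Case-insensitive wildcard match of value against any of the masks."""
    return any(fnmatchcase(value.lower(), m.lower()) for m in masks)


def _dir_any(directory, masks):
    """Assumed: a path mask covers the directory itself and all subdirectories."""
    return any(_any(directory, [m, m.rstrip("\\") + "\\*"]) for m in masks)


@dataclass
class Rule:  # hypothetical model of one File operations trigger
    operations: set
    media: set
    path_masks: list
    file_masks: list
    process_masks: list
    excluded_path_masks: list = field(default_factory=list)
    excluded_file_masks: list = field(default_factory=list)
    excluded_process_masks: list = field(default_factory=list)

    def matches(self, operation, medium, full_path, process):
        directory, name = split_windows_path(full_path)
        if operation not in self.operations or medium not in self.media:
            return False
        # Assumed precedence: any exclusion hit takes the event out of scope.
        if (_dir_any(directory, self.excluded_path_masks)
                or _any(name, self.excluded_file_masks)
                or _any(process, self.excluded_process_masks)):
            return False
        return (_dir_any(directory, self.path_masks)
                and _any(name, self.file_masks)
                and _any(process, self.process_masks))


# The "Practical application" rule; the desktop path mask is constructed.
RULE_DESKTOP = Rule({"open"}, {"local drive"},
                    [r"C:\Users\*\Desktop"], ["*.txt"], ["Word.exe"])
# The page's mask/exclusion examples combined; operations and media are constructed.
RULE_H = Rule({"write", "deletion"}, {"network share"},
              [r"H:\*"], ["*.jpg"], ["*.exe"],
              excluded_path_masks=[r"H:\desktop\test"],
              excluded_file_masks=["test.jpg"],
              excluded_process_masks=["chrome.exe"])
```

Running candidate events through matches() shows, for instance, that the exclusion H:\desktop\test does not cover a sibling directory such as H:\desktop\testing under these assumptions.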
Summary
The File operations trigger allows detailed monitoring and management of access to files in selected locations, on specified media, and when using selected processes. Thanks to flexible configuration of fields, it is possible to precisely tailor DLP rules to the specific requirements of the organization.