Does a securlet rescan update the user activity?
Article ID: 415447
Updated On:
Products
CASB Securlet SAAS
CASB Advanced Threat Protection
CASB Audit
CASB Gateway
CASB Gateway Advanced
CASB Security Advanced
CASB Security Advanced IAAS
CASB Security Premium
CASB Security Premium IAAS
CASB Security Standard
CASB Securlet IAAS
CASB Securlet SAAS With DLP-CDS
Issue/Introduction
Can the user activity type in an incident reflect that the incident was triggered by a rescan?
Resolution
User activity type is not updated during a rescan. The original activity type is preserved.
A policy violation during a rescan will record the attribute common.user.scanType with a value of _rescan.
Possible values for common.user.scanType=
"_init" - initial snapshot scan
"_incr" - incremental scan
"_rescan" - rescan
DLP 16.1 can filter for the attribute _rescan.
Feedback
Yes
No
Powered by
