Inspection Policies
The Inspection Policies tab displays all the policies configured for content inspection or content capture. On this tab, you can add, view, edit, duplicate, delete, and enable or disable policies.
Policy Table Fields and Values
The policies table displays the following fields:
| Field | Description |
|---|---|
| Enabled | Use the toggle to enable or disable policies. When a policy is disabled, it will not be triggered during a user action, and content inspection or capture will not occur. You can sort and filter in this column. |
| Policy name | The policy name. You can sort and search in this column. |
| Inspect content | Indicates whether content inspection is enabled for the policy. When enabled and an event matches the policy criteria, the system analyzes the content using content inspection engines to identify matches against attributes selected in your datasets, such as Content Identifiers, Exact Data Match (EDM) rules, and Document Tags. This process primarily occurs in the Cyberhaven cloud, with some limited inspection on the endpoint. You can sort and filter in this column. |
| Capture content | Indicates whether content capture is enabled for the policy. If enabled and an event matches the policy criteria, a copy of the data's content is sent to a customer-controlled cloud storage destination. This capability can be configured independently of enabling content inspection for the policy. You can sort and filter in this column. |
| Last modified | Date and time the policy was last modified. You can sort, filter, and search in this column. |
| Created | Date and time the policy was created. You can sort, filter, and search in this column. |
| Datasets | The datasets added to the policy. Hovering over a number in this column will display the remaining datasets. You can filter and search in this column. |
| Actions | Actions available for the policy (details, duplicate, disable/enable, delete). |
The table also includes a default policy that triggers content inspection and capture based on specific user actions. This policy is always enabled and cannot be modified.
Note: You cannot disable the default content inspection policy.
Performance Panel Functionality
The Performance Panel shows you the performance metrics for a policy based on the events from the last 7 days.
When you edit a policy, the Performance Panel updates dynamically to show a real-time comparison of how your changes would affect event matching on past events.
The metrics include:
- Events: The number of events that match the policy. The Open Events link redirects you to the Events page of Risks Overview to display the list of events that match the policy.
- Locations: The number of locations that match the policy. In Edit mode, the preview window displays "Added" or "Removed" tags to highlight any changes.
- Users: The number of users that match the policy. In Edit mode, this window displays "Added" or "Removed" tags to highlight any changes.
- Datasets: The datasets associated with the policy that have matching events.
Policy Update Behavior
When you edit an Inspection Policy, the changes take effect immediately on new events. Inspection policies do not reprocess past events after you save: the event count in the Console stays the same, and only new events are evaluated against the updated policy definition.