Viewing a device's sensitive file content

System requirements

The Endpoint Data Discovery page applies only to Windows and Mac devices with an active Endpoint Data Discovery policy.

Accessing information about a device's sensitive file content

To view sensitive file content:

On any page that shows linked device identifiers in the first column of the results grid, such as the All Devices page in the Devices area, click the link for the device that you want to view. Summarized information about the device shows in the page header.
Click EDD Summary. The page opens to show two tabs:
- Summary
- Scan history and status

In the following scenarios, a warning banner may show:

The most recent EDD scan on the device was stopped due to an excessive number of detected matches. Excessive matches may occur if the EDD policy assigned to the device includes one or more customized EDD rules and the rules' expressions are detecting more content than expected. Alternatively, a large number of sensitive files may reside on the device. To find the root cause, we recommend that you review the EDD policy configuration and investigate the matches detected on the device.
The device has been moved to another policy group, or its EDD policy rules have been updated. These changes are not reflected in the information on the EDD Summary page until after the next scan.
The device's EDD policy has been deactivated.

Summary tab

On the Summary tab, you can view a summary of the matches detected on a device during the last EDD scan The Secure Endpoint Agent process that opens and analyzes files on a device's hard drive to identify confidential or at-risk content, as defined in an Endpoint Data Discovery policy. See also DAR component..

The page shows information about the files where sensitive or confidential content was detected. For those files that require further investigation, you can view more detailed EDD information, which allows you to evaluate each match individually to identify false positive A result on an EDD-related report or page in which a match is detected in a file, but upon further investigation, you do not consider the matched content to be at-risk data.s and determine a device's level of risk.

After you activate an EDD policy on a device, it may take several days before data is available on the Summary tab. The data includes information collected during the last full EDD scan of the device and all subsequent delta scans. EDD scans can take between a few hours and a few days to complete. If a scan is in progress when you view this page, data from that scan is not included.

To see the results of the last EDD scan:

Click the Summary tab. Information is displayed in a sidebar, a report, and the page footer.

Sidebar information:
The following information shows in the sidebar:
- Total match score: the total matches detected on the device for all applicable EDD rules during the most recent EDD scan. A higher value may indicate that an unacceptable amount of sensitive or confidential file content is stored on the device.
- Rule: the total match score for each EDD rule included in the device's EDD policy

Report information:

The information on this page is organized in the following columns:

Column	Description
File name	File name of the file To view details about all detected matches in the file, click the linked file name. You can't view additional details about Unscannable files.
Match score	Computed value indicating the number of matches detected in the file for the associated policy rule The calculation of Match Score varies depending on rule type and content type.
Rule	Name of the predefined or customized EDD rule for which a match was detected If Unscannable shows, the file was not scanned due to a lack of system resources at the time of the EDD scan.
File path	The full file path of the file on the device
File type	Internet Media Type Similar to a MIME type, an Internet Media Type is a standard identifier to indicate the type of content contained in a file on the Internet. The format of the identifier is type name/subtype name (for example, application/zip or text/plain). of the file
File owner	Name of the user who controls permissions on the file By default, the file owner is the user who created the file.

Footer information:
The following summary information shows in the page footer:
- Total file count
- Total match score: the total matches detected on the device for all applicable EDD rules during the most recent EDD scan. A higher value may indicate that an unacceptable amount of sensitive data is stored on the device.
- Last scan date: the date when the most recent EDD scan was completed on the device

To filter the information by EDD rule, do one of the following:
- Under Rule on the sidebar, click each EDD rule you want to filter by
- Click the Rule filter and select one or more EDD rules. Click outside the filter to apply your changes. To filter by match score, click and add a filter.
The results are sorted by Match Score, in descending order. To sort the results by another column, click the applicable column header. To reverse the sort order, click the column header again. An icon indicates whether the list is sorted in ascending or descending order.
To add or remove columns, click > Edit columns. You can add the following columns to the page:
- File accessed
- File created
- File extension
- File match status
- File modified
- Scan date
To view details about all detected matches in a file, click the linked file name.
To export the page to a report, click (Export) on the page's action toolbar. Any applied filters are reflected in the exported report. Note that the following columns are automatically included in the exported report: Scan date, Device name, Serial number, and Identifier.
To save the page as a new report, click (Save as) on the page's action toolbar. Any applied filters are reflected in the saved report.The new report is added to My Reports view of the Reports page and to the Data Visibility report category.
To delete a file from the device:
1. Click the file's file name.
2. In the dialog that opens, click Delete file from this device and submit a File Delete request.

Scan history and status tab

On the Scan history and status tab, you can view a history of the files where matches were detected during an EDD scan The Secure Endpoint Agent process that opens and analyzes files on a device's hard drive to identify confidential or at-risk content, as defined in an Endpoint Data Discovery policy. See also DAR component..

After an EDD policy is activated on a device, it may take up to two days before data is available on the Scan history and status tab.

To view the results of the last two full EDD scans:

Open the EDD Summary page and click Scan history and status. Information is displayed in a sidebar, a report, and the page footer.

Sidebar information:
The following information shows in the sidebar:
- Scan history: The date of each full or delta scan performed on the device, including scheduled scans and scans resulting from a Perform EDD scan request.
  A device's scan history is limited to the last two full EDD scans of the device's hard drive and all subsequent delta scans. If a scan is in progress on the device when you run the report, any data collected up to that point is available.
- Scan status: shows details about any in-progress scan and the scan schedule
  If a scan is in progress, this section shows:
  - The scan type (delta or full)
  - The configured scan schedule for the scan type
  - The percentage of file data scanned relative to the total data size (for example (12% of 179 GB), and the date and time the scan status was last uploaded to the Secure Endpoint Console
  It also shows the scheduled date of the next delta and full scans.

Report information:

The information on this page is organized in the following columns:

Column	Description
File Name	File name of the file To view details about all detected matches in the file, and the file path on the device, click the file name. You can't view additional details about Unscannable files.
Match Score	Computed value indicating the number of matches detected in the file for the associated policy rule The calculation of Match Score varies depending on rule type and content type.
Rule	Name of the predefined or customized EDD rule for which a match was detected If Unscannable shows, the file was not scanned due to a lack of system resources at the time of the EDD scan.
File Type	Internet Media Type Similar to a MIME type, an Internet Media Type is a standard identifier to indicate the type of content contained in a file on the Internet. The format of the identifier is type name/subtype name (for example, application/zip or text/plain). of the file
File Path	The full file path of the file on the device
File Owner	Name of the user who controls permissions on the file. By default, the file owner is the user who created the file
File Created	Local date and time when the file was created
File Modified	Local date and time when the file was last edited

Footer information:
The following summary information shows in the page footer:
- Total file count
- Total match score: the total matches detected on the device for all applicable EDD rules during the selected EDD scan. A higher value may indicate that an unacceptable amount of sensitive data is stored on the device.
- Last scan date: the date when the most recent EDD scan was completed on the device

On the sidebar under Scan history, click the scan date you want to view.
To view details about all detected matches in a file, click the linked file name.
To delete a file from the device:
1. Click the file's file name.
2. In the dialog that opens, click Delete file from this device and submit a File Delete request.