You can view the details of a device's Endpoint Data Discovery (EDD) scan on a file-by-file basis. For each match found in a file, you can view the content that generated the match, the associated Match Score, and the expression set that was matched. This information is available from any EDD-related page that shows linked file names, such as the History report, or the EDD History tab for a device.
By default, all matched content is encrypted on the device before it is uploaded to the database using a secure connection. To further protect confidential data, content may also be redacted before it is encrypted and uploaded. Redaction refers to the masking of characters from EDD data, such as credit card numbers and US Social Security Numbers, so that only part of the number is visible in the Absolute console. Redaction occurs on a device before the content is uploaded to the database during an EDD scan. Examples of content that may be redacted:
- Credit card numbers
Redacted format: <####>************
For example, a decrypted Mastercard may show as 5491************
- US Social Security Numbers (SSN)
Redacted format: <###-#>*-****
For example, a decrypted SSN may show as 480-7*-****
NOTE Credit card numbers and SSNs are always redacted when they are discovered by the following predefined EDD rules: Credit Card Number, Social Security Number, Personal Health Information, and Personal Financial Information.
For customized EDD rules, content may or may not be redacted depending on whether the @Mask_After or @Mask_Upto operator is used in the EDD rule expressions. For example, some expression set templates use the @Mask_After operator to redact content.
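Because custom rules may or may not redact, it can help to check decrypted matched tokens against the two redacted formats above. The following Python example is an addition to this page, not Absolute's code; the function names, the 13-19 digit card range, the separator handling, and the sample tokens are assumptions made for illustration.

```python
import re

# Redacted shapes documented on this page. Assumption: cards of 13-19 digits
# keep the first four digits and mask the rest, as the 16-digit example does.
REDACTED_CARD = re.compile(r"^\d{4}\*{9,15}$")
REDACTED_SSN = re.compile(r"^\d{3}-\d\*-\*{4}$")
# Clear-text shapes (assumption: optional space or hyphen separators).
CLEAR_CARD = re.compile(r"^\d(?:[ -]?\d){12,18}$")
CLEAR_SSN = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def classify(token: str) -> str:
    """Label one decrypted matched token."""
    token = token.strip()
    if REDACTED_CARD.match(token) or REDACTED_SSN.match(token):
        return "redacted"
    if CLEAR_SSN.match(token):
        return "clear-ssn"
    if CLEAR_CARD.match(token) and luhn_ok(re.sub(r"\D", "", token)):
        return "clear-card"
    return "other"

def redact(token: str) -> str:
    """Mask a clear-text value into the redacted format shown above."""
    kind, digits = classify(token), re.sub(r"\D", "", token)
    if kind == "clear-ssn":
        return f"{digits[:3]}-{digits[3]}*-****"
    if kind == "clear-card":
        return digits[:4] + "*" * (len(digits) - 4)
    return token

def unredacted(tokens):
    """Tokens that still expose a full card number or SSN."""
    return [t for t in tokens if classify(t).startswith("clear-")]

# Constructed sample tokens (not real data); the card is a public test number.
SAMPLE = ["5491************", "480-7*-****", "4111 1111 1111 1111",
          "480-71-2345", "invoice 2024", "1234567890123456"]

if __name__ == "__main__":
    for t in unredacted(SAMPLE):
        print(f"{t!r} -> {redact(t)!r}")
```

Tokens that `unredacted` returns are the ones to follow up on: the custom rule that produced them does not mask the value before upload.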
To view the matched content detected in a file, you need to decrypt it, as described in the following task.
To view the EDD matches detected in a particular file:
- Navigate to any EDD-related page that shows linked file names in the result grid. For example, click Reports > Reporting Data.
- In the File Name column, click the name of the file you want to view. A dialog opens showing the following details near the top of the dialog:
- File path on the device
- Scan Date: the date (local device time) when a device was scanned according to an Endpoint Data Discovery policy
- File Owner
- File Type
- Reporting Status
- The information is organized into sections by policy rule. To expand a section, click its title. To collapse the section, click the title again.
To sort the information by a particular column, click the applicable column header. To reverse the sort order, click the column header again. An icon indicates whether the list is sorted in ascending or descending order.
- To submit a File Delete request to remove the file from the device, click Delete File.
- When you are finished, click OK to close the dialog.
NOTE The agent's DAR component can scan files in hidden directories. The DAR component is a lightweight software component of the Absolute agent that detects at-risk data stored on a Windows or Mac device during an EDD scan. It is deployed on a device only when the device is associated with a policy group in which the Endpoint Data Discovery policy is activated. If the file path doesn't correspond to a visible directory on the device, the subfolder may be hidden. For more information about viewing hidden folders, refer to the device's operating system documentation, or if the data is specific to a third party application, refer to third party documentation.
The following details show for each match:
The list of words, numbers, or phrases that generated a match to the defined rule
Matched tokens are encrypted. To decrypt a matched token, click its Review link. Decrypting the matched tokens is an important step in your investigation because you can evaluate each match individually to determine its level of risk and identify false positives. A false positive is a result on an EDD-related report or page in which a match is detected in a file, but upon further investigation, you do not consider the matched content to be at-risk data.
NOTE If the word OVERFLOW shows when you click a Review link, a large number of matched tokens were found in the file and the list is truncated. Only the first 128 matched tokens are available for review. The Match Score for OVERFLOW shows the number of matches that are not shown.
The Match Score associated with the matched tokens
A Match Score is a computed value indicating the number of content matches detected on a device during an Endpoint Data Discovery (EDD) scan. Depending on the context, the value shown for Match Score may apply to a file, a policy rule, or a device.
The calculation of Match Score varies depending on rule type and content type.
Shows the name and line number of the expression set that was matched for the predefined or custom rule
For example, Personal Financial Banking Terms:43 indicates that line 43 of the predefined Financial Terms expression set was matched by the content shown under Matched Tokens.
NOTE For the Credit Card Numbers expression set, the credit card type shows (for example, Visa).