{"id":1055,"date":"2026-04-03T11:17:36","date_gmt":"2026-04-03T03:17:36","guid":{"rendered":"https:\/\/www.nsecsoft.com\/en\/?p=1055"},"modified":"2026-04-08T16:39:52","modified_gmt":"2026-04-08T08:39:52","slug":"leaktrack-audit","status":"publish","type":"post","link":"https:\/\/www.nsecsoft.com\/en\/course\/leaktrack-audit.html","title":{"rendered":"How to Audit and Monitor Employees’ Outbound File Transfers"},"content":{"rendered":"

<\/p>\n

Employees sending files out through chat tools, browsers, mailboxes, network disks, mobile media, etc. is the most common risk scenario in enterprise data security management and the one that most requires continuous traceability. By enabling Leak Tracking<\/strong> in File Security<\/strong> through Ping32, administrators can not only grasp “who sent what files at what time and through what channels”, but can also further combine screenshots, alerts, backups and sensitive content analysis when necessary to form a more complete audit link.<\/p>\n

From the perspective of implementation strategy, it is recommended to stably enable Leak Tracking<\/strong> as a basic capability first, and then gradually add enhancements such as Leak Backup<\/strong>, Sensitive Content Analysis<\/strong>, and Browser-Based Leak Channel Analysis based on the security requirements of the enterprise. This can not only establish the outbound traceability capability as soon as possible, but also avoid overlaying too many strategies at once in the early stage and increasing debugging costs.<\/p>\n

Enable “Leak Tracking” to monitor and audit outbound files<\/strong><\/h4>\n

If the current main goal of the enterprise is to establish outbound traceability capabilities, it is recommended to complete the configuration in this section first. Once completed, administrators can view audit records of employee outbound files in Leak Tracking<\/strong> and decide whether to continue enabling backups, sensitive content identification, or more granular risk treatment based on the actual risk level.<\/p>\n

1. Click Data Security<\/strong> \u2192 Policy<\/strong> on the Ping32 Management Console to enter the data security policy settings page.<\/p>\n

2. In the data security policy settings page, click File Security<\/strong> and turn on Leak Tracking<\/strong> to monitor and audit files sent by employees.<\/p>\n

3. Click Parameter Settings<\/strong> \u2192 General Settings<\/strong> and configure the following options as needed:<\/p>\n

    \n
  • Check Take screenshots when leaks are discovered<\/strong>:<\/li>\n
  • Set the number of screenshots and the interval between screenshots<\/li>\n
  • Realize automatic screenshot auditing when employees send files out<\/li>\n
  • Check Alert when a leak is discovered<\/strong>:<\/li>\n
  • Pop-up alert to console administrator<\/li>\n
  • Can be configured to trigger when multiple files are sent out in a short period of time<\/li>\n<\/ul>\n

    \"\"<\/p>\n

    4. After the policy setting is completed, confirm the policy application endpoint.<\/p>\n

    5. After confirming the policy application endpoint, click Apply<\/strong> to start monitoring and auditing files sent by employees.<\/p>\n

    6. After the policy is issued, click Data Security<\/strong> \u2192 Leak Tracking<\/strong> to view the relevant audit records of files sent by employees.<\/p>\n

    After completing the above configuration, it is recommended to simulate an outgoing action on the test endpoint, such as sending a test file through WeChat, browser or email, and then return to Data Security<\/strong> \u2192 Leak Tracking<\/strong> to check whether the corresponding record has been generated. When verifying, you can focus on the endpoint name, outgoing route, file name, timestamp, and whether there are screenshots or alarm information to confirm that the audit link is complete and available.<\/p>\n

    Back up leaked files (optional)<\/strong><\/h4>\n

    If the enterprise not only wants to know that “outbound files have occurred”, but also wants to be able to directly retrieve the original outbound files for verification afterwards, it is recommended to further configure leak backup<\/strong>. This capability is particularly suitable for high-value positions, key project groups, or compliance scenarios where original evidence needs to be retained.<\/p>\n

    1. In the Ping32 Management Console, click Data Security<\/strong> \u2192 Policy<\/strong> \u2192 Select the corresponding policy<\/strong> \u2192 File Security<\/strong> \u2192 Leak Tracking<\/strong> \u2192 Parameter Settings<\/strong><\/p>\n

    2. Click Leak Backup<\/strong> \u2192 Add<\/strong> to configure the backup of leaked files when a leak is triggered:<\/p>\n

    3. Configure backup settings in the pop-up window, with descriptions of configuration items.<\/p>\n

    \"\"<\/p>\n

    Outsourcing channels<\/p>\n

      \n
    • The default is All ways<\/strong>, that is, files sent out through any means will be backed up.<\/li>\n
    • Can be configured to specify leakage channels<\/strong> and support setting custom programs<\/strong><\/li>\n<\/ul>\n

      rule<\/p>\n

        \n
      • Default is All files<\/strong><\/li>\n
      • Can be configured as compound rules, supporting:<\/li>\n
      • Specify file type<\/strong><\/li>\n
      • Specify file size<\/strong> range<\/li>\n<\/ul>\n

        operate<\/p>\n

          \n
        • The default operation is Backup<\/strong>. If you want to set the specified program not to perform file backup, select No backup.<\/li>\n
        • Network path<\/li>\n
        • The default operation is No backup<\/strong>. If you want to set up backup of network drive files, select Backup<\/li>\n
        • Remark<\/li>\n
        • Fill in the remark information of this entry (to distinguish it from other entries)<\/li>\n<\/ul>\n

          When planning Leakage Backup<\/strong>, it is recommended not to simply back up all outbound behaviors indiscriminately, but rather to make refined configurations based on outbound channels<\/strong>, rules<\/strong> and key positions. This can not only reduce the storage pressure caused by invalid backups, but also help administrators quickly focus on high-risk files that really need to be retained.<\/p>\n

          Analyze whether the document contains sensitive content (optional)<\/strong><\/h4>\n

          For companies with a large number of outbound documents and high costs of manual screening one by one, Sensitive Content Analysis<\/strong> can further improve audit efficiency. Administrators can use data classification<\/strong> to identify whether files contain specific sensitive words, sensitive fields, or business classification content, thereby upgrading outbound auditing from “seeing outbound content” to “identifying outbound content risks.”<\/p>\n

          1. In the Ping32 Management Console, click Data Security<\/strong> \u2192 Policy<\/strong> \u2192 Select the corresponding policy<\/strong> \u2192 File Security<\/strong> \u2192 Leak Tracking<\/strong> \u2192 Parameter Settings<\/strong><\/p>\n

          2. Click Sensitive Content Analysis<\/strong> and check Sensitive Content<\/strong> to enable sensitive content analysis. Support<\/p>\n

            \n
          • Intelligent analysis
            \nThis mode will analyze based on conditions such as system resource usage and whether it is idle.<\/li>\n
          • Real-time analysis
            \nIn this mode, the file content will be analyzed in real time.<\/li>\n<\/ul>\n

            \"\"<\/p>\n

            3. Select the sensitive words to be analyzed from the data categories below<\/p>\n

            Optional configuration:<\/p>\n

              \n
            • Only audit records containing sensitive content<\/li>\n
            • Instantly back up files containing sensitive content<\/li>\n<\/ul>\n

              If an enterprise wants to reduce the audit interference caused by ordinary files, it can first enable “Audit only records containing sensitive content”; if it also wants to retain the original evidence when sensitive content is hit, it can also check “Immediately back up files containing sensitive content”. This type of combination configuration is more suitable for high-risk data governance scenarios.<\/p>\n

              Enable browser leakage channel analysis (optional)<\/strong><\/h4>\n

              Ping32 leak tracking supports domain name analysis for browser leak behaviors, allowing for more refined processing of leak behaviors.<\/p>\n

              Enable \u201cAI Pro Service\u201d<\/strong><\/p>\n

              Click System Settings<\/strong> \u2192 Advanced Settings<\/strong> in the Ping32 Management Console.Start AI Pro service.<\/strong>Click Apply<\/strong><\/p>\n

              Enable the “intelligent analysis of leakage applications” strategy<\/strong><\/p>\n

              1. Enable the Leak Tracking<\/strong> policy<\/p>\n

              2. Click Other<\/strong> on the leak tracking policy setting interface<\/p>\n

              3. Open the Smart Leak Analysis Application<\/strong><\/p>\n

              4. Click OK<\/strong> \u2192 Click Apply<\/strong><\/p>\n

              Check the effect<\/strong><\/p>\n

              After the policy is issued, click Data Security<\/strong> \u2192 Leakage Tracking<\/strong> to view the audit records.Example: When the endpoint logs in to QQ mailbox through a browser to send files, the leakage channel will be displayed as QQ mailbox<\/strong> instead of only the browser (such as Edge).In the detailed information of the leakage channel, you can view:<\/p>\n

                \n
              • Leak software: such as Edge browser<\/li>\n
              • Leakage method: such as QQ mailbox<\/li>\n<\/ul>\n

                \"\"<\/p>\n

                Through the above method, the leakage path can be more refined and help managers accurately understand how users leak secrets.<\/p>\n

                Implementation suggestions and common ideas<\/strong><\/h4>\n
                  \n
                • If an enterprise has just started to build an outsourced audit system, it is recommended to enable Leak Tracking<\/strong> first, and then gradually enable Leak Backup<\/strong> and Sensitive Content Analysis<\/strong> after confirming that the audit records are stably generated.<\/li>\n
                • For high-risk positions, it is recommended to enable Screenshot when a leak is discovered<\/strong> and Alarm when a leak is discovered<\/strong> at the same time to improve the efficiency of incident discovery and the completeness of the review.<\/li>\n
                • For browser outgoing scenarios, it is recommended to combine AI Pro Service<\/strong> and Intelligent Analysis Leakage Application<\/strong> to avoid recording only staying at the browser process level without specific outgoing method information.<\/li>\n
                • Before the outbound audit strategy is officially distributed on a large scale, it is recommended to conduct verification on different outbound channels to ensure that the audit, backup, alarm and sensitive content identification results are consistent with expectations.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

                  Employees sending files out through chat tools, browser […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[69],"class_list":["post-1055","post","type-post","status-publish","format-standard","hentry","category-course","tag-kb-type-guide"],"_links":{"self":[{"href":"https:\/\/www.nsecsoft.com\/en\/wp-json\/wp\/v2\/posts\/1055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nsecsoft.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nsecsoft.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nsecsoft.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nsecsoft.com\/en\/wp-json\/wp\/v2\/comments?post=1055"}],"version-history":[{"count":2,"href":"https:\/\/www.nsecsoft.com\/en\/wp-json\/wp\/v2\/posts\/1055\/revisions"}],"predecessor-version":[{"id":1137,"href":"https:\/\/www.nsecsoft.com\/en\/wp-json\/wp\/v2\/posts\/1055\/revisions\/1137"}],"wp:attachment":[{"href":"https:\/\/www.nsecsoft.com\/en\/wp-json\/wp\/v2\/media?parent=1055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nsecsoft.com\/en\/wp-json\/wp\/v2\/categories?post=1055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nsecsoft.com\/en\/wp-json\/wp\/v2\/tags?post=1055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}