
Forcepoint DLP Discovery — Finding & Remediating Data at Rest

Discovery is how Forcepoint finds the sensitive files you forgot you had — PAN, bank details and contracts sitting on old shares, in SharePoint, in databases, on laptops and in the cloud. This lesson maps the crawler, the endpoint agent and cloud discovery, shows how file filters keep big scans fast, and walks the full remediation path from audit to quarantine, encrypt, label and unshare.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live scan demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Forcepoint DLP Discovery (2026): how the crawler scans network shares, SharePoint, Exchange, Domino, databases and PSTs, how the DLP Endpoint agent scans laptops offline, and how cloud discovery covers SaaS — plus file filters for incremental scans, fingerprinting and the full remediation path from audit to quarantine, encrypt, label and unshare.

🎯 By the end you will be able to

1. What discovery is: scan data at rest, classify, then act on it.
2. Choosing targets: network, endpoint and cloud discovery types.
3. Filters & scheduling: type, size and age filters; incremental scans.
4. Remediation: audit to quarantine, encrypt, label, unshare.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What kind of data does Discovery inspect?

Answered in What discovery is.

2. Which component scans network file shares?

Answered in Choosing targets.

3. How do you avoid re-scanning millions of unchanged files nightly?

Answered in Filters & scheduling.

Most engineers think…

Most people assume DLP only watches data leaving — email, web uploads, USB. That misses the biggest pile of risk: the sensitive files already sitting on old shares, in SharePoint, in databases and on laptops, often with wide-open permissions.

Forcepoint DLP Discovery is how you find and clean that up. It scans data at rest, classifies it with the same policies as inline DLP, and optionally acts on it. The on-prem crawler handles network targets and fingerprinting, the DLP Endpoint agent scans laptops even offline, and cloud discovery covers sanctioned SaaS. File filters keep scans incremental, and an action plan — audit, label, encrypt, quarantine, unshare or a remediation script — turns a finding into a fix.

① What 'data at rest' discovery is — and why it matters

Inline DLP watches data that is moving or being used right now. Discovery is the other half: it goes looking for sensitive content that is just sitting there — old project exports on a file share, customer records in a database, a PST full of contracts on a laptop. The job is three steps: scan the data at rest, classify it against your policies, and optionally enforce an action on what breaches.

Why it matters: stale, forgotten sensitive files are where breaches come from. A spreadsheet of PAN and bank details on an openly-shared folder is a quiet liability until Discovery flags it. Two components do the work: the on-prem crawler performs network discovery, and Forcepoint DLP Endpoint performs endpoint discovery — and crucially, Discovery reuses the same classifiers and fingerprints as inline DLP, so you are not re-authoring policy.

Figure 1 — The discovery loop — scan, classify, decide, act, report. Every Forcepoint discovery task runs the same loop against data at rest using the same central policy: Scan (data at rest) → Classify (regex / EDM / PreciseID) → Decide (match vs policy) → Act (audit / quarantine) → Report (incident + forensics).

Figure 2 — Discovery vs inline DLP. Inline DLP watches data moving or in use; discovery finds what is already sitting at rest: data in motion (inline DLP: email, web, cloud leaving now), data in use (endpoint agent: USB, print, clipboard), data at rest (Discovery: shares, DBs, SharePoint, endpoints, cloud).
Quick check · Q1 of 10 · Understand

Forcepoint DLP Discovery is best described as…

Correct: c. Discovery is the three-step job on data at rest: scan stored data, classify it against the same policies as inline DLP, and optionally enforce an action via an action plan.
👉 So far: Discovery = scan data at rest + classify with the same policies as inline DLP + optionally act. The crawler does network, the DLP Endpoint agent does endpoints (even offline).

② Choosing targets — network, endpoint and cloud

There are three flavours of discovery, each with its own task wizard. Network discovery is run by the crawler and reaches file shares, SharePoint (on-prem and online), Exchange (on-prem and online), IBM Domino servers, databases (SQL Server, Oracle, etc.) and Outlook PST files. Endpoint discovery uses the DLP Endpoint agent to scan local drives on managed Windows and macOS devices — even offline, with no server connection needed. Cloud discovery scans sanctioned SaaS such as Office 365 / SharePoint Online, OneDrive and Box.

What each target needs

Each network task takes targets, credentials, file filters, classifiers and a schedule. Cloud discovery has prerequisites you must name: the Cloud Applications license, the DLP Cloud Applications service connected, and the apps defined in the Forcepoint CASB portal. You build all of these under Policy Management ▸ Discovery Policies.

Figure 3 — Three discovery types, one policy. Network, endpoint and cloud discovery all classify with the same policies and fingerprints: one Discovery policy set with the same classifiers feeds file shares, SharePoint, Exchange / Domino, databases, endpoint (offline) and cloud / CASB scans.
Crawler
The on-prem agent that performs network discovery and fingerprinting scans. Add standalone crawler instances to parallelise large scans.

DLP Endpoint discovery
The endpoint agent scans local drives on managed Windows/macOS devices — even offline — and syncs incidents back when reconnected.

PreciseID Files / Database
Fingerprinting for discovery: Files covers files, directories and SharePoint; Database covers tables, views and CSVs. Only partial hashes are stored.

Action plan
What fires on a match — audit, label, encrypt, copy, move/quarantine, unshare or run a Python remediation script fed the incident as XML.

Match the target to the right discovery type

Network targets (shares, SharePoint, Exchange, Domino, databases, PST) go to the crawler; laptops and desktops — including off-network ones — go to endpoint discovery; sanctioned SaaS goes to cloud discovery, which needs the Cloud Applications license and a connected CASB service.

Quick check · Q2 of 10 · Remember

Which component performs network discovery of file shares, SharePoint and databases?

Correct: a. The crawler is the on-prem network discovery and fingerprinting agent. The DLP Endpoint agent does endpoint discovery; cloud discovery uses the CASB service.
👉 So far: Three discovery types: network (crawler — shares, SharePoint, Exchange, Domino, DBs, PST), endpoint (agent, offline-capable), and cloud (CASB — needs the Cloud Applications service connected).

③ Scheduling, file filters and incremental scans

A naive scan of a multi-terabyte share every night is a non-starter. File Filtering is how you scope a task so it only touches relevant, changed data. Filter by type (e.g. *.doc;*.xls;*.pdf, with an Except list), by size (larger or smaller than X), and by age (Within a period, More than N months old, or a From…To date range) — so re-scans only re-read recently modified files.
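To make those filter semantics concrete, here is an added example (my own model, not Forcepoint's code) of a scope predicate implementing the type include/except, size and age rules above; the FileFilter and FileMeta names, the 30-day month approximation and the sample share listing are assumptions.

```python
# Added example (not Forcepoint code): a model of the File Filtering scope
# described above: type include/except lists, a size bound, and one age rule.
from dataclasses import dataclass
from datetime import date, timedelta
from fnmatch import fnmatch
from typing import List, Optional

@dataclass
class FileMeta:                              # constructed stand-in for a share listing
    path: str
    size_bytes: int
    modified: date

@dataclass
class FileFilter:
    include_types: str = "*"                 # e.g. "*.xls;*.csv;*.pdf"
    except_types: str = ""                   # Except list, same syntax
    min_bytes: Optional[int] = None          # "larger than X"
    max_bytes: Optional[int] = None          # "smaller than X"
    within_days: Optional[int] = None        # "Within a period"
    older_than_months: Optional[int] = None  # "More than N months old" (30-day months assumed)
    date_from: Optional[date] = None         # "From...To" range
    date_to: Optional[date] = None

    @staticmethod
    def _matches(name: str, patterns: str) -> bool:
        return any(fnmatch(name.lower(), p.strip().lower())
                   for p in patterns.split(";") if p.strip())

    def in_scope(self, f: FileMeta, today: date) -> bool:
        name = f.path.replace("\\", "/").rsplit("/", 1)[-1]
        age = today - f.modified
        rejected = [
            not self._matches(name, self.include_types),
            bool(self.except_types) and self._matches(name, self.except_types),
            self.min_bytes is not None and f.size_bytes <= self.min_bytes,
            self.max_bytes is not None and f.size_bytes >= self.max_bytes,
            self.within_days is not None and age > timedelta(days=self.within_days),
            self.older_than_months is not None
            and age < timedelta(days=30 * self.older_than_months),
            self.date_from is not None and f.modified < self.date_from,
            self.date_to is not None and f.modified > self.date_to,
        ]
        return not any(rejected)

def scope_scan(files: List[FileMeta], flt: FileFilter, today: date) -> List[str]:
    """Paths a crawler pass would actually read under this filter."""
    return [f.path for f in files if flt.in_scope(f, today)]

# Constructed sample listing of \\fileserv01\projects (not real data).
SAMPLE_SHARE = [
    FileMeta(r"\\fileserv01\projects\q1\customers.xls", 400_000, date(2026, 6, 15)),
    FileMeta(r"\\fileserv01\projects\q1\exports.csv", 12_000, date(2026, 6, 17)),
    FileMeta(r"\\fileserv01\projects\old\archive.pdf", 9_000_000, date(2024, 1, 10)),
    FileMeta(r"\\fileserv01\projects\q1\notes.docx", 30_000, date(2026, 6, 16)),
    FileMeta(r"\\fileserv01\projects\q1\tmp.csv", 50, date(2026, 6, 18)),
]
# Nightly incremental pass: page's types only, skip scratch/tiny files, last 7 days.
INCREMENTAL = FileFilter("*.xls;*.csv;*.pdf", "tmp.*", min_bytes=1_024, within_days=7)
```

Run against the sample listing on 2026-06-18, INCREMENTAL reads only customers.xls and exports.csv; the old archive.pdf, the .docx and the excepted tmp.csv are skipped.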

Full-scan triggers and timestamps

On the endpoint Advanced page you also choose when a full scan fires: Only on policy update, On policy update or fingerprinting classifier update, or Always. Enable Preserve original access time so the scan does not change a file's last-accessed timestamp and mislead backup or archiving tools. For precision, Discovery can use fingerprinting: PreciseID Files fingerprints files, directories and SharePoint, while PreciseID Database fingerprints DB tables, views and CSVs — and only partial hashes are stored, never the original data.

Figure 4 — Full scan vs incremental scan. Use file filters and triggers so big repositories re-scan only what actually changed. Full scan: reads every file in scope; triggered on policy/fingerprint update; slow on large shares; needed for the first baseline. Incremental (filtered): age filter (Within last N days), type filter (*.xls;*.csv;*.pdf), size filter (skip huge/tiny files), Preserve original access time.
'Just full-scan everything nightly' kills performance

A nightly full scan of a multi-terabyte share will never finish and will hammer the server. Use File Filtering by type, size and age, set full scans to run only on policy/fingerprint update, and enable Preserve original access time so backups aren't misled.

▶ Watch a discovery scan find and quarantine a PAN spreadsheet

How one File System discovery task scans a share end-to-end, on the healthy path:

① Scan: the crawler reads files on \\fileserv01\projects, filtered to *.xls;*.csv;*.pdf changed in the last 7 days.
② Classify: each file is passed to the classifiers; a PreciseID/PII match finds real customer PAN and bank records.
③ Incident: a discovery incident is raised in the Security Manager with the file path, owner and matched content.
④ Remediate: the action plan runs a remediation script; the file is moved to \\quarantine and a tombstone note is left.
Quick check · Q3 of 10 · Apply

You must avoid re-scanning millions of unchanged files every night on a huge share. What do you use?

Correct: b. File Filtering by age (Within / More than / From-To), type and size, with full scans set to run only on policy/fingerprint update, scopes re-scans to changed data.
👉 So far: File Filtering by type, size and age plus full-scan triggers keeps re-scans incremental; PreciseID Files/Database fingerprint for precision and store only partial hashes.

④ Remediation — from audit to action, done safely

Finding a breach is half the job; the action plan decides what happens next. The safe default is audit only — log the incident and review it in Reporting ▸ Discovery. From there actions escalate: apply a file label (Microsoft Information Protection or Boldon James), encrypt or apply rights/DRM, copy, move/quarantine (often leaving a tombstone note), or delete.

Cloud actions and scripts

Cloud remediation offers Permit, Safe copy, Quarantine, Quarantine with note, Unshare external and Unshare all. For network and endpoint, you Run a remediation script — a Python script that receives each incident as an XML file and performs the copy/move/encrypt/delete/notify logic. Endpoints need the Python language interpreter installed to run scripts. The failure mode everyone hits is jumping straight to delete or quarantine before reviewing in audit — you destroy or hide files that turn out to be false positives.

Figure 5 — From finding to fix. A discovery match becomes an incident, then an action plan escalates from audit to a real remediation: Match (breaches a policy) → Incident (raised in FSM) → Audit (review in Reporting) → Remediate (label/encrypt/quarantine) → Verify (re-scan, zero new hits).

Arjun Mehta, infosec lead at Northstar Analytics, Pune, faces this

An internal audit finds spreadsheets full of customer PAN and bank details sitting on an old, openly-shared \\fileserv01\projects file share.

Likely cause

Years of project hand-offs dumped sensitive exports onto a legacy file share with broad permissions and no scanning.

Diagnosis

In Security Manager he creates a File System Discovery task pointed at the share, attaches his PII/financial classifiers, and on File Filtering scopes it to *.xls;*.csv;*.pdf — then reviews the hits.

Where: Main ▸ Policy Management ▸ Discovery Policies ▸ Network, and Main ▸ Reporting ▸ Discovery.

Fix

He sets the action plan to Run remediation script, moving breaching files to a locked \\quarantine folder with a tombstone note, and applies a rights/encryption action to live working files; he also tightens the share permissions.

Verify

A re-run with an age = Within last 7 days filter shows zero new breaches, and a planted test file with a fake PAN is correctly quarantined.

Audit before you destroy

Never set a brand-new discovery task straight to delete or quarantine. Run it in audit, review the real hits in Reporting ▸ Discovery, then escalate to label/encrypt/quarantine for genuine breaches — and re-scan to confirm zero new hits.
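As an added example (my own code, not Forcepoint's script, and not its real incident export schema), here is a minimal remediation script of the kind the "Run remediation script" action feeds with incident XML: it defaults to audit, and only in quarantine mode moves the file and leaves a tombstone note, as in the fix above. The <incident>/<policy>/<files>/<file> element names, the quarantine-folder layout and the run_demo staging are assumptions.

```python
# Added example, not Forcepoint's script: a minimal remediation script of the kind
# "Run remediation script" hands each incident to as XML. The <incident>/<policy>/
# <files>/<file path= owner=> element names are ASSUMED; map them to the real export.
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Tuple

TOMBSTONE = ("This file was moved to quarantine by DLP Discovery on {when} because it "
             "matched policy '{policy}'. Contact {owner} or the security team to "
             "request it back.\n")

def parse_incident(xml_text: str) -> List[dict]:
    """One record per breaching file in the (assumed) incident XML."""
    root = ET.fromstring(xml_text)
    return [{"path": f.get("path"), "owner": f.get("owner", "unknown"),
             "policy": root.findtext("policy", default="unspecified"),
             "when": root.get("timestamp", "unknown")}
            for f in root.findall("./files/file")]

def remediate(xml_text: str, quarantine_dir: Path, mode: str = "audit") -> List[Tuple[str, str]]:
    """mode='audit' only reports; mode='quarantine' moves the file and leaves a tombstone."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    results: List[Tuple[str, str]] = []
    for rec in parse_incident(xml_text):
        src = Path(rec["path"])
        if not src.is_file():              # already gone: report it, don't fail the run
            results.append(("missing", str(src)))
        elif mode != "quarantine":         # safe default: audit only, nothing is touched
            results.append(("audit", str(src)))
        else:
            dest = quarantine_dir / src.name
            if dest.exists():              # never overwrite an earlier quarantined copy
                dest = quarantine_dir / f"{src.stem}.{rec['when'].replace(':', '-')}{src.suffix}"
            shutil.move(str(src), str(dest))
            src.with_name(src.name + ".QUARANTINED.txt").write_text(TOMBSTONE.format(**rec))
            results.append(("quarantined", str(dest)))
    return results

def run_demo() -> dict:
    """Stage a constructed share in a temp dir, run audit then quarantine, return outcomes."""
    base = Path(tempfile.mkdtemp())
    share, quarantine = base / "projects" / "q1", base / "quarantine"
    share.mkdir(parents=True)
    target = share / "customers.xls"
    target.write_text("constructed sample, no real PAN")
    xml_in = (f'<incident id="EXAMPLE-0001" timestamp="2026-06-18T02:15:00">'
              '<policy>PII - PAN and bank details</policy>'
              f'<files><file path="{target}" owner="a.mehta"/></files></incident>')
    audit = remediate(xml_in, quarantine, "audit")          # first run: review only
    moved = remediate(xml_in, quarantine, "quarantine")     # after review: act
    rerun = remediate(xml_in, quarantine, "quarantine")     # re-scan: file already gone
    return {"audit": audit, "quarantine": moved, "rerun": rerun,
            "tombstone": target.with_name("customers.xls.QUARANTINED.txt").exists(),
            "still_on_share": target.exists()}

if __name__ == "__main__":
    print(run_demo())
```

The second quarantine pass reports the file as missing rather than failing, which is the behaviour you want when the verification re-scan runs after the fix.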

Quick check · Q4 of 10 · Analyze

Which cloud remediation action removes only external sharing while keeping internal access?

Correct: d. Unshare external strips external sharing but leaves internal access intact. Unshare all removes all sharing; quarantine moves the file; permit allows it.
👉 So far: Action plans run from audit to label, encrypt, copy, move/quarantine, unshare (cloud) or a Python remediation script fed incident XML. Audit and review before you delete.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Which component performs network discovery and fingerprinting scans?

Correct: b. The crawler is the on-prem network discovery and fingerprinting agent. Endpoint discovery uses the DLP Endpoint agent; cloud discovery uses the CASB service.
Q6 · Understand

Discovery primarily inspects which data state?

Correct: a. Discovery scans stored data — shares, databases, SharePoint, endpoints and cloud — which is data at rest. In-motion is email/web/cloud; in-use is endpoint actions.
Q7 · Apply

Which cloud remediation action removes only external sharing while keeping internal access?

Correct: b. Unshare external strips external sharing while keeping internal access. Unshare all removes all sharing, quarantine moves the file, and permit allows it.
Q8 · Analyze

Endpoint remediation scripts require what to be installed on each endpoint?

Correct: c. Remediation scripts are Python and are handed each incident as XML, so the Python language interpreter must be installed on every endpoint that runs them.
Q9 · Evaluate

Which prerequisite is required for cloud discovery scans?

Correct: a. Cloud discovery needs the Cloud Applications license, the DLP Cloud Applications service connected, and the apps defined in the Forcepoint CASB portal.
Q10 · Evaluate

What is the safest first action when you turn on a new discovery task in production?

Correct: d. Audit first so you can confirm real breaches before acting. Jumping straight to delete or quarantine destroys or hides files that may be false positives.

🧠 In your own words

Type one line: why is Discovery needed when you already run inline DLP on email, web and the endpoint? Then compare with the expert version.

Expert version: Because inline DLP only watches data that is moving or being used right now — it cannot see the sensitive files already sitting at rest on old shares, in SharePoint, in databases and on laptops, often with wide-open permissions. Discovery goes and finds that backlog: the crawler scans network targets, the DLP Endpoint agent scans devices even offline, and cloud discovery covers SaaS — all using the same classifiers and fingerprints. It then turns findings into fixes via an action plan that escalates from audit to label, encrypt, quarantine, unshare or a remediation script, which is exactly how you shrink the standing breach risk that inline DLP never touches.


📖 Glossary

Discovery
Scanning data at rest, classifying it against policy, and optionally enforcing an action on what breaches.
Network discovery
Crawler-driven scan of file shares, SharePoint, Exchange, Domino, databases and PST files.
Endpoint discovery
DLP Endpoint agent scan of local drives on managed devices — works even when the device is offline.
Cloud discovery
Scan of sanctioned cloud apps via the DLP Cloud Applications / CASB service; needs the Cloud Applications license.
Crawler
The on-prem agent that performs network discovery and fingerprinting; add standalone instances to scale large scans.
PreciseID Files / Database
Fingerprinting for discovery — Files covers files, directories and SharePoint; Database covers tables, views and CSVs. Only partial hashes are stored.
File Filtering
Task settings that scope a scan by file type, size and modification age so re-scans stay incremental.
Action plan
The set of actions run on a match — audit, label, encrypt, copy, move/quarantine, unshare or a remediation script.
Remediation script
A Python script handed each incident as an XML file; performs move, encrypt, delete, rights or notify logic.
Tombstone / replacement note
A placeholder message left where a quarantined file used to be, telling users where it went and why.


What's next?

Found and cleaned up your data at rest? Next, go deep on the classifiers that decide what actually matches — regex, dictionaries, EDM, IDM, PreciseID fingerprinting and OCR — and why fingerprinting crushes false positives.