All PII matches detected by PII Scanner agents are forwarded in real time to LT Auditor-MP via the configured target destination. Scan results are reviewed, investigated, and acted on entirely within the LT Auditor-MP Web UI โ the PII Scanner Server does not store scan result data. This article covers how to find, interpret, filter, and act on PII scan results in LT Auditor-MP.
Understanding scan results:
Each result record forwarded to LT Auditor-MP represents a single PII match found in a scanned file. A single file may generate multiple result records if it contains multiple types of PII or multiple instances of the same PII type.
Each result record includes:
- File Path โ the full path to the file where the match was found
- PII Class โ the type of sensitive data detected
- Class Type โ the category of the detected class (PII, PHI, Sensitive, Confidential, or Private)
- Timestamp โ when the match was detected during the scan
- Agent โ the client agent that performed the scan
- Job Name โ the scan job that generated the result
Accessing scan results in LT Auditor-MP:
- Log in to the LT Auditor-MP Web UI
- Navigate to View in the main navigation menu
- Select the view configured for PII Scanner data or create a new one:
- Click Create View
- Set the Environment to your PII Scanner environment
- Set the Category to PII Scan Results
- Set a default date range
- Click Save
- The log table populates with PII match records from your scans
Filtering scan results:
Filter by job name:
- Click Advanced Filters
- Add a condition:
- Field โ Job Name
- Operator โ Equals
- Value โ the name of the specific scan job
- Click Apply Filters
Filter by PII class:
- Click Advanced Filters
- Add a condition:
- Field โ PII Class
- Operator โ Equals or Contains
- Value โ the class name to focus on (e.g., Social Security Number)
- Click Apply Filters
Filter by class type:
- Click Advanced Filters
- Add a condition:
- Field โ Class Type
- Operator โ Equals
- Value โ PII, PHI, Sensitive, Confidential, or Private
- Click Apply Filters
Filter by file path:
- Click Advanced Filters
- Add a condition:
- Field โ File Path
- Operator โ Starts With or Contains
- Value โ the directory path to focus on
- Click Apply Filters
Filter by agent:
- Click Advanced Filters
- Add a condition:
- Field โ Agent
- Operator โ Equals
- Value โ the hostname of the agent that performed the scan
- Click Apply Filters
Interpreting scan results:
When reviewing results focus on the following questions:
Is the sensitive data in an expected location? PII found in designated access-controlled directories is expected. PII found in unexpected locations โ a public share, a developer’s working directory, or a temporary folder โ requires immediate attention and remediation.
Is the class type appropriate for the location? PHI in a healthcare application directory may be expected. PHI in a general file share is not. Review whether the type of sensitive data found makes sense for the location it was discovered in.
How many files are affected? A single match in one file is very different from hundreds of matches across many files. Use grouping and aggregation in LT Auditor-MP reports to understand the scale of findings across a scan.
Viewing full result details:
- Click on any result row in the log table
- The detail panel opens and displays:
- File Path โ full path to the affected file
- PII Class โ the type of sensitive data detected
- Class Type โ PII, PHI, Sensitive, Confidential, or Private
- Timestamp โ when the match was detected
- Agent โ which client agent found the match
- Job Name โ which scan job generated the result
- Raw Log โ the original forwarded syslog record
- Click Close to return to the results table
Identifying false positives:
Not every match represents a genuine sensitive data finding. Some regex patterns may produce false positives โ matches that technically satisfy the pattern but do not represent real sensitive data. Use the file path and raw log context to validate whether a match represents actual sensitive data before acting on it.
If a PII class is consistently generating false positives:
- Navigate to PII Classes in the PII Scanner Server web interface
- Review and tighten the regex pattern for the relevant class
- Consider disabling the class temporarily if the false positive rate is too high to manage
Acting on scan results:
When genuine sensitive data is found in an unexpected or unauthorized location:
1. Document the finding:
- Export the relevant results from LT Auditor-MP as PDF or CSV
- Note the file path, PII class, class type, scan date, and agent
2. Assess the risk:
- Determine who has access to the location where the sensitive data was found
- Review access logs in LT Auditor-MP to determine whether the file has been accessed recently
- Assess whether the finding represents a compliance violation that must be reported
3. Remediate:
- Work with the file owner or relevant department to relocate, encrypt, or delete the sensitive file
- Review and update access controls on the affected location
- Run a follow-up on-demand scan of the same path after remediation to confirm the sensitive data has been successfully addressed
4. Report:
- If the finding represents a compliance violation follow your organization’s incident response and breach notification procedures
- Retain scan results and remediation records as evidence for compliance audits
[Your administrator should define a standard remediation workflow for PII findings and ensure all team members know how to follow it.]
Generating PII scan reports in LT Auditor-MP:
For compliance documentation and management reporting, generate structured reports from PII scan results:
- Navigate to Report in the LT Auditor-MP Web UI
- Click Create Report
- Configure the report:
- Environment โ PII Scanner environment
- Category โ PII Scan Results
- Date Range โ the period to cover
- Under Columns include:
- File Path
- PII Class
- Class Type
- Timestamp
- Agent
- Job Name
- Under Grouping consider grouping by:
- PII Class โ to see a breakdown of finding types
- Class Type โ to distinguish PII from PHI and other categories
- File Path โ to identify the most affected locations
- Click Save and then Generate Report
- Download the report as PDF for audit submission or CSV for detailed analysis
Setting up alerts for PII findings:
Configure LT Auditor-MP to alert your team when PII matches are detected during a scan:
- Navigate to Manage in the LT Auditor-MP Web UI
- Select the PII Scanner environment and category
- Click Add Filter
- Configure the filter:
- Filter Name โ e.g., PHI Finding Alert
- Condition โ Class Type Equals PHI
- Action โ Alert
- Recipients โ your security or compliance team email addresses
- Click Save and set to Active
[Your administrator should configure alerts for each sensitive class type relevant to your compliance obligations โ at minimum PHI for HIPAA environments and PII for GDPR environments.]
Best practices:
- Review scan results promptly after each scan completes โ sensitive data findings should not sit unaddressed
- Use the Class Type filter to prioritize PHI and PII findings for immediate investigation before reviewing Sensitive and Confidential findings
- Validate matches using the file path and raw log context before acting โ not every match is a genuine sensitive data finding
- Export and retain scan results as part of your compliance evidence library
- Run a follow-up on-demand scan after remediation to confirm sensitive data has been successfully removed from the affected location
- Track remediation progress for all findings to demonstrate to auditors that your organization acts on data discovery results
- Set up alert rules in LT Auditor-MP for PHI and PII class type findings so your team is notified promptly rather than discovering findings during a scheduled review
[Your administrator should establish a regular cadence for reviewing accumulated scan results in LT Auditor-MP as part of an ongoing data governance review process.]