Methods and systems for Data Leak Prevention (DLP) in an enterprise network are provided. According to one embodiment, a network security device maintains a filter database containing multiple filtering rules. Each filtering rule specifies a watermark hash value, a set of network services for which the filtering rule is active and an action to be taken. Network traffic directed to a destination residing outside of an enterprise network, associated with a particular network service and containing a file is received. A watermark hash value embedded within the file is identified. When there exists a filtering rule specifying a matching watermark hash value and for which the filtering rule is active for the particular network service, the action specified by the filtering rule is performed.