Add new rule to a policy

Rules can be added to a newly created policy or you can select a specific policy from the policy list to open the policy editor.

Click the Add new rule button on the policy editor, or right-click a specific policy, from the context menu to select the Add new rule option to open the rule editor.

Once a new policy is saved, the policy editor will automatically display the option Add rule. The rule status can be set to enable or disable.

A policy rule consists of the following parts:

1
Rule Details: Enter or edit the Rule name and Description.
2
Condition: The type of data that should be matched.

1
This rule monitors specific data in: Use the drop-down list to indicate when to trigger incidents.
1a
In all parts of the transaction: To trigger an incident if the sum of all matches in the transaction exceeds the configured threshold. For example, if the threshold is 3, then a transaction with 2 matches in the message body and one match in the subject line triggers an incident.
1b
In each part of the transaction separately: To trigger an incident triggered only when the threshold is reached in any one part of the transaction. For example, there would have to be 3 matches in the body or 3 in the subject line or other message parts for an incident to be triggered.
2
Condition relations: Indicate when the rule should be triggered if more than one condition is defined.
2a
All conditions are matched: Trigger the rule if all the selected conditions are matched.
2b
At least one condition is matched: Trigger the rule if only one of the selected conditions is met.
2c
User can set custom relation: Use Boolean logic to define when the rule should be triggered. Complete the following steps to set a custom relation:
  1. Select the classifiers from the classifier list by clicking Add Classifiers button.
  2. From Select Element, select a specific condition number and click Add button to add the number to the formula box.
  3. Click the AND, OR, or NOT button to define a condition. Optionally add parentheses, as in any mathematical operation.

    For example: (1 AND 2) OR (3 AND 4) OR 5

    Each number corresponds to a condition (1 is the first condition, 2 is the second, and so on).

  4. Click another condition number.
  5. Continue until the condition is fully defined.
3
Add Classifier: Use the option to add classifiers to the condition. Click the add icon on the specific classifier to add them to the condition from the list of classifiers, including:
3a
Pattern and Phrases: Select to add a regular expression, key phrase, script, or dictionary classifier.
3b
File labeling: Select to classify data by using the labeling system.
3c
File properties: Select to add a file name, type, or size classifier to the condition.

Select the eye icon to display only the selected classifiers. Use the search option to search classifiers and the add icon to add additional classifiers as needed. See the classifiers section for more information.

4
Add Limitation: Use the option to add limitations to the condition.
4a
Transaction Size: Define to detect transactions of the specified size or larger.
4b
Email Attachments: Define to detect email messages with a certain number of attachments or greater.
4c
Email Destinations: Define to detect messages sent to a specified number of domains or greater.
5
To edit a condition’s threshold (the number of matches that trigger an incident), click the settings icon on the specific classifier, and the classifier should be enabled. See also View or edit condition's thresholds section.
6
To delete a classifier, click the Delete icon.
3
Source: Identify the sources of data, such as endpoints, devices, domains, and networks, that apply to this rule. By default, a rule applies to all sources. A rule can be applied to specific sources (Inclusions), or specific sources can be excluded from the rule (Exclusions). Use the drop-down to select between types of sources, such as User Directory, Group Directory, Registered endpoints, Custom computers, Domains, Networks, or Business units. Use the search option to locate one or more elements and the + icon to move the selected elements to the Inclusions or Exclusions as required.

4
Destination: Define the destinations for data protected by this rule. From the Select destination type field, select the following destinations:
1
Select the Email destination to monitor email on endpoint machines. By default, email is analyzed on all endpoint destinations.
  • Set the email destination toggle button to Enabled.
  • Specify whether the rule should be applied to All included or Specific destinations. If selected specific use the search option to locate one or more elements and the + icon to move the selected elements to the Inclusions or Exclusions as required.

To add, edit, or delete domains, see the Domains section.

Note: For any policy to be applied by the agent in the Destination field the web channel should be set to enabled.
2
Select Web destination to prevent or monitor users posting sensitive data to networks, domains, business units, URL categories, directory entries, countries, or custom computers via any of the following web channels:
  • Endpoint HTTP- websites, blogs, and forums accessed by endpoint machines over HTTP
  • Endpoint HTTPS- websites, blogs, and forums accessed by endpoint machines over HTTPS

Set the Web destination toggle button to Enabled.

Note that several SaaS domains are excluded from analysis by default. Optionally, exclude more domains or remove domains from the exclusion list. You can also customize the list of resources that are excluded from web policies by default. For more information, see Business Units section.

Use Channels field to select or deselect individual Web channels.

To add, edit, or delete networks, domains, business units, and custom computers, see the Resources section.

3
Select Printing destination to analyze files that endpoint users send to printers.
  • Set the printing destination toggle button to Enabled.
  • Specify whether the rule should be applied to All included or Specific destinations. If selected specific use the search option to locate one or more elements and the + icon to move the selected elements to the Inclusions or Exclusions as required.

To add, edit, or delete printers, see the Endpoint printers section.

4
Select Removable media destination to analyze media such as thumb drives, external hard drives, and other USB devices on endpoint machines. By default, all removable media is included.
  • Set the removable media destination toggle button to Enabled.
  • Specify whether the rule should be applied to All included or Specific destinations. If selected specific use the search option to locate one or more elements and the + icon to move the selected elements to the Inclusions or Exclusions as required.
5
Select Applications destination to analyze content that is being cut, copied, pasted, or otherwise handled by users on endpoint applications. (Windows endpoints only)
  • Set the applications destination toggle button to Enabled.
  • Specify whether the rule should be applied to All included or Specific destinations. If selected specific use the search option to locate one or more elements and the + icon to move the selected elements to the Inclusions or Exclusions as required.

Not all operations (cut, copy, paste, etc.) relate to all applications. The operations that are monitored are specified for each group.

Note that if you choose All included on the rule’s condition page and choose an online application here, you are requesting to monitor all content that is downloaded to endpoints. The same is true if you specify the Download operation in the online application group, then select this group.

To prevent the system from analyzing content that is cached on the endpoint, the following occurs:
  • When files are saved to the browser’s cache folders, the crawler analyzes only .exe, .csv, .xls/xlsx, .pdf, .txt, .mht, and .doc/.docx files.
  • When files are saved to any other local folder, it analyzes all file types.

For a list of applications that the system supports out of the box, see Endpoint Application section. You can also add applications and applications group, see Endpoint applications and Endpoint application groups section.

6
Select Network share destination to analyze endpoint file copy over LANs. By default, outbound traffic for all networks is covered, that is, traffic going from the endpoint to all LANs. Endpoint LAN control is applicable to Windows endpoints using Windows file sharing only.
  • Set the network share destination toggle button to Enabled.
  • Specify whether the rule should be applied to All included or Specific destinations. If selected specific use the search option to locate one or more elements and the + icon to move the selected elements to the Inclusions or Exclusions as required.

Specify a list of allowed destination IP addresses or host names for LAN copy. Users may connect to a destination machine using the host name, IP address, or mapped drive. Forcepoint ONE Data Security does not resolve the multiple names for a single destination. To block or allow access to a machine, specify each of the identifiers a user might specify: for example, FQDN, host name, mapped drive, and so on. Alternatively, always block or allow access using host name and require users to use host name.

Data from an endpoint client can be intercepted.

If access to the LAN requires user credentials, files larger than 10 MB are handled as huge files which are only searched for file size, file name, and binary fingerprint. Files smaller than 10 MB are fully analyzed. The huge file limit for other channels is 100 MB.

5
Action: Define the severity and action to apply based on the matched conditions.

1
Determine severity and action plan according to the condition matches: Choose any of the following options to trigger an incident:
1a
Create an incident for every matched condition: To trigger an incident every time a condition in the rule is matched. (For example, if a user sends an email message containing sensitive content, then prints the message, 2 incidents are generated.)
1b
Accumulate matches before creating an incident: To have the system collect matches for a particular source over time and create incidents when a threshold is met (drip DLP). The system remembers user activity and generates incidents for matches that occur within a defined period.

Use the drop-down to set the Count for matches:

  • transactions: Count incident transactions as they accumulate for a given source, even though each incident can have multiple triggers.
  • unique matches: Count unique matches to count violation triggers that accumulate for a source, but only triggers that are unique.
    If, for example, there is a rule that does not permit 10 different credit card numbers to be sent within 1 hour:
    • If a user sends 1 message with 20 credit card numbers, 1 violation trigger is counted.
    • If the user sends 20 email messages with the same credit card number, no triggers are counted, because the numbers were not unique.

    Note that case differences are counted separately in word-related classifiers. For example, word, Word, and WORD.

  • all matches: Count all matches (default) that accumulate for a source, even duplicates. In the example above, even if the user sent 20 messages with the same credit card number, 20 triggers are counted.

Matches and transactions are counted individually for each source, such as username or IP address, and they are counted only on the policy engine that detects them. Incidents are generated only when the threshold is met on a single policy engine.

Select a time period for accumulating matches. The time period is a sliding window. It resets every time a match is detected.

Use The rate of matches should decline... field to specify how long the system should continue counting matches once the rate begins to decline.

If the system continues to detect the configured number of matches over the configured period, it continues to accumulate the matches in the same incident.

2
Matches: Use the Add Match button to add new matches.

Use the AT LEAST field to define the threshold for triggering an incident. For example, trigger an incident when there are at least 3 matches (3 or more). If the threshold is not met, the match count is 0.

Specify the incident SEVERITY for the match from the drop-down:
  • Low: Incidents that match this rule are of low importance. The policy breach is minor.
  • Medium: Incidents that match this rule are of medium importance. The policy breach is moderate.
  • High: Incidents that match this rule are very important and warrant immediate attention. The policy breach is severe.

If Risk adaptive protection is enabled, then the RISK IMPACT can be set using the drop-down. The value selected will impact the risk score calculation for the affected user.

Select an existing ACTION PLAN using the drop-down.

Select the edit symbol to edit the action plan and select the plus symbol to add a new action plan. For more details, see the Action plans section.

Using the Matches are calculated... field, you can set how matches should be calculated:
  • Select Greater number of matched conditions to have the number of matches compared, and only the greatest number reported. For example, if there are 5 matches for the classifier “Confidential Pattern”, 3 for “SSN Pattern”, and 10 for “My Key Phrases”, the number of matches would be defined as 10.
  • Select Sum of all matched conditions to have the number of matches added together and the total reported. Given the same example as above, the number of matches would be defined as 18.
3
Risk adaptive protection: If enabled, different actions can be selected according to the source user’s risk level. An action can be set for the following risk levels:
  • Level 1- None: The user does not have a risk score currently.
  • Level 2- Low: The user’s risk score is between 1 and 39.
  • Level 3- Medium: The user’s risk score is between 40 and 69.
  • Level 4- High: The user’s risk score is between 70 and 89.
  • Level 5- Critical: The user’s risk score is between 90 and 100.
6
Use the toggle button to set the rule status to enable or disable.