Action plans
Use the Action plans dialog to define how the system responds when various breaches are discovered.
Name | Description |
---|---|
Audit Only | (Default) Permit all activity on all channels, and log incidents in the audit log. This action plan is designed for mild breaches. |
Block All | Block all incidents on all channels and audit them. This action plan is designed for severe breaches. |

Complete the following steps to add an action plan:
Steps
- Navigate to Policy > Policy Elements > Resources > Action plans. The Action plans dialog opens.
- Click the plus symbol.
- Enter the Name and Description of the action plan.
- On the Data Loss Prevention widget, select the possible actions for the following:
  - Endpoint channels
  - Email channels
  - Web channels
  - CASB channels

Table 2. Endpoint channels

Endpoint channels | Description |
---|---|
Email | Select an action to take when a breach is discovered on endpoint email. |
HTTP/HTTPS | Select an action to take when a breach is discovered on an endpoint device over HTTP or secure HTTP. |
Printing | Select an action to take when a breach is discovered on a local or network printer that is connected to an endpoint. |
Application control | Select an action to take when a breach is discovered on an endpoint application such as Word. |
Removable media | Select an action to take when a breach is discovered on an endpoint device such as a thumb drive. |
LAN | Select an action to take when a breach is discovered on an endpoint LAN, such as when a user copies sensitive data from a workstation to a laptop. |

Table 3. Email channel

Email channels | Description |
---|---|
Email | Select an action to take when a breach is discovered on network email channels. |

Table 4. Web channels

Web channel | Description |
---|---|
FTP | Select an action to take when a breach is discovered over FTP. |
HTTP/HTTPS | Select an action to take when a breach is discovered over HTTP or secure HTTP. |

CASB channels

Table 5. Inline

Channel | Description |
---|---|
File uploading/attaching | Uploading/attaching a file to a cloud transaction. |
File downloading | Downloading a file from the cloud. |

Table 6. API

Channel | Description |
---|---|
File creation/modification | File is created or modified on the cloud. |
File downloading | File is downloaded from the cloud. |
Public file sharing | File is shared with a link. |
External file sharing | File is shared with external users. |
Internal file sharing | File is shared with internal users. |

The actions available in an action plan depend on the channel being configured.
Possible actions include:

Action | Description |
---|---|
Permit | Allow the action to proceed based on your selection; for example, allow it to be printed or posted to a website. |
Block | Deny or block data from being printed, posted, or emailed, depending on your selection. |
Confirm | Display a confirmation message, such as the following when a security threat is detected: "Endpoint has detected that you are trying to copy sensitive data to a removable drive, which appears to violate of corporate policy. Do You want to continue?" Users can continue if they enter a business reason for the operation, or they can cancel. If they cancel or wait too long, the default action is taken. |
Quarantine | Quarantine email messages containing sensitive data. |
Quarantine and encrypt | Quarantine email messages containing sensitive data. Network email can be encrypted before it's released. |
Drop attachments | Drops email attachments that are in breach of policy. |
Drop attachments and encrypt | If an attachment has been dropped, this option reattaches it and encrypts both the body and attachment before releasing the message. |
Safe copy | Keep a copy of the file in the cloud archive that is accessible only to administrators. |
Quarantine with note | Quarantine email messages containing sensitive data and provide a note to the user in place of the message. |
Unshare external | Remove sharing permissions for any external addresses. |
Unshare all | Remove all sharing permissions from the file. |

- Set the toggle button on Audit Alerts to Enable or Disable reporting of audit incidents.
- Click the Save button. The new action plan will appear in your action plan list.