Action plans
Use the Action plans dialog to define how the system responds when various breaches are discovered.
Steps
- Navigate to Policy > Policy Elements > Resources > Action plans. The Action plans dialog opens.
- Click the plus symbol.
- Enter the Name and Description of the action plan.
- On the Data Loss Prevention widget, select the possible actions for the following:
  - Endpoint channels
  - Email channels
  - Web channels
  - CASB channels

Table 1. Endpoint channels

| Endpoint channels | Description |
| --- | --- |
| Email | Select an action to take when a breach is discovered on endpoint email. |
| HTTP/HTTPS | Select an action to take when a breach is discovered on an endpoint device over HTTP or secure HTTP. |
| Printing | Select an action to take when a breach is discovered on a local or network printer that is connected to an endpoint. |
| Application control | Select an action to take when a breach is discovered on an endpoint application such as Word. |
| Removable media | Select an action to take when a breach is discovered on an endpoint device such as a thumb drive. |
| LAN | Select an action to take when a breach is discovered on an endpoint LAN, such as when a user copies sensitive data from a workstation to a laptop. |

Table 2. Email channel

| Email channels | Description |
| --- | --- |
| Email | Select an action to take when a breach is discovered on network email channels. |

Table 3. Web channels

| Web channel | Description |
| --- | --- |
| FTP | Select an action to take when a breach is discovered over FTP. |
| HTTP/HTTPS | Select an action to take when a breach is discovered over HTTP or secure HTTP. |

CASB channels

Table 4. Inline

| Channel | Description |
| --- | --- |
| File uploading/attaching | Uploading/attaching a file to a cloud transaction. |
| File downloading | Downloading a file from the cloud. |

Table 5. API

| Channel | Description |
| --- | --- |
| File creation/modification | File is created or modified on the cloud. |
| File downloading | File is downloaded from the cloud. |
| Public file sharing | File is shared with a link. |
| External file sharing | File is shared with external users. |
| Internal file sharing | File is shared with internal users. |

Table 6. Default Action plans

| Name | Description |
| --- | --- |
| Audit Only (Default) | Permit all activity on all channels, and log incidents in the audit log. This action plan is designed for mild breaches. |
| Block All | Block all incidents on all channels, audit them. This action plan is designed for severe breaches. |

Note: It is not possible to edit predefined action plans.

Actions and applicable channels
The actions available in an action plan depend on the channel being configured. Possible actions include:

| Action | Description | Applicable Channels |
| --- | --- | --- |
| Permit | Allow the action to proceed based on your selection; for example, allow it to be printed or posted to a website. | All |
| Block | Deny or block data from being printed, posted, or emailed, depending on your selection. | All |
| Confirm | Display a confirmation message, such as the following when a security threat is detected: "Endpoint has detected that you are trying to copy sensitive data to a removable drive, which appears to violate of corporate policy. Do You want to continue?" Users can continue if they enter a business reason for the operation, or they can cancel. If they cancel or wait too long, the default action is taken. | Endpoint |
| Quarantine | Quarantine email messages containing sensitive data. | Email |
| Drop attachments | Drops email attachments that are in breach of policy. Applies to messages detected by the Forcepoint Email Security module. Applies to rules that monitor data in “each part separately.” Quarantines email messages that: have a body breach, but not an attachment breach; have breaches in both the message body and attachment; are detected by agents other than Forcepoint Email Security, such as the protector; fail to drop attachments when indicated. Note: If a violation is found in a uuencoded attachment, the attachment is treated as email body and blocked rather than dropped. This is because additional content is placed between the attachments, including the attachment name. (UNIX-to-UNIX encoding [uuencoding] is a utility that most email applications use for encoding and decoding files.) | Email |
| Encrypt | Encrypt the affected email message. With Forcepoint DLP agents and Forcepoint Email Security, this option applies to all email directions. For cloud infrastructure deployments such as Microsoft Azure, this option applies only to outbound email. (Inbound and Internal email is permitted, and an alert is sent to the Forcepoint Email Security administrator.) | Email |
| Safe copy | Keep a copy of the file in the cloud archive that is accessible only to administrators. | CASB |
| Quarantine with note | Quarantine email messages containing sensitive data and provide a note to the user in place of the message. | CASB |
| Unshare external | Remove sharing permissions for any external addresses. | CASB |
| Unshare all | Remove all sharing permissions from the file. | CASB |

- Set the toggle button on Audit Alerts to Enable or Disable reporting of audit incidents.
- Click the Save button. The action plan appears in your action plan list.
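
The Drop attachments fallback rules from the actions table, modelled as an added example for reasoning about which email messages end up quarantined instead of having attachments dropped. This is not Forcepoint code or configuration: all names are hypothetical, the rule is assumed to monitor each part separately, and the uuencoded case is modelled as a body breach that takes the quarantine path.

```python
from dataclasses import dataclass

# Outcome labels are hypothetical names for this illustration.
DROP, QUARANTINE, NO_BREACH = "drop_attachments", "quarantine", "no_breach"

@dataclass
class Attachment:
    name: str
    breach: bool = False
    uuencoded: bool = False     # uuencoded content is treated as email body
    drop_succeeds: bool = True  # constructed flag to model a failed drop

@dataclass
class Message:
    detected_by_email_security: bool  # False: another agent, e.g. the protector
    body_breach: bool = False
    attachments: tuple = ()

def resolve_drop_attachments(msg):
    """Return (outcome, dropped_names) when the action plan selects
    Drop attachments and the rule monitors each part separately."""
    # A violation in a uuencoded attachment counts as a body breach. The page
    # calls the result "blocked rather than dropped"; modelled as quarantine.
    body_breach = msg.body_breach or any(
        a.breach and a.uuencoded for a in msg.attachments)
    breaching = [a for a in msg.attachments if a.breach and not a.uuencoded]
    if not body_breach and not breaching:
        return NO_BREACH, []
    # Detections by agents other than Forcepoint Email Security: quarantine.
    if not msg.detected_by_email_security:
        return QUARANTINE, []
    # Body-only breaches and body-plus-attachment breaches: quarantine.
    if body_breach:
        return QUARANTINE, []
    # A drop that fails falls back to quarantine.
    if not all(a.drop_succeeds for a in breaching):
        return QUARANTINE, []
    return DROP, [a.name for a in breaching]

if __name__ == "__main__":
    # Constructed sample: one clean and one breaching attachment.
    sample = Message(True, attachments=(
        Attachment("notes.txt"), Attachment("plan.xlsx", breach=True)))
    print(resolve_drop_attachments(sample))
```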