Action plans

Use the Action plans dialog to define how the system responds when various breaches are discovered.

The following action plans are provided by default.
Table 1.
Name          Description
Audit Only    (Default) Permit all activity on all channels, and log incidents in the audit log. This action plan is designed for mild breaches.
Block All     Block all incidents on all channels and audit them. This action plan is designed for severe breaches.

Note: It is not possible to edit predefined action plans.

Complete the following steps to add an action plan:

Steps

  1. Navigate to Policy > Policy Elements > Resources > Action plans. The Action plans dialog opens.
  2. Click the plus symbol.
  3. Enter the Name and Description of the action plan.
  4. On the Data Loss Prevention widget, select the possible actions for the following:
    • Endpoint channels
    • Email channels
    • Web channels
    • CASB channels
    Table 2. Endpoint channels
    Endpoint channels      Description
    Email                  Select an action to take when a breach is discovered on endpoint email.
    HTTP/HTTPS             Select an action to take when a breach is discovered on an endpoint device over HTTP or secure HTTP.
    Printing               Select an action to take when a breach is discovered on a local or network printer that is connected to an endpoint.
    Application control    Select an action to take when a breach is discovered on an endpoint application such as Word.
    Removable media        Select an action to take when a breach is discovered on an endpoint device such as a thumb drive.
    LAN                    Select an action to take when a breach is discovered on an endpoint LAN, such as when a user copies sensitive data from a workstation to a laptop.

    Table 3. Email channel
    Email channels    Description
    Email             Select an action to take when a breach is discovered on network email channels.

    Table 4. Web channels
    Web channel    Description
    FTP            Select an action to take when a breach is discovered over FTP.
    HTTP/HTTPS     Select an action to take when a breach is discovered over HTTP or secure HTTP.

    CASB channels

    Table 5. Inline
    Channel                       Description
    File uploading/attaching      Uploading/attaching a file to a cloud transaction.
    File downloading              Downloading a file from the cloud.

    Table 6. API
    Channel                       Description
    File creation/modification    File is created or modified on the cloud.
    File downloading              File is downloaded from the cloud.
    Public file sharing           File is shared with a link.
    External file sharing         File is shared with external users.
    Internal file sharing         File is shared with internal users.

    The actions available in an action plan depend on the channel being configured.

    Possible actions include:

    Action                          Description
    Permit                          Allow the action to proceed based on your selection; for example, allow it to be printed or posted to a website.
    Block                           Deny or block data from being printed, posted, or emailed, depending on your selection.
    Confirm                         Display a confirmation message, such as the following when a security threat is detected:
                                    Endpoint has detected that you are trying to copy sensitive data to a removable drive, which appears to violate of corporate policy. Do You want to continue?
                                    Users can continue if they enter a business reason for the operation, or they can cancel. If they cancel or wait too long, the default action is taken.
    Quarantine                      Quarantine email messages containing sensitive data.
    Quarantine and encrypt          Quarantine email messages containing sensitive data. Network email can be encrypted before it’s released.
    Drop attachments                Drops email attachments that are in breach of policy.
    Drop attachments and encrypt    If an attachment has been dropped, this option reattaches it and encrypts both the body and attachment before releasing the message.
    Safe copy                       Keep a copy of the file in the cloud archive that is accessible only to administrators.
    Quarantine with note            Quarantine email messages containing sensitive data and provide a note to the user in place of the message.
    Unshare external                Remove sharing permissions for any external addresses.
    Unshare all                     Remove all sharing permissions from the file.
  5. Set the toggle button on Audit Incidents to Enabled to audit incidents.
  6. Click Save. The new action plan appears in your action plan list.