Enable Cloud Data Discovery in the Forcepoint Security Manager

Steps

  1. In the Forcepoint Security Manager, go to DATA > Policy Management > Resources > Cloud Applications.
  2. In the cloud applications table, click the Application Name.
    The Cloud Application Properties screen opens to allow configuration of the selected application.
    • Pop-up blockers might prevent this screen from opening. If this occurs, disable the pop-up blocker and try again.
    • It might take a while for the screen to open. Wait for the screen to load, then complete the steps below. Do not close the screen while it is still loading.
  3. If you have not already configured the connection to the cloud service, click Configure Connection on the General tab.
    The Forcepoint CASB service uses the connection to retrieve activity logs, scan files at rest, and retrieve user lists. It does not store the user credentials.
  4. Open the DLP Cloud Service tab. In the DLP Cloud Data Discovery section:
    1. Select Enable data at rest discovery to activate the data at rest discovery scan for this cloud application.
    2. Under Scan Path > Folder Path, enter the full URL of the storage folder to be scanned. By default, all folders and files in the drive path are scanned. Optionally, click Exclude Subfolders, then enter the full paths of all subfolders that should not be included in the scan.
      For Office 365 assets, the Scan Path settings are replaced by Scan Source settings. Select either Repository application or Drive Path.
      • If you select Repository application, select the repository to be scanned (OneDrive, SharePoint, or OneDrive & SharePoint). Optionally, click Exclude Drives, then enter the full paths of all drives that should be excluded from the scan.
      • If you select Drive Path, enter the full path of the drive to be scanned.
    3. For Office 365 and Box assets, select Unshare parent folder to remove the sharing permissions from a sensitive file's parent folder when the file inherits its sharing permissions from a folder higher in the hierarchy. This removes the sharing permissions from the affected folders and from all files located in them. The option takes effect only if one of the unshare actions is selected in the action plan of the DLP Discovery policy.
    4. For Office 365, Box, Dropbox, and G Suite assets, select Scan by sharing status to scan files with a specific sharing status, then select one of the options:
      • Externally shared files: Scans all files that are shared with accounts outside of your organization’s domain(s).
      • All shared files: Scans all files that are shared with another account, including all files shared within your organization and outside of your organization’s domain(s).
  5. To scan files with specific file extensions only, click the Scan by File Extension button in the DLP Cloud Data Discovery section.
    1. To scan files with specific file extensions, do one of the following:
      • Enter the file extensions into the large text field, separated by commas (for example, “.doc,.docx”).
      • Click the File Extensions button to select predefined categories. On the File Extensions screen, select the predefined categories to include in the scan. When a category is selected, its file extensions are shown in the right-side column. The bold categories are the default categories.
      To include all files with extensions, leave the field empty. The field then shows All extensions to indicate that all files with extensions are included in the scan. Note that this might increase the scan time significantly.

    2. To add the default file extensions, click Set to Default Extensions. This adds the default extension predefined categories (marked on the File Extensions screen in bold: Word processing, Spreadsheet, Presentation, Mail, and Archive).
    3. To scan files that do not have a file extension, select Include files with no extension.
    4. To sort the extensions alphabetically, select one of the two sort buttons: Sort A to Z or Sort Z to A.
  6. Open the General tab. In the Mitigation Settings section, configure an Archive folder within the selected cloud service for files moved or copied in response to a DLP incident. The archive folder must reside on the scanned asset, so the path needs to match the browser URL.
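    The constraints in steps 4 to 6 (a full-URL scan path, excluded subfolders that lie beneath it, a comma-separated extension list where an empty field means all extensions, and an archive folder that resides on the scanned asset) are easy to get wrong when the values are assembled outside the console. The following pre-flight check is an added example and not Forcepoint code; the configuration keys, the sample URLs and the reading of "resides on the scanned asset" as "same host as the scan path" are all assumptions made for the illustration.

```python
"""Pre-flight check for a Cloud Data Discovery scan configuration.

Added example, not part of the Forcepoint product. It encodes the rules
stated in the procedure above; the dictionary keys and the sample values
are constructed for this illustration.
"""
from urllib.parse import urlparse


def parse_extension_field(text: str) -> list[str]:
    """Normalize the comma-separated extension field.

    Tokens are trimmed, lower-cased and given a leading dot; duplicates are
    dropped. An empty result means "All extensions", as the field shows.
    """
    exts: list[str] = []
    for raw in text.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        if not token.startswith("."):
            token = "." + token
        if token not in exts:
            exts.append(token)
    return exts


def _host_and_segments(url: str) -> tuple[str, list[str]]:
    parsed = urlparse(url)
    return parsed.netloc.lower(), [s for s in parsed.path.split("/") if s]


def is_under(parent_url: str, child_url: str) -> bool:
    """True when child_url is the same path as, or a descendant of, parent_url."""
    p_host, p_segs = _host_and_segments(parent_url)
    c_host, c_segs = _host_and_segments(child_url)
    return p_host == c_host and c_segs[: len(p_segs)] == p_segs


def check_config(cfg: dict) -> list[str]:
    """Return a list of problems (errors and warnings); empty means the config looks consistent."""
    problems: list[str] = []
    scan = cfg.get("folder_path", "")
    parsed = urlparse(scan)
    if not (parsed.scheme and parsed.netloc):
        problems.append("folder_path must be the full URL of the storage folder")

    for ex in cfg.get("exclude_subfolders", []):
        if not is_under(scan, ex):
            problems.append(f"excluded subfolder is not beneath the scan path: {ex}")
        elif _host_and_segments(ex) == _host_and_segments(scan):
            problems.append(f"excluded subfolder is the scan path itself: {ex}")

    if cfg.get("scan_by_file_extension"):
        if not parse_extension_field(cfg.get("extensions", "")):
            problems.append("warning: empty extension field scans all files with "
                            "extensions, which might increase the scan time significantly")

    # Assumption: "resides on the scanned asset" is checked as "same host as the scan path".
    archive = cfg.get("archive_folder", "")
    if archive and urlparse(archive).netloc.lower() != parsed.netloc.lower():
        problems.append("archive folder must reside on the scanned asset (host differs from the scan path)")
    return problems


# Constructed sample configurations (not real tenants or drives).
SAMPLE_OK = {
    "folder_path": "https://drive.example.com/team/finance",
    "exclude_subfolders": ["https://drive.example.com/team/finance/public"],
    "scan_by_file_extension": True,
    "extensions": " .doc, docx , .DOCX,",
    "archive_folder": "https://drive.example.com/team/finance/_dlp_archive",
}

SAMPLE_BAD = {
    "folder_path": "team/finance",
    "exclude_subfolders": ["https://other.example.com/team/finance/public"],
    "scan_by_file_extension": True,
    "extensions": "",
    "archive_folder": "https://backup.example.net/archive",
}

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_config(cfg) or "no problems found")
```

Run the check before entering the values in the console; a non-empty result points at the field to correct, and the "warning:" entry flags the empty-extension case that is valid but costly.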
  7. Under Quarantine Notes, optionally configure messages that can replace quarantined files and explain to users that files have been moved.
  8. Click Test Connection to verify that the message file can be copied to the cloud application.
  9. To save the changes and return to the cloud applications list, click OK.
    • The new application is added to the cloud applications list, which shows the application name, type, description, and status.
    • You can edit the cloud application’s properties by clicking the Application Name.

    The new application is added to the cloud applications list even if configuration is canceled before this step is completed. Open the cloud application’s Properties screen to finish configuration if necessary.

  10. To deploy all the configured changes, click Deploy.
    Note: If you are logged on to the Forcepoint Security Manager, but want to edit the cloud application in Forcepoint CASB, click the Launch CASB Portal button to open the Forcepoint CASB management portal.