Possible actions for an action plan

The actions available for use in an action plan depend on the channel being configured.

Possible actions include:

Action Description
Permit Allow data to be maneuvered based on your selection —for example, allow it to be printed or posted to a website.
Block Deny or block data from being printed, posted, or emailed, depending on your selection.
Audit only Activity is audited and available to review.
Quarantine

Quarantine email messages containing sensitive data. Network email can be encrypted before it’s released. Select Encrypt on release to have the system encrypt the message before it’s released. (this feature is not supported for Forcepoint Email Security Cloud).
Quarantine with note Quarantine the message as described above, and provides a note to the user in place of the message.
Safe copy Keep a copy of the file in the cloud archive that is accessible only to administrators.
Unshare external Remove sharing permissions for any external addresses.
Unshare all Remove all sharing permissions from the file.
Drop attachments
  • Drops email attachments that are in breach of policy.
    • Applies to messages detected by the Forcepoint Email Security module (except for Forcepoint Email Security Cloud).
    • Applies to rules that monitor data in “each part separately.”
  • Quarantines email messages that:
    • Have breaches in attachments, but the body is clean.
    • Have a body breach, but not an attachment breach.
    • Have breaches in both the message body and attachment.
    • Are detected by agents other than Forcepoint Email Security and Forcepoint Data Security for Cloud Email, such as the protector.
    • Are detected when rules are monitoring data in “the transaction as a whole.”
    • Fail to drop attachments when indicated.
Note:
  • If a violation is found in a uuencoded attachment, the attachment is treated as email body and blocked rather than dropped. This is because additional content is placed between the attachments, including the attachment name. (UNIX-to- UNIX encoding [uuencoding] is a utility that most email applications use for encoding and decoding files.)
  • Only Forcepoint Email Security and Forcepoint Data Security for Cloud Email can drop attachments. If the drop attachments options is selected when the protector or Forcepoint Email Security Cloud is monitoring email, messages are quarantined when a policy is triggered.

Select Encrypt on release if you want quarantined messages to be encrypted before they’re released. If an attachment has been dropped, this option reattaches it and encrypts both the body and attachment before releasing the message.

To release an incident, an administrator selects Remediate > Release on the incident details toolbar. Release is not supported for messages detected by Forcepoint Email Security Cloud.
Encrypt

Encrypt the affected email message.

With Forcepoint DLP agents and Forcepoint Email Security, this option applies to all email directions.

For cloud infrastructure deployments such as Microsoft Azure, this option applies only to outbound email. (Inbound and Internal email is permitted, and an alert is sent to the Forcepoint Email Security administrator.)
Encrypt with profile key Removable media only. Encrypts sensitive data for users who will be on authorized, endpoint machines. Passwords are set by administrators and deployed via profiles. Decryption is automatic if the files are accessed on the endpoints.
Encrypt with user password

Windows removable media only. Encrypts sensitive data for users who will be decrypting files from other machines (those without the endpoint agent installed). Passwords are set by endpoint users. Files are decrypted using a special utility.

Note that if the user has not yet configured a password when the first breach is detected, the system prompts the user for a password and then blocks the operation. The encryption action is not performed until subsequent transactions.

This option is not supported on Mac. Removable media transactions are permitted on Mac when this option is selected.
Confirm

Display a confirmation message, such as the following when a security threat is detected:

Forcepoint DLP Endpoint has detected that you’re trying to copy sensitive data to a removable drive, which appears to be in violation of corporate policy. Do you want to continue?

Users can continue if they enter a business reason for the operation, or

they can cancel. If they cancel or wait too long, the default action is taken.

To configure the default action, go to the Settings > General > Endpoint page and select Block or Permit on the General tab.
Run remediation script

Run a script that performs specific actions when an incident is detected.

Remediation scripts can be run when network discovery, endpoint discovery, or DLP incidents are detected.

See Remediation scripts section.
Add classification tag

Add classification tags to files that trigger a discovery incident, following the guidelines established on the Settings > General > Services > Classification Tagging page.

Endpoint discovery only.

Requires a supported, third-party classification tagging system.
Permit (Acknowledge)

To allow the user action and display a pop-up notification to the user on the Endpoint. The notification prompts the user to acknowledge that their sensitive data usage is being audited.

Note: This feature will be supported in an upcoming Forcepoint F1E release.