Standard Forcepoint DLP options

On the Data Loss Prevention tab, complete the fields as follows. See Possible actions for an action plan section for a description of each possible action.
  • Under Network Channels:
    Action Description
    Email Select an action to take when a breach is discovered on network email channels.
    FTP Select an action to take when a breach is discovered over FTP.
    HTTP/HTTPS Select an action to take when a breach is discovered over HTTP or secure HTTP.
    Chat Select an action to take when a breach is discovered over chat.
    Plain text Select an action to take when a breach is discovered via plain text.
  • Under Endpoint Channels:
    Action Description
    Email Select an action to take when a breach is discovered on endpoint email. You cannot release endpoint email; therefore, you can only block messages, not quarantine them.
    Application control Select an action to take when a breach is discovered on an endpoint application such as Word.
    Removable media Select an action to take when a breach is discovered on an endpoint device such as a thumb drive.
    HTTP/HTTPS Select an action to take when a breach is discovered on an endpoint device over HTTP or secure HTTP.
    LAN Select an action to take when a breach is discovered on an endpoint LAN, such as when a user copies sensitive data from a workstation to a laptop.
    Printing Select an action to take when a breach is discovered on a local or network printer that is connected to an endpoint.
    As action plans for Network Channels, you can choose one of the following from the drop down:
    • Select Permit to allow user action.
    • Select Drop Attachments to drop email attachments that are in breach of policy and quarantine email messages.
    • Select Quarantine to save the file in a quarantine folder.
    • Select Encrypt to encrypt the affected email message.
    • Select Custom Action 1 to Custom Action 5 to perform an Email Security action when a DLP breach is detected. This can be applied only to email sent as part of Forcepoint Data Security for Cloud Email product's solution.
      Note: Custom actions appear only if you have enabled the Enable custom actions check box in Data Protection Service in Settings > General > Services.
    As action plans for Endpoint channels, you can choose one of the following from the drop down:
    • Select Permit to allow user action.
    • Select Permit (Acknowledge) to allow the user action and display a pop-up notification to the user on the Endpoint. The notification prompts the user to acknowledge that their sensitive data usage is being audited.
      Note: This feature will be supported in an upcoming Forcepoint F1E release.
    • Select Block to prevent the user action.
    • Select Confirm to allow user action.
    • For removable media, you can select the Encrypt with profile key or Encrypt with user password options.
  • Under Cloud Channels, there are two channels: DLP Cloud Proxy and DLP Cloud API.

    For DLP Cloud Proxy, select from the drop-down list an action to take when an incident involves files uploaded, attached, or downloaded from a cloud application.

    • Select Permit to allow files to be uploaded, attached, or downloaded.
    • Select Block to prevent the user action.
    Note: When Block is applied, some desktop cloud applications might perform multiple retries to sync with the cloud service, and potentially malfunction. If this happens, multiple incidents might be received by the DLP system.

    For DLP Cloud API, select from the drop-down list an action to take when an incident involves files uploaded to, downloaded from, or shared with others.

    • Select Permit to allow files to be uploaded, synchronized, downloaded, or shared.
    • Select Safe copy to keep a copy of the file in the cloud archive that is accessible only to administrators.
    • Select Quarantine to save the file in a quarantine folder defined in the CASB portal.
    • Select Quarantine with note to quarantine the file and leave a message in place of the original file.
    • Select Unshare external to remove sharing permissions for any external address.
    • Select Unshare all to remove all sharing permissions from the file.
  • By default, all incidents are audited. Clear the Audit incident check box if you do not want to audit incidents.
    Warning: If you turn off this option, incidents are not logged, so you will not know when a policy is breached.

    When Audit incident is selected, select one or more of the following additional options:

    • Select Include forensics to include information about the transaction that resulted in the incident, such as the contents of an email body: From:, To:, Cc: fields; attachments, URL category, hostname, file name, and more.

      Forensics display in the incident report.

    • Select Run remediation script to have the system run a script when an incident is discovered, then select the script to use from the drop-down list. See Remediation scripts section for more information.
    • Select Run endpoint remediation script to have the system run an endpoint remediation script when an incident is discovered, then select the script to use from the drop-down list.
    • Select Send syslog message to notify an outside syslog server or ticketing system of the incident.
    • Select Send email notifications to send an email message to a designated recipient when a policy is breached.
      • Select the message or messages to send.
      • Click a link to view or modify standard messages.
      • Click New to create a custom message.

      See Notifications and Adding a new message sections for details.

    Tip: There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. Therefore, if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.
  • To configure discovery options, continue to the next section. Otherwise, click OK to save the changes.