Possible actions for an action plan

The actions available for use in an action plan depend on the channel being configured.

Possible actions include:

Action Description
Permit Allow data to be maneuvered based on your selection; for example, allow it to be printed or posted to a website.
Block Deny or block data from being printed, posted, or emailed, depending on your selection.
Audit only Activity is audited and available to review.
Quarantine

Quarantine email messages containing sensitive data. Network email can be encrypted before it’s released. Select Encrypt on release to enable this feature (this feature is not supported for Forcepoint Email Security Cloud).

Note: When a mobile email message is released from quarantine, it is sent to the mobile device the next time the device is connected to the network.
Quarantine with note Quarantine the message as described above, and provide a note to the user in place of the message.
Safe copy Keep a copy of the file in the cloud archive that is accessible only to administrators.
Unshare external Remove sharing permissions for any external addresses.
Unshare all Remove all sharing permissions from the file.
Drop attachments
  • Drops email attachments that are in breach of policy.
    • Applies to messages detected by the Forcepoint Email Security module (except for Forcepoint Email Security Cloud).
    • Applies to rules that monitor data in “each part separately.”
  • Quarantines email messages that:
    • Have a body breach, but not an attachment breach.
    • Have breaches in both the message body and attachment.
    • Are detected by agents other than Forcepoint Email Security, such as the protector.
    • Are detected when rules are monitoring data in “the transaction as a whole.”
    • Fail to drop attachments when indicated.
Note: If a violation is found in a uuencoded attachment, the attachment is treated as email body and blocked rather than dropped. This is because additional content is placed between the attachments, including the attachment name. (UNIX-to-UNIX encoding [uuencoding] is a utility that most email applications use for encoding and decoding files.)

Select Encrypt on release if you want quarantined messages to be encrypted before they’re released. If an attachment has been dropped, this option reattaches it and encrypts both the body and attachment before releasing the message.

To release an incident, an administrator selects Remediate > Release on the incident details toolbar.
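
The note on uuencoded attachments can be seen in a small added example (not Forcepoint code; the addresses, file name, sample content and the helper names `uuencode` and `split_uu` are constructed for illustration). In a non-MIME message the uuencoded file, including the `begin` line that carries its name, is ordinary text inside the body, whereas a MIME attachment is a separate part that can be removed on its own.

```python
import binascii
from email import message_from_string
from email.message import EmailMessage

# Constructed sample content; not real data.
SECRET = b"CONFIDENTIAL: constructed sample data for this example only\n"

def uuencode(name, data, mode="644"):
    """Build a uuencoded block: 'begin' header, 45-byte lines, terminator, 'end'."""
    rows = [binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii").rstrip("\n")
            for i in range(0, len(data), 45)]
    return "\n".join([f"begin {mode} {name}", *rows, "`", "end"])

def split_uu(body):
    """Separate inline uuencoded blocks from the body text around them."""
    text, found, name, chunks = [], [], None, []
    for line in body.splitlines():
        head = line.split(" ", 2)
        if name is None and len(head) == 3 and head[0] == "begin" and head[1].isdigit():
            name, chunks = head[2], []          # the file name lives in the body text
        elif name is not None and line == "end":
            found.append((name, b"".join(chunks)))
            name = None
        elif name is not None:
            if line:
                chunks.append(binascii.a2b_uu(line))
        else:
            text.append(line)
    return "\n".join(text), found

def legacy_message():
    """Constructed non-MIME message: the file is plain text inside the body."""
    raw = ("From: alice@example.com\nTo: bob@example.net\nSubject: Q3\n\n"
           "See the file below.\n" + uuencode("q3.txt", SECRET) + "\nRegards\n")
    return message_from_string(raw)

def mime_message():
    """Constructed MIME message: the same file travels as a separate part."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.net", "Q3"
    msg.set_content("See the attached file.\n")
    msg.add_attachment(SECRET, maintype="application", subtype="octet-stream",
                       filename="q3.txt")
    return msg

if __name__ == "__main__":
    legacy, mime = legacy_message(), mime_message()
    print("legacy multipart:", legacy.is_multipart())       # single text body
    print("inline blocks:", split_uu(legacy.get_payload())[1])
    print("MIME parts:", [p.get_filename() for p in mime.iter_attachments()])
```
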

Encrypt

Encrypt the affected email message.

With Forcepoint DLP agents and Forcepoint Email Security, this option applies to all email directions.

For cloud infrastructure deployments such as Microsoft Azure, this option applies only to outbound email. (Inbound and Internal email is permitted, and an alert is sent to the Forcepoint Email Security administrator.)

Encrypt with profile key Removable media only. Encrypts sensitive data for users who will be on authorized endpoint machines. Passwords are set by administrators and deployed via profiles. Decryption is automatic if the files are accessed on the endpoints.
Encrypt with user password

Windows removable media only. Encrypts sensitive data for users who will be decrypting files from other machines (those without the endpoint agent installed). Passwords are set by endpoint users. Files are decrypted using a special utility.

Note that if the user has not yet configured a password when the first breach is detected, the system prompts the user for a password and then blocks the operation. The encryption action is not performed until subsequent transactions.

This option is not supported on Mac or Linux endpoints. Removable media transactions are permitted on Mac and Linux when this option is selected.

Confirm

Display a confirmation message, such as the following, when a security threat is detected:

Forcepoint DLP Endpoint has detected that you’re trying to copy sensitive data to a removable drive, which appears to be in violation of corporate policy. Do you want to continue?

Users can continue if they enter a business reason for the operation, or they can cancel. If they cancel or wait too long, the default action is taken.

To configure the default action, go to the Settings > General > Endpoint page and select Block or Permit on the General tab.

Run remediation script

Run a script that performs specific actions when an incident is detected.

Remediation scripts can be run when network discovery, endpoint discovery, or DLP incidents are detected.

See the Remediation scripts section.

Add classification tag

Add classification tags to files that trigger a discovery incident, following the guidelines established on the Settings > General > Services > Classification Tagging page.

Endpoint discovery only.

Requires a supported, third-party classification tagging system.