Standard Forcepoint DLP options
On the Data Loss Prevention tab, complete the fields as follows. See Possible actions for an action plan section for a description of each possible action.
- Under Network Channels:
Action Description Email Select an action to take when a breach is discovered on network email channels. Mobile email Select an action to take when a breach is discovered in content being sent to a user’s mobile device. FTP Select an action to take when a breach is discovered over FTP. HTTP/HTTPS Select an action to take when a breach is discovered over HTTP or secure HTTP. Chat Select an action to take when a breach is discovered over chat. Plain text Select an action to take when a breach is discovered via plain text. - Under Endpoint Channels:
Action Description Email Select an action to take when a breach is discovered on endpoint email. You cannot release endpoint email; therefore, you can only block messages, not quarantine them. Application control Select an action to take when a breach is discovered on an endpoint application such as Word. Removable media Select an action to take when a breach is discovered on an endpoint device such as a thumb drive. HTTP/HTTPS Select an action to take when a breach is discovered on an endpoint device over HTTP or secure HTTP. LAN Select an action to take when a breach is discovered on an endpoint LAN, such as when a user copies sensitive data from a workstation to a laptop. Printing Select an action to take when a breach is discovered on a local or network printer that is connected to an endpoint. - Under Cloud Channels, there are two channels: DLP Cloud Proxy and DLP Cloud API.
For DLP Cloud Proxy, select from the drop-down list an action to take when an incident involves files uploaded, attached, or downloaded from a cloud application.
- Select Permit to allow files to be uploaded, attached, or downloaded.
- Select Block to prevent the user action.
Note: When Block is applied, some desktop cloud applications might perform multiple retries to sync with the cloud service, and potentially malfunction. If this happens, multiple incidents might be received by the DLP system.For DLP Cloud API, select from the drop-down list an action to take when an incident involves files uploaded to, downloaded from, or shared with others.
- Select Permit to allow files to be uploaded, synchronized, downloaded, or shared.
- Select Safe copy to keep a copy of the file in the cloud archive that is accessible only to administrators.
- Select Quarantine to save the file in a quarantine folder defined in the CASB portal.
- Select Quarantine with note to quarantine the file and leave a message in place of the original file.
- Select Unshare external to remove sharing permissions for any external address.
- Select Unshare all to remove all sharing permissions from the file.
- By default, all incidents are audited. Clear the Audit incident check box if you do not want to audit incidents. Warning: If you turn off this option, incidents are not logged, so you will not know when a policy is breached.
When Audit incident is selected, select one or more of the following additional options:
- Select Include forensics to include information about the transaction that resulted in the incident, such as the contents of an email body: From:, To:, Cc: fields;
attachments, URL category, hostname, file name, and more.
Forensics display in the incident report.
- Select Run remediation script to have the system run a script when an incident is discovered, then select the script to use from the drop-down list. See Remediation scripts section for more information.
- Select Run endpoint remediation script to have the system run an endpoint remediation script when an incident is discovered, then select the script to use from the drop-down list.
- Select Send syslog message to notify an outside syslog server or ticketing system of the incident.
- Select Send email notifications to send an email message to a designated recipient when a policy is breached.
- Select the message or messages to send.
- Click a link to view or modify standard messages.
- Click New to create a custom message.
See Notifications and Adding a new messagesections for details.
Tip: There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. Therefore, if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches. - Select Include forensics to include information about the transaction that resulted in the incident, such as the contents of an email body: From:, To:, Cc: fields;
attachments, URL category, hostname, file name, and more.
- To configure discovery options, continue to the next section. Otherwise, click OK to save the changes.