Action Plans

Use the Policy Management > Resources > Action Plans page in the Data Security module of the Forcepoint Security Manager to define how the system responds when various breaches are discovered.

The following action plans are provided by default.

| Name | Description |
|---|---|
| Audit and Notify | Audit incidents from all channels, and if configured, generate notifications. |
| Audit Only | (Default) Permit all activity on all channels, and log incidents in the audit log. If configured, it also generates notifications. This action plan is designed for mild breaches. |
| Audit Without Forensics | Same as Audit Only, but does not store forensic data for the incident. |
| Block All | Block all incidents on all channels, audit them, and, if configured, generate notifications. This action plan is designed for severe breaches. |
| Block Without Forensics | Same as Block All, but does not store forensic data for the incident. |
| Drop Email Attachments | Drop email attachments that breach policy. |

Note: The predefined action plans use the Default notification. You can edit the action plans to use a different notification; see the Notifications and Adding a new message sections for details.

Select an action plan each time rules or exceptions are added to a policy.

  • To create a new action plan, click New.
  • To edit an action plan, click its name in the Action Plans list. See the Adding or editing an action plan section.
    See the Possible actions for an action plan section for the actions available for use in an action plan, depending on the channel.
  • To delete an action plan, select it and click Delete.
  • To select an action plan to use by default, select a plan in the list, then click Set as Default Action Plan.