Custom Policy Wizard - Severity and Action

Use the Severity & Action tab of the custom policy wizard to define when to trigger an incident:

  • Select Trigger an incident for every matched condition to trigger an incident every time a condition in the rule is matched. (For example, if a user sends an email message containing sensitive content, then prints the message, 2 incidents are generated.)
  • Select Accumulate matches before creating an incident to have the system collect matches for a particular source over time and create incidents when a threshold is met (drip DLP). The system remembers user activity and generates incidents for matches that occur within a defined period.

For either option, start by configuring the first line in the Severity and Action Plan table:

  1. Specify the incident severity:
    • Low - Incidents that match this rule are of low importance. The policy breach is minor.
    • Medium - Incidents that match this rule are of medium importance. The policy breach is moderate.
    • High - Incidents that match this rule are very important and warrant immediate attention. The policy breach is severe.
  2. Select an action plan. Action plans are customizable.
    • Select Audit Only to monitor and record (audit) incidents.
    • Select Audit and Notify (default) to monitor and record incidents. In addition, if notifications are configured, generate notifications.
    • Select Block All to block and audit incidents. In addition, if notifications are configured, generate notifications.
    • Select Drop Email Attachments to remove email attachments that violate policy.
    • Select Audit Without Forensics to monitor and record incidents without recording forensic data.
    • Select Block Without Forensics to block and audit incidents without recording forensic data.

    Define severity and action at a more granular level by selecting the second and third lines of the Severity and Action Plan table and selecting a severity and action plan for each line.

    For example, when there are at least 10 matches (10 or more), select Medium as the severity and Audit and Notify as the action plan. When there are at least 20 matches, select High as the severity and Block All as the action plan.

    Tip: Start with an action plan of Audit Only. Once policies have been tuned, send notifications or use block actions, as needed.

    Click the icon to edit the action plan. Change the action for each channel, as needed. Editing an action plan changes it for all the rules that use it.

    Click the icon to create a new action plan. See the Action Plans section for details.

    The action applies only to the match that exceeded the threshold—the one that created the incident—and subsequent matches. Initial matches are permitted.

  3. Under the Severity and Action section, select how matches should be calculated:
    • Select greatest number of matched conditions to have the number of matches compared, and only the greatest number reported. For example, if there are 5 matches for the classifier “Confidential Pattern”, 3 for “SSN Pattern”, and 10 for “My Key Phrases”, the number of matches would be defined as 10.
    • Select sum of all matched conditions to have the number of matches added together and the total reported. Given the same example as above, the number of matches would be defined as 18.
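The following is an added illustration, not part of the original documentation, of how the two match-calculation settings and the three-row Severity and Action Plan table combine under the accumulate (drip DLP) option. The classifier counts (5, 3 and 10) and the second and third thresholds (10 and 20) come from the examples above; the first row's threshold of 5, the class and function names, and the "permit" result for matches below every threshold are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# One row of the Severity and Action Plan table: it applies once the
# accumulated match count reaches min_matches. Hypothetical field names.
@dataclass(frozen=True)
class Row:
    min_matches: int
    severity: str
    action_plan: str

# Constructed table: the first row's threshold (5) is an assumption; rows
# two and three follow the page's example (10 -> Medium, 20 -> High).
EXAMPLE_TABLE = [
    Row(5, "Low", "Audit Only"),
    Row(10, "Medium", "Audit and Notify"),
    Row(20, "High", "Block All"),
]

def count_matches(per_classifier: dict[str, int], mode: str) -> int:
    """Reduce per-classifier hit counts the way the wizard setting does:
    'greatest' keeps only the largest count, 'sum' adds them all together."""
    if mode == "greatest":
        return max(per_classifier.values(), default=0)
    if mode == "sum":
        return sum(per_classifier.values())
    raise ValueError(f"unknown calculation mode: {mode}")

def select_row(matches: int, table: list[Row]) -> Row | None:
    """Return the highest row whose threshold is met, or None when the
    count is still below every threshold (no incident yet)."""
    met = [row for row in table if matches >= row.min_matches]
    return max(met, key=lambda r: r.min_matches, default=None)

@dataclass
class DripTracker:
    """Accumulate matches for one source (drip DLP). Matches below the
    first threshold are permitted; the match that reaches a threshold,
    and every later one, receives that row's severity and action plan."""
    table: list[Row]
    mode: str
    totals: dict[str, int] = field(default_factory=dict)

    def observe(self, hits: dict[str, int]) -> tuple[int, str | None, str]:
        for classifier, n in hits.items():
            self.totals[classifier] = self.totals.get(classifier, 0) + n
        matches = count_matches(self.totals, self.mode)
        row = select_row(matches, self.table)
        if row is None:
            return matches, None, "permit"
        return matches, row.severity, row.action_plan
```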