Exception Wizard - Severity & Action

Use the Severity & Action tab of the exception wizard to configure a severity level and an action plan for conditions that match the exception.

  1. Select the severity and action plan to apply to incidents that match this exception. These settings override the rule’s severity and action plan.
    Severity:
    • Low - Incidents that match this exception are of low importance. The policy breach is minor.
    • Medium - Incidents that match this exception are of medium importance. The policy breach is moderate.
    • High - Incidents that match this exception are very important and warrant immediate attention. The policy breach is severe.
    Action Plan:
    • Select Block all to use the strict actions defined under Main > Policy Management > Resources > Action Plans.
    • Select Audit & notify manager (the default) to use the moderate actions defined. These are a compromise between the blocking and auditing plans.
    • Select Audit only to audit incidents and not block them.

    New and edit icons are displayed to the right of the action plan drop-down list.

    • Click the edit icon to change the action for each channel if desired. Editing an action plan changes it for all the rules and exceptions that use it.
    • Click the new icon to create a new action plan. See Action Plans section.
  2. Select how matches should be calculated for this exception:
    • Greatest number of matched conditions. Select this option if you want the number of matches for each condition to be compared, and only the greatest number reported. For example, if there are 5 matches for the condition ConfidentialPattern, 3 for SSN_Pattern, and 10 for MyKeyPhrases, the number of matches would be defined as 10.
    • Sum of all matched conditions. Select this option if you want the number of matches for each condition to be added together and the total to be reported. Given the same example as above, the number of matches would be defined as 18.
  3. If you are using Risk-Adaptive Protection to determine actions according to the source’s risk level, select an action plan for each of the risk levels (1-5), and a Dynamic User Protection Severity value. When the rule is triggered, the action plan that is executed is the one defined for the user’s risk level, as determined by Forcepoint Behavioral Analytics. The following severity levels are available:
    • None (Do not Report): DLP incidents are not reported to Forcepoint Dynamic User Protection.
    • None (Report as Informative): DLP incidents are reported as informative to Forcepoint Dynamic User Protection.
    • Low: DLP incidents are of low importance. The policy breach is minor.
    • Medium: DLP incidents are of medium importance. The policy breach is moderate.
    • High: DLP incidents are important and should be monitored. The policy breach is significant.
    • Critical: DLP incidents are very important and warrant immediate attention. The policy breach is severe.
  4. If the severity value does not match the system default for the User-Risk Impact, a notification is displayed.
  5. Click the Add button to create a new action plan and add it to all risk-level action-plan lists. You can then select the new action plan for each risk level.
    Note: The Risk-Adaptive Protection section affects only users that were defined as risk-adaptive users. See the Custom user directory groups section and the Custom users section for how to define such users.
  6. Click Next to continue to the Finish page of the exception wizard. See Exception Wizard - Finish section.