Possible actions for an action plan
The actions available for use in an action plan depend on the channel being configured.
Possible actions include:
Action | Description |
---|---|
Permit | Allow data to be maneuvered based on your selection —for example, allow it to be printed or posted to a website. |
Block | Deny or block data from being printed, posted, or emailed, depending on your selection. |
Audit only | Activity is audited and available to review. |
Quarantine |
Quarantine email messages containing sensitive data. Network email can be encrypted before it’s released. Select Encrypt on release to enable this feature (this feature is not supported for Forcepoint Email Security Cloud). Note:When a mobile email message is released from quarantine, it is sent to the mobile device the next time the device is connected to the network. |
Quarantine with note | Quarantine the message as described above, and provides a note to the user in place of the message. |
Safe copy | Keep a copy of the file in the cloud archive that is accessible only to administrators. |
Unshare external | Remove sharing permissions for any external addresses. |
Unshare all | Remove all sharing permissions from the file. |
Drop attachments |
Note:If a violation is found in a uuencoded attachment, the attachment is treated as email body and blocked rather than dropped. This is because additional content is placed between the attachments, including the attachment name. (UNIX-to- UNIX encoding [uuencoding] is a utility that most email applications use for encoding and decoding files.) Select Encrypt on release if you want quarantined messages to be encrypted before they’re released. If an attachment has been dropped, this option reattaches it and encrypts both the body and attachment before releasing the message. To release an incident, an administrator selects on the incident details toolbar. |
Encrypt |
Encrypt the affected email message. With Forcepoint DLP agents and Forcepoint Email Security, this option applies to all email directions. For cloud infrastructure deployments such as Microsoft Azure, this option applies only to outbound email. (Inbound and Internal email is permitted, and an alert is sent to the Forcepoint Email Security administrator.) |
Encrypt with profile key | Removable media only. Encrypts sensitive data for users who will be on authorized, endpoint machines. Passwords are set by administrators and deployed via profiles. Decryption is automatic if the files are accessed on the endpoints. |
Encrypt with user password |
Windows removable media only. Encrypts sensitive data for users who will be decrypting files from other machines (those without the endpoint agent installed). Passwords are set by endpoint users. Files are decrypted using a special utility. Note that if the user has not yet configured a password when the first breach is detected, the system prompts the user for a password and then blocks the operation. The encryption action is not performed until subsequent transactions. This option is not supported on Mac or Linux endpoints. Removable media transactions are permitted on Mac and Linux when this option is selected. |
Confirm |
Display a confirmation message, such as the following when a security threat is detected: Forcepoint DLP Endpoint has detected that you’re trying to copy sensitive data to a removable drive, which appears to be in violation of corporate policy. Do you want to continue? Users can continue if they enter a business reason for the operation, or they can cancel. If they cancel or wait too long, the default action is taken. To configure the default action, go to the page and select Block or Permit on the General tab. |
Run remediation script |
Run a script that performs specific actions when an incident is detected. Remediation scripts can be run when network discovery, endpoint discovery, or DLP incidents are detected. See Remediation scripts section. |
Add classification tag |
Add classification tags to files that trigger a discovery incident, following the guidelines established on the page.Endpoint discovery only. Requires a supported, third-party classification tagging system. |