Controls Orchestration

Controls Orchestration rules are designed to identify data that requires immediate attention and can optionally trigger notifications or automated responses. These rules utilize configurations from previous labs, including Detectors, Data Sources, and Security Posture Policies. In the following steps, we will create the specified rules to enhance data security and incident management.

Controls Orchestration in Forcepoint DSPM provides a comprehensive approach to managing and securing data through automated workflows, rule-based detection, timely notifications, and efficient incident management.

In Controls Orchestration, you create rules to identify data that matches specific criteria. These rules are applied during scans of the selected dataset. This allows you to identify data handling that does not follow your organization’s policies.

You can configure the rules to send notifications outside of Forcepoint DSPM when data matching the rule criteria is detected. Each rule is automatically added as a card in the Incidents tab. When you select an incident card, you are taken to the rule.

Configuring custom rules:

  1. Navigate to Policy Center > Controls Orchestration.
  2. Click Create new Rule and complete the following fields:
     • Name: a name for the rule.
     • Group: select a previously defined Security Posture Policy; this populates the GQL syntax in the Condition field of this rule. Alternatively, leave the group selection empty and manually define the Condition for the rule using GQL syntax.
     • Description: describes the purpose of the rule.
     • Ownership: the person responsible for keeping the rule updated.
     • Based on asset: select one of the available assets from the drop-down.

  3. Click ACCEPT.
  4. (Optional): You can also configure Risk Type and Rule Severity.

Select dataset to query:

  1. Select dataset: from the drop-down, select one of Files (matches against data scans), Trustees (matches against the users and groups discovered), or Agent Activities (matches against the usage statistics of the endpoint agents; available when Forcepoint Data Classification Agent is also configured).
  2. From the Condition field, configure the GQL syntax that will be used to filter the dataset for your rule.

Save and enable the rule:

  1. Click Update. From the left panel, enable the toggle button next to the rule. An example is shown below:

    Note: Each time a rule is updated, the rule automatically toggles off, so re-enable it after every update.

Send notifications outside Forcepoint:

  • To send notifications outside of Forcepoint DSPM when the rule is triggered, select the Create Action button, then select an action option in the Action type drop-down menu. Multiple actions can be created for the same rule.