How to Configure DDR Rules

Create Scan Configuration

To configure DDR rules, follow these steps:
  1. Access the Forcepoint DSPM DDR dashboard using your credentials.
  2. Under the DDR tab, select Create Scan Configuration to connect to the data sources to be monitored.

  3. Define Scopes: Specify the data sources to connect to.
  4. Verify Configuration: Ensure that at least one data source is successfully connected. A green checkmark will confirm the completion.

Check for Incoming Events

Once the scan configuration is complete:
  1. Go to Administration > Live Events > Streaming to view real-time events.

  2. Monitor Event Activity: Filter events by source, username, action type (create, update, delete), and event type.

Overview Page

The Overview page provides a comprehensive view of DDR's performance:
  1. Event Statistics: Displays the number of events by source, such as Google Drive, SharePoint, OneDrive, and Box.
  2. Data Source Activity: Visualizes active data sources and the volume of events generated by each.
  3. Event Timeline: Shows when events occurred, helping identify peak activity periods and anomalies.

Open Risks

The Open Risks section highlights detected threats, categorized by risk type:
  • Public Exposure: Identifies sensitive files accessible to external users via public links.
  • External Sharing: Detects files shared outside the organization, potentially exposing sensitive information.
  • Internal Over-Sharing: Flags data with excessive permissions within the organization.

For each risk, DDR provides detailed insights, including the file path, user activity, and recommended remediation steps.