Applying manual cloud actions in API logs

In addition to the actions that cloud policies trigger automatically, Forcepoint ONE SSE lets admins apply manual cloud actions to individual files from the API Logs.

Admins can Quarantine files that did not trigger a cloud policy, or Create Copy of one or more files for later inspection. Admins can also Add to Whitelist or Remove from Whitelist.

Note: Manual actions are supported for Google, Office 365, Box and Dropbox.
  1. Navigate to Analyze > Logs > API > Summary view.
  2. On the Event Logs card, select any number of files to which you wish to apply an action.
  3. In the top right corner of the Event Logs card, open the drop-down box titled "Manual Cloud Actions". The drop-down offers the following options:
    1. Quarantine: Moves the file into the admin-designated Quarantine account and directory for additional inspection. A notification file is left in its place, named after the original file with the suffix "_quarantined".
    2. Add To Whitelist: Marks the file to be moved to the Whitelist. If the file is currently quarantined, it is moved out of quarantine; otherwise the file is marked with Action = Whitelisted. Whitelisted files are bypassed by cloud policies that would otherwise quarantine them, so a whitelist entry is a standing exception and should be reviewed periodically (see the triage use case below).
    3. Remove from Whitelist: Removes the selected files from the Whitelist, so that cloud policies apply to them again.
    4. Create Copy: Creates a copy of the file and places the copy in an admin-designated location for later viewing and inspection. The original file is left in place and unchanged.
    5. Encrypt: Encrypts the selected file, provided the application supports encryption of data at rest.


Understanding use cases of API logs

  1. Tuning cloud policy actions:

    Admins can use the API Logs together with the manual cloud action feature to identify offending files and either adjust policies accordingly or quarantine files that are outliers.

    • Admins can configure cloud policies with the Create Copy action, so that matching files are copied for review instead of being blocked or quarantined immediately.
    • Filtering the logs by CreatedCopy, admins can then analyze the copied files and adjust the policy criteria or DLP patterns accordingly.
      • If files turn out to be out of line with the current policy (for example, containing sensitive information the policy did not catch), the DLP policy can be adjusted to capture and quarantine those files.
      • Similarly, if the majority of files are benign while a few are outliers, the outliers can be manually quarantined without adjusting or changing the DLP policy.
  2. Exceptions for false positives:
    • Admins can use the manual cloud action feature to whitelist files that users report as benign.

      Admins can click the link in the log entry to review the file. If the file is benign, the admin can manually whitelist it, or use the match information to adjust the DLP cloud policy patterns so that the file no longer triggers the DLP policy. Adjusting the pattern is preferable when the same false positive affects many files, since a whitelist entry exempts only the selected file.

  3. Triage of whitelisted files:
    • Periodically (at least monthly), admins should review whitelisted files to ensure they are still benign and safe, especially if policies have been adjusted over time or if the information in a file has changed since it was whitelisted.
    • Admins should filter by whitelisted items and review the DLP pattern matches to confirm they are in line with the expected policies.
    • Manually creating copies can be used to inspect the file content if necessary.

      If a file turns out to contain sensitive content or to be out of line with the updated policies, it can be removed from the Whitelist so that the automated policy actions trigger appropriately.