Creating a copy action via policy

Forcepoint ONE SSE can apply the create copy action via an Advanced Data Pattern.

Typically, customers apply create copy via API scans to identify sensitive files that admins wish to review before acting on them. Now, admins can also identify sensitive files during upload/download and have a copy of the file placed in a specific location for later review. This policy is applied by creating an Advanced Pattern that triggers when it matches the specific data pattern you are looking for.

Steps

  1. Navigate to the Protect > Objects > DLP Objects page. Click the green plus icon and select Advanced to create the data pattern.




  2. At the top, give the pattern a recognizable name. You can also provide a description of what the pattern does.


  3. Click the Match Criteria tab. Use the following format: <RegEx Pattern> ->(CreateCopy "<destAppId>" "<destEmail>" "<destFolder>")
    • RegEx Pattern: Any RegEx pattern you wish to identify/trigger on for an inline policy. It can reference an existing simple data pattern or be an advanced pattern with boolean logic, etc.
    • -> (CreateCopy "<destAppId>" "<destEmail>" "<destFolder>"): Sets the action to be taken when the pattern is identified. In this case, it creates a copy of the file and sends it to the listed application, into the specified folder of the listed user.

    For example, the screenshot below shows a pattern that triggers whenever a file matching the "Confidential" data pattern is uploaded/downloaded; it creates a copy of that file and places it in the GDrive folder /My Drive/SoC Investigation of user admin@dev-acme.com.



  4. Navigate to Protect > Policies, where you can now add a policy action to any of the inline policies for your apps. Click into the Action column and add a download and/or upload policy that selects the data pattern. You can set the action to whatever you want, since you may still want to act on the original file; the pattern we created will still create a copy of the file no matter what.


  5. Once triggered, you can review the action on the Analyze > Logs > Proxy Dashboard page.
    You will see the Action listed as CopyCreated, matching the data pattern you created.
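
An added example, not part of Forcepoint's documentation: a small Python check a reviewer could run over Match Criteria strings to confirm that each CreateCopy destination is an approved review location before the pattern is attached to a policy. It parses only the format shown in step 3; the approved-domain list, the APP_ID_PLACEHOLDER value, the sample strings and the function name are assumptions made for illustration.

```python
import re

# Format from step 3:
#   <RegEx Pattern> ->(CreateCopy "<destAppId>" "<destEmail>" "<destFolder>")
# Whitespace after "->" is optional here because the page writes it both ways.
CREATE_COPY = re.compile(
    r'^(?P<pattern>.+?)\s*->\s*\(\s*CreateCopy\s+'
    r'"(?P<app>[^"]*)"\s+"(?P<email>[^"]*)"\s+"(?P<folder>[^"]*)"\s*\)$'
)

# Assumption: mail domains approved to receive review copies.
APPROVED_DOMAINS = {"dev-acme.com"}

# Constructed samples; APP_ID_PLACEHOLDER stands in for a real destAppId.
SAMPLES = [
    'Confidential ->(CreateCopy "APP_ID_PLACEHOLDER" "admin@dev-acme.com" "/My Drive/SoC Investigation")',
    'Confidential -> (CreateCopy "APP_ID_PLACEHOLDER" "reviewer@example.net" "/My Drive/SoC Investigation")',
    'Confidential ->(CreateCopy "<destAppId>" "admin@dev-acme.com" "")',
]


def audit_match_criteria(text, approved_domains=APPROVED_DOMAINS):
    """Return findings for one Match Criteria string; an empty list means clean."""
    m = CREATE_COPY.match(text.strip())
    if not m:
        return ["does not follow the documented CreateCopy format"]
    findings = []
    for field in ("app", "email", "folder"):
        value = m.group(field).strip()
        if not value:
            findings.append(f"{field}: empty")
        elif value.startswith("<") and value.endswith(">"):
            findings.append(f"{field}: template placeholder left in place")
        elif field == "email":
            local, at, domain = value.rpartition("@")
            if not (local and at and domain):
                findings.append("email: not an address")
            elif domain.lower() not in approved_domains:
                findings.append(f"email: {domain} is not an approved review domain")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_match_criteria(sample) or "ok", "<-", sample)
```

Because the copy is created regardless of the action chosen in step 4, the destination mailbox and folder are where the sensitive data ends up, so they are the values worth checking.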