Forcepoint ONE SSE can apply the create copy action via an Advanced Data
Pattern.
Typically, customers apply create copy via API scans when identifying sensitive files that admins wish to review before acting upon. Now, admins can also identify sensitive files
during upload/download and create a copy of the file to place in a specific location for later review. This policy is applied by creating an Advanced Pattern that triggers when it matches
a specific other data pattern you are looking for.
Steps
-
Navigate to the page. Click the green plus icon and select Advanced to create the data pattern.
-
Give it a name that is recognizable at the top. You can also provide a description for what the pattern is doing.
-
Now click on the Match Criteria tab. The format you will follow is as follows:
<RegEx Pattern> ->(CreateCopy "<destAppId>" "<destEmail>"
"<destFolder>")
- RegEx Pattern: This can be any RegEx Pattern you wish to identify/trigger on for an inline policy. Can be referencing an existing simple datapattern or can be an
advanced pattern with boolean logic/etc.
- -> (CreateCopy "<destAppId>" "<destEmail>" "<destFolder>"): Sets the action to be taken when the pattern is identified. In this case it will create a copy
of the file and send it to the application listed and into the specific folder of the user listed.
For example, the below screenshot is a pattern that will trigger whenever a file that matches the "Confidential" data pattern is uploaded/downloaded and will create a copy
of that file and place it in user admin@dev-acme.com's GDrive folder /My Drive/SoC Investigation.
-
Navigate to and you can now add a policy action to any of your inline policies for your apps. Select into the action column and add a download and/or upload policy selecting the
data pattern. You can change the action to whatever you want since you may still want to take actions on the original file, but the pattern we created will still create a copy of
the file no matter what.
-
Once triggered, you can review the action on the Dashboard page.
You will see the
Action as
CopyCreated and matching the data pattern you created.