Requiring justification on upload

Forcepoint ONE SSE can block unwanted upload attempts but make exceptions after a user supplies justification.

This feature works via an advanced data pattern in combination with the inline notification pop-up. Admins configure an advanced policy containing their configured data pattern(s) or FPSL code, set to deny on upload with the inline notification enabled. A user attempting an upload action that matches the configured pattern is denied and presented with an inline pop-up containing a text box that prompts them to enter a justification for their action. Once done, they have a 15 minute window in which the same action is allowed. Admins can then review the event, and the justification the user entered, in the proxy event logs.

Steps

  1. To set up, you will need to first create an inline notification message. Refer to Creating a new inline notification.
  2. With the inline message object complete, navigate to Protect > Objects > DLP Objects and add a new DLP pattern by clicking the green plus icon and selecting Advanced to create the data pattern.

  3. Click on the Match Criteria tab and then enter logic following the template: <RegEx Pattern> -> (Justify)
    • RegEx Pattern: This can be any RegEx pattern you wish to identify/trigger on for an inline policy. It can reference an existing simple data pattern or be an advanced pattern with boolean logic, etc.
    • (Justify): Sets the action to be taken when the pattern is identified; in this case it prompts the user for justification.
    • For example, the pattern shown in the screenshot below - Count("Confidential") > 0 -> (Justify) - triggers whenever a file that matches the Confidential data pattern is uploaded. The user is denied and an inline pop-up alerts them to the policy match and prompts them for justification.

    • Once the pattern has been created, an admin simply needs to add the pattern to an upload policy in whichever app they wish, set the action to Deny, enable notification and set the notification to the inline message. A user attempting to upload a file matching the Confidential pattern will encounter the inline pop-up asking them to justify their action.

    • Once a user has entered the justification, they can attempt the upload again and it should succeed.

    • Admins reviewing the proxy logs will see the event appear with a "PendingJustification" Activity and the initial "Deny" action. Reviewing log lines with the tag "ProvidedJustification" displays the justification text the user entered.

    • If the user re-uploaded their file after the justification, there will be another log line indicating the successful upload event, with the tag "AllowedOnJustification".
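The review step above produces three related log events per upload. As an added example (not part of the Forcepoint documentation), the script below correlates them per user and file and flags cases an analyst would want to look at: a justification that was never followed by a re-upload, and very short justification text. The key=value line layout and all sample values are constructed assumptions; only the tag names and actions come from the text above.

```python
import shlex
from datetime import datetime

# Constructed sample proxy log lines. The key=value layout is an assumed format,
# not Forcepoint ONE SSE's real one; only the tag names and Deny/Allow actions
# come from the documentation above.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:00Z user=alice@example.com file=q3-plan.docx activity=PendingJustification action=Deny
ts=2024-05-01T10:02:10Z user=alice@example.com file=q3-plan.docx tag=ProvidedJustification justification="Sharing draft with outside counsel"
ts=2024-05-01T10:03:05Z user=alice@example.com file=q3-plan.docx tag=AllowedOnJustification action=Allow
ts=2024-05-01T11:00:00Z user=bob@example.com file=salaries.xlsx activity=PendingJustification action=Deny
ts=2024-05-01T11:01:00Z user=bob@example.com file=salaries.xlsx tag=ProvidedJustification justification="test"
ts=2024-05-01T11:05:00Z user=bob@example.com file=salaries.xlsx tag=AllowedOnJustification action=Allow
ts=2024-05-01T12:00:00Z user=carol@example.com file=roadmap.pptx activity=PendingJustification action=Deny
ts=2024-05-01T12:04:00Z user=carol@example.com file=roadmap.pptx tag=ProvidedJustification justification="Needed for the partner review call"
"""

def parse_line(line):
    """Split one key=value line into a dict; shlex keeps quoted values intact."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields

def correlate(log_text):
    """Group the deny / justification / allow events per (user, file) upload."""
    uploads = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        rec = uploads.setdefault((f["user"], f["file"]), {})
        marker = f.get("tag") or f.get("activity")
        if marker == "PendingJustification":
            rec["denied_at"] = f["ts"]
        elif marker == "ProvidedJustification":
            rec["justified_at"] = f["ts"]
            rec["justification"] = f.get("justification", "")
        elif marker == "AllowedOnJustification":
            rec["allowed_at"] = f["ts"]
    return uploads

def review(uploads, min_words=3):
    """Return (user, file, finding) tuples worth an analyst's attention."""
    findings = []
    for (user, file), rec in uploads.items():
        text = rec.get("justification", "")
        if "justified_at" in rec and "allowed_at" not in rec:
            findings.append((user, file, "justified but never re-uploaded"))
        if text and len(text.split()) < min_words:
            findings.append((user, file, f"short justification: {text!r}"))
    return findings
```

Running `review(correlate(SAMPLE_LOG))` on the constructed sample flags bob's one-word justification and carol's abandoned upload, while alice's complete sequence produces no finding.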