Adding conditions to the API policy

The Condition clause forms the API policy.

The possible match criteria for the condition are as follows:

  • User Groups: All users scanned by the API as defined in the Selective Scanning settings, locally defined groups, or security groups and OUs pulled from Active Directory.
  • Status: The current status of the file.
    • DLP: If the file contents match a DLP pattern.
    • External: If the file has been shared with a person with a domain outside of the domains listed on the IAM > Users and Groups page (a domain that isn't configured inside of your Forcepoint ONE SSE tenant).
    • Internal: If the file has been shared with a person with a domain that exists on the IAM > Users and Groups page.
    • Public: If the file was shared by a Public link that anyone can access without authentication.
    • Shared: If the file is shared in any manner, including all options above (External, Internal, Public).
  • File Name: Match by the exact file name.
  • File Size: Match files based on their size, which can be less than (or equal to) or greater than (or equal to) a specified size in bytes.
  • Owner: The user who is the owner of the file.
  • Shared With: The user with whom the file is shared (applicable when the file is shared externally or internally).
  • Data Pattern: The particular pattern that is matched against the file contents.

    These are the patterns that you have included under the API Setup page for the application.

  • Actor: Indicates the performer of the action on the file (modified, deleted, sharing changed, moved, renamed or downloaded). You can refine the search using the equal, not equal, contains and doesn't contain options.
  • Path: The path location of the file(s).
  • Creation Time: Match files created before, after, or between specified dates that you select from a calendar pop-up.
  • Creation Time Period: Match files created in the past X days.
  • Modification Time: Match files modified before, after, or between specified dates that you select from a calendar pop-up.
  • Modification Time Period: Match files modified in the past X days.
Note: For the File Name, Owner, and Shared With conditions, Forcepoint ONE SSE supports contain and not contain operators, allowing admins to search for files containing a word or name rather than an exact match. For example, admins can search to see if files were shared with a specific external email address as needed.


Example



User Group = All Scanned Users AND (Status = DLP OR Status = Shared)

The policy will thus be enforced for all files of all scanned users whose status is DLP (matches at least one DLP pattern) or is Shared.

An implied deny rule is applied if no rules match at the end of policy evaluation. Forcepoint ONE SSE policies match in a manner similar to a traditional corporate firewall.
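The following Python model is an added example, not Forcepoint code: it derives the Status values as the list above defines them, applies the example condition, and falls through to the implied deny so you can reason about which files a condition will catch before saving it. The tenant domain, sample files, group field, action labels and top-down first-match ordering are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: domains listed on the IAM > Users and Groups page.
TENANT_DOMAINS = {"example.com"}

@dataclass
class FileRecord:  # hypothetical shape of a scanned file's metadata
    name: str
    owner_groups: set
    shared_with: list = field(default_factory=list)   # recipient e-mail addresses
    public_link: bool = False
    dlp_matches: list = field(default_factory=list)   # matched data pattern names

def statuses(f, tenant_domains=TENANT_DOMAINS):
    """Derive the Status values for a file as the condition list defines them."""
    s = set()
    if f.dlp_matches:
        s.add("DLP")
    for addr in f.shared_with:
        domain = addr.rsplit("@", 1)[-1].lower()
        s.add("Internal" if domain in tenant_domains else "External")
    if f.public_link:
        s.add("Public")
    if s & {"External", "Internal", "Public"}:
        s.add("Shared")  # Shared covers every sharing mode
    return s

def example_condition(f):
    """User Group = All Scanned Users AND (Status = DLP OR Status = Shared)"""
    st = statuses(f)
    return "All Scanned Users" in f.owner_groups and ("DLP" in st or "Shared" in st)

def evaluate(f, rules):
    """Assumed firewall-style order: first matching rule wins, else implied deny."""
    for condition, action in rules:
        if condition(f):
            return action
    return "implied-deny"

RULES = [(example_condition, "example-rule-action")]  # action label is a placeholder

SAMPLES = [  # constructed sample files
    FileRecord("budget.xlsx", {"All Scanned Users"}, shared_with=["pat@partner.test"]),
    FileRecord("notes.txt", {"All Scanned Users"}),
    FileRecord("ssn.csv", {"All Scanned Users"}, dlp_matches=["US SSN"]),
    FileRecord("plan.docx", {"Contractors"}, public_link=True),
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f.name, sorted(statuses(f)), evaluate(f, RULES))
```

Note that `plan.docx` is publicly shared yet still reaches the implied deny, because its owner is outside the user group named in the condition.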