Custom Policy Wizard - Severity & Action

Administrator Help | TRITON AP-DATA | Version 8.3.x

On this screen, define whether incidents should be triggered every time this rule is matched or for the accumulation of matches for a particular source over time.

Also define how matches are counted, the threshold for triggering the incident, the severity to assign breaches, and the action plan to apply.

Field

Description

Create an incident for every matched condition

Select this option if you want an incident generated every time a condition in this rule is matched. For example, if a user sends an email message containing sensitive content, then prints the message, you would like 2 incidents generated.

Accumulate matches before creating an incident

(Drip DLP)

Select this option if you want the system to accumulate matches over time and create incidents when a threshold is met.

When this option is selected, the system remembers user activity and generates incidents for matches that occur within a defined period.

If you select this option, indicate the time period to monitor and whether to count matches or transactions.

Count transactions - tells the system to count incident transactions as they accumulate for a given source, even though each incident can have multiple triggers.

Count unique matches - tells the system to count violation triggers that accumulate for a source, but only triggers that are unique.

For example, you create a rule that does not permit 10 different credit card numbers to be sent within 1 hour. If a user sends 1 message with 20 credit card numbers, 1 violation trigger is counted. But if the user sends 20 email messages with the same credit card number, no triggers are counted, because the numbers were not unique.

Note that case differences are counted separately in word-related classifiers--for example, word, Word, and WORD.

Count all matches - tells the system to count all violation triggers that accumulate for a source, even duplicates. In the example above, even if the user sent 20 messages with the same credit card number, 20 triggers are counted.

Matches and transactions are counted individually for each source, such as user name or IP address, and they are counted only on the policy engine that detects them. Incidents are generated only when the threshold is met on a single policy engine.

The system counts matches by default.

Note that the time period is a sliding window. It resets every time a match is detected.

When there are at least: n matches/transactions

Define the threshold for triggering an incident. For example, trigger an incident when there are at least 3 matches (3 or more).

Note:

If you selected the cumulative option and the threshold is not met, the match count is 0.

Change severity to:

Specify the severity of incidents that breach this rule:

Low - Incidents that match this rule are of low importance. The policy breach is minor.

Medium - Incidents that match this rule are of medium importance. The policy breach is moderate.

High - Incidents that match this rule are very important and warrant immediate attention. The policy breach is severe.

and the action plan to:

Select an action plan for your policy. Action plans are customizable. By default, they include:

Block all - Select this option if you want this policy to use the strict actions defined under Main > Policy Management > Resources > Action Plans.

Audit & notify manager - Select this option (the default) if you want this policy to use the moderate actions defined. These are a compromise between strict and permissive actions.

Audit only - Select this option if you want this policy to use permissive actions.

Click the

icon to edit the action plan. You can change the action for each channel if desired. Editing an action plan changes it for all the rules that use it.

Click the

icon to create a new action plan. See Action Plans, for details.

Note that the action applies only to the match that exceeded the threshold—the one that created the incident—and subsequent matches. Initial matches are permitted.

The rate of matches should decline for at least [ nn minutes] before counting stops.

How long should the system continue counting before starting over?

Select the length of time to continue counting matches once the rate begins to decline.

As long as the system continues to detect the configured number of matches over the configured period, it continues to accumulate the matches in the same incident.

Advanced

Click Advanced to define severity at a more granular level.

For example, when there are at least 10 matches (10 or more), change severity to medium and action plan to audit & notify. When there are at least 20 matches, change severity to high and action plan to block.

Define matches

Select how matches should be calculated:

Greatest number of matched conditions. Select this option if you want the number of matches for each condition to be compared, and only the greatest number reported. For example, if there are 5 matches for the condition ConfidentialPattern, 3 for SSN_Pattern, and 10 for MyKeyPhrases, the number of matches would be defined as 10.

Sum of all matched conditions. Select this option if you want the number of matches for each condition to be added together and the total to be reported. Given the same example as above, the number of matches would be defined as 18.


	Tip Start with an action plan of audit. Once your policies are tuned, you can send notifications or block actions as needed.