Adding a new remediation script

Administrator Help | TRITON AP-DATA | Version 8.3.x


	Warning To avoid degrading system performance, it is highly recommended you consult with Forcepoint Technical Support before adding a remediation script.

Click New then select the type of script to create from the menu. For a description of each type of script, refer to Remediation scripts.

Enter a name for this remediation script.

Enter a description for this script.

Depending on the type of script, you can add up to 3 versions of this script: Windows, Linux, and Mac. When a breach is discovered on an endpoint, the system knows which version to run.

Select the tab for each operating system your endpoints run and complete the fields:

Field

Description

Executable file

Browse to the executable file you want to run when certain incidents are detected. To change your selection, right-click Browse and select a new file.

Note:

If you are using a remediation script that copies files to a \quarantine folder, be sure to exclude this folder from discovery scans.

Endpoint scripts must be smaller than 5 MB.

Arguments (optional)

Optionally, enter any arguments you want to include with the command. If the arguments are enclosed in quotation marks, separate arguments by a space. For example:
"-e" "-o"

Additional Files

If the script requires additional files, such as a resource file or other scripts that it calls, click Additional Files then browse to a zip file containing the additional file(s) to run.

Note: Additional files are placed in the same folder as the script, and they are automatically downloaded by the endpoints.

Click OK. A progress bar shows the progress of each file as it uploads. You can cancel the process at any time. When the upload is complete, the new external command appears in the details pane.

When editing an existing script, you'll see Update buttons instead of Browse buttons. To edit a script:

Click the script name to edit.

By Current executable file, click Update. You are alerted that the executable file will be removed from the TRITON management server.

Click OK to continue.

Browse to the new executable file.

If necessary, update the additional files in the same way.

Click OK.

For more information about writing a remediation script, refer to the Technical Library document, Data Remediation Scripts. This document describes:

What interpreted languages you can use for the script

The XML structure of discovery and DLP incidents

How to supply remediation scripts with credentials in various operating systems

Code samples

XML interface

TRITON AP-DATA creates an XML file every time an incident is generated. The XML file contains incident details that your script can use, such as the nature of the violation and the content itself.

At run time, your script receives the path to the XML file as an input. Your script can parse this XML file and perform addition actions based on the incident details, such as logging to an external system or custom analysis.

The XML Schema Definition (XSD) for this file is shown below:

Where:


Element	Description
analysisDetails	Root element.
transactionID	The internal transaction ID (unique ID that the system generates for every analyzed transaction).
action	The action taken (for example, permit or deny).
actionDetails	The action taken per destination.
violations	The detected violations, including the policy name and content.
name	Descriptive policy name
detectedValues	The matched sensitive content and its location (for example, email body or file attachment).